gif2apng 1.9 – ‘.gif’ Stack Buffer Overflow

• Exploit Database
• 18 阅读

• 作者： Hamm3r.py
  日期： 2018-04-24
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/44519/

• # Exploit Title: gif2apng 1.9 '.gif' Stack-Buffer Overflow
  # Date: 20 April 2018
  # Exploit Author: Hamm3r.py
  # Vendor Homepage: http://gif2apng.sourceforge.net/
  # Version: 1.9
  # Tested on: Ubuntu 16.04
  # CVE :
  
  gif2apng is vulnerable to a stack based buffer overflow when a malformed
  gif is supplied. Following is the stack trace:
  
  $ ./gif2apng fuzz.gif
  
  gif2apng 1.9 using 7ZIP with 15 iterations
  
  Reading 'fuzz.gif'...
  =================================================================
  ==3674==ERROR: AddressSanitizer: stack-buffer-overflow on address
  0x7fffb183bcf1 at pc 0x0000004ebdce bp 0x7fffb1837a90 sp
  0x7fffb1837a88
  WRITE of size 1 at 0x7fffb183bcf1 thread T0
  #0 0x4ebdcd (/home/shyam/FUZZ/gif2apng+0x4ebdcd)
  #1 0x4ee926 (/home/shyam/FUZZ/gif2apng+0x4ee926)
  #2 0x7f4e5642282f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #3 0x4199a8 (/home/shyam/FUZZ/gif2apng+0x4199a8)
  
  Address 0x7fffb183bcf1 is located in stack of thread T0 at offset 16977 in frame
  #0 0x4eb23f (/home/shyam/FUZZ/gif2apng+0x4eb23f)
  
  This frame has 6 object(s):
  [32, 36) 'size'
  [48, 8242) 'prefix'
  [8512, 12609) 'suffix'
  [12880, 16977) 'str' <== Memory access at offset 16977 overflows
  this variable
  [17248, 18272) 'data'
  [18400, 18401) 'mincodesize'
  HINT: this may be a false positive if your program uses some custom
  stack unwind mechanism or swapcontext
  (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow
  (/home/shyam/FUZZ/gif2apng+0x4ebdcd)
  Shadow bytes around the buggy address:
  0x1000762ff740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000762ff750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000762ff760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000762ff770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000762ff780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x1000762ff790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]f2
  0x1000762ff7a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x1000762ff7b0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x1000762ff7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000762ff7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000762ff7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
  ==3674==ABORTING
  
  
  Version of software in use:
  
  ./gif2apng
  
  gif2apng 1.9
  
  #This issue is identified by Hamm3r.py, a general purpose fuzzer!
  https://github.com/0xshyam/hamm3r.py
  
  
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44519.zip