# Exploit Title: gif2apng 1.9 '.gif' Stack-Buffer Overflow
# Date: 20 April 2018
# Exploit Author: Hamm3r.py
# Vendor Homepage: http://gif2apng.sourceforge.net/
# Version: 1.9
# Tested on: Ubuntu 16.04
# CVE :
gif2apng is vulnerable to a stack based buffer overflow when a malformed
gif is supplied. Following is the stack trace:
$ ./gif2apng fuzz.gif
gif2apng 1.9 using 7ZIP with 15 iterations
Reading 'fuzz.gif'...
=================================================================
==3674==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffb183bcf1 at pc 0x0000004ebdce bp 0x7fffb1837a90 sp
0x7fffb1837a88
WRITE of size 1 at 0x7fffb183bcf1 thread T0
#0 0x4ebdcd (/home/shyam/FUZZ/gif2apng+0x4ebdcd)
#1 0x4ee926 (/home/shyam/FUZZ/gif2apng+0x4ee926)
#2 0x7f4e5642282f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#3 0x4199a8 (/home/shyam/FUZZ/gif2apng+0x4199a8)
Address 0x7fffb183bcf1 is located in stack of thread T0 at offset 16977 in frame
#0 0x4eb23f (/home/shyam/FUZZ/gif2apng+0x4eb23f)
This frame has 6 object(s):
[32, 36) 'size'
[48, 8242) 'prefix'
[8512, 12609) 'suffix'
[12880, 16977) 'str' <== Memory access at offset 16977 overflows
this variable
[17248, 18272) 'data'
[18400, 18401) 'mincodesize'
HINT: this may be a false positive if your program uses some custom
stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/home/shyam/FUZZ/gif2apng+0x4ebdcd)
Shadow bytes around the buggy address:
0x1000762ff740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000762ff790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]f2
0x1000762ff7a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x1000762ff7b0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x1000762ff7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3674==ABORTING
Version of software in use:
./gif2apng
gif2apng 1.9
#This issue is identified by Hamm3r.py, a general purpose fuzzer!
https://github.com/0xshyam/hamm3r.py
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44519.zip