Monday, 18 March 2019

unmass Buffer Overflow

unmass is a package in Linux (e.g., Ubuntu) to "extract game archive files".

        void FillListSorted( e_sort sorttype );

        CWndSize        SizeCtrls;

        char    ProgramPath[ 512 ], TempDir[ 512 ]; // no end slashes

        int             NoExtInCombo;

        int             ArchiveOpened;

};

Ok.. so ProgramPath and TempDir are both 512 bytes.
BOOL CUnmasswDlg::OnInitDialog()
{
        CDialog::OnInitDialog();

        icon = LoadIcon( AfxGetInstanceHandle(), MAKEINTRESOURCE( IDR_MAINFRAME ) );
        SetIcon( icon, true );          // Set big icon
        SetIcon( icon, false );         // Set small icon


        ArchiveOpened = 0;

        int             i;

        GetModuleFileName( NULL, ProgramPath, 512 );
        i = strlen( ProgramPath ) - 1;
        while (( ProgramPath[ i ] != '\\' ) && ( ProgramPath[ i ] != '/' ))
                i--;
        ProgramPath[ i ] = 0;

        strcpy( TempDir, ProgramPath );
        strcat( TempDir, "\\TEMP" );

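strcat appends "\\TEMP" to the copy of ProgramPath without checking that the result still fits in 512 bytes, so TempDir can have more than 512 bytes written to it. A simple buffer overflow.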
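
A bounded way to build the same string, as an added example in portable C (not code from unmass). build_temp_dir, make_sample_path and the "app.exe" file name are hypothetical, and the sample paths are constructed. It rejects the input when the directory plus "\TEMP" and the terminator would not fit in the 512-byte buffer.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 512 /* size of ProgramPath and TempDir on the page */

/* Hypothetical helper (not from unmass): writes "<dir>\TEMP" into out.
 * Returns 0 on success; -1 if module_path has no separator or the
 * result does not fit, in which case out is an empty string. */
int build_temp_dir(const char *module_path, char *out, size_t outsz)
{
    static const char suffix[] = "\\TEMP";
    const char *sep = strrchr(module_path, '\\');
    const char *fs = strrchr(module_path, '/');
    size_t dirlen;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    if (fs && (!sep || fs > sep))
        sep = fs;               /* last separator of either kind */
    if (!sep)
        return -1;              /* the page's while loop has no lower bound on i */
    dirlen = (size_t)(sep - module_path);
    if (dirlen + sizeof suffix > outsz)   /* sizeof counts the NUL */
        return -1;              /* the page's strcat would overflow here */
    memcpy(out, module_path, dirlen);
    memcpy(out + dirlen, suffix, sizeof suffix);
    return 0;
}

/* Constructed sample input: dirlen 'a' characters followed by "\app.exe". */
void make_sample_path(char *buf, size_t dirlen)
{
    memset(buf, 'a', dirlen);
    strcpy(buf + dirlen, "\\app.exe");
}

int main(void)
{
    char in[600], out[PATH_BUF];
    size_t n;

    for (n = 505; n <= 508; n++) {
        make_sample_path(in, n);
        printf("dir length %zu -> %s\n", n,
               build_temp_dir(in, out, sizeof out) == 0 ? "fits" : "rejected");
    }
    return 0;
}
```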
