tiffsplit (libtiff 3.8.2) - Local Stack Buffer Overflow

Author: nitr0us
type: local
platform: linux
port: 
date_added: 2006-05-25  
date_updated: 2016-07-29  
verified: 1  
codes: OSVDB-26030;CVE-2006-2656  
tags:   
aliases: 05262006-tiffspl33t.tar.gz  
screenshot_url:   
application_url: http://www.exploit-db.comtiff-3.8.2.tar.gz  

raw file: 1831.txt  

# tiffsplit (libtiff <= 3.8.2) local stack buffer overflow PoC

tiffsplit from libtiff (http://www.remotesensing.org/libtiff/)
is vulnerable to a bss-based and stack-based overflow, but, I just
wrote the concept c0de for stack-based b0f 'cause I don't know how
to take advantage of the overwritten bss data (after the overflow,
that data is overwritten again correctly by a program' function).

.bss section is in higher addresses than .dtors section, so, we
can't hijack .dtors to....

PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/1831.tar.gz (05262006-tiffspl33t.tar.gz)

nitr0us <nitrousenador[at]gmail[dot]com>

# milw0rm.com [2006-05-26]