Bochs
cpe:2.3:a:bochs_project:bochs:*:*:*:*:*:*:*
- <= 2.6-5
A stack-based buffer overflow has been identified in Bochs versions 2.6 through 5. An attacker can trigger it by supplying an oversized input string to the application, leading to arbitrary code execution. The reported exploit uses a payload of 1200 bytes of padding followed by a return-oriented programming (ROP) chain that overwrites the saved instruction pointer, allowing shell commands to run with the privileges of the Bochs process.
Successful exploitation results in a stack-based buffer overflow and arbitrary code execution in the context of the Bochs application.
The vulnerability can be reproduced with a Python script that generates a payload of 1200 bytes of padding followed by a ROP chain. Delivering this payload to the Bochs emulator causes a segmentation fault, demonstrating the overflow. The ROP chain can be built to execute shell commands by redirecting the instruction pointer to the addresses of specific functions within the Bochs process.