Skip to content

jgajek/cve-2015-7547

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits
README.md
README.md
 
 
attack-server.py
attack-server.py
 
 
dnsutil.py
dnsutil.py
 
 

Repository files navigation

PoC attack server for CVE-2015-7547 vulnerability in glibc DNS resolver

To test on local machine with a vulnerable glibc version:

user@localhost:/# echo 'nameserver 127.0.0.127' | sudo tee /etc/resolv.conf
user@localhost:/# echo 'nameserver 127.0.0.127' | sudo tee -a /etc/resolv.conf
user@localhost:/# sudo python3 attack-server.py 127.0.0.127
Starting UDP server on 127.0.0.127:53...
Starting TCP server on 127.0.0.127:53...

Then, from another terminal session, execute the attacks as shown in the examples below.

Attack 1 (UDP+TCP)

Needs ability to send replies > 2048 bytes over UDP and TCP.

Attack Sequence:

  1. UDP reply, > 2048 bytes, valid header/question, TC flag set (triggers buffer mismanagement and TCP retry)

  2. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

  3. TCP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

user@localhost:/# curl http://attack1
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)

Attack 2 (UDP only)

Needs ability to send replies > 2048 bytes over UDP.

Attack Sequence:

  1. UDP reply, > 2048 bytes, invalid header (triggers buffer mismanagement, not counted as a valid response)

  2. Ignore next request (triggers UDP retry due to polling timeout)

  3. UDP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

  4. UDP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

user@localhost:/# curl http://attack2
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)

Attack 3 (UDP+TCP)

Needs ability to send replies > 1024 bytes over UDP and > 2048 bytes over TCP.

Attack Sequence:

  1. UDP reply, 1024 bytes, valid header/question (fills up half of the stack-allocated buffer)

  2. UDP reply, > 1024 bytes, valid header/question, TC flag set (triggers buffer mismanagement and TCP retry)

  3. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

  4. TCP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

user@localhost:/# curl http://attack3
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)

Attack 4 (UDP only)

Needs ability to send replies > 2048 bytes over UDP.

Attack Sequence:

  1. UDP reply, 2048 bytes, valid header/question (fills up the stack-allocated buffer)

  2. UDP reply (triggers buffer mismanagement and UDP retry due to 0-byte socket receive)

  3. UDP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

  4. UDP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

user@localhost:/# curl http://attack4
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)

Attack 5 (TCP only)

Needs ability to send replies > 2048 bytes over TCP and at least two nameserver entries in /etc/resolv.conf.

Attack Sequence:

  1. UDP reply, valid header/question, TC flag set (optional, triggers TCP retry if initial query is over UDP)

  2. TCP reply, > 2048 bytes (triggers buffer mismanagement)

  3. TCP reply, empty (triggers TCP retry due to 0-byte socket receive)

  4. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

  5. TCP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

user@localhost:/# curl http://attack5
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)

About

PoC exploit server for CVE-2015-7547

Resources

Readme
Activity

Stars

9 stars

Watchers

3 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

 
 
 

Languages