diff --git a/CVE-2002-1496/README.md b/CVE-2002-1496/README.md index 129b1b7..c16c462 100644 --- a/CVE-2002-1496/README.md +++ b/CVE-2002-1496/README.md @@ -15,7 +15,7 @@ make ``` main.h:264:5: error: conflicting types for 'getsid' ``` -Solution: modify all `getsid`, no matter declaration or definition or use to `this_getsid` in the source code so that type conflict could be avoided +Solution: modify all `getsid`, no matter declaration or definition or use to `this_getsid` in the source code so that type conflict could be avoided. In old version glibc, getside isn't implemented, symbol binding conflicts when shifting to new version glibc. ``` server.c(.text+0xfe1): undefined reference to `pthread_detach' @@ -37,11 +37,7 @@ sudo ./http/bin/httpd If you want to see the moment of crash, you may need gdb. ``` -sudo su -gdb ./httpb/httpd -(gdb) set follow-fork-mode child -(gdb) r - +sudo ./http/bin/http --nodaemon ``` ## PoCs [exploit db](https://www.exploit-db.com/exploits/21818/) diff --git a/CVE-2008-5904/README.md b/CVE-2008-5904/README.md index 3abf0fd..e6d063e 100644 --- a/CVE-2008-5904/README.md +++ b/CVE-2008-5904/README.md @@ -30,7 +30,8 @@ In function 'open', /usr/include/i386-linux-gnu/bits/fcntl2/h:50:24: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT in second argument needs 3 arguments __open_missing_mode(); ``` -Solution: modify `os_calls.c:505` to `return open(file_name, O_RDWR | O_CREAT, S_ORUSR | S_IWUSR)` +Solution: modify `os_calls.c:505` to `return open(file_name, O_RDWR | O_CREAT, S_ORUSR | S_IWUSR). This problem is specific to earlier version of xrdp. libc API changed. +``` ## How to trigger vulnerability diff --git a/CVE-2015-7805/README.md b/CVE-2015-7805/README.md index 4541ab7..bac28ee 100644 --- a/CVE-2015-7805/README.md +++ b/CVE-2015-7805/README.md 
@@ -26,18 +26,20 @@ explanation: `sndfile-play` is actually a wrapper, the real program is '.libs/lt ``` aiff.c aiff_read_header() { -608: dreword = psf_bin_header_readf(psf, "b", cptr, len); +520: case COMT_MARKER: +541: dword -= psf_binheader_readf(psf, "b", cptr, len); } common.c psf_binheader_readf() { - count = va_arg(argptr, size_t); - bytes_count = header_read(psf, charptr, count); // count could be 14000 (0x36B0) +1037: case 'b': +1039: count = va_arg(argptr, size_t); +1041: bytes_count = header_read(psf, charptr, count); // count could be 14000 (0x36B0) } header_read (SF_PRIVATE *psf, void *ptr, int bytes) { - most -> SIGNED_SIZEOF(psf->header) - psf->headindex; // psf->headindex is controlled by input - psf_fread (psf->header + psf->headend, 1, most, psf); // read 'most' bytes from file to psf->header+psf->headend +810: most = SIGNED_SIZEOF(psf->header) - psf->headindex; // psf->headindex is controlled by input +811: psf_fread (psf->header + psf->headend, 1, most, psf); // read 'most' bytes from file to psf->header+psf->headend // psf is dynamically allocated memcpy(ptr, psf->header + psf->headindex, bytes); // you can exploit here diff --git a/CVE-2017-12858/README.md b/CVE-2017-12858/README.md index bcbe5f1..4528cd3 100644 --- a/CVE-2017-12858/README.md +++ b/CVE-2017-12858/README.md @@ -19,7 +19,7 @@ make ``` ## PoCs -[agostino's blog](https://github.com/asarubbo/poc/blob/master/00239-libzip-UAF-_zip_buffer_free`:w) +[agostino's blog](https://github.com/asarubbo/poc/blob/master/00239-libzip-UAF-_zip_buffer_free) ## Vulnerability Details & Patch
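Review bot: the sentence added in the first CVE-2002-1496 hunk ("In old version glibc, getside isn't implemented, symbol binding conflicts when shifting to new version glibc.") misspells `getsid` as `getside` and gives a cause the quoted error does not support. `conflicting types for 'getsid'` means the project's own `getsid` has a prototype that clashes with the `getsid(pid_t)` that glibc already declares in `<unistd.h>`; it does not mean an older glibc lacked the symbol. Suggest replacing that sentence with: "The project defines its own `getsid`, whose prototype conflicts with the `getsid(pid_t)` declared by glibc; renaming the project's function avoids the conflict." and keeping it as a separate sentence after "avoided."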
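Review bot: in the second CVE-2002-1496 hunk the replacement command `sudo ./http/bin/http --nodaemon` names a binary (`http`) that differs from the `./http/bin/httpd` used in the context line two lines above; unless the binary really is called `http`, this should read `sudo ./http/bin/httpd --nodaemon`. The sentence "If you want to see the moment of crash, you may need gdb." is also left in place although the gdb steps are removed, so either restore the gdb block under the `--nodaemon` line (fixing its `./httpb/httpd` path to `./http/bin/httpd`) or change the sentence to say that running the server in the foreground with `--nodaemon` is enough to watch it crash.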
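Review bot: the CVE-2008-5904 hunk breaks the markdown of the README. The inline code span opened at `return open(file_name, O_RDWR | O_CREAT, S_ORUSR | S_IWUSR)` is never closed (the backtick after the closing parenthesis is missing, so "This problem is specific to earlier version of xrdp. libc API changed." renders as code), and the lone triple-backtick line added after it opens a new fence that swallows the "## How to trigger vulnerability" heading that follows. The suggested fix should also use `S_IRUSR` rather than `S_ORUSR`, which is not a macro `<sys/stat.h>` defines and will not compile. The explanation "libc API changed" misdescribes the quoted error: `__open_missing_mode` in `bits/fcntl2.h` is a compile-time fortify check that rejects `open()` called with `O_CREAT` and no mode argument; the mode argument has always been required, newer glibc headers merely enforce it at build time. Suggest: "Solution: modify `os_calls.c:505` to `return open(file_name, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR)`. Newer glibc headers reject `open()` with `O_CREAT` when the mode argument is omitted." with the backticks balanced and the stray fence line dropped.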
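Review bot: in the CVE-2015-7805 hunk the source line numbers are applied to only part of the listing: `header_read` gets 810 and 811, but the following `// psf is dynamically allocated` comment and the `memcpy(ptr, psf->header + psf->headindex, bytes); // you can exploit here` line stay unnumbered, so a reader cannot tell whether those lines are adjacent to 811 in the source. Either number every line of the excerpt or drop the numbers. The `// you can exploit here` comment would also be more useful if it stated what the listing already shows: `most` is bounded by `SIGNED_SIZEOF(psf->header) - psf->headindex`, but the `memcpy` copies the caller-supplied `bytes` (up to 14000 according to the annotation on line 1041), so once `psf->headindex + bytes` exceeds the size of `psf->header` the copy reads past the end of the header buffer.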
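Review bot: the CVE-2017-12858 hunk correctly drops the stray `` `:w `` (an editor keystroke that leaked into the URL), but the link text "agostino's blog" still describes what is a file in the `asarubbo/poc` GitHub repository, not a blog post; suggest "agostino's PoC (asarubbo/poc)" so the text matches the target.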