Segfault when --regen-lost-salts=1 #1154

Closed
loverszhaokai opened this issue Mar 26, 2015 · 0 comments
This bug was found by fuzzing the options of John.
#1. Prepare

1.1 Content of 7z_fmt

```
$7z$0$19$0$1122$8$d1f50227759415890000000000000000$1412385885$112$112$5e5b8b734adf52a64c541a5a5369023d7cccb78bd910c0092535dfb013a5df84ac692c5311d2e7bbdc580f5b867f7b5dd43830f7b4f37e41c7277e228fb92a6dd854a31646ad117654182253706dae0c069d3f4ce46121d52b6f20741a0bb39fc61113ce14d22f9184adafd6b5333fb1
```

1.2 Compile

```
$ ./configure && make -sj8
```
#2. Reproduce
#2.1 Run

```
$ ./john 7z_fmt --regen-lost-salts=1
Loaded 1 password hash (7z, 7-Zip [SHA256 AES 32/64])
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
Segmentation fault (core dumped)
```
#2.2 GDB debug
```
#0  crk_guess_fixup_salt (source=0x2a44b98 "$7z$0$19$0$1122$8$d1f5022775941589", '0' <repeats 16 times>, "$1412385885$112$112$5e5b8b734adf52a64c541a5a5369023d7cccb78bd910c0092535dfb013a5df84ac692c5311d2e7bbdc580f5b867f7b5dd43830f7b4f37e41c7277e228fb92a6dd8"..., salt=0x13 <error: Cannot access memory at address 0x13>) at fake_salts.c:134
#1  0x00000000005e2175 in crk_process_guess (salt=salt@entry=0x2a44b10, pw=pw@entry=0x2a44b60, index=index@entry=2) at cracker.c:338
#2  0x00000000005e2c1a in crk_password_loop (salt=salt@entry=0x2a44b10) at cracker.c:729
#3  0x00000000005e344a in crk_salt_loop () at cracker.c:767
#4  0x000000000060b0f5 in do_wordlist_crack (db=db@entry=0x104a1c0 , name=, rules=, rules@entry=1) at wordlist.c:1233
#5  0x00000000005d9fe9 in do_wordlist_pass (db=0x104a1c0 ) at batch.c:38
#6  do_batch_crack (db=0x104a1c0 ) at batch.c:58
#7  0x00000000005ecd5f in john_run () at john.c:1415
#8  0x00000000005ed528 in main (argc=3, argv=0x7ffef94f0578) at john.c:1687
```
#3. Debug

`printf("%p\n", salt);` prints `0x13`

fake_salts.c:

```c
void crk_guess_fixup_salt(char *source, char *salt)
```

cracker.c:

```c
static int crk_process_guess(struct db_salt *salt, struct db_password *pw, int index)
{
    ...
    if (options.regen_lost_salts)
        crk_guess_fixup_salt(pw->source, *(char**)(salt->salt));
    ...
}
```
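The value `0x13` in the backtrace is 19 decimal, which is also the `$19$` field of the 7z hash. The following is an added illustration (not John the Ripper's code and not the project's fix) of how that happens: `*(char**)(salt->salt)` reinterprets the first pointer-sized bytes of an opaque per-format salt blob as a `char *`, which only makes sense for formats whose salt really begins with such a pointer. The `sevenzip_salt` layout below is an assumption modelled on the `$19$0$` fields, not the real `7z_fmt` struct; `fmt_info`, `FMT_SALT_PTR_FIRST`, `raw_salt_ptr` and `guarded_fixup` are hypothetical names; the reproduced `0x13` assumes a little-endian host.

```c
/*
 * Added example, not JtR code. Shows why a non-pointer salt read as a
 * char** yields 0x13 for the sample 7z hash, and a guard that refuses the
 * fixup unless the format declares a pointer-first salt layout.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed 7z-style salt (constructed to match "$19$0$"; not the real struct). */
struct sevenzip_salt {
    int32_t num_cycles_power;   /* 19 in the sample hash */
    int32_t num_salt;           /* 0 */
    unsigned char iv[16];
};

/* A format whose salt blob genuinely starts with a pointer to the salt string. */
struct ptr_salt {
    char *salt_str;
};

#define FMT_SALT_PTR_FIRST 0x1  /* hypothetical format flag */

struct fmt_info {
    const char *name;
    unsigned flags;
    size_t salt_size;
};

/* What the crashing call does: treat the first pointer-sized bytes of an
 * opaque salt blob as a char*. memcpy avoids the misaligned-access UB of
 * the literal cast but returns the same bits. */
static uintptr_t raw_salt_ptr(const void *salt_blob)
{
    char *p;
    memcpy(&p, salt_blob, sizeof p);
    return (uintptr_t)p;
}

/* Guarded variant: copy the pointer out only when the format says its salt
 * begins with one and is large enough; otherwise report failure and touch
 * nothing. Returns 1 on success, 0 when the fixup is not applicable. */
static int guarded_fixup(const struct fmt_info *fmt, const void *salt_blob, char **out)
{
    if (!(fmt->flags & FMT_SALT_PTR_FIRST) || fmt->salt_size < sizeof(char *))
        return 0;
    memcpy(out, salt_blob, sizeof *out);
    return 1;
}

/* Reproduces the bogus 0x13 pointer from the report (little-endian host). */
static uintptr_t bogus_pointer_for_7z(void)
{
    struct sevenzip_salt s;
    memset(&s, 0, sizeof s);
    s.num_cycles_power = 19;
    s.num_salt = 0;
    return raw_salt_ptr(&s);
}

/* The guard rejects the 7z-style salt instead of dereferencing 0x13. */
static int fixup_allowed_for_7z(void)
{
    struct fmt_info sevenzip = { "7z", 0, sizeof(struct sevenzip_salt) };
    struct sevenzip_salt s = { 19, 0, {0} };
    char *p = NULL;
    return guarded_fixup(&sevenzip, &s, &p);
}

/* The guard accepts a pointer-first salt and hands back the real string. */
static int fixup_allowed_for_ptr_format(char **out)
{
    static char saltstr[] = "constructed-salt";   /* constructed sample */
    struct fmt_info ptrfmt = { "ptr-salt", FMT_SALT_PTR_FIRST, sizeof(struct ptr_salt) };
    struct ptr_salt s = { saltstr };
    return guarded_fixup(&ptrfmt, &s, out);
}

int main(void)
{
    char *p = NULL;
    printf("7z salt read as char**: %#lx\n", (unsigned long)bogus_pointer_for_7z());
    printf("guarded fixup on 7z salt: %d\n", fixup_allowed_for_7z());
    printf("guarded fixup on pointer-first salt: %d (%s)\n",
           fixup_allowed_for_ptr_format(&p), p ? p : "(null)");
    return 0;
}
```

The point of the guard is that `salt->salt` is opaque to the cracker core: its layout belongs to the format, so the core may only reinterpret it after the format has opted in. Any feature that does so unconditionally will read whatever the first bytes happen to be, here the iteration count 19, and pass it on as an address.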