[CVE-2016-2563] confused with PoC

[yongweiy]

Hi, @tintinweb !

I am getting lost when I am trying to reproduce this bug.

What is step 5 of PoC? Everything is reproduced until step 5. Is it the output of some other utility that is not specified in README?

My understanding is that the error message should be output of pscp. Am I getting is right?

Best,
Victor

[tintinweb]

Hi @VictorYYW,

that's pscp on windows debugged with windbg. the output shown is from windbg.

cheers,
tin

[yongweiy]

Oh, I see. I am trying to reproduce it in Debian docker container. What I have is that, pscp exit with code 1 in gdb and an error message "Fatal: Server unexpectedly closed network connection", which is expected from my perspective because the server closed the connection after peer did not ask for a shell.

Is it the expected behavior? If not, do you have any suggestion? Thank you for your time! @tintinweb

[tintinweb]

@VictorYYW Verify that you're running a vulnerable version of pscp. It unexpectedly closes the connection because it crashes. attach gdb to pscp before trriggering the poc to catch the segmentation fault and continue analyzing it (there's great tutorials about that online :)

gdb --args pscp arg1 arg2 arg3

cheers

[yongweiy]

@tintinweb I just checked the source file and found the vulnerable code remained not fixed.

I have a basic knowledge of gdb. Here's what I have found.


It would be great if you give me any hint!