Giter Club home page Giter Club logo

cve-2015-7548's Introduction

PoC attack server for CVE-2015-7547 vulnerability in glibc DNS resolver

To test on local machine with a vulnerable glibc version:

user@localhost:/# echo 'nameserver 127.0.0.127' | sudo tee /etc/resolv.conf
user@localhost:/# echo 'nameserver 127.0.0.127' | sudo tee -a /etc/resolv.conf
user@localhost:/# sudo python3 attack-server.py 127.0.0.127
Starting UDP server on 127.0.0.127:53...
Starting TCP server on 127.0.0.127:53...

Then, from another terminal session, execute the attacks as shown in the examples below.

Attack 1 (UDP+TCP)

Needs ability to send replies > 2048 bytes over UDP and TCP.

Attack Sequence:

  1. UDP reply, > 2048 bytes, valid header/question, TC flag set (triggers buffer mismanagement and TCP retry)

  2. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

  3. TCP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

user@localhost:/# curl http://attack1
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)

Attack 2 (UDP only)

Needs ability to send replies > 2048 bytes over UDP.

Attack Sequence:

  1. UDP reply, > 2048 bytes, invalid header (triggers buffer mismanagement, not counted as a valid response)

  2. Ignore next request (triggers UDP retry due to polling timeout)

  3. UDP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

  4. UDP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

user@localhost:/# curl http://attack2
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)

Attack 3 (UDP+TCP)

Needs ability to send replies > 1024 bytes over UDP and > 2048 bytes over TCP.

Attack Sequence:

  1. UDP reply, 1024 bytes, valid header/question (fills up half of the stack-allocated buffer)

  2. UDP reply, > 1024 bytes, valid header/question, TC flag set (triggers buffer mismanagement and TCP retry)

  3. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

  4. TCP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

user@localhost:/# curl http://attack3
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)

Attack 4 (UDP only)

Needs ability to send replies > 2048 bytes over UDP.

Attack Sequence:

  1. UDP reply, 2048 bytes, valid header/question (fills up the stack-allocated buffer)

  2. UDP reply (triggers buffer mismanagement and UDP retry due to 0-byte socket receive)

  3. UDP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

  4. UDP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

user@localhost:/# curl http://attack4
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)

Attack 5 (TCP only)

Needs ability to send replies > 2048 bytes over TCP and at least two nameserver entries in /etc/resolv.conf.

Attack Sequence:

  1. UDP reply, valid header/question, TC flag set (optional, triggers TCP retry if initial query is over UDP)

  2. TCP reply, > 2048 bytes (triggers buffer mismanagement)

  3. TCP reply, empty (triggers TCP retry due to 0-byte socket receive)

  4. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

  5. TCP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

user@localhost:/# curl http://attack5
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)

cve-2015-7548's People

Contributors

jgajek avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.