| 测试应用 | wget |
|---|---|
| 版本号 | 1.19.1 |
| fuzz工具 | afl |
| 调试工具 | gdb |
| 交互功能实现 | preeny |
wget编译安装
首先wget下载源码,并使用afl-clang-fast进行安装
wget https://ftp.gnu.org/gnu/wget/wget-1.19.1.tar.gz tar zxvf wget-1.19.1.tar.gz cd wget-1.19.1 CXX=afl-clang-fast++ CC=afl-clang-fast ./configure --prefix=/home/mortywget AFL_USE_ASAN=1 make make install
验证
root@c7c87f16a29d:/home/mortywget/bin# ./wget --version
GNU Wget 1.19.1 built on linux-gnu.
preeny
Preeny项目重写了一些交互的函数,我们可以通过LD_PRELOAD预加载机制,对程序中的交互进行修改,例如将socket相关函数改写为从用户输入输出(stdin,stdout)进行交互,从而方便我们使用afl进行fuzz
项目下载地址
https://github.com/zardus/preeny此处省略安装过程…
验证preeny是否安装成功
预加载desock.so文件,并启动一个socket交互程序wget,若输入的字符串成功当作wget请求的返回值 ,则表明preeny安装配置成功
root@c7c87f16a29d:~# LD_PRELOAD="/root/preeny/x86_64-linux-gnu/desock.so" wget localhost:6666 -q -O result < <(echo "success"); GET / HTTP/1.1 User-Agent: Wget/1.17.1 (linux-gnu) Accept: */* Accept-Encoding: identity Host: localhost:6666 Connection: Keep-Alive root@c7c87f16a29d:~# more result success
我们看到result文件中包含了"success"字符串,说明preeny已经将我们的输入转化成了http response返回结果,说明我们preeny安装配置无误
开始fuzz
本次我们测试wget对于状态码为4xx的接收情况
首先创建我们的payload
HTTP/1.1 401 Not Authorized
Content-Type: text/plain; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
test运行fuzz
由于此时wget程序接收到response包后并未及时断开,我们的fuzz过程会非常的慢,甚至出现无法fuzz的情况,运行如下命令可看到wget接收到response包后并未及时断开
root@c7c87f16a29d:/home/mortywget/bin# nc -lp 6666 < in/a & ./wget localhost:6666 -F -O /dev/null [1] 7672 --2020-04-20 07:31:52-- http://localhost:6666/ Resolving localhost... 127.0.0.1, ::1 Connecting to localhost|127.0.0.1|:6666... connected. HTTP request sent, awaiting response... GET / HTTP/1.1 User-Agent: Wget/1.19.1 (linux-gnu) Accept: */* Accept-Encoding: identity Host: localhost:6666 Connection: Keep-Alive 401 Not Authorized
对于这种情况,我们可以使用如下命令架起nc,让其返回特定的response包
nc -lp 6666 < out/hangs/id\:000000\,src\:000000\,op\:flip1\,pos\:4然后通过gdb调试找到程序卡住的位置
gdb-peda$ bt
#0 0x00007ffff65d25b3 in __select_nocancel () at ../sysdeps/unix/syscall-template.S:84
#1 0x00000000004c2450 in select_fd (fd=<optimized out>, maxtime=<optimized out>, wait_for=<optimized out>) at connect.c:714
#2 0x00000000004c34b2 in sock_poll (fd=0x4, timeout=<optimized out>, wait_for=0x1) at connect.c:801
#3 poll_internal (fd=<optimized out>, info=0x0, wf=0x1, timeout=<optimized out>) at connect.c:914
#4 fd_read (fd=0x4, buf=0x7fffffffcd00 "gfedcbazzzzffffgggghhhhiiiiddddeeeeffffccccccccbbbbbbb", 'a' <repeats 29 times>, "bbb", 'a' <repeats 58 times>, 'A' <repeats 56 times>...,
bufsize=0xff, timeout=<optimized out>) at connect.c:933
#5 0x000000000052723c in skip_short_body (fd=<optimized out>, contlen=<optimized out>, chunked=<optimized out>) at http.c:989
#6 0x0000000000519a95 in gethttp (u=<optimized out>, original_url=<optimized out>, hs=<optimized out>, dt=<optimized out>, proxy=<optimized out>, iri=<optimized out>,
count=<optimized out>) at http.c:3524
#7 0x0000000000512aa7 in http_loop (u=<optimized out>, original_url=<optimized out>, newloc=0x7fffffffe310, local_file=<optimized out>, referer=<optimized out>, dt=<optimized out>,
proxy=<optimized out>, iri=<optimized out>) at http.c:4193
#8 0x00000000005556aa in retrieve_url (orig_parsed=<optimized out>, origurl=0x60300000e080 "http://localhost:6666", file=<optimized out>, newloc=<optimized out>, refurl=<optimized out>,
dt=<optimized out>, recursive=<optimized out>, iri=<optimized out>, register_status=<optimized out>) at retr.c:817
#9 0x000000000053c77b in main (argc=<optimized out>, argv=0x7fffffffe3f0, argv@entry=0x7fffffffe738) at main.c:2081
#10 0x00007ffff64f5830 in __libc_start_main (main=0x538f70 <main>, argc=0x2, argv=0x7fffffffe738, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffe728) at ../csu/libc-start.c:291
#11 0x00000000004bf659 in _start ()在确定卡住位置之后,修改其源码,使其强制断开连接,退出程序
在http.c的如下位置中分别添加exit(0):
tms = datetime_str (time (NULL)); /* Get the new location (with or without the redirection). */ if (hstat.newloc) *newloc = xstrdup (hstat.newloc); switch (err) { case HERR: case HEOF: case CONSOCKERR: case CONERROR: case READERR: case WRITEFAILED: case RANGEERR: case FOPEN_EXCL_ERR: case GATEWAYTIMEOUT: /* Non-fatal errors continue executing the loop, which will bring them to "while" statement at the end, to judge whether the number of tries was exceeded. */ exit(0); //手动添加 printwhat (count, opt.ntry); continue; case FWRITEERR: case FOPENERR: /* Another fatal error. */ logputs (LOG_VERBOSE, "\n"); logprintf (LOG_NOTQUIET, _("Cannot write to %s (%s).\n"), quote (hstat.local_file), strerror (errno)); case HOSTERR: case CONIMPOSSIBLE: case PROXERR: case SSLINITFAILED: case CONTNOTSUPPORTED: case VERIFCERTERR: case FILEBADFILE: case UNKNOWNATTR:
if (statcode == HTTP_STATUS_UNAUTHORIZED) { /* Authorization is required. */ uerr_t auth_err = RETROK; bool retry; /* Normally we are not interested in the response body. But if we are writing a WARC file we are: we like to keep everyting. */ if (warc_enabled) { int _err; type = resp_header_strdup (resp, "Content-Type"); _err = read_response_body (hs, sock, NULL, contlen, 0, chunked_transfer_encoding, u->url, warc_timestamp_str, warc_request_uuid, warc_ip, type, statcode, head); xfree (type); if (_err != RETRFINISHED || hs->res < 0) { CLOSE_INVALIDATE (sock); retval = _err; goto cleanup; } else CLOSE_FINISH (sock); } else { /* Since WARC is disabled, we are not interested in the response body. */ if (keep_alive && !head_only && skip_short_body (sock, contlen, chunked_transfer_encoding)) exit(0); //手动添加 else exit(0); //手动添加 } pconn.authorized = false;
while (contlen > 0 || chunked) { int ret; if (chunked) { if (remaining_chunk_size == 0) { char *line = fd_read_line (fd); char *endl; if (line == NULL) break; remaining_chunk_size = strtol (line, &endl, 16); xfree (line); if (remaining_chunk_size == 0) { line = fd_read_line (fd); xfree (line); break; } } contlen = MIN (remaining_chunk_size, SKIP_SIZE); } DEBUGP (("Skipping %s bytes of body: [", number_to_static_string (contlen))); ret = fd_read (fd, dlbuf, MIN (contlen, SKIP_SIZE), -1); exit(0);//手动添加 if (ret <= 0)
重新编译后再次测试payload,程序已经可以即时退出
root@c7c87f16a29d:/home/mortywget/bin# nc -lp 6666 < a & ./wget777 localhost:6666 -F -O /dev/null [1] 22021 --2020-04-20 09:06:53-- http://localhost:6666/ Resolving localhost... 127.0.0.1, ::1 Connecting to localhost|127.0.0.1|:6666... connected. HTTP request sent, awaiting response... 401 Not Authorized
此时再次fuzz,发现hang数量明显减少,速度有所增加
运行后不久便fuzz出了一个crash
查看crash内容
root@c7c87f16a29d:/home/mortywget/bin# xxd out_777/3/crashes/id\:000000\,sig\:06\,src\:000024+000208\,op\:splice\,rep\:16 00000000: 4854 5450 2f31 2e31 2034 3031 204e 6f74 HTTP/1.1 401 Not 00000010: 2041 7574 7a65 646e 5563 696f 6e3a 5446 AutzednUcion:TF 00000020: 2d38 0a54 7261 6e73 6665 722d 456e 636f -8.Transfer-Enco 00000030: 6469 6e67 3a20 6368 756e 6b65 640a 436f ding: chunked.Co 00000040: 6e6e 6563 7469 6f6e 3a20 6b65 0a0a 2d30 nnection: ke..-0 00000050: 7846 4646 4646 4430 3050 2f31 2e31 2034 xFFFFFD00P/1.1 4 00000060: 3031 204e 312e 3120 3430 3120 4e6f 7420 01 N1.1 401 Not 00000070: 4175 747a 6564 6e55 6369 6f6e 3a54 462d AutzednUcion:TF- 00000080: 380a 5472 616e 7366 6572 2d45 6e63 6f64 8.Transfer-Encod 00000090: 696e 673a 2063 6875 6e6b 5764 0a43 6f6e ing: chunkWd.Con 000000a0: 6e65 6374 696f 6e3a 206b 650a 0a2d 3078 nection: ke..-0x 000000b0: 4646 4646 4644 3030 502f 312e 3120 3430 FFFFFD00P/1.1 40 000000c0: 3120 4e6f 7420 416f 6f6f 6f6f 6f6f 6f6f 1 Not Aooooooooo 000000d0: 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f oooooooooooooooo 000000e0: 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f oooooooooooooooo 000000f0: 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f oooooooooooooooo 00000100: 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f oooooooooooooooo 00000110: 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f oooooooooooooooo 00000120: 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f oooooooooooooooo 00000130: 6f6f 6f6f 6f6f 6f6f 6f6f 7574 7a65 646e ooooooooooutzedn 00000140: 5563 696f 6e3a 5446 2d38 0a54 7261 6e73 Ucion:TF-8.Trans 00000150: 6665 722d 456e 636f 6469 6e67 3a20 6368 fer-Encoding: ch 00000160: 756e 6565 640a 436f 6e6e 6563 7469 6f6e uneed.Connection 00000170: 3a20 6b65 0a0a 4030 7846 4646 2034 3031 : ke..@0xFFF 401 00000180: 204e 312e 3120 3430 3120 4e6f 7420 4175 N1.1 401 Not Au 00000190: 0000 0064 6e55 6369 6f6e 3a54 462d 380a ...dnUcion:TF-8. 000001a0: 5472 616e 7366 6572 2d45 6e63 6f64 696e Transfer-Encodin 000001b0: 673a 2063 6875 6e6b 5764 0a43 6f6e 6e65 g: chunkWd.Conne 000001c0: 6374 696f 6e3a 206b 650a 0a2d 3078 4646 ction: ke..-0xFF 000001d0: 4646 4644 3030 502f 312e 3120 3430 3120 FFFD00P/1.1 401 000001e0: 4e6f 7420 416f 6f6f 6f6f 6f6f 6f6f 6f6f Not Aooooooooooo 000001f0: 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f oooooooooooooooo 00000200: 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f oooooooooooooooo 00000210: 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f oooooooooooooooo 00000220: 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f oooooooooooooooo 00000230: 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f oooooooooooooooo 00000240: 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f 6f6f oooooooooooooooo 00000250: 6f6f 6f6f 6f6f 6f6f 7574 7a65 646e 5563 ooooooooutzednUc 00000260: 696f 6e3a 5446 2d38 0a54 7261 6e73 6665 ion:TF-8.Transfe 00000270: 722d 456e 636f 6469 6e67 3a20 6368 756e r-Encoding: chun 00000280: 6565 640a 436f 6e6e 6563 7469 6f6e 3a20 eed.Connection: 00000290: 6b65 0a0a 4030 7846 4646 4646 4430 666f ke..@0xFFFFFD0fo 000002a0: 7420 4175 747a 7464 6e55 6369 1f1f 1f1f t AutztdnUci.... 000002b0: 1f1f 1f1f 1f1f 1f1f 1f1f 1f1f 1f1f 1f1f ................ 000002c0: 1f1f 1f1f 1f1f 1f1f 1f1f 1f1f 1f1f 1f1f ................ 000002d0: 1f1f 6e65 6374 696f 6e3a 206b 650a 0a2d ..nection: ke..- 000002e0: 3046 4644 3066 6f74 2041 7574 7a74 646e 0FFD0fot Autztdn 000002f0: 5563 696f 6e3a 5446 2d38 0a54 7255 6e73 Ucion:TF-8.TrUns 00000300: 6665 012d 456e 636f 6469 6e67 3a20 6368 fe.-Encoding: ch 00000310: 756e 6b65 640a 436f 6e6e 6563 7469 6f6e unked.Connection 00000320: 3a20 6b65 0a0a 2d30 784b 4646 4646 4430 : ke..-0xKFFFFD0 00000330: 300e 62 0.b
使用gdb进行漏洞验证
gdb-peda$ r localhost:6666 Starting program: /home/mortywget/bin/wget localhost:6666 [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". --2020-04-20 09:17:49-- http://localhost:6666/ Resolving localhost... 127.0.0.1, ::1 Connecting to localhost|127.0.0.1|:6666... connected. HTTP request sent, awaiting response... 401 Not AutzednUcion:TF-8 ================================================================= ==30736==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffcf01 at pc 0x000000445f10 bp 0x7fffffffcc50 sp 0x7fffffffc410 WRITE of size 689 at 0x7fffffffcf01 thread T0 [New process 31313] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". process 31313 is executing new program: /usr/local/bin/llvm-symbolizer [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". #0 0x445f0f in read /root/llvmmorty/llvm-3.5.0.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:345:16 #1 0x4c361a in sock_read /home/wget-1.19.1/src/connect.c:783:11 #2 0x4c361a in fd_read /home/wget-1.19.1/src/connect.c:938 #3 0x52723b in skip_short_body /home/wget-1.19.1/src/http.c:989:13 #4 0x519a94 in gethttp /home/wget-1.19.1/src/http.c:3524:18 #5 0x512aa6 in http_loop /home/wget-1.19.1/src/http.c:4193:13 #6 0x5556a9 in retrieve_url /home/wget-1.19.1/src/retr.c:817:16 #7 0x53c77a in main /home/wget-1.19.1/src/main.c:2081:15 #8 0x7ffff64f582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #9 0x4bf658 in _start (/home/mortywget/bin/wget+0x4bf658) Address 0x7fffffffcf01 is located in stack of thread T0 at offset 545 in frame #0 0x526f4f in skip_short_body /home/wget-1.19.1/src/http.c:947 This frame has 2 object(s): [32, 545) 'dlbuf' [688, 696) 'endl' <== Memory access at offset 545 partially underflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /root/llvmmorty/llvm-3.5.0.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:345 read Shadow bytes around the buggy address: 0x10007fff7990: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 0x10007fff79a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff79b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff79c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff79d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10007fff79e0:[01]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 0x10007fff79f0: f2 f2 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 0x10007fff7a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff7a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff7a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff7a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc ASan internal: fe ==30736==ABORTING [Inferior 2 (process 31313) exited normally]
程序在http.c:skip_short_body()发生了溢出,在网上对该漏洞进行查找,找到该漏洞正是CVE-2017-13089
https://www.cvedetails.com/cve/CVE-2017-13089/
至此完整的fuzz过程全部结束,对于该漏洞shellcode的编写,请看https://snappyjack.github.io/articles/2019-12/CVE-2017-13089
文章来源: http://xz.aliyun.com/t/7643
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh