Related vulnerability
Title: GNU Wget buffer error vulnerability (CVE-2017-13089)
Description: GNU Wget is free software developed by the GNU project for downloading over the network; it supports HTTP, HTTPS and FTP, the three most common TCP/IP protocols. Versions of GNU Wget before 1.19.2 contain a stack-based buffer overflow. A remote attacker can exploit it to execute arbitrary code in the context of the affected application or to cause a denial of service.
Description
PoC for wget v1.19.1
Introduction
# CVE-2017-13089
wget v1.19.1 for exploit dev.
## NOTE
This is not a working exploit - under development.
## Usage
```bash
# Build the container
docker build -t cve201713089 .
# OR ...
docker pull robertcolejensen/cve201713089
# Play around in the container, `src` will be mounted at `/opt/CVE-2017-13089/src`
./run.sh
# Develop an exploit, runs `gdb` with external debugging symbols loaded
./run.sh dev
# Run the included DoS PoC
./run.sh dos
# Run the included exploit PoC (wip)
./run.sh exploit
```
## Notes
For maximum **FUN** I have made the following changes to the build and host:
* Enabled executable stack flag in wget: `execstack -s /usr/local/bin/wget`
* Disabled stack canaries in wget: `CFLAGS="-fno-stack-protector $CFLAGS"`
* Disabled ASLR on the docker host: `docker-machine ssh security-vm 'sudo sysctl -w kernel.randomize_va_space=0'`
* Generated external debug symbols for exploit dev
You should duplicate the ASLR change on your own Docker host; the other changes
are applied in the Dockerfile.
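The Notes above list hardening that the author deliberately turns off (executable stack via `execstack -s`, no stack protector, ASLR off on the host). The following added check, which is not part of this repository, reads the ELF program headers of a binary and reports whether its `PT_GNU_STACK` entry requests an executable stack, and reads `kernel.randomize_va_space` to confirm ASLR is on; the sample ELF image it builds is constructed inline purely for the test and is not a real wget binary.

```python
import struct

# ELF constants (System V ABI and the Linux PT_GNU_STACK extension)
PT_GNU_STACK = 0x6474E551
PF_X = 0x1

def parse_elf64_phdrs(data):
    """Return (p_type, p_flags) for every program header of an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # e_ident[EI_CLASS] == ELFCLASS64
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"  # e_ident[EI_DATA]: 1 = little-endian
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)      # Elf64_Ehdr.e_phoff
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        # Elf64_Phdr begins with p_type (4 bytes) followed by p_flags (4 bytes)
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return phdrs

def stack_is_executable(data):
    """True if the loader would map the stack executable (what `execstack -s` forces)."""
    for p_type, p_flags in parse_elf64_phdrs(data):
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return True  # no PT_GNU_STACK header at all: treat as executable (historic default)

def aslr_enabled(sysctl_path="/proc/sys/kernel/randomize_va_space"):
    """True unless randomize_va_space is 0, the value the README sets on the Docker host."""
    with open(sysctl_path) as f:
        return int(f.read().strip()) != 0

def build_minimal_elf64(stack_flags):
    """Constructed sample: ELF64 header plus PT_LOAD and PT_GNU_STACK headers, no code."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    # e_type=ET_EXEC, e_machine=x86-64, e_phoff=64, e_phentsize=56, e_phnum=2
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)  # PT_LOAD R+X
    gnu_stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + load + gnu_stack

if __name__ == "__main__":
    for label, flags in (("RW  stack", 0x6), ("RWX stack", 0x7)):
        print(label, "-> executable:", stack_is_executable(build_minimal_elf64(flags)))
```

On a real system, pass the file contents of the binary (for example `open("/usr/local/bin/wget", "rb").read()`) to `stack_is_executable`; a hardened build should return `False` and `aslr_enabled()` should return `True`.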
File snapshot
```text
[4.0K] /data/pocs/5e75753d604caff0bae408faa32d973bac8090d9
├── [ 945] Dockerfile
├── [ 991] README.md
├── [ 459] run.sh
└── [4.0K] src
    ├── [4.0K] dev
    │   └── [  85] exploit-dev.sh
    ├── [4.0K] dos
    │   ├── [  84] crash.sh
    │   └── [1.1K] payload
    ├── [4.0K] exploit
    │   ├── [  84] exploit.sh
    │   └── [1.1K] payload
    └── [4.0K] patches
        ├── [ 426] 01-no-stack-protector.patch
        └── [ 349] 02-build-with-debugging-symbols.patch

5 directories, 10 files
```
Notes
1. We recommend accessing the PoC through its original source first.
2. If the source is gone or unreachable, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC. Thank you for your support.