Associated Vulnerability
Description
PoC exploit server for CVE-2015-7547
Readme
# PoC attack server for CVE-2015-7547 vulnerability in glibc DNS resolver
To test on local machine with a vulnerable glibc version:
```
user@localhost:/# echo 'nameserver 127.0.0.127' | sudo tee /etc/resolv.conf
user@localhost:/# echo 'nameserver 127.0.0.127' | sudo tee -a /etc/resolv.conf
user@localhost:/# sudo python3 attack-server.py 127.0.0.127
Starting UDP server on 127.0.0.127:53...
Starting TCP server on 127.0.0.127:53...
```
Then, from another terminal session, execute the attacks as shown in the examples below.
## Attack 1 (UDP+TCP)
Needs ability to send replies > 2048 bytes over UDP and TCP.
Attack Sequence:
1. UDP reply, > 2048 bytes, valid header/question, TC flag set (triggers buffer mismanagement and TCP retry)
2. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)
3. TCP reply, > 2048 bytes (overflows stack-allocated buffer)
Example:
```
user@localhost:/# curl http://attack1
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```
## Attack 2 (UDP only)
Needs ability to send replies > 2048 bytes over UDP.
Attack Sequence:
1. UDP reply, > 2048 bytes, invalid header (triggers buffer mismanagement, not counted as a valid response)
2. Ignore next request (triggers UDP retry due to polling timeout)
3. UDP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)
4. UDP reply, > 2048 bytes (overflows stack-allocated buffer)
Example:
```
user@localhost:/# curl http://attack2
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```
## Attack 3 (UDP+TCP)
Needs ability to send replies > 1024 bytes over UDP and > 2048 bytes over TCP.
Attack Sequence:
1. UDP reply, 1024 bytes, valid header/question (fills up half of the stack-allocated buffer)
2. UDP reply, > 1024 bytes, valid header/question, TC flag set (triggers buffer mismanagement and TCP retry)
3. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)
4. TCP reply, > 2048 bytes (overflows stack-allocated buffer)
Example:
```
user@localhost:/# curl http://attack3
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```
## Attack 4 (UDP only)
Needs ability to send replies > 2048 bytes over UDP.
Attack Sequence:
1. UDP reply, 2048 bytes, valid header/question (fills up the stack-allocated buffer)
2. UDP reply (triggers buffer mismanagement and UDP retry due to 0-byte socket receive)
3. UDP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)
4. UDP reply, > 2048 bytes (overflows stack-allocated buffer)
Example:
```
user@localhost:/# curl http://attack4
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```
## Attack 5 (TCP only)
Needs ability to send replies > 2048 bytes over TCP and at least two nameserver entries in `/etc/resolv.conf`.
Attack Sequence:
0. UDP reply, valid header/question, TC flag set (optional, triggers TCP retry if initial query is over UDP)
1. TCP reply, > 2048 bytes (triggers buffer mismanagement)
2. TCP reply, empty (triggers TCP retry due to 0-byte socket receive)
3. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)
4. TCP reply, > 2048 bytes (overflows stack-allocated buffer)
Example:
```
user@localhost:/# curl http://attack5
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```
File Snapshot
[4.0K] /data/pocs/918b2da6345c1a30c7a8cc0dba38e3f402b44235
├── [9.9K] attack-server.py
├── [ 14K] dnsutil.py
└── [3.4K] README.md
0 directories, 3 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.