Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2017-13089 PoC — GNU Wget: stack overflow in HTTP protocol handling

Source
https://github.com/r1b/CVE-2017-13089
Associated Vulnerability
Title:GNU Wget: stack overflow in HTTP protocol handling (CVE-2017-13089)
Description:The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.
Description
PoC for wget v1.19.1
Readme
# CVE-2017-13089

wget v1.19.1 for exploit dev.

## NOTE

This is not a working exploit - under development.

## Usage

```bash
# Build the container
docker build -t cve201713089 .
# OR ...
docker pull robertcolejensen/cve201713089

# Play around in the container, `src` will be mounted at `/opt/CVE-2017-13089/src`
./run.sh

# Develop an exploit, runs `gdb` with external debugging symbols loaded
./run.sh dev

# Run the included DoS PoC
./run.sh dos

# Run the included exploit PoC (wip)
./run.sh exploit
```

## Notes

For maximum **FUN** I have done the following:

* Enabled executable stack flag in wget: `execstack -s /usr/local/bin/wget`
* Disabled stack canaries in wget: `CFLAGS="-fno-stack-protector $CFLAGS"`
* Disabled ASLR on the docker host: `docker-machine ssh security-vm 'sudo sysctl -w kernel.randomize_va_space=0'`
* Generated external debug symbols for exploit dev

You should duplicate the ASLR change on your own Docker host - the other changes
are in the Dockerfile.
File Snapshot

 [4.0K]  /data/pocs/5e75753d604caff0bae408faa32d973bac8090d9
├── [ 945]  Dockerfile
├── [ 991]  README.md
├── [ 459]  run.sh
└── [4.0K]  src
    ├── [4.0K]  dev
    │   └── [  85]  exploit-dev.sh
    ├── [4.0K]  dos
    │   ├── [  84]  crash.sh
    │   └── [1.1K]  payload
    ├── [4.0K]  exploit
    │   ├── [  84]  exploit.sh
    │   └── [1.1K]  payload
    └── [4.0K]  patches
        ├── [ 426]  01-no-stack-protector.patch
        └── [ 349]  02-build-with-debugging-symbols.patch

5 directories, 10 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →