
CVE-2015-7547 PoC — GNU C Library Buffer Error Vulnerability

Associated Vulnerability
Title: GNU C Library Buffer Error Vulnerability (CVE-2015-7547)
Description: Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.
PoC description: PoC exploit server for CVE-2015-7547
Readme
# PoC attack server for CVE-2015-7547 vulnerability in glibc DNS resolver

To test on local machine with a vulnerable glibc version:

```
user@localhost:/# echo 'nameserver 127.0.0.127' | sudo tee /etc/resolv.conf
user@localhost:/# echo 'nameserver 127.0.0.127' | sudo tee -a /etc/resolv.conf
user@localhost:/# sudo python3 attack-server.py 127.0.0.127
Starting UDP server on 127.0.0.127:53...
Starting TCP server on 127.0.0.127:53...
```

Then, from another terminal session, execute the attacks as shown in the examples below.

## Attack 1 (UDP+TCP)

Requires the ability to send replies > 2048 bytes over UDP and TCP.

Attack Sequence:

1. UDP reply, > 2048 bytes, valid header/question, TC flag set (triggers buffer mismanagement and TCP retry)

2. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

3. TCP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

```
user@localhost:/# curl http://attack1
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```

## Attack 2 (UDP only)

Requires the ability to send replies > 2048 bytes over UDP.

Attack Sequence:

1. UDP reply, > 2048 bytes, invalid header (triggers buffer mismanagement, not counted as a valid response)

2. Ignore next request (triggers UDP retry due to polling timeout)

3. UDP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

4. UDP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

```
user@localhost:/# curl http://attack2
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```

## Attack 3 (UDP+TCP)

Requires the ability to send replies > 1024 bytes over UDP and > 2048 bytes over TCP.

Attack Sequence:

1. UDP reply, 1024 bytes, valid header/question (fills up half of the stack-allocated buffer)

2. UDP reply, > 1024 bytes, valid header/question, TC flag set (triggers buffer mismanagement and TCP retry)

3. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

4. TCP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

```
user@localhost:/# curl http://attack3
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```

## Attack 4 (UDP only)

Requires the ability to send replies > 2048 bytes over UDP.

Attack Sequence:

1. UDP reply, 2048 bytes, valid header/question (fills up the stack-allocated buffer)

2. UDP reply (triggers buffer mismanagement and UDP retry due to 0-byte socket receive)

3. UDP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

4. UDP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

```
user@localhost:/# curl http://attack4
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```

## Attack 5 (TCP only)

Requires the ability to send replies > 2048 bytes over TCP and at least two nameserver entries in `/etc/resolv.conf`.

Attack Sequence:

0. UDP reply, valid header/question, TC flag set (optional, triggers TCP retry if initial query is over UDP)

1. TCP reply, > 2048 bytes (triggers buffer mismanagement)

2. TCP reply, empty (triggers TCP retry due to 0-byte socket receive)

3. TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)

4. TCP reply, > 2048 bytes (overflows stack-allocated buffer)

Example:

```
user@localhost:/# curl http://attack5
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
```
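As a defender-side companion to the five sequences above, the following Python (an added example, not code from the PoC repository) inspects individual DNS replies for the shapes every sequence depends on: replies larger than the 2048-byte stack buffer named in the README, TC-flagged oversized UDP replies, headers that are not valid responses, and empty replies. `inspect_dns_reply`, `_reply` and the sample messages are constructed here for illustration.

```python
import struct

# Threshold taken from the README: the attacks rely on replies larger than
# glibc's 2048-byte stack buffer for the dual A/AAAA query.
STACK_BUFFER_SIZE = 2048
DNS_HEADER_LEN = 12


def inspect_dns_reply(payload: bytes, transport: str) -> list[str]:
    """Return findings for one DNS reply seen on the wire.

    transport is "udp" or "tcp"; for TCP pass the message without its
    two-byte length prefix. An empty list means nothing suspicious.
    """
    findings = []
    if len(payload) == 0:
        findings.append(f"{transport}: empty reply (0-byte receive forces a retry)")
        return findings
    if len(payload) < DNS_HEADER_LEN:
        findings.append(f"{transport}: truncated header ({len(payload)} bytes)")
        return findings
    _ident, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", payload[:DNS_HEADER_LEN])
    is_response = bool(flags & 0x8000)  # QR bit
    truncated = bool(flags & 0x0200)    # TC bit
    if not is_response:
        findings.append(f"{transport}: QR bit clear, not a valid response header")
    if len(payload) > STACK_BUFFER_SIZE:
        findings.append(f"{transport}: reply of {len(payload)} bytes exceeds "
                        f"{STACK_BUFFER_SIZE}-byte stack buffer")
    if transport == "udp" and truncated and len(payload) > 512:
        findings.append(f"{transport}: TC flag set on an oversized UDP reply")
    return findings


def _reply(flags: int, size: int, ident: int = 0x1234) -> bytes:
    """Constructed sample: a 12-byte header (one question) padded to `size` bytes."""
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    return header + b"\x00" * max(0, size - len(header))


# Constructed samples mirroring individual steps from the README.
SAMPLES = {
    "attack1_step1": ("udp", _reply(0x8200, 2100)),  # response, TC set, > 2048 bytes
    "attack2_step1": ("udp", _reply(0x0000, 2100)),  # QR clear: invalid header
    "attack5_step2": ("tcp", b""),                   # empty TCP reply
    "benign":        ("udp", _reply(0x8180, 200)),   # ordinary small answer
}


def scan_samples(samples=SAMPLES) -> dict[str, list[str]]:
    return {name: inspect_dns_reply(p, t) for name, (t, p) in samples.items()}
```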
