
CVE-2019-17498 PoC — libssh2 input validation error vulnerability

Source
Associated Vulnerability
Title: libssh2 input validation error vulnerability (CVE-2019-17498)
Description: In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.
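The bounds check the description refers to, reconstructed as an added example in C. This is my own simplified code, not libssh2's packet.c (which walks its own packet structures); the function names, the `be32` helper and the two constructed packets are mine. The vulnerable comparison subtracts 13 from an unsigned `datalen` before proving `datalen` is at least 13, so a 9-byte SSH_MSG_DISCONNECT carrying a huge description length passes the check and the next read lands at a server-chosen offset; the hardened form checks the fixed fields first and never subtracts from a length it has not bounded:

```c
/* Added example, not libssh2's source: a simplified reconstruction of the
 * SSH_MSG_DISCONNECT length check described above, next to a hardened form.
 * Field layout follows RFC 4253 section 11.1; `data` points at the message
 * type byte and `datalen` is the payload length, as in libssh2's packet.c:
 *   byte   SSH_MSG_DISCONNECT          offset 0
 *   uint32 reason code                 offset 1
 *   string description (len + bytes)   offset 5
 *   string language tag (len + bytes)  offset 9 + description length
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern.  Returns the offset at which the language-tag length
 * would be read next, or SIZE_MAX if the packet is rejected.  For datalen
 * in 9..12, datalen - 13 wraps to a huge size_t, so any message_len passes
 * and the caller reads 4 bytes from data + 9 + message_len: an attacker-
 * chosen offset of up to 4 GiB past the buffer. */
size_t disconnect_lang_offset_vulnerable(const unsigned char *data, size_t datalen)
{
    if (datalen < 9)
        return SIZE_MAX;
    size_t message_len = be32(data + 5);
    if (message_len < datalen - 13)   /* unsigned underflow when datalen < 13 */
        return 9 + message_len;
    return SIZE_MAX;
}

/* Hardened pattern: establish that datalen covers every fixed field before
 * subtracting from it, then bound each variable-length field against the
 * bytes that actually remain. */
size_t disconnect_lang_offset_safe(const unsigned char *data, size_t datalen)
{
    if (datalen < 13)                 /* type + reason + msg_len + lang_len */
        return SIZE_MAX;
    size_t message_len = be32(data + 5);
    if (message_len > datalen - 13)   /* now datalen - 13 cannot wrap */
        return SIZE_MAX;
    size_t lang_off = 9 + message_len;            /* <= datalen - 4 */
    size_t language_len = be32(data + lang_off);
    if (language_len > datalen - lang_off - 4)    /* tag bytes must fit too */
        return SIZE_MAX;
    return lang_off;
}

/* True if reading the 4-byte length at `off` would run past `datalen`. */
int reads_out_of_bounds(size_t off, size_t datalen)
{
    if (off == SIZE_MAX)
        return 0;
    return datalen < 4 || off > datalen - 4;
}

/* Constructed inputs (not captured traffic).  The hostile packet is exactly
 * 9 bytes: type 1, reason 11 (SSH_DISCONNECT_BY_APPLICATION), and a
 * description length of 0x7FFFFFF0 with no description bytes at all. */
const unsigned char kHostileDisconnect[9] = {
    0x01, 0x00, 0x00, 0x00, 0x0b, 0x7f, 0xff, 0xff, 0xf0
};
/* A well-formed packet: description "hi", language tag "en". */
const unsigned char kBenignDisconnect[17] = {
    0x01, 0x00, 0x00, 0x00, 0x0b,
    0x00, 0x00, 0x00, 0x02, 'h', 'i',
    0x00, 0x00, 0x00, 0x02, 'e', 'n'
};

int main(void)
{
    size_t v = disconnect_lang_offset_vulnerable(kHostileDisconnect, sizeof kHostileDisconnect);
    size_t s = disconnect_lang_offset_safe(kHostileDisconnect, sizeof kHostileDisconnect);
    printf("hostile: vulnerable check reads at offset %zu (out of bounds: %d), "
           "hardened check rejects: %d\n",
           v, reads_out_of_bounds(v, sizeof kHostileDisconnect), s == SIZE_MAX);
    printf("benign: both variants parse the language tag at offset %zu\n",
           disconnect_lang_offset_safe(kBenignDisconnect, sizeof kBenignDisconnect));
    return 0;
}
```

The rule the hardened version follows is the general one for length-prefixed wire formats: compare a field length against the bytes remaining (`datalen - consumed`), and only after `consumed <= datalen` has been established, so the subtraction is always on a non-negative quantity. A durable fix is to route every read through a helper that performs that remaining-length check, rather than repeating the arithmetic at each field.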
Description
Secure coding project: research on CVE-2019-17498, plus a player score-update function written in C.
Readme
# 3007Project
A setuid program used to update a player's score. It reads the score file, searches for the given player ID and updates that player's score; if the ID is not found, a new ID and score are appended to the file. The program should not crash unexpectedly and should exit gracefully with errors handled. Check for overflows, memory leaks, race conditions and escalated privileges.

## TODO
- [x] Handle error message.
- [x] Handle setuid privileges.
- [x] Unit testing.
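One way to structure the score update the README specifies, as an added example in C. This is my own code, not the project's adjust_score.c; the file format (one `player_id score` pair per line), the 31-byte ID limit and the function names are assumptions. The pure `apply_score` carries the format and overflow checks and can be unit-tested or fuzzed on its own (the `findings*` directories in the snapshot below are AFL-style fuzzer output, which is exactly what a pure, file-free core is convenient for); `update_score_file` isolates the setuid-sensitive open, lock and privilege drop:

```c
/* Added example, not the project's adjust_score.c: one way to structure the
 * score update the README describes so the checks it asks for (overflow, leaks,
 * races, privilege) are explicit.  Assumptions are mine: one "player_id score"
 * pair per line, IDs without whitespace of at most 31 bytes, scores fitting in a long. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

enum { SCORE_OK = 0, SCORE_EOVERFLOW = -1, SCORE_EFORMAT = -2, SCORE_EIO = -3 };

/* Signed overflow is undefined behaviour in C: test against the limits first. */
int add_checked(long score, long delta, long *out)
{
    if ((delta > 0 && score > LONG_MAX - delta) || (delta < 0 && score < LONG_MIN - delta))
        return SCORE_EOVERFLOW;
    *out = score + delta;
    return SCORE_OK;
}

/* strtol alone saturates silently and accepts trailing junk; reject both. */
int parse_score(const char *s, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || (*end != '\0' && *end != '\n'))
        return SCORE_EFORMAT;
    *out = v;
    return SCORE_OK;
}

/* Rewrite file contents `in` into `out`: add delta to `id` if present, else
 * append "id delta".  Pure (no I/O, no privileges), so it can be unit-tested
 * and fuzzed on its own. */
int apply_score(const char *in, const char *id, long delta, char *out, size_t outsz)
{
    size_t used = 0, idlen = strlen(id);
    int found = 0, n, rc;
    long score = 0;
    char buf[128], *sp;
    if (idlen == 0 || idlen > 31 || strpbrk(id, " \t\r\n") != NULL)
        return SCORE_EFORMAT;
    for (const char *line = in; *line;) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) + 1 : strlen(line);
        if (len >= sizeof buf) return SCORE_EFORMAT;       /* overlong line: not a record */
        memcpy(buf, line, len);
        buf[len] = '\0';
        if ((sp = strchr(buf, ' ')) == NULL) return SCORE_EFORMAT;
        *sp = '\0';
        rc = parse_score(sp + 1, &score);
        if (rc == SCORE_OK && strcmp(buf, id) == 0) {
            rc = add_checked(score, delta, &score);
            found = 1;
        }
        if (rc != SCORE_OK) return rc;
        n = snprintf(out + used, outsz - used, "%s %ld\n", buf, score);
        if (n < 0 || (size_t)n >= outsz - used) return SCORE_EIO;  /* out too small */
        used += (size_t)n;
        line += len;
    }
    if (!found) {
        n = snprintf(out + used, outsz - used, "%s %ld\n", id, delta);
        if (n < 0 || (size_t)n >= outsz - used) return SCORE_EIO;
    }
    return SCORE_OK;
}

/* Setuid-sensitive part: open while privileged (O_NOFOLLOW so a planted symlink
 * cannot redirect the write), lock so concurrent updates serialise, then drop
 * to the real uid for good before parsing untrusted content.  setreuid(real,
 * real) also resets the saved uid because the effective uid changes. */
int update_score_file(const char *path, const char *id, long delta)
{
    char in[4096], outbuf[4096];
    ssize_t got;
    uid_t real = getuid();
    int rc = SCORE_EIO, fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0640);
    if (fd < 0) return SCORE_EIO;
    if (flock(fd, LOCK_EX) != 0 || setreuid(real, real) != 0 || geteuid() != real)
        goto out;
    got = read(fd, in, sizeof in - 1);
    if (got < 0 || got == (ssize_t)(sizeof in - 1)) goto out;  /* error, or too big for this demo */
    in[got] = '\0';
    rc = apply_score(in, id, delta, outbuf, sizeof outbuf);
    if (rc == SCORE_OK && (lseek(fd, 0, SEEK_SET) < 0 || ftruncate(fd, 0) != 0 ||
                           write(fd, outbuf, strlen(outbuf)) != (ssize_t)strlen(outbuf)))
        rc = SCORE_EIO;
out:
    close(fd);  /* releases the lock and the descriptor on every path */
    return rc;
}
```

A `main` for the setuid binary only has to validate `argv` (`parse_score` for the delta, a non-empty ID) and call `update_score_file(path, id, delta)`, mapping a non-zero result to a message on stderr and a non-zero exit status. Two design points matter for the README's checklist: the privileged window is confined to `open` and `flock`, so the parser never runs with the elevated uid, and the single `close` on the shared exit path is what prevents both the descriptor leak and a lock held past an error return.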
File Snapshot

[4.0K] /data/pocs/963af8725784254d7e40e82ca4b3d4c7ac4f2bb8
├── [ 11K] adjust_score.c
├── [ 52K] adjust_score.o
├── [4.0K] findings
│   └── [4.0K] default
│       ├── [ 15] cmdline
│       ├── [ 64K] fuzz_bitmap
│       ├── [ 136] fuzzer_setup
│       ├── [1.1K] fuzzer_stats
│       ├── [222K] plot_data
│       └── [4.0K] queue
│           ├── [ 4] id:000000,time:0,execs:0,orig:file0
│           ├── [ 12] id:000001,src:000000,time:843,execs:193,op:havoc,rep:16,+cov
│           ├── [ 12] id:000002,src:000001,time:5738,execs:1197,op:havoc,rep:16,+cov
│           ├── [ 12] id:000003,src:000002,time:31954,execs:6508,op:havoc,rep:2,+cov
│           ├── [ 16] id:000004,src:000003,time:1000847,execs:193627,op:havoc,rep:64,+cov
│           ├── [ 36] id:000005,src:000004,time:1225086,execs:238887,op:havoc,rep:4,+cov
│           ├── [ 36] id:000006,src:000005,time:1292897,execs:252651,op:havoc,rep:2,+cov
│           └── [ 24] id:000007,src:000005,time:1293046,execs:252680,op:havoc,rep:8,+cov
├── [4.0K] findings2
│   └── [4.0K] default
│       ├── [ 15] cmdline
│       ├── [ 64K] fuzz_bitmap
│       ├── [ 137] fuzzer_setup
│       ├── [1.1K] fuzzer_stats
│       ├── [104K] plot_data
│       └── [4.0K] queue
│           ├── [ 4] id:000000,time:0,execs:0,orig:file0
│           ├── [ 12] id:000001,src:000000,time:563,execs:127,op:havoc,rep:4,+cov
│           ├── [ 12] id:000002,src:000001,time:5810,execs:1224,op:havoc,rep:4,+cov
│           └── [ 36] id:000003,src:000001,time:5341282,execs:731322,op:havoc,rep:64,+cov
├── [4.0K] findings3
│   └── [4.0K] default
│       ├── [ 15] cmdline
│       ├── [ 64K] fuzz_bitmap
│       ├── [ 137] fuzzer_setup
│       ├── [1.1K] fuzzer_stats
│       ├── [ 16K] plot_data
│       └── [4.0K] queue
│           ├── [ 8] id:000000,time:0,execs:0,orig:file0
│           ├── [ 8] id:000001,src:000000,time:190,execs:26,op:havoc,rep:4,+cov
│           ├── [ 4] id:000002,src:000000,time:328,execs:40,op:havoc,rep:4,+cov
│           ├── [ 3] id:000003,src:000000,time:403,execs:48,op:havoc,rep:8
│           ├── [ 4] id:000004,src:000000,time:535,execs:63,op:havoc,rep:8
│           ├── [ 1] id:000005,src:000000,time:657,execs:76,op:havoc,rep:16
│           ├── [ 2] id:000006,src:000000,time:798,execs:89,op:havoc,rep:16
│           ├── [ 4] id:000007,src:000000,time:952,execs:102,op:havoc,rep:16,+cov
│           ├── [ 1] id:000008,src:000000,time:1018,execs:110,op:havoc,rep:16
│           ├── [ 11] id:000009,src:000000,time:1112,execs:119,op:havoc,rep:8,+cov
│           ├── [ 13] id:000010,src:000000,time:1315,execs:143,op:havoc,rep:8
│           ├── [ 1] id:000011,src:000000,time:1619,execs:171,op:havoc,rep:16
│           ├── [ 1] id:000012,src:000000,time:4316,execs:481,op:havoc,rep:16
│           ├── [ 2] id:000013,src:000000,time:4793,execs:535,op:havoc,rep:8
│           ├── [ 8] id:000014,src:000000,time:4919,execs:550,op:havoc,rep:2
│           ├── [ 8] id:000015,src:000000,time:5052,execs:563,op:havoc,rep:4
│           └── [ 4] id:000016,src:000000,time:5274,execs:588,op:havoc,rep:16
├── [4.0K] findings4
│   └── [4.0K] default
│       ├── [ 15] cmdline
│       ├── [ 64K] fuzz_bitmap
│       ├── [ 137] fuzzer_setup
│       ├── [1.1K] fuzzer_stats
│       ├── [ 225] plot_data
│       └── [4.0K] queue
│           ├── [ 8] id:000000,time:0,execs:0,orig:file0
│           ├── [ 8] id:000001,src:000000,time:206,execs:26,op:havoc,rep:8,+cov
│           ├── [ 7] id:000002,src:000000,time:410,execs:41,op:havoc,rep:16
│           ├── [ 13] id:000003,src:000000,time:497,execs:50,op:havoc,rep:8,+cov
│           ├── [ 8] id:000004,src:000000,time:582,execs:61,op:havoc,rep:2,+cov
│           ├── [ 4] id:000005,src:000000,time:692,execs:72,op:havoc,rep:4
│           ├── [ 1] id:000006,src:000000,time:770,execs:80,op:havoc,rep:16
│           ├── [ 2] id:000007,src:000000,time:843,execs:88,op:havoc,rep:2
│           ├── [ 12] id:000008,src:000000,time:1010,execs:104,op:havoc,rep:16
│           ├── [ 4] id:000009,src:000000,time:1217,execs:119,op:havoc,rep:8
│           ├── [ 9] id:000010,src:000000,time:1838,execs:174,op:havoc,rep:8
│           ├── [ 1] id:000011,src:000000,time:2028,execs:188,op:havoc,rep:16
│           ├── [ 2] id:000012,src:000000,time:2165,execs:202,op:havoc,rep:8,+cov
│           ├── [ 17] id:000013,src:000000,time:2282,execs:216,op:havoc,rep:16
│           ├── [ 8] id:000014,src:000000,time:2466,execs:229,op:havoc,rep:4
│           └── [ 3] id:000015,src:000000,time:2645,execs:242,op:havoc,rep:8
├── [ 449] README.md
└── [4.0K] testcase(good)
    ├── [ 483] file0
    ├── [ 252] file1
    ├── [ 294] file2
    ├── [ 63] file3
    ├── [ 21] file4
    ├── [ 84] file5
    ├── [ 63] file6
    ├── [ 525] file7
    ├── [ 483] file8
    └── [ 21] file9

13 directories, 78 files