Last active: April 16, 2018 02:37
causing stack corruption in crunch
Title   : Crunch Wordlist (Ubuntu) stack corruption
Version : 3.6
Date    : 2016-12-27
Vendor  : https://sourceforge.net/projects/crunch-wordlist/
Impact  : Low/Med
Contact : submit [dot] slayerowner [at] gmail.com
Twitter : @slayer_owner
Tested  : Ubuntu 16.10 desktop x86_64
Author  : SLAYER OWNER
###############################################################################################
Description:
- Crunch is a tool to build wordlists that runs under Unix-like environments
###############################################################################################
Bug:
- The vulnerability invokes SIGFPE, a stack corruption (division by zero).
###############################################################################################
Impact:
- This triggers a denial of service condition.
###############################################################################################
(gdb) r 0 0 blockbit -o 2wordlist_blockbit
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/bin/crunch 0 0 blockbit -o 2wordlist_blockbit
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Crunch will now generate the following amount of data: 0 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 0
[New Thread 0x7ffff720f700 (LWP 2455)]
Thread 1 "crunch" received signal SIGFPE, Arithmetic exception.
0x000055555555c313 in ?? ()
(gdb) whatis $rip
type = void (*)()
(gdb) x/10i 0x000055555555c313
=> 0x55555555c313: divq 0x204d7e(%rip) # 0x555555761098
   0x55555555c31a: lea 0x18e7(%rip),%rdx # 0x55555555dc08
   0x55555555c321: mov %eax,%ecx
   0x55555555c323: mov 0x204cce(%rip),%rax # 0x555555760ff8
   0x55555555c32a: mov (%rax),%rdi
   0x55555555c32d: xor %eax,%eax
   0x55555555c32f: callq 0x5555555555c0 <__fprintf_chk@plt>
   0x55555555c334: mov %r14,%rdi
   0x55555555c337: callq 0x555555555400 <strlen@plt>
   0x55555555c33c: add %rax,%r12
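Added example, not crunch's own source: the argument validation and guarded arithmetic that would turn the `crunch 0 0 ...` crash above into a clean error instead of an unguarded `divq`. `parse_lengths`, `checked_div`, `estimate_lines` and `MAX_WORD_LEN` are hypothetical names and values, and the line-count formula is an assumed model of the estimate crunch prints, not its real implementation.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_WORD_LEN 128  /* assumed bound, not a crunch value */

typedef struct { unsigned min_len, max_len; } word_lengths;

/* Validate <min-len> <max-len> before any size arithmetic: rejects
 * non-numeric input, a zero length, min > max and oversized maxima. */
int parse_lengths(const char *min_arg, const char *max_arg, word_lengths *out)
{
    char *end;
    errno = 0;
    unsigned long mn = strtoul(min_arg, &end, 10);
    if (errno || end == min_arg || *end != '\0') return -1;
    unsigned long mx = strtoul(max_arg, &end, 10);
    if (errno || end == max_arg || *end != '\0') return -1;
    if (mn == 0 || mx == 0 || mn > mx || mx > MAX_WORD_LEN) return -1;
    out->min_len = (unsigned)mn;
    out->max_len = (unsigned)mx;
    return 0;
}

/* Guarded division; the faulting divq in the report has no such check. */
int checked_div(uint64_t num, uint64_t den, uint64_t *quot)
{
    if (den == 0) return -1;
    *quot = num / den;
    return 0;
}

/* Words of length min_len..max_len over charset_len symbols (sum of
 * charset_len^k). Fails on an empty charset or 64-bit overflow. */
int estimate_lines(word_lengths wl, uint64_t charset_len, uint64_t *lines)
{
    uint64_t total = 0, pw = 1;
    if (charset_len == 0) return -1;
    for (unsigned k = 1; k <= wl.max_len; k++) {
        if (pw > UINT64_MAX / charset_len) return -1;
        pw *= charset_len;
        if (k >= wl.min_len) {
            if (total > UINT64_MAX - pw) return -1;
            total += pw;
        }
    }
    *lines = total;
    return 0;
}
```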
Dropping this "report" as public 2 years later.