Crash on Client 16 - 14320388 #5
Comments
|
Hi,
It looks like the clients are running out of sync. The clients should run
in sequential order (1,2 .. 14, 15, 16) etc, for both the requests and
responses. Best bet is to revise the code to remove threading and create an
array of clients and make them one sequentially, that should correct the
issue.
…On Tue, Sep 7, 2021 at 9:34 AM meirtolpin11 ***@***.***> wrote:
Hi,
so I am trying to run the PoC against build 14320388, but every time it
crashes on this part -
` requests[14].put(close())
requests[15].put(connect())
requests[15].put(attribute_request(b'service:pwn', 0x20))
requests[13].put(block(0x110))
requests[16].put(connect())
requests[17].put(connect())
Any Ideas why ? I tried to play with the timer, set it 1,5,8,10, but
nothing helps. Everytime the same error :([SLP Client-14] service request
[SLP Client-14] recv:
b'\x02\x02\x00\x00\x14\x00\x00\x00\x00\x00\x00\x05\x00\x02en\x002\x00\x00'
[SLP Client-12] service request [SLP Client-12] recv:
b'\x02\x02\x00\x00\x14\x00\x00\x00\x00\x00\x00\x05\x00\x02en\x002\x00\x00'
[SLP Client-14] close [SLP Client-15] connect [SLP Client-15] attribute
request [SLP Client-15] recv: b'' [SLP Client-13] service request [SLP
Client-13] recv: b'' [SLP Client-16] connect [SLP Client-17] connect [SLP
Client-12] close Exception in thread Thread-16: Traceback (most recent call
last): File "C:\Python38-32\lib\threading.py", line 932, in
_bootstrap_inner self.run() File "CVE-2021-21974.py", line 56, in run
s.connect((IP, PORT)) ConnectionRefusedError: [WinError 10061] No
connection could be made because the target machine actively refused it
[SLP Client-18] connect `
Any ideas?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#5>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AGBX6EDFUQSVV7YBO5APDY3UAY5I5ANCNFSM5DSYOR2Q>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
|
Hi, I just removed the threading, and tried to exploit it again - Still crashing on SLP client 16 connect. |
|
played a bit with a debugger - crashing when 15 is sending attribute_request(b'service:pwn', 0x20) |
|
It looks like it is still out of sync, the request and response for each
client must be in consecutive order. It is my bad for using threading.
Perhaps remove threading + introduce a sleep per each request/response to
see if it makes a difference?
…On Thu, Sep 9, 2021 at 10:37 AM meirtolpin11 ***@***.***> wrote:
played a bit with a debugger - crashing when 15 is sending
attribute_request(b'service:pwn', 0x20)
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#5 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AGBX6ECOXK35CPCIGD4EY2LUBDWHBANCNFSM5DSYOR2Q>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
|
I already removed threading. this is the code part, the order in the code is the same as in the terminal output. And the after every client's request there is the same client's recv (and only then the next client). |
|
If that's the case, the heap grooming got messed up I assume. This could be
the way how you start up the slpd daemon, i noticed running it directly, or
through init.d have different heap states for the slpd
…On Thu, Sep 9, 2021 at 11:58 AM meirtolpin11 ***@***.***> wrote:
I already removed threading.
it's running exactly like the order in the exploit function.
`
slpclients[11].run(connect())
slpclients[12].run(connect())
slpclients[13].run(connect())
slpclients[11].run(block(0x810))
slpclients[14].run(connect())
slpclients[14].run(block(0x160))
slpclients[12].run(block(0x810))
slpclients[14].run(close())
slpclients[15].run(connect())
slpclients[15].run(attribute_request(b'service:pwn', 0x20))
slpclients[13].run(block(0x110))
slpclients[16].run(connect())
slpclients[17].run(connect())
slpclients[12].run(close())
slpclients[18].run(connect())
`
this is the code part, the order in the code is the same as in the
terminal output. And the after every client's send there is the same
client's recv.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#5 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AGBX6EB4Q7RGD25ONI5OOOLUBD7UDANCNFSM5DSYOR2Q>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
|
Yes it's really the problem. |
|
You will have to setup a debugger to see what the heap looks like when slpd
starts. From there, it probably have some freed chunks that needs to be
filled up ahead of time or it gets pick up by the heap grooming process.
…On Thu, Sep 9, 2021 at 12:46 PM meirtolpin11 ***@***.***> wrote:
Yes it's really the problem.
When I run the slpd manually it's working perfect, but when its starting
up by the os - the heap grooming not working.
you have any idea how to bypass this issue?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#5 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AGBX6EFWYQH6KNCRBJONJI3UBEFI5ANCNFSM5DSYOR2Q>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
|
@meirtolpin11 Hi, could you please share your exploit after replacing the thread with the array implementation. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
so I am trying to run the PoC against build 14320388, but every time it crashes on this part -
Any Ideas why ? I tried to play with the timer, set it 1,5,8,10, but nothing helps. Everytime the same error :(
Any ideas?
The text was updated successfully, but these errors were encountered: