To test on local machine with a vulnerable glibc version:
user@localhost:/$ echo 'nameserver 127.0.0.127' | sudo tee /etc/resolv.conf
user@localhost:/$ echo 'nameserver 127.0.0.127' | sudo tee -a /etc/resolv.conf
user@localhost:/$ sudo python3 attack-server.py 127.0.0.127
Starting UDP server on 127.0.0.127:53...
Starting TCP server on 127.0.0.127:53...
Then, from another terminal session, execute the attacks as shown in the examples below.
Needs ability to send replies > 2048 bytes over UDP and TCP.
Attack Sequence:
-
UDP reply, > 2048 bytes, valid header/question, TC flag set (triggers buffer mismanagement and TCP retry)
-
TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)
-
TCP reply, > 2048 bytes (overflows stack-allocated buffer)
Example:
user@localhost:/$ curl http://attack1
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
Needs ability to send replies > 2048 bytes over UDP.
Attack Sequence:
-
UDP reply, > 2048 bytes, invalid header (triggers buffer mismanagement, not counted as a valid response)
-
Ignore next request (triggers UDP retry due to polling timeout)
-
UDP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)
-
UDP reply, > 2048 bytes (overflows stack-allocated buffer)
Example:
user@localhost:/$ curl http://attack2
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
Needs ability to send replies > 1024 bytes over UDP and > 2048 bytes over TCP.
Attack Sequence:
-
UDP reply, 1024 bytes, valid header/question (fills up half of the stack-allocated buffer)
-
UDP reply, > 1024 bytes, valid header/question, TC flag set (triggers buffer mismanagement and TCP retry)
-
TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)
-
TCP reply, > 2048 bytes (overflows stack-allocated buffer)
Example:
user@localhost:/$ curl http://attack3
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
Needs ability to send replies > 2048 bytes over UDP.
Attack Sequence:
-
UDP reply, 2048 bytes, valid header/question (fills up the stack-allocated buffer)
-
UDP reply (triggers buffer mismanagement and UDP retry due to 0-byte socket receive)
-
UDP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)
-
UDP reply, > 2048 bytes (overflows stack-allocated buffer)
Example:
user@localhost:/$ curl http://attack4
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
Needs ability to send replies > 2048 bytes over TCP and at least two nameserver entries in /etc/resolv.conf.
Attack Sequence:
-
UDP reply, valid header/question, TC flag set (optional, triggers TCP retry if initial query is over UDP)
-
TCP reply, > 2048 bytes (triggers buffer mismanagement)
-
TCP reply, empty (triggers TCP retry due to 0-byte socket receive)
-
TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)
-
TCP reply, > 2048 bytes (overflows stack-allocated buffer)
Example:
user@localhost:/$ curl http://attack5
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
To trigger a valid type A/AAAA reply of a certain size from the server, send a request for one of the following:
- payload1 (> 64 bytes)
- payload2 (> 128 bytes)
- payload3 (> 256 bytes)
- payload4 (> 512 bytes)
- payload5 (> 1024 bytes)
- payload6 (> 2048 bytes)
- payload7 (> 4096 bytes)
- payload8 (> 8192 bytes)
The requests can be issued over UDP or TCP, and the responses will contain the appropriate number of valid A or AAAA answers to pad the reply to the requested size. When the PoC server is set up as the authoritative name server for a test domain, this allows for exploring the behaviour of DNS cache hierarchies when faced with oversized replies.
Example:
user@localhost:/$ curl http://payload1.somedomain.com