GoHttp
stack-buffer-overflow
619 characters in User-Agent string causes stack-overflow.
root@0xGotcha:~/fuzzing/GoHttp# curl -A "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" localhost:7000
root@0xGotcha:~/fuzzing/GoHttp# ./GoHttp
Settings:
Port: 7000
Server root: /home/frw/public_html/
Configuration file: httpd.conf
Logfile: .log
Deamon: 0
=================================================================
==1666==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff1110bd40 at pc 0x000000487f40 bp 0x7fff1110bae0 sp 0x7fff1110b290
READ of size 513 at 0x7fff1110bd40 thread T0
#0 0x487f3f (/root/fuzzing/GoHttp/GoHttp+0x487f3f)
#1 0x51718b (/root/fuzzing/GoHttp/GoHttp+0x51718b)
#2 0x517412 (/root/fuzzing/GoHttp/GoHttp+0x517412)
#3 0x517972 (/root/fuzzing/GoHttp/GoHttp+0x517972)
#4 0x517c21 (/root/fuzzing/GoHttp/GoHttp+0x517c21)
#5 0x517cbc (/root/fuzzing/GoHttp/GoHttp+0x517cbc)
#6 0x518656 (/root/fuzzing/GoHttp/GoHttp+0x518656)
#7 0x7fc656ca009a (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#8 0x41d439 (/root/fuzzing/GoHttp/GoHttp+0x41d439)
Address 0x7fff1110bd40 is located in stack of thread T0 at offset 544 in frame
#0 0x51728f (/root/fuzzing/GoHttp/GoHttp+0x51728f)
This frame has 1 object(s):
[32, 544) 'buffer' (line 522) <== Memory access at offset 544 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/root/fuzzing/GoHttp/GoHttp+0x487f3f)
Shadow bytes around the buggy address:
0x100062219750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100062219760: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
0x100062219770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100062219780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100062219790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000622197a0: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3
0x1000622197b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000622197c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000622197d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000622197e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000622197f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1666==ABORTING
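The defect class the report points at, as an added example that is not GoHttp's own code: a hypothetical header extractor that copies a User-Agent value into a 512-byte stack buffer (the size of the 'buffer' object in the ASan frame, [32, 544)) only when it fits, and rejects the 619-byte value from the curl run above instead of reading or writing past the end. Buffer size, function names and the constructed request layout are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: the ASan frame above shows 'buffer' at [32, 544),
 * i.e. 512 bytes, while the request carried a 619-byte User-Agent. */
#define UA_BUF_SIZE 512

/* Copy only if value plus its NUL fits; reject rather than truncate, so an
 * over-long header is treated as malformed. Returns 0 on success, -1 otherwise.
 * An unchecked strcpy(buffer, value) here is the bug class ASan reported. */
int copy_user_agent_checked(const char *value, size_t value_len,
                            char *buffer, size_t size) {
    if (size == 0 || value_len >= size) return -1;
    memcpy(buffer, value, value_len);
    buffer[value_len] = '\0';
    return 0;
}

/* Find the User-Agent header in a raw request and copy its value into buffer.
 * Header matching is case-sensitive for brevity; real HTTP names are not. */
int extract_user_agent(const char *request, char *buffer, size_t size) {
    static const char name[] = "User-Agent:";
    const char *p = strstr(request, name);
    if (p == NULL) return -1;
    p += sizeof name - 1;
    while (*p == ' ' || *p == '\t') p++;            /* skip leading whitespace */
    const char *end = strpbrk(p, "\r\n");           /* value ends at line end */
    size_t len = end ? (size_t)(end - p) : strlen(p);
    return copy_user_agent_checked(p, len, buffer, size);
}

/* Build a constructed request whose User-Agent is ua_len 'A' bytes (like the
 * curl -A run) and extract it into a UA_BUF_SIZE stack buffer.
 * Returns the copied length on success, -1 if rejected, -2 if ua_len is absurd. */
int try_user_agent_of_length(size_t ua_len) {
    char request[2048], buffer[UA_BUF_SIZE];
    const char head[] = "GET / HTTP/1.1\r\nHost: localhost:7000\r\nUser-Agent: ";
    const char tail[] = "\r\nAccept: */*\r\n\r\n";
    if (ua_len > sizeof request - sizeof head - sizeof tail) return -2;
    size_t n = sizeof head - 1;
    memcpy(request, head, n);
    memset(request + n, 'A', ua_len);
    n += ua_len;
    memcpy(request + n, tail, sizeof tail);         /* copies the NUL too */
    if (extract_user_agent(request, buffer, sizeof buffer) != 0) return -1;
    return (int)strlen(buffer);
}

int main(void) {
    printf("619 bytes -> %d, 511 bytes -> %d\n",
           try_user_agent_of_length(619), try_user_agent_of_length(511)); /* -1, 511 */
    return 0;
}
```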
FYI this project isn't maintained. I only wrote it as a part of a university course years ago.
Don't use the code for anything but playing around.
No problem. It is great for learning.