@slayerlab
Last active April 16, 2018 02:37
causing stack corruption in crunch
Title : Crunch Wordlist (Ubuntu) stack corruption
Version : 3.6
Date : 2016-12-27
Vendor : https://sourceforge.net/projects/crunch-wordlist/
Impact : Low/Med
Contact : submit [dot] slayerowner [at] gmail.com
Twitter : @slayer_owner
tested : Ubuntu 16.10 desktop x86_64
Author : SLAYER OWNER
###############################################################################################
Description:
- Crunch is a wordlist generator that runs on Unix-like systems
###############################################################################################
Bug:
- The bug raises SIGFPE (arithmetic exception): an integer division by zero, reported here as stack corruption.
###############################################################################################
Impact:
- This triggers a denial-of-service condition: the crunch process is killed by SIGFPE before any output is written
###############################################################################################
(gdb) r 0 0 blockbit -o 2wordlist_blockbit
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/bin/crunch 0 0 blockbit -o 2wordlist_blockbit
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Crunch will now generate the following amount of data: 0 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 0
[New Thread 0x7ffff720f700 (LWP 2455)]
Thread 1 "crunch" received signal SIGFPE, Arithmetic exception.
0x000055555555c313 in ?? ()
(gdb) whatis $rip
type = void (*)()
(gdb) x/10i 0x000055555555c313
=> 0x55555555c313: divq 0x204d7e(%rip) # 0x555555761098
0x55555555c31a: lea 0x18e7(%rip),%rdx # 0x55555555dc08
0x55555555c321: mov %eax,%ecx
0x55555555c323: mov 0x204cce(%rip),%rax # 0x555555760ff8
0x55555555c32a: mov (%rax),%rdi
0x55555555c32d: xor %eax,%eax
0x55555555c32f: callq 0x5555555555c0 <__fprintf_chk@plt>
0x55555555c334: mov %r14,%rdi
0x55555555c337: callq 0x555555555400 <strlen@plt>
0x55555555c33c: add %rax,%r12
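The faulting instruction above is an unsigned 64-bit `divq` whose divisor is a global, and the run that reaches it is the one where crunch computed "0 lines" for `0 0`. The following added example (not crunch's own source) models that failure and the two fixes a maintainer would want: reject zero lengths at argument parsing, and guard the division itself. The line-count formula, the `plan_wordlist`/`progress_percent` names and the default 26-symbol charset are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not crunch's source. Assumed model of the bug: crunch derives
 * the number of output lines from <min-len> <max-len> and the charset size and
 * later divides by that number (the `divq` on a global in the gdb session).
 * "crunch 0 0 ..." yields 0 lines, so the unsigned divide raises SIGFPE. */

enum plan_status { PLAN_OK = 0, PLAN_BAD_LENGTHS, PLAN_EMPTY_CHARSET, PLAN_OVERFLOW };

/* Validate lengths first: a 0 length produces no words, so any count the
 * program later divides by would be 0. Reject it at argument parsing. */
enum plan_status plan_wordlist(unsigned min_len, unsigned max_len,
                               size_t charset_len, uint64_t *lines_out)
{
    if (charset_len == 0)
        return PLAN_EMPTY_CHARSET;
    if (min_len == 0 || max_len < min_len)
        return PLAN_BAD_LENGTHS;

    /* lines = sum over len of charset_len^len, with overflow checks so a huge
     * request fails cleanly instead of wrapping to a small (or zero) count. */
    uint64_t total = 0;
    for (unsigned len = min_len; len <= max_len; len++) {
        uint64_t words = 1;
        for (unsigned i = 0; i < len; i++) {
            if (words > UINT64_MAX / charset_len)
                return PLAN_OVERFLOW;
            words *= charset_len;
        }
        if (total > UINT64_MAX - words)
            return PLAN_OVERFLOW;
        total += words;
    }
    if (lines_out)
        *lines_out = total;
    return PLAN_OK;
}

/* Convenience: planned line count, or 0 when the plan is rejected. */
uint64_t planned_lines(unsigned min_len, unsigned max_len, size_t charset_len)
{
    uint64_t lines = 0;
    return plan_wordlist(min_len, max_len, charset_len, &lines) == PLAN_OK ? lines : 0;
}

/* The division itself, guarded: returns -1 instead of faulting when total is 0.
 * An unconditional `written / total` is the pattern that produced the SIGFPE. */
int progress_percent(uint64_t written, uint64_t total)
{
    if (total == 0)
        return -1;
    if (written >= total)
        return 100;
    return (int)((double)written * 100.0 / (double)total);
}

int main(int argc, char **argv)
{
    /* Usage mirrors crunch's positional arguments: <min-len> <max-len> [charset] */
    if (argc < 3) {
        fprintf(stderr, "usage: %s <min-len> <max-len> [charset]\n", argv[0]);
        return 2;
    }
    unsigned min_len = (unsigned)strtoul(argv[1], NULL, 10);
    unsigned max_len = (unsigned)strtoul(argv[2], NULL, 10);
    size_t charset_len = argc > 3 ? strlen(argv[3]) : 26; /* assumed default: a-z */

    uint64_t lines = 0;
    switch (plan_wordlist(min_len, max_len, charset_len, &lines)) {
    case PLAN_OK:
        printf("plan: %llu lines, %d%% written so far\n",
               (unsigned long long)lines, progress_percent(0, lines));
        return 0;
    case PLAN_BAD_LENGTHS:
        fprintf(stderr, "error: lengths must satisfy 1 <= min-len <= max-len\n");
        return 1;
    case PLAN_EMPTY_CHARSET:
        fprintf(stderr, "error: charset must not be empty\n");
        return 1;
    case PLAN_OVERFLOW:
        fprintf(stderr, "error: line count does not fit in 64 bits\n");
        return 1;
    }
    return 1;
}
```

Run as `./plan 0 0 blockbit` and the request is refused with an exit status instead of a signal; `./plan 1 2 abc` reports 12 lines. The overflow check matters for the same reason as the zero check: a wrapped count is just another wrong divisor, and one that also misreports the "amount of data" banner printed before generation starts.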
@slayerlab (Author)

Dropping this "report" as public 2 years later.
