CVE-2018-1160 题材以及内容来源于pwnable，还算有意思的 然后本次我的测试及复现要特别感谢wetw0rk的思路参考。 由于文章复盘在我实际操作结束后一个月左右，所以我不会讲的太细，其中包括众多技术细节相关截图以及相关图表也没有得到保存 所以在这里我就口述主要思路以及我觉得可能需要做归档的部分了，需要详细了解漏洞细节的可以移步别的文章。 首先，目标是是netatalk的67256322aa5a1fff01de471d6787d1d862678746commit，已确定在这次commit之后已经得到修复，具体涉及版本号没去看，感兴趣的自己去了解，本文只做针对此次commit为基础的复现。 漏洞产生原因简述： git原文 CVE-2018-1160: libatalk/dsi: add correct bound checking to dsi_opensession The memcpy memcpy(&dsi->attn_quantum, dsi->commands + i + 1, dsi->commands[i]); trusted dsi->commands[i] to specify a size that fits into dsi->attn_quantum. The sizeof attn_quantum is four bytes. A malicious client can send a dsi->command[i] larger than 4 bytes to begin overwriting variables in the DSI struct. dsi->command[i] is a single char in a char array which limits the amount of data the attacker can overwrite in the DSI struct to 0xff. So for this to be useful in an attack there needs to be something within the 0xff bytes that follow attn_quantum. From dsi.h: uint32_t attn_quantum, datasize, server_quantum; uint16_t serverID, clientID; uint8_t *commands; /* DSI recieve buffer */ uint8_t data[DSI_DATASIZ]; /* DSI reply buffer */ The commands pointer is a heap allocated pointer that is reused for every packet received and sent. Using the memcpy, an attacker can overwrite this to point to an address of their choice and then all subsequent AFP packets will be written to that location. If the attacker chose the preauth_switch buffer, overwriting the function pointer there with functions pointers of his choice, he can invoke this functions over the network, Signed-off-by: Ralph Boehme <slow@samba.org> (cherry picked from commit b6895be) 所以，这里的触发点在于memcpy，由于DSI协议中用户对dsi结构体的内容控制边界没有得到妥善处理导致这里的memcpy的size args可以被控制 ...