jmk-foofus / medusa

Medusa is a speedy, parallel, and modular, login brute-forcer.
GNU General Public License v2.0

medusa segfault on kali #37

Closed jku209 closed 9 months ago

jku209 commented 4 years ago

I noticed Medusa wasn't working. I opened Wireshark and saw no traffic being generated. I checked dmesg and noticed a segfault any time I ran it. I have Kali at the latest version running on VMware Workstation 15 Pro with VMware Tools installed.

[ 35.682869] systemd-xdg-autostart-generator[945]: Not generating service for XDG autostart app-pulseaudio-autostart.service, startup phases are not supported.
[ 219.081850] perf: interrupt took too long (2542 > 2500), lowering kernel.perf_event_max_sample_rate to 78500
[ 256.638144] perf: interrupt took too long (3216 > 3177), lowering kernel.perf_event_max_sample_rate to 62000
[ 264.027123] perf: interrupt took too long (4055 > 4020), lowering kernel.perf_event_max_sample_rate to 49250
[ 272.919344] perf: interrupt took too long (5107 > 5068), lowering kernel.perf_event_max_sample_rate to 39000
[ 282.759954] perf: interrupt took too long (6469 > 6383), lowering kernel.perf_event_max_sample_rate to 30750
[ 303.015633] perf: interrupt took too long (9103 > 8086), lowering kernel.perf_event_max_sample_rate to 21750
[ 334.980926] perf: interrupt took too long (11420 > 11378), lowering kernel.perf_event_max_sample_rate to 17500
[ 362.300176] medusa[1867]: segfault at 20 ip 00007f79c5420760 sp 00007ffdb0d27978 error 4 in libpthread-2.31.so[7f79c541c000+10000]
[ 362.300183] Code: ff ff 48 8d 0d 31 c0 00 00 ba a7 01 00 00 48 8d 35 af be 00 00 48 8d 3d de bd 00 00 e8 69 ba ff ff 66 0f 1f 84 00 00 00 00 00 <8b> 47 10 89 c2 81 e2 7f 01 00 00 83 e0 7c 0f 85 7c 00 00 00 53 48
[ 688.304614] perf: interrupt took too long (14287 > 14275), lowering kernel.perf_event_max_sample_rate to 13750
root@pwner:~#

root@pwner:~# valgrind -v medusa -v 6 -u admin -P /usr/share/wordlists/rockyou.txt -h 192.168.2.1 -M ssh
==2146== Memcheck, a memory error detector
==2146== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2146== Using Valgrind-3.16.1-36d6727e1d-20200622X and LibVEX; rerun with -h for copyright info
==2146== Command: medusa -v 6 -u admin -P /usr/share/wordlists/rockyou.txt -h 192.168.2.1 -M ssh
==2146==
--2146-- Valgrind options:
--2146--    -v
--2146-- Contents of /proc/version:
--2146--   Linux version 5.7.0-kali3-amd64 (devel@kali.org) (gcc version 9.3.0 (Debian 9.3.0-15), GNU ld (GNU Binutils for Debian) 2.35) #1 SMP Debian 5.7.17-1kali1 (2020-08-26)
--2146--
--2146-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-lzcnt-rdtscp-sse3-ssse3-avx-avx2-bmi-f16c-rdrand
--2146-- Page sizes: currently 4096, max supported 4096
--2146-- Valgrind library directory: /usr/lib/x86_64-linux-gnu/valgrind
--2146-- Reading syms from /usr/bin/medusa
--2146--    object doesn't have a symbol table
--2146-- Reading syms from /usr/lib/x86_64-linux-gnu/ld-2.31.so
--2146--   Considering /usr/lib/debug/.build-id/1d/7aa1d2a5c941715ad76064ccb4ac38dccf48a2.debug ..
--2146--   .. build-id is valid
--2146-- Reading syms from /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
--2146--   Considering /usr/lib/debug/.build-id/72/301e20084fe4fbbc192b75e50757eacd953de7.debug ..
--2146--   .. build-id is valid
--2146-- Reading syms from /usr/lib/x86_64-linux-gnu/libc-2.31.so
--2146--   Considering /usr/lib/debug/.build-id/9c/9b4c997fbbff4ea98320bb8c286051f9ed6513.debug ..
--2146--   .. build-id is valid
[remaining Valgrind symbol-loading and REDIR lines for libssl, libcrypto, libgnutls and the other shared libraries omitted]
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks jmk@foofus.net
^CALERT: Medusa received SIGINT - Sending notification to login threads that we are are aborting.
==2146== Invalid read of size 4
==2146==    at 0x487A760: pthread_mutex_lock (pthread_mutex_lock.c:67)
==2146==    by 0x11134C: thr_pool_wait (in /usr/bin/medusa)
==2146==    by 0x10D7D9: sigint_handler (in /usr/bin/medusa)
==2146==    by 0x488313F: ??? (in /usr/lib/x86_64-linux-gnu/libpthread-2.31.so)
==2146==    by 0x5133E4B: read (read.c:26)
==2146==    by 0x50C6859: _IO_file_underflow@@GLIBC_2.2.5 (fileops.c:517)
==2146==    by 0x50C7AC1: _IO_default_uflow (genops.c:362)
==2146==    by 0x50BAA1B: _IO_getline_info (iogetline.c:60)
==2146==    by 0x50B9A15: fgets (iofgets.c:53)
==2146==    by 0x10EC13: loadFile (in /usr/bin/medusa)
==2146==    by 0x10CCD0: main (in /usr/bin/medusa)
==2146==  Address 0x20 is not stack'd, malloc'd or (recently) free'd
==2146==
==2146==
==2146== Process terminating with default action of signal 11 (SIGSEGV)
==2146==  Access not within mapped region at address 0x20
==2146==    at 0x487A760: pthread_mutex_lock (pthread_mutex_lock.c:67)
==2146==    by 0x11134C: thr_pool_wait (in /usr/bin/medusa)
==2146==    by 0x10D7D9: sigint_handler (in /usr/bin/medusa)
==2146==    by 0x488313F: ??? (in /usr/lib/x86_64-linux-gnu/libpthread-2.31.so)
==2146==    by 0x5133E4B: read (read.c:26)
==2146==    by 0x50C6859: _IO_file_underflow@@GLIBC_2.2.5 (fileops.c:517)
==2146==    by 0x50C7AC1: _IO_default_uflow (genops.c:362)
==2146==    by 0x50BAA1B: _IO_getline_info (iogetline.c:60)
==2146==    by 0x50B9A15: fgets (iofgets.c:53)
==2146==    by 0x10EC13: loadFile (in /usr/bin/medusa)
==2146==    by 0x10CCD0: main (in /usr/bin/medusa)
==2146==  If you believe this happened as a result of a stack
==2146==  overflow in your program's main thread (unlikely but
==2146==  possible), you can try to increase the size of the
==2146==  main thread stack using the --main-stacksize= flag.
==2146==  The main thread stack size used in this run was 8388608.
==2146==
==2146== HEAP SUMMARY:
==2146==     in use at exit: 94,049 bytes in 702 blocks
==2146==   total heap usage: 1,302 allocs, 600 frees, 108,775 bytes allocated
==2146==
==2146== Searching for pointers to 702 not-freed blocks
==2146== Checked 373,736 bytes
==2146==
==2146== LEAK SUMMARY:
==2146==    definitely lost: 0 bytes in 0 blocks
==2146==    indirectly lost: 0 bytes in 0 blocks
==2146==      possibly lost: 0 bytes in 0 blocks
==2146==    still reachable: 94,049 bytes in 702 blocks
==2146==         suppressed: 0 bytes in 0 blocks
==2146== Rerun with --leak-check=full to see details of leaked memory
==2146==
==2146== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==2146==
==2146== 1 errors in context 1 of 1:
==2146== Invalid read of size 4
==2146==    at 0x487A760: pthread_mutex_lock (pthread_mutex_lock.c:67)
==2146==    by 0x11134C: thr_pool_wait (in /usr/bin/medusa)
==2146==    by 0x10D7D9: sigint_handler (in /usr/bin/medusa)
==2146==    by 0x488313F: ??? (in /usr/lib/x86_64-linux-gnu/libpthread-2.31.so)
==2146==    by 0x5133E4B: read (read.c:26)
==2146==    by 0x50C6859: _IO_file_underflow@@GLIBC_2.2.5 (fileops.c:517)
==2146==    by 0x50C7AC1: _IO_default_uflow (genops.c:362)
==2146==    by 0x50BAA1B: _IO_getline_info (iogetline.c:60)
==2146==    by 0x50B9A15: fgets (iofgets.c:53)
==2146==    by 0x10EC13: loadFile (in /usr/bin/medusa)
==2146==    by 0x10CCD0: main (in /usr/bin/medusa)
==2146==  Address 0x20 is not stack'd, malloc'd or (recently) free'd
==2146==
==2146== ERROR SUMMARY: 1
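Added example, not Medusa's own code: a minimal C model of the failure mode the Valgrind trace above points at. SIGINT arrives while main() is still inside loadFile()/fgets() reading the wordlist, the handler calls into the thread pool, and pthread_mutex_lock() faults at address 0x20; the reading that the pool pointer is still NULL at that moment (with the mutex at offset 0x20) is an assumption, as are the struct layout and every name not in the trace. The hardened form keeps the handler async-signal-safe by only setting a flag, and lets the main path check both the flag and whether the pool exists before waiting on it.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>

/* Constructed layout (assumption): padding puts the mutex at offset 0x20, so
 * locking through a NULL pool pointer touches address 0x20 as in the trace. */
struct thr_pool { char pad[0x20]; pthread_mutex_t lock; };
static struct thr_pool pool_storage;
static struct thr_pool *pool = NULL;              /* created only after the wordlist is loaded */
static volatile sig_atomic_t abort_requested = 0; /* the only state a handler should write */

/* Body of the unsafe handler, as a plain function so its outcome can be returned
 * instead of crashing: -1 means "would read NULL + 0x20 inside pthread_mutex_lock". */
static int unsafe_handler_body(void) {
    if (pool == NULL)
        return -1;                      /* the check the crashing path lacks */
    pthread_mutex_lock(&pool->lock);    /* what a pool wait does on a live pool */
    pthread_mutex_unlock(&pool->lock);
    return 0;
}

/* Safe handler: async-signal-safe, no locks, no pool access, just a flag. */
static void safe_sigint_handler(int sig) {
    (void)sig;
    abort_requested = 1;
}

/* Install the safe handler with sigaction(); returns 0 on success. */
static int install_safe_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_sigint_handler;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGINT, &sa, NULL);
}

/* Main-path poll, called between wordlist lines or pool iterations. Returns 1
 * if an abort was requested, waiting on the pool only if it actually exists. */
static int poll_abort(void) {
    if (!abort_requested)
        return 0;
    if (pool != NULL) {
        pthread_mutex_lock(&pool->lock);
        pthread_mutex_unlock(&pool->lock);
    }
    return 1;
}

/* Pool creation, which in Medusa happens only after loadFile() returns. */
static void create_pool(void) {
    pthread_mutex_init(&pool_storage.lock, NULL);
    pool = &pool_storage;
}
```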

jmk-foofus commented 9 months ago

The rockyou wordlist is 14M+ entries. It's a better fit for offline auditing (e.g., John the Ripper). Bruting SSH is slow (~ 1 attempt / sec) and better targeted with custom password lists specific for the situation. Medusa reads the entire file into memory and maybe you're just running out of it on your VM. Feel free to reopen if you find spots in the ssh2 module where we're leaking memory.