morata10 / reaver-wps

Automatically exported from code.google.com/p/reaver-wps

walsh - buffer overflow #86

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. compilation: no problem, no error message

What is the expected output? What do you see instead?

root@bt:~/reaver-wps-read-only/src# ./walsh -i mon0 -s -C

Walsh v1.4 beta WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

BSSID                  Channel       WPS Version       WPS Locked        ESSID
----------------------------------------------------------------------------------------------
*** buffer overflow detected ***: ./walsh terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f729d3c1217]
/lib/libc.so.6(+0xfe0d0)[0x7f729d3c00d0]
./walsh[0x406eb3]
./walsh[0x403326]
./walsh[0x40341b]
./walsh[0x403897]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f729d2e0c4d]
./walsh[0x402cb9]
======= Memory map: ========
00400000-00433000 r-xp 00000000 08:17 1001879                            /root/reaver-wps-read-only/src/walsh
00632000-00633000 r--p 00032000 08:17 1001879                            /root/reaver-wps-read-only/src/walsh
00633000-00634000 rw-p 00033000 08:17 1001879                            /root/reaver-wps-read-only/src/walsh
0222d000-02263000 rw-p 00000000 00:00 0                                  [heap]
7f729ca96000-7f729caac000 r-xp 00000000 08:17 130802                     /lib/libgcc_s.so.1
7f729caac000-7f729ccab000 ---p 00016000 08:17 130802                     /lib/libgcc_s.so.1
7f729ccab000-7f729ccac000 r--p 00015000 08:17 130802                     /lib/libgcc_s.so.1
7f729ccac000-7f729ccad000 rw-p 00016000 08:17 130802                     /lib/libgcc_s.so.1
7f729ccad000-7f729d0a5000 rw-s 00000000 00:07 22584                      socket:[22584]
7f729d0a5000-7f729d0bd000 r-xp 00000000 08:17 130884                     /lib/libpthread-2.11.1.so
7f729d0bd000-7f729d2bc000 ---p 00018000 08:17 130884                     /lib/libpthread-2.11.1.so
7f729d2bc000-7f729d2bd000 r--p 00017000 08:17 130884                     /lib/libpthread-2.11.1.so
7f729d2bd000-7f729d2be000 rw-p 00018000 08:17 130884                     /lib/libpthread-2.11.1.so
7f729d2be000-7f729d2c2000 rw-p 00000000 00:00 0 
7f729d2c2000-7f729d43c000 r-xp 00000000 08:17 130767                     /lib/libc-2.11.1.so
7f729d43c000-7f729d63b000 ---p 0017a000 08:17 130767                     /lib/libc-2.11.1.so
7f729d63b000-7f729d63f000 r--p 00179000 08:17 130767                     /lib/libc-2.11.1.so
7f729d63f000-7f729d640000 rw-p 0017d000 08:17 130767                     /lib/libc-2.11.1.so
7f729d640000-7f729d645000 rw-p 00000000 00:00 0 
7f729d645000-7f729d6cf000 r-xp 00000000 08:17 538989                     /usr/lib/libsqlite3.so.0.8.6
7f729d6cf000-7f729d8ce000 ---p 0008a000 08:17 538989                     /usr/lib/libsqlite3.so.0.8.6
7f729d8ce000-7f729d8d0000 r--p 00089000 08:17 538989                     /usr/lib/libsqlite3.so.0.8.6
7f729d8d0000-7f729d8d2000 rw-p 0008b000 08:17 538989                     /usr/lib/libsqlite3.so.0.8.6
7f729d8d2000-7f729d902000 r-xp 00000000 08:17 538786                     /usr/lib/libpcap.so.1.0.0
7f729d902000-7f729db02000 ---p 00030000 08:17 538786                     /usr/lib/libpcap.so.1.0.0
7f729db02000-7f729db03000 r--p 00030000 08:17 538786                     /usr/lib/libpcap.so.1.0.0
7f729db03000-7f729db04000 rw-p 00031000 08:17 538786                     /usr/lib/libpcap.so.1.0.0
7f729db04000-7f729db05000 rw-p 00000000 00:00 0 
7f729db05000-7f729db87000 r-xp 00000000 08:17 130818                     /lib/libm-2.11.1.so
7f729db87000-7f729dd86000 ---p 00082000 08:17 130818                     /lib/libm-2.11.1.so
7f729dd86000-7f729dd87000 r--p 00081000 08:17 130818                     /lib/libm-2.11.1.so
7f729dd87000-7f729dd88000 rw-p 00082000 08:17 130818                     /lib/libm-2.11.1.so
7f729dd88000-7f729dd8a000 r-xp 00000000 08:17 130781                     /lib/libdl-2.11.1.so
7f729dd8a000-7f729df8a000 ---p 00002000 08:17 130781                     /lib/libdl-2.11.1.so
7f729df8a000-7f729df8b000 r--p 00002000 08:17 130781                     /lib/libdl-2.11.1.so
7f729df8b000-7f729df8c000 rw-p 00003000 08:17 130781                     /lib/libdl-2.11.1.so
7f729df8c000-7f729dfac000 r-xp 00000000 08:17 130744                     /lib/ld-2.11.1.so
7f729e17e000-7f729e183000 rw-p 00000000 00:00 0 
7f729e1a8000-7f729e1ab000 rw-p 00000000 00:00 0 
7f729e1ab000-7f729e1ac000 r--p 0001f000 08:17 130744                     /lib/ld-2.11.1.so
7f729e1ac000-7f729e1ad000 rw-p 00020000 08:17 130744                     /lib/ld-2.11.1.so
7f729e1ad000-7f729e1ae000 rw-p 00000000 00:00 0 
7fff8ecd8000-7fff8ecf9000 rw-p 00000000 00:00 0                          [stack]
7fff8ed47000-7fff8ed48000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Neúspěšně ukončen (SIGABRT)

What version of the product are you using? On what operating system?
walsh svn r65, BackTrack 5 x86_64, KDE, 2.6.39.4, wireless driver ath9k

Please provide any additional information below.

Original issue reported on code.google.com by mmare...@gmail.com on 5 Jan 2012 at 1:00

GoogleCodeExporter commented 8 years ago
Same on Backtrack 5 r2, Reaver 1.3 r65

Original comment by patricks...@gmail.com on 5 Jan 2012 at 1:03

GoogleCodeExporter commented 8 years ago
I'm not getting this error with the SVN code, I'll try to reproduce with the 
1.3 release; can either of you provide gdb output or a pcap that can be used to 
replicate the bug?

Original comment by cheff...@tacnetsol.com on 5 Jan 2012 at 4:53

GoogleCodeExporter commented 8 years ago
I will wait for reaver 1.4; maybe I made the mistake. After the third start of 
walsh it does not exit with this buffer overflow.

Original comment by patricks...@gmail.com on 5 Jan 2012 at 6:07

GoogleCodeExporter commented 8 years ago
Buffer overflows are never a user mistake, always a developer mistake. I will 
try to reproduce the problem on my end; if this happens again, please let me 
know.

Original comment by cheff...@tacnetsol.com on 5 Jan 2012 at 6:14

GoogleCodeExporter commented 8 years ago
I apologize for my bad English. After compilation, I did "make install" so it 
did not create the /etc/reaver/reaver.db. After creating without error, no 
buffer overflow. Output from gdb I will supply later.

Original comment by mmare...@gmail.com on 6 Jan 2012 at 8:10

GoogleCodeExporter commented 8 years ago
For debugging purposes

Original comment by maxmust...@gmail.com on 7 Jan 2012 at 9:08

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by mmare...@gmail.com on 9 Jan 2012 at 12:39

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by mmare...@gmail.com on 9 Jan 2012 at 12:40

Attachments:

GoogleCodeExporter commented 8 years ago
Thanks for the pcap, I can now reproduce the bug here.

Original comment by cheff...@tacnetsol.com on 9 Jan 2012 at 3:56

GoogleCodeExporter commented 8 years ago
Found the bug in the parse_beacon_tags function; pcap helped a lot, thanks 
much. Fix has been checked in. 

FYI, there appears to be a lot of corrupted data in the captures you are 
getting.

Original comment by cheff...@tacnetsol.com on 9 Jan 2012 at 4:47

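The developer's comment above places the bug in parse_beacon_tags and notes that the reporter's captures contain a lot of corrupted data. That is the usual shape of this bug class: a beacon's tagged parameters are a chain of (id, length, body) elements, and a parser that trusts the length byte of a corrupted element walks or copies past the end of the frame, which is what glibc's FORTIFY check caught here. The following is an added example, not code from reaver-wps or walsh, showing how a scanner can parse the same data defensively: it treats every length field (both the 802.11 element lengths and the 16-bit attribute lengths inside the WPS vendor element) as untrusted, clamps the SSID copy to its fixed buffer, and rejects a malformed frame instead of reading past it. The element IDs (0 for SSID, 221 for vendor specific), the WPS OUI/type 00:50:F2/0x04 and the attribute numbers 0x104A (Version) and 0x1057 (AP Setup Locked) come from the 802.11 and WPS specifications; the two sample frames are constructed, and the function names are mine.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not walsh code: every length field below is untrusted input. */
#define IE_SSID          0       /* 802.11 element ID: SSID */
#define IE_VENDOR        221     /* 802.11 element ID: vendor specific */
#define WPS_ATTR_VERSION 0x104A  /* WPS attribute: Version */
#define WPS_ATTR_LOCKED  0x1057  /* WPS attribute: AP Setup Locked */
#define SSID_MAX         32
struct ie { uint8_t id; uint8_t len; const uint8_t *data; };

/* Walk the tag area; -1 as soon as a header or declared length runs past buf_len. */
static int parse_tagged_params(const uint8_t *buf, size_t buf_len,
                               struct ie *out, size_t max_out)
{
    size_t off = 0;
    int count = 0;
    while (off < buf_len) {
        if (buf_len - off < 2) return -1;          /* 2-byte header missing */
        uint8_t id = buf[off], len = buf[off + 1];
        if (len > buf_len - off - 2) return -1;    /* body overruns buffer */
        if ((size_t)count < max_out) {
            out[count].id = id;
            out[count].len = len;
            out[count].data = buf + off + 2;
        }
        count++;
        off += 2 + (size_t)len;
    }
    return count;
}

/* Copy an SSID into a fixed buffer: an element may claim up to 255 bytes,
 * so the copy is clamped to SSID_MAX regardless of ie->len. */
static size_t copy_ssid(const struct ie *ie, char dst[SSID_MAX + 1])
{
    size_t n = ie->len > SSID_MAX ? SSID_MAX : ie->len;
    memcpy(dst, ie->data, n);
    dst[n] = '\0';
    return n;
}

/* Return the WPS vendor element (OUI 00:50:F2, type 0x04) or NULL. */
static const struct ie *find_wps_ie(const struct ie *ies, int n)
{
    static const uint8_t wps_oui[4] = { 0x00, 0x50, 0xF2, 0x04 };
    for (int i = 0; i < n; i++)
        if (ies[i].id == IE_VENDOR && ies[i].len >= 4 &&
            memcmp(ies[i].data, wps_oui, 4) == 0)
            return &ies[i];
    return NULL;
}

/* Find a WPS attribute (big-endian 16-bit type and length) inside the element;
 * returns its length and sets *val, or -1 if absent or malformed. */
static int wps_find_attr(const struct ie *wps, uint16_t type, const uint8_t **val)
{
    if (wps->len < 4) return -1;
    const uint8_t *p = wps->data + 4;              /* skip OUI + type */
    size_t left = wps->len - 4;
    while (left >= 4) {
        uint16_t t = (uint16_t)((p[0] << 8) | p[1]);
        uint16_t l = (uint16_t)((p[2] << 8) | p[3]);
        if (l > left - 4) return -1;               /* attribute overruns element */
        if (t == type) { *val = p + 4; return l; }
        p += 4 + l;
        left -= 4 + l;
    }
    return -1;
}

struct scan_result { int ok; char ssid[SSID_MAX + 1]; int wps_version, wps_locked; };

/* What a scanner would print for one frame; ok == 0 means skip the frame. */
static struct scan_result scan_frame(const uint8_t *tags, size_t n)
{
    struct scan_result r = { 0, "", -1, -1 };
    struct ie ies[32];
    int count = parse_tagged_params(tags, n, ies, 32);
    if (count < 0) return r;
    if (count > 32) count = 32;
    for (int i = 0; i < count; i++)
        if (ies[i].id == IE_SSID) copy_ssid(&ies[i], r.ssid);
    const struct ie *wps = find_wps_ie(ies, count);
    const uint8_t *v;
    if (wps && wps_find_attr(wps, WPS_ATTR_VERSION, &v) == 1) r.wps_version = v[0];
    if (wps && wps_find_attr(wps, WPS_ATTR_LOCKED, &v) == 1) r.wps_locked = v[0];
    r.ok = 1;
    return r;
}

/* Constructed sample tag areas (not from the reporter's pcap). */
static const uint8_t good_tags[] = {
    0x00, 0x04, 't', 'e', 's', 't',                 /* SSID "test" */
    0x03, 0x01, 0x06,                               /* DS parameter set: channel 6 */
    0xDD, 0x0E, 0x00, 0x50, 0xF2, 0x04,             /* vendor element, WPS, 14 bytes */
          0x10, 0x4A, 0x00, 0x01, 0x10,             /*   Version = 0x10 (1.0) */
          0x10, 0x57, 0x00, 0x01, 0x01              /*   AP Setup Locked = 1 */
};
/* Same frame, vendor length byte corrupted to 0x40: claims 64 bytes, 14 remain. */
static const uint8_t bad_tags[] = {
    0x00, 0x04, 't', 'e', 's', 't', 0x03, 0x01, 0x06,
    0xDD, 0x40, 0x00, 0x50, 0xF2, 0x04,
          0x10, 0x4A, 0x00, 0x01, 0x10, 0x10, 0x57, 0x00, 0x01, 0x01
};

int main(void)
{
    struct scan_result r = scan_frame(good_tags, sizeof good_tags);
    if (r.ok) printf("ESSID=%s WPS version=%d.%d locked=%d\n", r.ssid,
                     r.wps_version >> 4, r.wps_version & 0xF, r.wps_locked);
    if (!scan_frame(bad_tags, sizeof bad_tags).ok) printf("malformed frame skipped\n");
    return 0;
}
```

The two checks that matter are `len > buf_len - off - 2` on the outer chain and `l > left - 4` on the inner WPS attributes: each compares the declared length against what is actually left in the buffer before the body is touched. Dropping the frame on the first violation is the right response for a passive scanner, since the corrupted captures the developer mentions are exactly the input that would otherwise drive the copy past the fixed-size buffer.
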
GoogleCodeExporter commented 8 years ago
Thanks. Good job.

Original comment by mmare...@gmail.com on 9 Jan 2012 at 7:28