/*[ ethereal[v0.10.*]: (AFP) remote format string exploit. ] *********
*
* by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)
*
* compile:
* gcc xethereal-afp-fmt.c -o xethereal-afp-fmt
*
* ethereal homepage/url:
* http://www.ethereal.com
*
* syntax:
* ./xethereal-afp-fmt [-spSrPanc] -h host
*
* vulnerable versions:
* v0.10.0 to v0.10.11 (v0.9.* and below not affected)
*
* fix:
* packet-afp.c:1733:-proto_item_set_text(item, rep);
* packet-afp.c:1733:+proto_item_set_text(item, "%s", rep);
*
* Ethereal is used by network professionals around the world for
* troubleshooting, analysis, software and protocol development,
* and education. It has all of the standard features you would
* expect in a protocol analyzer, and several features not seen in
* any other product. Its open source license allows talented
* experts in the networking community to add enhancements. It runs
* on all popular computing platforms, including Unix, Linux, and
* Windows.
*
* ethereal (v0.10.0 to v0.10.11) contains a remotely exploitable
* format string bug in its AFP dissector code (packet-afp.c).
*
* the vulnerable code is located in packet-afp.c in the
* dissect_reply_afp_get_server_param() function. this function
* uses get_name() to pluck a string (the "volume" name) straight
* out of the packet and then passes it to proto_item_set_text() as
* the printf-style format string itself, rather than as an argument
* to a fixed "%s" format. any conversion specifiers in the volume
* name are therefore interpreted instead of being printed.
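* the following is an added illustration, not code from ethereal or
* from this exploit: a stand-in proto_item_set_text() modelled on the
* printf-style signature the advisory describes, with the vulnerable
* caller from packet-afp.c:1733 beside the fixed one, plus a small
* triage check that counts conversion directives in a packet-supplied
* string. the proto_item struct, the LABEL_MAX size and the sample
* volume names are constructed for the demo and are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LABEL_MAX 128   /* assumed label size, not Ethereal's */

/* Minimal stand-in (assumed) for the proto tree item whose label
 * proto_item_set_text() fills in. */
typedef struct {
    char text[LABEL_MAX];
} proto_item;

/* Stand-in for Ethereal's proto_item_set_text(): a printf-style sink.
 * Whatever arrives as `format` is interpreted by vsnprintf(). */
static void proto_item_set_text(proto_item *pi, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(pi->text, sizeof pi->text, format, ap);
    va_end(ap);
}

/* The pattern quoted from packet-afp.c:1733 before the fix: `rep`, the
 * volume name lifted out of the packet by get_name(), becomes the
 * format string itself. */
static void label_volume_vulnerable(proto_item *pi, const char *rep)
{
    proto_item_set_text(pi, rep);
}

/* The fixed form: a constant format, with the packet data as an argument. */
static void label_volume_fixed(proto_item *pi, const char *rep)
{
    proto_item_set_text(pi, "%s", rep);
}

/* Render one volume name through either caller and return the label. */
static const char *render_label(const char *rep, int use_fix)
{
    static proto_item pi;
    if (use_fix)
        label_volume_fixed(&pi, rep);
    else
        label_volume_vulnerable(&pi, rep);
    return pi.text;
}

/* Count conversion directives in a packet-supplied string. Anything other
 * than the literal "%%" escape would make vsnprintf() consume arguments
 * that were never passed (or, with "%n", write through one), so a
 * non-zero count on a captured AFP reply is worth a closer look. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed volume names. "Data%%Vol" keeps the demo well defined
     * (no arguments are consumed) while still showing the string being
     * interpreted rather than copied; the hostile one is only counted. */
    const char *benign  = "Data%%Vol";
    const char *hostile = "%x%x%x%n";

    printf("vulnerable: \"%s\" -> \"%s\"\n", benign, render_label(benign, 0));
    printf("fixed:      \"%s\" -> \"%s\"\n", benign, render_label(benign, 1));
    printf("directives in \"%s\": %d\n", hostile,
           count_format_directives(hostile));
    return 0;
}
```

* the vulnerable caller turns "Data%%Vol" into "Data%Vol" because the
* volume name was parsed as a format; the fixed caller reproduces it
* byte for byte. with real "%x"/"%n" directives the vulnerable path
* reads and writes through arguments that were never supplied, which
* is the primitive this exploit builds on.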
*
* this exploit delivers the packets over the DSI/afpovertcp TCP port
* (548). that port does NOT have to be open on the target, since the
* sniffer dissects whatever it sees on the wire: you can send spoofed
* packets, or connect to a different port (explained in the next
* paragraph) to get the job done.
*
* if no dissector is registered for the destination port, ethereal
* may fall back to the source port to decide which dissector to run
* on a packet. this means ANY destination port may be used, provided
* no dissector is registered for it, as long as 548 is the source
* port. (i.e. port 80 won't work, but port 1234 will)