CERTCC / PoC-Exploits

Select proof-of-concept exploits for software vulnerabilities to aid in identifying and testing vulnerable systems.
BSD 3-Clause "New" or "Revised" License

Resolved Issue #7 compatibility issues with new kernel and scapy #8

Closed sei-vsarvepalli closed 5 months ago

sei-vsarvepalli commented 3 years ago

This is to resolve issue #7 with newer versions of scapy and the kernel that now make this code incompatible. The behavior of pppd/modem abrupt hangup when sending a large payload is normal, as tested.

@trentn is being added as a reviewer, but it is not critical if you are unable to test this out.

Vijay

dansmits commented 3 years ago

The code executes and I captured a buffer overflow in wireshark, but it did not crash the pppd server and claimed it did not get a return response from the server despite capturing one in wireshark. This was done using pppd version 2.4.7 and pptpd v1.4.0 on openwrt 18.06.1. (screenshot: wireshark output)

sei-vsarvepalli commented 3 years ago

> The code executes and I captured a buffer overflow in wireshark, but it did not crash the pppd server and claimed it did not get a return response from the server despite capturing one in wireshark. This was done using pppd version 2.4.7 and pptpd v1.4.0 on openwrt 18.06.1. (screenshot: wireshark output)

Hello Dan,

Hopefully you checked that the interface is "eth0"; it is assumed in the code, which could be wrong if your kali box has a different interface.

Can you turn on debugging on the pptpd server using the "debug" option in /etc/ppp/pptpd-options or the equivalent file referred to in your pptpd.conf? Send me the debug data so we can see what exactly the EAP response is.

The crash may not happen if you are on MIPS or some other architecture, too. We may need to detect on the server what exactly pppd is doing with the excess payload sent as "AAA...".

Vijay

dansmits commented 3 years ago

Yes, my network device is eth0. The device we are testing on is MIPS. Here is a screenshot of the server log. (screenshot: server log)

When I run it against a VM of Ubuntu 14.04 I get this: (two screenshots)

dansmits commented 3 years ago

I changed my options file to match yours, as I was previously configured for EAP-TLS in Ubuntu 14.04, and got the following: (screenshot) I also found more details in the syslog: (screenshot) The PPTPD still did not crash, but also did not respond after the overflow packet. (screenshot)

sei-vsarvepalli commented 3 years ago

> I changed my options file to match yours, as I was previously configured for EAP-TLS in Ubuntu 14.04, and got the following: (screenshot) I also found more details in the syslog: (screenshot) The PPTPD still did not crash, but also did not respond after the overflow packet. (screenshot)

Hello Dan,

Let me know what the earlier options were that did not cause ppp to crash. I can try to update my script to other possible nuance scenarios. Detection of this event is sort of tricky across architectures and implementations. So without looking at the logs on the server, it seems difficult to know the success of the buffer overflow. The only way to be sure is to write an exploit that can act like a downloader and ping back. It will take a lot of time, as I heard from our attack development engineer (Trent), who I work with.

Vijay