Full Disclosure mailing list archives
Re: Win32 Cisco Exploit
From: "Joel R. Helgeson" <joel () helgeson com>
Date: Thu, 24 Jul 2003 11:43:39 -0500
I just tested it against one of my test cisco routers. nuthin happened. "Give a man fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life." ----- Original Message ----- From: "amilabs" <amilabs () optonline net> To: "'amilabs'" <amilabs () optonline net>; <koec () hush com>; <full-disclosure () lists netsys com> Sent: Thursday, July 24, 2003 9:36 AM Subject: RE: [Full-disclosure] Win32 Cisco Exploit
I meant to say it does NOT generate the correct type of packets below in the last email I sent -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of amilabs Sent: Thursday, July 24, 2003 9:57 AM To: koec () hush com; full-disclosure () lists netsys com Subject: RE: [Full-disclosure] Win32 Cisco Exploit According to protocol trace file analysis it does generate the correct types of packets to cause the exploit. Both the gui and the cmd line send the packets out with ttl 128 and with 0 as the next protocol in the IP header. This is what the app spits out. I did not test against a router just took a quick peek with a protocol analyzer and it does not look like it will work based on the packet trace. Can someone tell me otherwise? ------------ ETHER Header ------------ Destination: 00-03-A3-43-78-6B Source: This Network Analyzer (00-04-55-2D-F8-A7) Protocol: IP FCS: E67BCBFA ------------ IP Header ------------ Version = 4 Header length = 20 Differentiated Services (DS) Field = 0x00 0000 00.. DS Codepoint = Default PHB (0) .... ..00 Unused Packet length = 40 Id = 1ed4 Fragmentation Info = 0x0000 .0.. .... .... .... Don't Fragment Bit = FALSE ..0. .... .... .... More Fragments Bit = FALSE ...0 0000 0000 0000 Fragment offset = 0 Time to live = 128 Protocol = 0 (0) Header checksum = 04EB (Verified 04EB) Source address = 10.1.1.28 Destination address = 10.1.1.250 20 bytes of data Record #22 (From Node To Hub) Captured on 7/24/2003 at 09:50:56.437327771 Length = 64 Frame Data: (Length = 64) 0: 00 08 A3 4D 78 6B 00 02 55 5D F8 A7 08 00 45 00 ...Mxk.. U]....E. 16: 00 28 1E D4 00 00 80 00 04 EB 0A 01 01 1C 0A 01 .(...... ........ 32: 01 FA 45 10 00 14 2E 31 40 00 00 37 C1 76 7F 00 ..E....1 @..7.v.. 48: 00 01 0A 01 01 FA 00 00 00 00 00 00 E6 7B CB FA ........ .....{.. -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of koec () hush com Sent: Wednesday, July 23, 2003 5:18 PM To: full-disclosure () lists netsys com Subject: [Full-disclosure] Win32 Cisco Exploit Attached is a win32 version of the Cisco Exploit with a nice GUI. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Win32 Cisco Exploit koec (Jul 23)
- RE: Win32 Cisco Exploit amilabs (Jul 24)
- MS03-031 rollup missing a patch? Geo. (Jul 24)
- Re: MS03-031 rollup missing a patch? Jensenne Roculan (Jul 24)
- RE: Win32 Cisco Exploit amilabs (Jul 24)
- Re: Win32 Cisco Exploit Joel R. Helgeson (Jul 24)
- RE: Win32 Cisco Exploit amilabs (Jul 24)
- MS03-031 rollup missing a patch? Geo. (Jul 24)
- RE: Win32 Cisco Exploit amilabs (Jul 24)
- <Possible follow-ups>
- RE: Win32 Cisco Exploit Leif Sawyer (Jul 24)
- Re: Win32 Cisco Exploit Michael Scheidell (Jul 24)
- RE: Win32 Cisco Exploit Bojan Zdrnja (Jul 24)
- Re: Win32 Cisco Exploit Michael Scheidell (Jul 24)
- Re: Win32 Cisco Exploit olafandjasper (Jul 24)