Full Disclosure mailing list archives
RE: [despammed] Win32 Cisco Exploit
From: "Eric Appelboom" <eric () mweb com>
Date: Thu, 24 Jul 2003 20:03:13 +0200
I also tested on a couple routers, no luck.

---snip
Strings CiscoKill.exe
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..
access %1 past its end.0An attempt was made to read from the writing %1.
%1 has a bad format."%1 contained an unexpected object.
%1 contains an incorrect schema.
#Unable to load mail system support.
Mail system DLL is invalid.!Send Mail failed to send message.
pixels
%1: %2
Continue running script?
Dispatch exception: %1
Uncheck
Check
Mixed
----

Why mail?? Didn't see any suspect packets on tcp or udp didn't check other protocols.

-----Original Message-----
From: Joel R. Helgeson [mailto:joel () helgeson com]
Sent: 24 July 2003 06:44 PM
To: full-disclosure () lists netsys com

I just tested it against one of my test cisco routers. nuthin happened.

"Give a man fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life."

----- Original Message -----
From: "amilabs" <amilabs () optonline net>
To: "'amilabs'" <amilabs () optonline net>; <koec () hush com>; <full-disclosure () lists netsys com>
Sent: Thursday, July 24, 2003 9:36 AM
Subject: RE: [Full-disclosure] Win32 Cisco Exploit

I meant to say it does NOT generate the correct type of packets below in the last email I sent

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of amilabs
Sent: Thursday, July 24, 2003 9:57 AM
To: koec () hush com; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Win32 Cisco Exploit

According to protocol trace file analysis it does generate the correct types of packets to cause the exploit. Both the gui and the cmd line send the packets out with ttl 128 and with 0 as the next protocol in the IP header. This is what the app spits out. I did not test against a router just took a quick peek with a protocol analyzer and it does not look like it will work based on the packet trace. Can someone tell me otherwise?

------------ ETHER Header ------------
Destination: 00-03-A3-43-78-6B
Source: This Network Analyzer (00-04-55-2D-F8-A7)
Protocol: IP
FCS: E67BCBFA
------------ IP Header ------------
Version = 4
Header length = 20
Differentiated Services (DS) Field = 0x00
0000 00.. DS Codepoint = Default PHB (0)
.... ..00 Unused
Packet length = 40
Id = 1ed4
Fragmentation Info = 0x0000
.0.. .... .... .... Don't Fragment Bit = FALSE
..0. .... .... .... More Fragments Bit = FALSE
...0 0000 0000 0000 Fragment offset = 0
Time to live = 128
Protocol = 0 (0)
Header checksum = 04EB (Verified 04EB)
Source address = 10.1.1.28
Destination address = 10.1.1.250
20 bytes of data
Record #22 (From Node To Hub) Captured on 7/24/2003 at 09:50:56.437327771 Length = 64
Frame Data: (Length = 64)
 0: 00 08 A3 4D 78 6B 00 02 55 5D F8 A7 08 00 45 00 ...Mxk.. U]....E.
16: 00 28 1E D4 00 00 80 00 04 EB 0A 01 01 1C 0A 01 .(...... ........
32: 01 FA 45 10 00 14 2E 31 40 00 00 37 C1 76 7F 00 ..E....1 @..7.v..
48: 00 01 0A 01 01 FA 00 00 00 00 00 00 E6 7B CB FA ........ .....{..

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of koec () hush com
Sent: Wednesday, July 23, 2003 5:18 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Win32 Cisco Exploit

Attached is a win32 version of the Cisco Exploit with a nice GUI.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html