RE: [despammed] [Full-Disclosure] Win32 Cisco Exploit

From: Eric Appelboom (eric_at_mweb.com)
Date: 07/24/03

  • Next message: Richard M. Smith: "RE: Re: [Full-Disclosure] morning_wood should stop posting xss" 
    To: <full-disclosure@lists.netsys.com>
Date: Thu, 24 Jul 2003 20:03:13 +0200

    I also tested on a couple routers, no luck.
    ---snip
    Strings CiscoKill.exe

    Disk full while accessing %1..An attempt was made to access %1 past its
    end.
    No error occurred.-An unknown error occurred while accessing %1./An
    attempt was made to write to the reading %1..
     access %1 past its end.0An attempt was made to read from the writing
    %1.
    %1 has a bad format."%1 contained an unexpected object. %1 contains an
    incorrect schema.
    #Unable to load mail system support.
    Mail system DLL is invalid.!Send Mail failed to send message.
    pixels
    %1: %2
    Continue running script?
    Dispatch exception: %1
    Uncheck
    Check
    Mixed 

    ----
Why mail??
Didnt see any suspect packets on tcp or udp didn't check other
protocols.
-----Original Message-----
From: Joel R. Helgeson [mailto:joel@helgeson.com] 
Sent: 24 July 2003 06:44 PM
To: full-disclosure@lists.netsys.com
I just tested it against one of my test cisco routers.
nuthin happened.
"Give a man fire, and he'll be warm for a day; set a man on fire, and
he'll
be warm for the rest of his life."
----- Original Message ----- 
From: "amilabs" <amilabs@optonline.net>
To: "'amilabs'" <amilabs@optonline.net>; <koec@hush.com>;
<full-disclosure@lists.netsys.com>
Sent: Thursday, July 24, 2003 9:36 AM
Subject: RE: [Full-Disclosure] Win32 Cisco Exploit
> I meant to say it does NOT generate the correct type of packets below
in
> the last email I sent
>
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of amilabs
> Sent: Thursday, July 24, 2003 9:57 AM
> To: koec@hush.com; full-disclosure@lists.netsys.com
> Subject: RE: [Full-Disclosure] Win32 Cisco Exploit
>
>
> According to protocol trace file analysis it does generate the correct
> types of packets to cause the exploit. Both the gui and the cmd line
> send the packets out with ttl 128 and with 0 as the next protocol in
the
> IP header. This is what the app spits out. I did not test against a
> router just took a quick peek with a protocol analyzer and it does not
> look like it will work based on the packet trace. Can someone tell me
> otherwise?
>
> ------------  ETHER Header  ------------
> Destination: 00-03-A3-43-78-6B
> Source: This Network Analyzer (00-04-55-2D-F8-A7)
> Protocol: IP
> FCS: E67BCBFA
>
> ------------  IP Header  ------------
> Version = 4
> Header length = 20
> Differentiated Services (DS) Field = 0x00
>     0000 00.. DS Codepoint = Default PHB (0)
>     .... ..00 Unused
> Packet length = 40
> Id = 1ed4
> Fragmentation Info = 0x0000
>     .0.. ....  .... .... Don't Fragment Bit = FALSE
>     ..0. ....  .... .... More Fragments Bit = FALSE
>     ...0 0000  0000 0000 Fragment offset = 0
> Time to live = 128
> Protocol = 0 (0)
> Header checksum = 04EB (Verified 04EB)
> Source address = 10.1.1.28
> Destination address = 10.1.1.250
> 20 bytes of data
>
>  Record #22      (From Node To Hub) Captured on 7/24/2003 at
> 09:50:56.437327771 Length =    64
>
> Frame Data: (Length = 64)
>     0: 00 08 A3 4D 78 6B 00 02    55 5D F8 A7 08 00 45 00   ...Mxk..
> U]....E.
>    16: 00 28 1E D4 00 00 80 00    04 EB 0A 01 01 1C 0A 01   .(......
> ........
>    32: 01 FA 45 10 00 14 2E 31    40 00 00 37 C1 76 7F 00   ..E....1
> @..7.v..
>    48: 00 01 0A 01 01 FA 00 00    00 00 00 00 E6 7B CB FA   ........
> .....{..
>
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
> koec@hush.com
> Sent: Wednesday, July 23, 2003 5:18 PM
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] Win32 Cisco Exploit
>
>
> Attached is a win32 version of the Cisco Exploit with a nice GUI.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
----------------------------------------------
Filtered by despammed.com.  Tracer: MAA159361059067286
Remember: you can forward any spam that slips through the filters
to the abuse desk here at Despammed.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
  • Next message: Richard M. Smith: "RE: Re: [Full-Disclosure] morning_wood should stop posting xss"