RE: [despammed] [Full-Disclosure] Win32 Cisco Exploit

From: Chris Paget (chrisp_at_ngssoftware.com)
Date: 07/24/03

  • Next message: Michal Zalewski: "[Full-Disclosure] Certain operating systems can be sometimes locally DoSed when running on particular types of hardware with certain versions of BIOS in specific multiboot configurations (and you thought XSS is too much?)"
    To: Eric Appelboom <eric@mweb.com>
    Date: Thu, 24 Jul 2003 16:38:37 -0400 (Eastern Daylight Time)
    
    

    I just ran this in a virtual machine while monitoring all registry, filesystem,
    and network traffic. A quick analysis:

    CiscoKill.exe just calls CiscoBug.exe; it does nothing other than that.
    Ciscobug sends packets to the target (without spoofing the source address), but
    as far as I can tell it won't work. It doesn't manipulate the TTL, neither does
    it manipulate the protocol number; the TTL is left default (128), while the
    protocol number is set to zero - exactly as Amilabs said.

    Another thing it doesn't do is drop any trojans, registry keys, or anything
    else. It does some interesting-looking scanning in
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32\, but it doesn't
    appear to write to any registry keys or files. I have all the logs, if anyone
    wants them.

    So basically, a functionally inert piece of software, but one which gave us
    something to do...

    Chris

    On Thu, 24 Jul 2003, Eric Appelboom wrote:

    >
    > I also tested on a couple routers, no luck.
    > ---snip
    > Strings CiscoKill.exe
    >
    > Disk full while accessing %1..An attempt was made to access %1 past its
    > end.
    > No error occurred.-An unknown error occurred while accessing %1./An
    > attempt was made to write to the reading %1..
    > access %1 past its end.0An attempt was made to read from the writing
    > %1.
    > %1 has a bad format."%1 contained an unexpected object. %1 contains an
    > incorrect schema.
    > #Unable to load mail system support.
    > Mail system DLL is invalid.!Send Mail failed to send message.
    > pixels
    > %1: %2
    > Continue running script?
    > Dispatch exception: %1
    > Uncheck
    > Check
    > Mixed
    > ----
    >
    > Why mail??
    > Didn't see any suspect packets on TCP or UDP; didn't check other
    > protocols.
    >
    > -----Original Message-----
    > From: Joel R. Helgeson [mailto:joel@helgeson.com]
    > Sent: 24 July 2003 06:44 PM
    > To: full-disclosure@lists.netsys.com
    >
    > I just tested it against one of my test cisco routers.
    > nuthin happened.
    >
    > "Give a man fire, and he'll be warm for a day; set a man on fire, and
    > he'll
    > be warm for the rest of his life."
    > ----- Original Message -----
    > From: "amilabs" <amilabs@optonline.net>
    > To: "'amilabs'" <amilabs@optonline.net>; <koec@hush.com>;
    > <full-disclosure@lists.netsys.com>
    > Sent: Thursday, July 24, 2003 9:36 AM
    > Subject: RE: [Full-Disclosure] Win32 Cisco Exploit
    >
    >
    > > I meant to say it does NOT generate the correct type of packets below in
    > > the last email I sent
    > >
    > > -----Original Message-----
    > > From: full-disclosure-admin@lists.netsys.com
    > > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of amilabs
    > > Sent: Thursday, July 24, 2003 9:57 AM
    > > To: koec@hush.com; full-disclosure@lists.netsys.com
    > > Subject: RE: [Full-Disclosure] Win32 Cisco Exploit
    > >
    > >
    > > According to protocol trace file analysis it does generate the correct
    > > types of packets to cause the exploit. Both the gui and the cmd line
    > > send the packets out with ttl 128 and with 0 as the next protocol in the
    > > IP header. This is what the app spits out. I did not test against a
    > > router just took a quick peek with a protocol analyzer and it does not
    > > look like it will work based on the packet trace. Can someone tell me
    > > otherwise?
    > >
    > > ------------ ETHER Header ------------
    > > Destination: 00-03-A3-43-78-6B
    > > Source: This Network Analyzer (00-04-55-2D-F8-A7)
    > > Protocol: IP
    > > FCS: E67BCBFA
    > >
    > > ------------ IP Header ------------
    > > Version = 4
    > > Header length = 20
    > > Differentiated Services (DS) Field = 0x00
    > > 0000 00.. DS Codepoint = Default PHB (0)
    > > .... ..00 Unused
    > > Packet length = 40
    > > Id = 1ed4
    > > Fragmentation Info = 0x0000
    > > .0.. .... .... .... Don't Fragment Bit = FALSE
    > > ..0. .... .... .... More Fragments Bit = FALSE
    > > ...0 0000 0000 0000 Fragment offset = 0
    > > Time to live = 128
    > > Protocol = 0 (0)
    > > Header checksum = 04EB (Verified 04EB)
    > > Source address = 10.1.1.28
    > > Destination address = 10.1.1.250
    > > 20 bytes of data
    > >
    > > Record #22 (From Node To Hub) Captured on 7/24/2003 at
    > > 09:50:56.437327771 Length = 64
    > >
    > > Frame Data: (Length = 64)
    > > 0: 00 08 A3 4D 78 6B 00 02 55 5D F8 A7 08 00 45 00 ...Mxk..U]....E.
    > > 16: 00 28 1E D4 00 00 80 00 04 EB 0A 01 01 1C 0A 01 .(..............
    > > 32: 01 FA 45 10 00 14 2E 31 40 00 00 37 C1 76 7F 00 ..E....1@..7.v..
    > > 48: 00 01 0A 01 01 FA 00 00 00 00 00 00 E6 7B CB FA .............{..
    > >
    > > -----Original Message-----
    > > From: full-disclosure-admin@lists.netsys.com
    > > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
    > > koec@hush.com
    > > Sent: Wednesday, July 23, 2003 5:18 PM
    > > To: full-disclosure@lists.netsys.com
    > > Subject: [Full-Disclosure] Win32 Cisco Exploit
    > >
    > >
    > > Attached is a win32 version of the Cisco Exploit with a nice GUI.
    > >
    > >
    > > _______________________________________________
    > > Full-Disclosure - We believe in it.
    > > Charter: http://lists.netsys.com/full-disclosure-charter.html
    > >
    > >
    > >
    >
    >
    >
    >
    >
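The thread's conclusion (TTL left at 128, IP protocol number 0, header checksum 04EB) can be checked directly against the raw frame amilabs pasted rather than trusting the analyzer's decode. The following is an added example, not code from any of the posters or from the tool under discussion: it parses the Ethernet II and IPv4 headers from the hex gutter of the quoted dump, recomputes the RFC 791 header checksum, and lists what an analyst would flag. The only input is the 64 hex bytes transcribed from the post; note that the raw bytes give slightly different MAC addresses from the analyzer's decoded "ETHER Header" block above (a transcription slip in the post, most likely), so the code reports what the bytes say. Field names and the `anomalies` helper are this example's own.

```python
"""Decode the outer Ethernet/IPv4 headers of a captured frame and verify
the IPv4 header checksum.  Added example; not code from the thread."""
import struct
import ipaddress

# The 64-byte frame dump quoted in the thread, hex columns only (ASCII
# gutter dropped).  Transcribed from the post, not captured here.
FRAME_HEX = """
00 08 A3 4D 78 6B 00 02 55 5D F8 A7 08 00 45 00
00 28 1E D4 00 00 80 00 04 EB 0A 01 01 1C 0A 01
01 FA 45 10 00 14 2E 31 40 00 00 37 C1 76 7F 00
00 01 0A 01 01 FA 00 00 00 00 00 00 E6 7B CB FA
"""

ETHERTYPE_IPV4 = 0x0800


def parse_hex_dump(text: str) -> bytes:
    """Turn whitespace-separated hex pairs into bytes."""
    return bytes.fromhex("".join(text.split()))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement
    sum of the header's 16-bit words.  Over a header whose checksum field
    is zeroed this yields the value to store; over a complete, correct
    header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", header):
        total += word
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet II + IPv4 headers and return the fields needed to
    check a claim such as "TTL 128, protocol 0"."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("frame too short for an IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")

    # Recompute the checksum with the checksum field (offset 10) zeroed.
    expected = ipv4_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl])

    return {
        "dst_mac": dst_mac.hex(":"),
        "src_mac": src_mac.hex(":"),
        "total_length": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,
        "checksum": hdr_csum,
        "checksum_ok": hdr_csum == expected,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload_len": total_len - ihl,
    }


def anomalies(fields: dict) -> list:
    """What a defender would want flagged: protocol 0 is reserved and no
    IPv4 transport uses it, and a bad header checksum means the packet is
    discarded before any protocol handler sees it."""
    notes = []
    if fields["protocol"] == 0:
        notes.append("IPv4 protocol number 0 (reserved; no transport uses it)")
    if not fields["checksum_ok"]:
        notes.append("IPv4 header checksum mismatch")
    return notes


if __name__ == "__main__":
    fields = decode_frame(parse_hex_dump(FRAME_HEX))
    for key, value in fields.items():
        print(f"{key:14} {value}")
    print("anomalies:", anomalies(fields))
```

Run as-is it prints the decoded fields and the single anomaly (protocol 0) for the quoted frame; the recomputed checksum comes out to 0x04EB, matching the analyzer's "Verified 04EB", and the 20-byte payload matches the "20 bytes of data" line. Pointing `FRAME_HEX` at any other Ethernet/IPv4 dump gives the same check, which is a quicker way to confirm or refute a "this tool sends packets with TTL x and protocol y" claim than running the binary again.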

