Showing 1 - 25 of 25

Files from FX

Email address: fx at phenoelit.de
First Active: 2000-06-13
Last Active: 2012-11-23
Router Exploitation
Posted Nov 23, 2012
Authored by FX | Site recurity-labs.com

This is a presentation called Router Exploitation. It was given at BlackHat 2009. It discusses various vendors such as Cisco, Juniper, Huawei, and more.

tags | paper
systems | cisco, juniper
SHA-256 | d251e8ce38047dd92c1a121ab52dccf2904bfc18ca85475675ae8202a6a1241d
Cisco CUCM Directory Traversal / Reversible Obfuscation
Posted Nov 8, 2011
Authored by FX, Sandro Gauci | Site recurity-labs.com

The Cisco CUCM environment and the IP Phone CP-7975G suffer from a directory traversal, a reversible obfuscation algorithm, and security issues related to SCCP, CTFTP, and Voice VLAN separation. Versions 7.0 and 8.0(2) are affected.

tags | exploit, file inclusion
systems | cisco
SHA-256 | 17aa1f350cac49473ed6962ed0fc3ece5a0474aa8fa99f6df2c4f4751b652bc7
Cisco IOS Router Exploitation
Posted Jul 26, 2009
Authored by FX | Site recurity-labs.com

Whitepaper called Cisco IOS Router Exploitation. This paper describes the challenges of exploiting memory corruption software vulnerabilities in Cisco IOS. The goal is to map out the problem space so that future developments can be anticipated, as current research suggests that such vulnerabilities are not currently being exploited in the wild. By understanding the challenges that an attacker faces, defensive strategies can be better planned, a required evolution given the current state of Cisco IOS router networks.

tags | paper, vulnerability
systems | cisco
SHA-256 | c8f425e5b59d8610a92403e4d24fbd0a74109b64e2b2600c739f8f66b44a6701
aklink-sa-2008-006-opera-heap-overflow.txt
Posted May 28, 2008
Authored by FX, Alexander Klink | Site cynops.de

Opera versions below 9.25 are susceptible to a heap-based buffer overflow that allows for a denial of service and possibly code execution.

tags | advisory, denial of service, overflow, code execution
advisories | CVE-2007-6521
SHA-256 | f6dc341cce8dd3f5bc84c05a0c44cde29463acefebfde3867a34bf222e7aabf7
RecurityLabs_Cisco_ACS_UCP_advisory.txt
Posted Mar 13, 2008
Authored by FX | Site recurity-labs.com

The Cisco Secure Access Control Server (ACS) for Windows User-Changeable Password (UCP) application suffers from buffer overflow and cross site scripting vulnerabilities. Details provided.

tags | exploit, overflow, vulnerability, xss
systems | cisco, windows
advisories | CVE-2008-0532, CVE-2008-0533
SHA-256 | a242258bd4975d682d6d762fee35ed4b8fd3212690cec9f6401fbc5d74109bb6
Cisco Security Advisory 20080312-ucp
Posted Mar 13, 2008
Authored by FX, Cisco Systems | Site cisco.com

Cisco Security Advisory - Two sets of vulnerabilities were discovered in the Cisco Secure Access Control Server (ACS) for Windows User-Changeable Password (UCP) application. The first set of vulnerabilities address several buffer overflow conditions in the UCP application that could result in remote execution of arbitrary code on the host system where UCP is installed. The second set of vulnerabilities address cross-site scripting in the UCP application pages.

tags | advisory, remote, overflow, arbitrary, vulnerability, xss
systems | cisco, windows
advisories | CVE-2008-0532, CVE-2008-0533
SHA-256 | f88707ab17b43b63e07bb9e4fd28777a8d510ea5523d765ef65f2564020d2700
r3mote_win_UDPexec.pl.txt
Posted Nov 14, 2006
Authored by FX

Original Win32 version of the exploit for the gwrd bug in SAP versions below 4.6D patch 1767 and versions below 6.40 patch 4. Allows for remote command execution.

tags | exploit, remote
systems | windows
SHA-256 | 846933d938c8ba642bdaaea38a839367e37ffc3c050691922428ea4ccbdad92d
CiscoVTP.txt
Posted Sep 14, 2006
Authored by FX | Site phenoelit.de

Phenoelit Advisory - Cisco Systems IOS contains bugs when handling the VLAN Trunking Protocol (VTP). Specially crafted packets may cause denial of service conditions, confusion of the network operator and a heap overflow with the possibility for arbitrary code execution.

tags | advisory, denial of service, overflow, arbitrary, code execution, protocol
systems | cisco
SHA-256 | 55835c4dae9bb73bab54d974b898751b7ff9355f4016fc955f35996e0c7aed9f
CiscoGRE.txt
Posted Sep 7, 2006
Authored by FX | Site phenoelit.de

Phenoelit Advisory - Cisco Systems IOS contains a bug when parsing GRE packets with GRE source routing information. A specially crafted GRE packet can cause the router to reuse packet data from unrelated ring buffer memory. The resulting packet is reinjected in the routing queues. Tested on C3550 IOS 12.1(19).

tags | advisory
systems | cisco
SHA-256 | c399511f9b9e38917acdb9d548663a1225fa3fd434df65d78c4c032042e0b87a
JetRoot_pl.txt
Posted Apr 28, 2004
Authored by FX | Site phenoelit.de

Linux root and Windows NT/2000 Administrator remote exploit for HP Web JetAdmin 6.5.

tags | exploit, remote, web, root
systems | linux, windows
SHA-256 | 2313f6c8c3680934ff278d70f97559a0358c9851c286921cd3a616b0ad3e2749
HP_Web_Jetadmin_advisory.txt
Posted Apr 28, 2004
Authored by FX | Site phenoelit.de

Phenoelit Advisory #0815 - Multiple vulnerabilities exist in the HP Web JetAdmin product. Version 6.5 is fully affected. Versions 7.0 and 6.2 and below are partially affected. A vulnerability summary list: Source disclosure of HTS and INC files, real path disclosure of critical files, critical files accessible through web server, user and administrator password disclosure and decryption, user and administrator password replay, and many, many others.

tags | advisory, web, vulnerability
SHA-256 | c69f95a71084e7a828d8795c80a234d4f7bda584394ce675667092d629882a14
iosniff.tgz
Posted Aug 10, 2003
Authored by FX | Site phenoelit.de

Cisco Systems IOS 11.x UDP echo memory leak remote sniffer. The UDP echo service (UDP port 7) has to be enabled on the device. The bug will cause the Cisco router to send about 20 kilobytes of data from the interface buffer pools containing packets in the send/recv/forward queues. This tool will identify IOS memory blocks, find the router specific offset for packets in the block and decode the packet to the screen. Note that this is not a full dump of the traffic through the remote router but rather a subset of received data. Features include a packet checksum cache to prevent repeated output of the same packet, auto identification of packets and buffer offsets, and IPv4 decoding.

tags | remote, udp, memory leak
systems | cisco
SHA-256 | 88c96f5f35ee8e8f230938a70d6e512ac19d921be8f468c01cdb28507adc9a83
CiscoCasumEst.tgz
Posted Aug 10, 2003
Authored by FX | Site phenoelit.de

Cisco IOS 12.x/11.x remote exploit for the HTTP integer overflow using a malformed HTTP GET request and two gigabytes of data.

tags | exploit, remote, web, overflow
systems | cisco
SHA-256 | 7f4a101d2a92a428372a4b1a01844cc8f4d4614537c428b116c224be6b8b346c
libPJL-1.2-src.tgz
Posted Aug 18, 2002
Authored by FX | Site phenoelit.de

PFT is a command line tool to directly communicate with network printers via the Printer Job Language (PJL) using port 9100. Features include full file system access (if installed on printer), environment variable "tuning" and setting of display messages. Platform: Windows and UNIX

tags | tool
systems | windows, unix
SHA-256 | 19747d97327258d03208b5006e9147231649a304fee583dc581d18ef6baf0bfa
Hijetter_exe.zip
Posted Aug 18, 2002
Authored by FX | Site phenoelit.de

Hijetter is a tool to directly communicate with network printers via the Printer Job Language (PJL) using port 9100. Features include full file system access (if installed on printer), environment variable "tuning" and setting of display messages. Platform: Windows

systems | windows
SHA-256 | 3870af38a82823a2f1b72b6532bf696db9adafcf89ddb164ecf54c2ac08bfe60
UltimaRatioVegas.c
Posted Aug 18, 2002
Authored by FX | Site phenoelit.de

Phenoelit Ultima Ratio - Cisco IOS exploitation of a heap overflow, using actual shell code to upload a new config, all in one UDP packet. Exploits an issue in the 11.x IOS TFTP server. Works against Cisco 1600 and 1000 series routers, but is designed as PoC.

tags | exploit, overflow, shell, udp
systems | cisco
SHA-256 | 92eb69ddc50d86688f9ebbb871a850bff12e6f794515a11f2eee91463a3708c2
irpas_0.10.tar.gz
Posted Jan 11, 2002
Authored by FX | Site phenoelit.de

IRPAS is a suite of routing protocol attack tools which sends custom routing protocol packets from the unix command line. It is very useful for searching for new routing protocol vulnerabilities. Included is a tool for sending Cisco Discovery Protocol (CDP) messages, one for injecting IGRP routes, and a scanner for IGRP autonomous systems. Documentation available here.

tags | vulnerability, protocol
systems | cisco, unix
SHA-256 | 6fd6dd1b5ca7eb5e3d6f2d12608a58741756eb2b080c577a322a31af1150b1ce
routing.pdf
Posted Jul 21, 2001
Authored by FX | Site phenoelit.de

Slides for FX's talk at Defcon 2001 on attacking routing protocols.

tags | paper, protocol
SHA-256 | 68e73b3a5647139ae2a8b7ceb88bc2723866a295c5fdd1b4e948cc7d7e738e78
vippr1_1.2.tar.gz
Posted Jul 20, 2001
Authored by FX | Site phenoelit.de

VIPRR 1.1 is the first public beta of a concept study of attack routers. It's a userland virtual router which can be used together with any routing protocol attack tools. One of the most interesting features is the ability to inject packets into GRE tunnels, which makes it possible to perform the RFC1918 hacking attacks described in gre.html without modification of the tools.

tags | protocol
systems | unix
SHA-256 | f1543db4d953ccae8605fd93c2a39617d3e5693a1ebfb2bae6ca957a517416e9
irpas_0.8.tar.gz
Posted Jul 11, 2001
Authored by FX | Site phenoelit.de

IRPAS is a suite of routing protocol attack tools which sends custom routing protocol packets from the unix command line. It is very useful for searching for new routing protocol vulnerabilities. Included is a tool for sending Cisco Discovery Protocol (CDP) messages, one for injecting IGRP routes, and a scanner for IGRP autonomous systems. Documentation available here.

tags | vulnerability, protocol
systems | cisco, unix
SHA-256 | 137b8a73f18383a037c5e6af51cfe6d29c72f38628bd5ce38f1864cf91a8e559
gre.pdf.gz
Posted Dec 23, 2000
Authored by FX | Site phenoelit.de

This paper describes a possible way to attack hosts with RFC1918 IP addresses behind GRE Tunnels over the Internet.

tags | paper, protocol
SHA-256 | f56cd653e16527b61bea075fcdd9e9bd1e145226aa80c22f2f48ba8f4bdd083a
vnx4.c
Posted Sep 18, 2000
Authored by FX | Site phenoelit.de

vnx4.c is a VNC attack program ported to Windows. Features cracking of the password in the registry, online brute force against VNC server or cracking a sniffed challenge/response handshake.

tags | cracker, registry
systems | windows
SHA-256 | a507db549f33869781e20c6631dc821d6eba0651c0cbad494ae78e1b0e831359
wci.c
Posted Jul 5, 2000
Authored by FX | Site phenoelit.de

WCI for Windows is a simple ARP connection interceptor for switched networks and especially for SMB, based on here.

tags | tool, sniffer
systems | windows
SHA-256 | fda9e331bce9095af5cf2eee122fa2031fe096d14e3317387a039576396e2b49
ARP0c2.c
Posted Jun 26, 2000
Authored by FX | Site phenoelit.de

ARP0c2.c - ARP0c2 is a simple and powerful connection interceptor for switched networks. It features ARP redirection/spoofing, automated bridging, automated routing, progressive attacks of known IP connections, network cleanup on exit, and ARP flooding with random IP and Ethernet addresses. Known network connections can be intercepted by adding them to the routing table file. It is completely userland and tested on Linux.

tags | spoof
systems | linux, unix
SHA-256 | d0dc915dfa26416aae4f90e45c03ddb5d999877e247e02f827d45f062098954e
cd00r.c
Posted Jun 13, 2000
Authored by FX | Site phenoelit.de

cd00r.c is a proof of concept code to test the idea of a completely invisible (read: not listening) backdoor server. Standard backdoors and remote access services have one major problem - the ports they are listening on are visible on the system console as well as from outside (by port scanning). To activate the remote access service, one has to send several packets (TCP SYN) to ports on the target system. Which ports in which order and how many of them can be defined in the source code.

tags | tool, remote, tcp, rootkit, proof of concept
systems | unix
SHA-256 | 2f73a801f48ec39376a23f69b2bdec44c0cc0dc7e9174c8d108cec34d41d0da7
packet storm

© 2022 Packet Storm. All rights reserved.
