I just ran this in a virtual machine while monitoring all registry, filesystem, and network traffic. A quick analysis:
CiscoKill.exe just calls CiscoBug.exe; it does nothing other than that. Ciscobug sends packets to the target (without spoofing the source address), but as far as I can tell it won't work. It doesn't manipulate the TTL, neither does it manipulate the protocol number; the TTL is left default (128), while the protocol number is set to zero - exactly as Amilabs said. Another thing it doesn't do is drop any trojans, registry keys, or anything else. It does some interesting-looking scanning in HKLM\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32\, but it doesn't appear to write to any registry keys or files. I have all the logs, if anyone wants them. So basically, a functionally inert piece of software, but one which gave us something to do... Chris On Thu, 24 Jul 2003, Eric Appelboom wrote: > > I also tested on a couple routers, no luck. > ---snip > Strings CiscoKill.exe > > Disk full while accessing %1..An attempt was made to access %1 past its > end. > No error occurred.-An unknown error occurred while accessing %1./An > attempt was made to write to the reading %1.. > access %1 past its end.0An attempt was made to read from the writing > %1. > %1 has a bad format."%1 contained an unexpected object. %1 contains an > incorrect schema. > #Unable to load mail system support. > Mail system DLL is invalid.!Send Mail failed to send message. > pixels > %1: %2 > Continue running script? > Dispatch exception: %1 > Uncheck > Check > Mixed > ---- > > Why mail?? > Didnt see any suspect packets on tcp or udp didn't check other > protocols. > > -----Original Message----- > From: Joel R. Helgeson [mailto:[EMAIL PROTECTED] > Sent: 24 July 2003 06:44 PM > To: [EMAIL PROTECTED] > > I just tested it against one of my test cisco routers. > nuthin happened. > > "Give a man fire, and he'll be warm for a day; set a man on fire, and > he'll > be warm for the rest of his life." > ----- Original Message ----- > From: "amilabs" <[EMAIL PROTECTED]> > To: "'amilabs'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; > <[EMAIL PROTECTED]> > Sent: Thursday, July 24, 2003 9:36 AM > Subject: RE: [Full-Disclosure] Win32 Cisco Exploit > > > > I meant to say it does NOT generate the correct type of packets below > in > > the last email I sent > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of amilabs > > Sent: Thursday, July 24, 2003 9:57 AM > > To: [EMAIL PROTECTED]; [EMAIL PROTECTED] > > Subject: RE: [Full-Disclosure] Win32 Cisco Exploit > > > > > > According to protocol trace file analysis it does generate the correct > > types of packets to cause the exploit. Both the gui and the cmd line > > send the packets out with ttl 128 and with 0 as the next protocol in > the > > IP header. This is what the app spits out. I did not test against a > > router just took a quick peek with a protocol analyzer and it does not > > look like it will work based on the packet trace. Can someone tell me > > otherwise? > > > > ------------ ETHER Header ------------ > > Destination: 00-03-A3-43-78-6B > > Source: This Network Analyzer (00-04-55-2D-F8-A7) > > Protocol: IP > > FCS: E67BCBFA > > > > ------------ IP Header ------------ > > Version = 4 > > Header length = 20 > > Differentiated Services (DS) Field = 0x00 > > 0000 00.. DS Codepoint = Default PHB (0) > > .... ..00 Unused > > Packet length = 40 > > Id = 1ed4 > > Fragmentation Info = 0x0000 > > .0.. .... .... .... Don't Fragment Bit = FALSE > > ..0. .... .... .... More Fragments Bit = FALSE > > ...0 0000 0000 0000 Fragment offset = 0 > > Time to live = 128 > > Protocol = 0 (0) > > Header checksum = 04EB (Verified 04EB) > > Source address = 10.1.1.28 > > Destination address = 10.1.1.250 > > 20 bytes of data > > > > Record #22 (From Node To Hub) Captured on 7/24/2003 at > > 09:50:56.437327771 Length = 64 > > > > Frame Data: (Length = 64) > > 0: 00 08 A3 4D 78 6B 00 02 55 5D F8 A7 08 00 45 00 ...Mxk.. > > U]....E. > > 16: 00 28 1E D4 00 00 80 00 04 EB 0A 01 01 1C 0A 01 .(...... > > ........ > > 32: 01 FA 45 10 00 14 2E 31 40 00 00 37 C1 76 7F 00 ..E....1 > > @..7.v.. > > 48: 00 01 0A 01 01 FA 00 00 00 00 00 00 E6 7B CB FA ........ > > .....{.. > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of > > [EMAIL PROTECTED] > > Sent: Wednesday, July 23, 2003 5:18 PM > > To: [EMAIL PROTECTED] > > Subject: [Full-Disclosure] Win32 Cisco Exploit > > > > > > Attached is a win32 version of the Cisco Exploit with a nice GUI. > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.netsys.com/full-disclosure-charter.html > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.netsys.com/full-disclosure-charter.html > > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > > ---------------------------------------------- > Filtered by despammed.com. Tracer: MAA159361059067286 > Remember: you can forward any spam that slips through the filters > to the abuse desk here at Despammed. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
