for(k=0;k<=num_of_socks-1;k++){
    printf("Creating socket #%i!\n",k+1);
    socks[k]=socket(AF_INET,SOCK_STREAM,0);
    if(socks[k]<0)
        exit(printf("Socket error\n"));
    /* this line eliminates the need to change the format to do-while and
       guarantees only one socket is created/referenced on the -ca flag */
    if(num_of_socks==4) break;
}
/*------------------------------- Snip here -----------------------------*/
/* EOF */
QUOTE
Exploit Code Compiled on Red Hat Linux 7.1. Note that one of my tests is enhanced for the effect. I exaggerated the EIP scenario to really pump the server full of 'A' to reduce the computer's memory. To test for an overflow one would not need as many connections. If I had time to improve this code I would change the section that makes 1000 simultaneous connections. Given the nature of the problem I would send spoofed SYN packets to the affected host. This should adequately simulate making a connection and should also have the same effect for reducing the affected machine's memory. The benefits of the packet construction would be that it should take up less resources on the attacker's machine and the attack would not be traceable with a spoofed IP address.
gcc XP3dos.c -o XP3dos
Research
I surfed back to Microsoft's Website for more information. Microsoft provided few clues to the product. Initially I found a page or two that listed, but did not explain, the files associated with the program SSDPSRV.exe. I also learned that SSDPSRV.exe is Microsoft's Universal Plug and Play technology applied to a network. In the future this will allow for seamless connectivity of various devices such as a printer or a network CD burner without the need to install a driver. So I searched more and found only one technical document relating to UPNP. It was enough! From this document I learned how to query the server and extract information. In fact the server is designed to give away information -- such as the devices and services enabled on the machine -- when requested. My first challenge presented itself: I would simply write a program to communicate with the server and extract information. Looking forward, I planned to create a suite of utilities to test the full functionality of the server as defined in the specification. I did not get that far.
After I created a simple program to enumerate all the devices on the machine, I pulled out my 10/100 Ethernet hub, connected my trusty 336MHz Linux laptop to my parents' 1.4GHz WinME box and made the necessary configurations. I navigated to my recently compiled program, rapidly typed the parameters and hit enter to send the request. Crash! I crashed Microsoft's server! It didn't even live up to the specifications they developed. At this point I realized two things: first, I had just discovered a DOS attack. Second, the application probably had more bugs. What is the ultimate bug leading to a compromise? A buffer overflow! Since WinME is a single user system, arbitrary code will run as root! So, that's what I decided to test next. I pumped the server full of 'A' and hoped the application would crash with EIP equaling '41414141'. The application crashed, but not due to an overflow.
I also noted at this point that my little 336MHz laptop could chew up 25% of the available resources of a 1.4GHz machine before the application crashed again. Alas, I did not secure EIP, but I found my second DOS. At this point I wondered what else might be wrong with the application. Since this application was a server, it was natural to ask whether this server had a limitation on the number of concurrent connections. How many total open connections could the server handle at once? I then revised my program for the third time to make as many simultaneous open connections as possible. Well, I made about 1000 open connections at once. I found I could knock the free memory to below 4% in approximately half a second. My third WinME DOS was as sweet as honey. I decided to end my research and contact Microsoft. I knew I had found at least two exploits because I could crash the application and drain the system's memory.
Well, why not try it one more time? It's a little different; I'm going to go try to compile it. Any feedback would be really great.
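A defender-side counterpart to the connection-exhaustion test described in the quoted write-up, added here as an example rather than code from the post or from XP3dos.c: it parses constructed connection-log lines and flags any source that opens a burst of connections to the UPnP service port within a one-second sliding window (the "1000 connections in half a second" pattern). The log line format, the service port 5000 and the threshold are assumptions; adapt them to the firewall or host logs actually available.

```python
"""Flag TCP connection bursts against a UPnP service port from connection logs.

Added example, not part of the original post or XP3dos.c. The log format,
the port and the threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> SYN"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) SYN$"
)


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) or None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_floods(lines, service_port, threshold, window=timedelta(seconds=1)):
    """Return {src_ip: peak} for sources whose peak number of new connections
    to service_port inside any sliding window of the given length >= threshold."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != service_port:
            continue
        per_src[rec[1]].append(rec[0])
    floods = {}
    for src, stamps in per_src.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[src] = peak
    return floods


def sample_log():
    """Constructed sample: 10.0.0.5 opens 60 connections to port 5000 within
    half a second; 10.0.0.9 opens three spread over a minute; one junk line."""
    base = datetime(2001, 10, 23, 12, 0, 0)
    lines = [f"{(base + timedelta(milliseconds=8 * i)).isoformat()} 10.0.0.5:{40000 + i}"
             f" -> 192.168.1.2:5000 SYN" for i in range(60)]
    lines += [f"{(base + timedelta(seconds=20 * i)).isoformat()} 10.0.0.9:{50000 + i}"
              f" -> 192.168.1.2:5000 SYN" for i in range(3)]
    lines.append("garbage line that does not parse")
    return lines
```

Running `find_floods(sample_log(), service_port=5000, threshold=50)` reports only the bursting source; the slow client and the junk line are ignored.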
Pro21
Feb 23 2004, 12:01 AM
Hum, with this new method can you get a shell on a remote computer?
BuzzDee
Feb 23 2004, 12:10 AM
Is it new code or just the old one?
CODE
10/23/01
Seems to be old, huh?
buzzons
Feb 23 2004, 12:13 AM
Nope. Due to the way UPNP works it's probably impossible to get a shell via it. As you can see if you read all the info posted, it says he tried to get it to run some code but it did not crash correctly.
Buz
Gangster*
Feb 23 2004, 08:18 AM
Gee.. Thanks for the info. A lot to read.
Axl
Apr 4 2004, 09:30 AM
QUOTE (buzzons @ Feb 23 2004, 12:13 AM)
Nope. Due to the way UPNP works it's probably impossible to get a shell via it. As you can see if you read all the info posted, it says he tried to get it to run some code but it did not crash correctly.
Buz
Don't be too sure about that.
nowhere
Apr 4 2004, 02:48 PM
QUOTE
XP3dos.c Three WinXP/ME DOS Attacks by 'ken' of FTU -- 10/23/01 franklin_tech_unlimited@yahoo.com
old, old, old!!!!!!!!!!!!!!!!!