Bugtraq mailing list archives

credit (was Re: About IGMP and another exploit for Windows95x/98x)


From: vision () WHITEHATS COM (Max Vision)
Date: Wed, 14 Jul 1999 20:46:02 -0700


On Tue, 13 Jul 1999, Hector Leon wrote:
[From flushot.c]
   ip->id       = htons(1234);

Hi,

The exploit posted earlier as "flushot" has been re-released over the past
year several times.  The posting by Hector Leon gives credit for
flushot.c to Dark Shadow, yet on the Dark Shadow website
(http://www.angelfire.com/ar/WarzonE/flushot.html), flushot.c is available
for download, with different source code (giving credit to Legion 2000).

Here are the assorted banner functions found:

1234.c  (tony () funradio fr / Cameleon Groupe)
   printf("\n1234 1.0 BY CAMELEON G.\n");
   printf("reprise de came.c and ssping.c\n\n");

bloop.c  (Legion2000 Security Research)
   printf("Bloop v 1.0\n\n");
   printf("\n\n");

flushot.c (DarkShadow / The flu Hacking Group)
   printf("Remote Flushot v 1.0\n\n");
   printf("\n\n");

arcticbrew.c (Mac X / The Arctic League)
   printf("\nArctic Brew!\n");
   printf("kinda close 2 ssping and land\n\n");

Although 1234.c was released long before the others, I don't know who the
original author was.  Either way, the practice of re-releasing other
people's code is out of control here :)

FYI, tcpdump of an attack from any of them:
 SOURCE > TARGET: icmp: parameter problem - octet 0 (frag 1234:9@0+)
 SOURCE > TARGET: (frag 1234:16@8+)

This attack does not seem to affect Win98SE (4.10.2222A) nor Win2000
(5.00.2072).

Max Vision
Senior Security Architect
Globalstar L.P.
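
The tcpdump signature quoted in the message above can be turned into a simple detection check. This is an added example, not part of the original post or of any of the tools it names. The function and tag names are hypothetical, the sample lines are constructed from the two lines in the post plus an invented benign pair, and fragments are keyed by IP ID only because the post shows placeholders instead of addresses.

```python
import re

# tcpdump prints IPv4 fragments as "(frag ID:LEN@OFFSET[+])", sizes in bytes;
# a trailing "+" means the More Fragments bit is set.
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")

# Constructed sample input: the two lines from the post, and a benign train.
ATTACK = [
    " SOURCE > TARGET: icmp: parameter problem - octet 0 (frag 1234:9@0+)",
    " SOURCE > TARGET: (frag 1234:16@8+)",
]
BENIGN = [
    " A > B: icmp: echo request (frag 4242:1480@0+)",
    " A > B: (frag 4242:520@1480)",
]

def parse_frag(line):
    """Extract fragment fields from one tcpdump line, or None if not a fragment."""
    m = FRAG_RE.search(line)
    if not m:
        return None
    ident, length, offset = (int(g) for g in m.group(1, 2, 3))
    return {"id": ident, "len": length, "off": offset, "mf": m.group(4) == "+"}

def analyze(lines, watch_id=1234):
    """Return a sorted list of anomaly tags for the fragments in `lines`.

    watch_id defaults to the constant IP ID set in the quoted flushot.c line.
    A real sensor would key on (src, dst, proto, id), not the ID alone.
    """
    findings = set()
    seen = {}  # IP ID -> list of (start, end) byte ranges already observed
    for line in lines:
        frag = parse_frag(line)
        if frag is None:
            continue
        if frag["id"] == watch_id:
            findings.add("fixed-ip-id")
        # RFC 791: every fragment except the last carries a multiple of 8 bytes.
        if frag["mf"] and frag["len"] % 8:
            findings.add("unaligned-nonfinal-fragment")
        start, end = frag["off"], frag["off"] + frag["len"]
        ranges = seen.setdefault(frag["id"], [])
        if any(start < e and s < end for s, e in ranges):
            findings.add("overlapping-fragments")
        ranges.append((start, end))
    return sorted(findings)

if __name__ == "__main__":
    print("attack:", analyze(ATTACK))
    print("benign:", analyze(BENIGN))
```

The fixed ID is trivial to change in a re-release, so the unaligned and overlapping fragment checks are the more durable part of the signature.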

