[11029] in bugtraq
credit (was Re: About IGMP and another exploit for Windows95x/98x)
daemon@ATHENA.MIT.EDU (Max Vision)
Thu Jul 15 15:54:45 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <Pine.LNX.4.10.9907141943030.21579-100000@whitehats.com>
Date: Wed, 14 Jul 1999 20:46:02 -0700
Reply-To: Max Vision <vision@WHITEHATS.COM>
From: Max Vision <vision@WHITEHATS.COM>
X-To: Hector Leon <darksun@COMPUTER-MANIACS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <003a01becda0$424ebb30$1311b0cf@DARKSTATION>

On Tue, 13 Jul 1999, Hector Leon wrote:

[From flushot.c]
> ip->id = htons(1234);

Hi,

The exploit posted earlier as "flushot" has been re-released over the past
year several times. The posting by Hector Leon gives credit for
flushot.c to Dark Shadow, yet on the Dark Shadow website
(http://www.angelfire.com/ar/WarzonE/flushot.html), flushot.c is available
for download, with different source code (giving credit to Legion 2000).

Here are the assorted banner functions found:

1234.c (tony@funradio.fr / Cameleon Groupe)
    printf("\n1234 1.0 BY CAMELEON G.\n");
    printf("reprise de came.c and ssping.c\n\n");

bloop.c (Legion2000 Security Research)
    printf("Bloop v 1.0\n\n");
    printf("\n\n");

flushot.c (DarkShadow / The flu Hacking Group)
    printf("Remote Flushot v 1.0\n\n");
    printf("\n\n");

arcticbrew.c (Mac X / The Arctic League)
    printf("\nArctic Brew!\n");
    printf("kinda close 2 ssping and land\n\n");

Although 1234.c was released long before the others, I don't know who the
original author was. Either way, the practice of re-releasing other
people's code is out of control here :)

FYI, tcpdump of an attack from any of them:

    SOURCE > TARGET: icmp: parameter problem - octet 0 (frag 1234:9@0+)
    SOURCE > TARGET: (frag 1234:16@8+)

This attack does not seem to affect Win98SE (4.10.2222A) nor Win2000
(5.00.2072).

Max Vision
Senior Security Architect
Globalstar L.P.
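
Added example, not part of the original post or of any of the programs it names: a detector for the tcpdump signature quoted above. It goes beyond matching the fixed IP id 1234 and flags the two structural anomalies visible in those lines, a non-final fragment whose length is not a multiple of 8 and two fragments covering the same byte. The HOSTA/HOSTB lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Old-style tcpdump fragment notation:
#   (frag <ip id>:<payload bytes>@<byte offset>[+])   "+" = more fragments
FRAG_RE = re.compile(r"(\S+) > (\S+?):.*\(frag (\d+):(\d+)@(\d+)(\+?)\)")

# Constructed sample: the two lines from the post plus one benign pair.
SAMPLE = """\
SOURCE > TARGET: icmp: parameter problem - octet 0 (frag 1234:9@0+)
SOURCE > TARGET: (frag 1234:16@8+)
HOSTA > HOSTB: icmp: echo request (frag 4321:1480@0+)
HOSTA > HOSTB: (frag 4321:528@1480)
"""

def parse_fragments(text):
    """Yield (src, dst, ip_id, size, offset, more_fragments) per fragment line."""
    for line in text.splitlines():
        m = FRAG_RE.search(line)
        if m:
            src, dst, ip_id, size, off, mf = m.groups()
            yield src, dst, int(ip_id), int(size), int(off), mf == "+"

def find_anomalies(text):
    """Return sorted (src, dst, ip_id, reason) tuples for malformed fragment trains."""
    seen = defaultdict(list)   # (src, dst, ip_id) -> [(start, end)] byte ranges
    findings = set()
    for src, dst, ip_id, size, off, mf in parse_fragments(text):
        key = (src, dst, ip_id)
        # Fragment offsets are expressed in 8-byte units, so every fragment
        # except the last must carry a multiple of 8 bytes.
        if mf and size % 8 != 0:
            findings.add(key + ("non-final fragment length not a multiple of 8",))
        # Overlap: the new range shares at least one byte with an earlier one.
        for start, end in seen[key]:
            if off < end and start < off + size:
                findings.add(key + ("overlapping fragments",))
        seen[key].append((off, off + size))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE):
        print(finding)
```

Both checks fire on the quoted capture: the first fragment is 9 bytes with the more-fragments flag set, and the second starts at byte 8, inside the first.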