[11035] in bugtraq
more detail and summary of kod.c (igmp bug for windows)
daemon@ATHENA.MIT.EDU (klepto)
Thu Jul 15 21:26:19 1999
Message-Id: <000a01bece83$755820a0$5142423f@multilinkws.com>
Date: Thu, 15 Jul 1999 00:32:08 -0500
Reply-To: klepto <klepto@LEVITATE.NET>
From: klepto <klepto@LEVITATE.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Ok,
here we go again..
For those who are having trouble with kod, a lot of you are using a very old version, which was the first I submitted.
Inserted is the latest version, which should work. I wrote kod.c, aka cherrycoke.c, about 3-4 months ago.
It sends a fragmented IGMP packet to a Windows client that states that it is not fragmented but there are more frags to come. Windows assembles the packets and dies trying. Here is a dump of the packet if you want to rewrite it.
/* output via tcpdump or windump95
63.66.66.44 > 24.128.158.18: igmp-2 [v0][|igmp] (frag 52242:1480@0+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@1480+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@2960+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@4440+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@5920+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@7400+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@8880+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@10360+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@11840+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@13320+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:1480@14800+) (ttl 128)
63.66.66.44 > 24.128.158.18: (frag 52242:120@16280) (ttl 128)
*/
::notice the last frag, it changed length..
I have also ported kod to Windows; please email me if you want a copy of it.
As far as I can tell, due to my exhaustive research on the subject, it works on 95/98/98se/2k (some betas).
Friends of mine such as defile/nyt/ignitor/etc have rewritten kod to suit their needs..
I have tested kod.c out a lot on many machines and it works 85% of the time for me.
There are circumstances why kod doesn't always work; some routers may drop IGMP packets if the source isn't local, so try spoofing =). As far as I can see, netcom and a lot of .ca servers drop the kod packets.
So please don't bark at me =) I just found the bug, wrote the code, and what you do with it is your concern =).
Patch:
(no hotfix currently)
If you want to protect yourself from kod.c, I suggest you get winroute from www.winroute.com
get version 4.. It automatically drops IGMP packets incoming and outgoing ha =)
It is also a very good portmapper/NAT firewall/ip masqer as well..
Shoutouts: amputee/ignitor/nizda/antibyte/codelogic/ill`/chord/cheesebal/traveler/winx/naz/dist/mrcide/etc...
(gotta give shoutouts)
hasta,
klepto@Efnet
or klepto@levitate.net
de omnibus dubitandum
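As an added defensive example (not part of klepto's post or of kod.c), the following Python parses tcpdump-style fragment lines like the dump above and flags fragment trains that look like this one: IGMP that arrives fragmented at all, offsets that leave gaps or overlap, and trains whose last fragment still has the more-fragments flag set. The sample lines are constructed here to mirror the dump in the post; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field

# tcpdump prints IP fragments as "(frag ID:LEN@OFFSET+)"; the "+" means more fragments follow.
FRAG_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): (?:(?P<proto>igmp\S*) .*?)?"
    r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)"
)

@dataclass
class FragTrain:
    proto: str = "unknown"                      # only the first fragment shows the protocol
    frags: list = field(default_factory=list)   # (offset, length, more_fragments)

def parse_frag_trains(lines):
    """Group fragment lines by (src, dst, IP identification)."""
    trains = {}
    for line in lines:
        m = FRAG_RE.match(line.strip())
        if not m:
            continue
        key = (m["src"], m["dst"], int(m["id"]))
        train = trains.setdefault(key, FragTrain())
        if m["proto"]:
            train.proto = m["proto"].split("-")[0]   # "igmp-2" -> "igmp"
        train.frags.append((int(m["off"]), int(m["len"]), m["more"] == "+"))
    return trains

def assess(train):
    """Return (reassembled_size, findings) for one fragment train."""
    frags = sorted(train.frags)
    findings = []
    if train.proto == "igmp" and len(frags) > 1:
        findings.append("fragmented IGMP: IGMP messages are 8 bytes and should never need fragmentation")
    expected = 0
    for off, length, _more in frags:
        if off != expected:
            findings.append(f"gap or overlap at offset {off} (expected {expected})")
        expected = off + length
    if frags and frags[-1][2]:
        findings.append("last fragment still has more-fragments set: datagram never completes")
    return expected, findings

# Constructed sample mirroring the post's dump: eleven 1480-byte fragments, then a 120-byte tail.
SAMPLE_LINES = ["63.66.66.44 > 24.128.158.18: igmp-2 [v0][|igmp] (frag 52242:1480@0+) (ttl 128)"]
SAMPLE_LINES += [f"63.66.66.44 > 24.128.158.18: (frag 52242:1480@{off}+) (ttl 128)"
                 for off in range(1480, 16280, 1480)]
SAMPLE_LINES.append("63.66.66.44 > 24.128.158.18: (frag 52242:120@16280) (ttl 128)")
```

Feeding the dump to `parse_frag_trains` and each result to `assess` yields one train of 12 fragments reassembling to 16400 bytes, flagged only for being fragmented IGMP; on a live capture the same check can be pointed at `tcpdump -n igmp` output.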