Date: Tue, 18 Jan 2000 14:44:38 -0800
From: The Tree of Life <ttol@JAMES.KALIFORNIA.COM.>
To: [email protected]Subject: stream.c - new FreeBSD exploit?
I've been informed today by an irc admin that a new exploit is circulating
around. It "sends tcp-established bitstream shit" and makes the "kernel
fuck up".
It's called stream.c.
The efnet ircadmin told me servers on Exodus (Exodus Communications) were being
hit and they managed to get a hold of the guy. When asked what was going
on, he just said "stream.c".
When I talked to another person to ask if he had 'acquired' the source, he
said he wasn't going to give it out. I asked him if he had a patch for it,
and he replied "the fbsd team is working on it. No patch is available right
now."
What's the importance of this? Major companies such as Yahoo
(www.yahoo.com) and others run freebsd.
According to the irc admin, a simple reboot fixes it. "Your box reboots or
dies." He also stated, when asked if anything noticeable happened, that
"nothing unusual [happened]".
The only log that he could provide was this one:
---snip---
syslog:Jan 18 12:30:36 x kernel: Kernel panic: Free list empty
---snip---
One thing of note: he also stated this happened on non-freebsd systems,
which is contrary to what the other person said, who was "under the
impression it was freebsd specific."
I have the source, which I'm not going to post for 2-3 days (give time for
fbsd to work on the fix). If it isn't out before the 21st, I'll post it up.
---snip---
void usage(char *progname)
{
fprintf(stderr, "Usage: %s <dstaddr> <dstport> <pktsize> <pps>\n",
progname);
fprintf(stderr, " dstaddr - the target we are trying to attack.\n");
fprintf(stderr, " dstport - the port of the target, 0 = random.\n");
fprintf(stderr, " pktsize - the extra size to use. 0 = normal
syn.\n");
exit(1);
}
---snip---
Thanks for listening to my ramblings, hope everything I said helps.
- ttol
http://www.alladvantage.com/home.asp?refid=AME389
Get Paid to Surf. It works actually, cause people get thousands of dollars
a month from it...it's neet :P My id is AME389 - use it! :)