On Tue, 13 Jul 1999, Hector Leon wrote:
[From flushot.c]
> ip->id = htons(1234);
Hi,
The exploit posted earlier as "flushot" has been re-released over the past
year several times. The posting by Hector Leon gives credit for
flushot.c to Dark Shadow, yet on the Dark Shadow website
(http://www.angelfire.com/ar/WarzonE/flushot.html), flushot.c is available
for download, with different source code (giving credit to Legion 2000).
Here are the assorted banner functions found:
1234.c ([EMAIL PROTECTED] / Cameleon Groupe)
printf("\n1234 1.0 BY CAMELEON G.\n");
printf("reprise de came.c and ssping.c\n\n");
bloop.c (Legion2000 Security Research)
printf("Bloop v 1.0\n\n");
printf("\n\n");
flushot.c (DarkShadow / The flu Hacking Group)
printf("Remote Flushot v 1.0\n\n");
printf("\n\n");
arcticbrew.c (Mac X / The Arctic League)
printf("\nArctic Brew!\n");
printf("kinda close 2 ssping and land\n\n");
Although 1234.c was released long before the others, I don't know who the
original author was. Either way, the practice of re-releasing other
people's code is out of control here :)
FYI, tcpdump of an attack from any of them:
SOURCE > TARGET: icmp: parameter problem - octet 0 (frag 1234:9@0+)
SOURCE > TARGET: (frag 1234:16@8+)
This attack does not seem to affect Win98SE (4.10.2222A) nor Win2000
(5.00.2072).
Max Vision
Senior Security Architect
Globalstar L.P.
