
For the sake of demonstration, I'm trying to perform a Ping Of Death sent from a Kali Linux virtual machine to a Windows 95 virtual machine (vmware) on a private network.

I've set both VMs correctly, they are able to ping each other. I've installed Windump on the victim Win95 and I'm able to monitor incoming packets.

I've then used Scapy to send an oversized payload in an ICMP packet:

    from scapy.all import IP, ICMP, fragment, send

    # Build an ICMP echo with a 60000-byte payload, split it into IP fragments
    # (fragment() uses 1480 data bytes per fragment by default) and send each one.
    for p in fragment(IP(dst="192.168.25.10")/ICMP()/('X'*60000)):
        send(p)

The packets are received by the victim vm but nothing happens. It survives. What am I doing wrong?

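An added defender-side check, not code from the question or the comments: it models how Scapy's fragment() splits an ICMP echo into IP fragments (1480 data bytes each, its default) and tests the classic Ping of Death condition, a reassembled datagram longer than the 65535-byte IPv4 maximum. The fragment records are constructed here rather than captured; 60000 and 65510 are the payload sizes mentioned on this page.

```python
# Added example: reassembly-size check for fragmented ICMP, pure Python (no Scapy).
from dataclasses import dataclass
from typing import Dict, List

IP_HDR = 20            # IPv4 header length without options
ICMP_HDR = 8           # ICMP echo header length
MAX_DATAGRAM = 65535   # upper bound of the 16-bit IP total-length field


@dataclass
class Fragment:
    ip_id: int       # IP identification field shared by all fragments of one datagram
    offset: int      # fragment offset in 8-byte units, as carried in the IP header
    more: bool       # MF flag: more fragments follow
    data_len: int    # bytes of data carried after the IP header


def fragment_plan(icmp_data_len: int, ip_id: int = 1, fragsize: int = 1480) -> List[Fragment]:
    """Model the fragments an ICMP echo with icmp_data_len payload bytes produces
    when split into fragsize-byte data chunks (constructed records, not a capture)."""
    assert fragsize % 8 == 0, "fragment data size must be a multiple of 8"
    total = ICMP_HDR + icmp_data_len
    frags, off = [], 0
    while off < total:
        n = min(fragsize, total - off)
        frags.append(Fragment(ip_id, off // 8, off + n < total, n))
        off += n
    return frags


def reassembled_length(frags: List[Fragment]) -> int:
    """IP total length of the datagram a receiver would rebuild from these fragments."""
    end = max(f.offset * 8 + f.data_len for f in frags)
    return IP_HDR + end


def is_ping_of_death(frags: List[Fragment]) -> bool:
    """True when reassembly would exceed the maximum IPv4 datagram size."""
    return reassembled_length(frags) > MAX_DATAGRAM


def check_fragments(frags: List[Fragment]) -> Dict[int, bool]:
    """Group fragments by IP id and flag every datagram that would reassemble oversized."""
    by_id: Dict[int, List[Fragment]] = {}
    for f in frags:
        by_id.setdefault(f.ip_id, []).append(f)
    return {ip_id: is_ping_of_death(fs) for ip_id, fs in by_id.items()}
```

With the page's numbers, a 60000-byte payload reassembles to 60028 bytes and is not flagged, while the 65510 from `ping -l 65510` reassembles to 65538 and is.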
  • Can you try sending between Windows 95 VMs? I know that in Windows 95 it was as simple as ping -l 65510 [victim]. I also remember this trick having mixed results on Windows 95 and NT 3.5 - some systems would crash, some wouldn't, and there didn't seem to be much rhyme nor reason to why one system was invulnerable, and another wasn't. (So, maybe you're not doing anything wrong and your VM's just not vulnerable to the PoD.) – HopelessN00b Feb 20 '14 at 10:27
  • Actually, the ping command won't let you input such a length value for option -l :) Hence the use of Scapy. Plus Scapy is written in Python which is cool. – mak Feb 20 '14 at 20:03
  • It used to. I would suggest that if the copy of Windows you're using doesn't let you input an invalidly long length for your pings, it may be a patched version. See if you can find one that lets you enter in an invalidly long length... more likely to be vulnerable. – HopelessN00b Feb 20 '14 at 23:15

0 Answers