int sendEchoRequestHopByHop(char *interface, // Interface inde se sendrá o pacote
unsigned char *multicast6, // Enedereço de Multicast IPv6 [destino]
unsigned char *src6, // Enedereço do host que send o pacote [IPv6]
unsigned char *router6, // Roteador [NULL caso não necessite]
unsigned char **routers, // Lista de Roteamento
unsigned char *buf, // Buffer contendo os dados a serem senddos
unsigned char *mac) { // Endereço do host q send o pacote [MAC]
int pkt3_len = 0; // Tamanho do pacote a ser senddo
unsigned char *pkt3 = NULL; // Pacote a ser montado e senddo
thc_ipv6_hdr *hdr; // Estrutura do header IPv6;
// cria o 3o pacote para o endereco de multicast
if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt3_len, src6, multicast6, 0, 0, 0, 0, 0)) == NULL)
return -1;
// caso tenha sido setado uma rota e adicionado um header de rota
if (router6 != NULL)
if (thc_add_hdr_route(pkt3, &pkt3_len, routers, 1) < 0)
return -1;
// adiciona um cabecalho hop by hop ???
if (thc_add_hdr_hopbyhop(pkt3, &pkt3_len, (unsigned char *) &buf, BUF_SIZE) < 0)
return -1;
// adiciona um cabecalho echo request
if (thc_add_icmp6(pkt3, &pkt3_len, ICMP6_PINGREQUEST, 0, PKT_FLAGS, (unsigned char *) &buf, BUF_SIZE, 0) < 0)
return -1;
// encapsula o pacote
thc_generate_pkt(interface, NULL, mac, pkt3, &pkt3_len);
// se for para uma rota send como fragmento ??
if (router6 != NULL) {
hdr = (thc_ipv6_hdr *) pkt3;
thc_send_as_fragment6(interface,
src6,
multicast6,
NXT_ROUTE,
hdr->pkt + IP6_HDR_LEN + ETH_HDR_LEN,
hdr->pkt_len - IP6_HDR_LEN - ETH_HDR_LEN, hdr->pkt_len > 1448 ? 1448 : (((hdr->pkt_len - IP6_HDR_LEN - ETH_HDR_LEN) / 16) + 1) * 8);
} else // senao send o pacote normalmente
thc_send_pkt(interface, pkt3, &pkt3_len);
}
/**
Função que realiza o envio de um pacote Echo Request para na interface especificada para o endereço de multicast
passado como parâmetro.
*/
int sendEchoRequest(char *interface, // Interface inde se sendrá o pacote
unsigned char *multicast6, // Enedereço de Multicast IPv6 [destino]
unsigned char *src6, // Enedereço do host que send o pacote [IPv6]
unsigned char *router6, // Roteador [NULL caso não necessite]
unsigned char **routers, // Lista de Roteamento
unsigned char *buf, // Buffer contendo os dados a serem senddos
unsigned char *mac, // Endereço do destino [MAC]
unsigned char *macsrc) { //Endereco do host que send o pacote [MAC]
int pkt1_len = 0; // Tamanho do pacote a ser senddo
unsigned char *pkt1 = NULL; // Pacote a ser montado e senddo
thc_ipv6_hdr *hdr; // Estrutura do header IPv6
// cria o 1o pacote para o endereco de multicast
if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt1_len, src6, multicast6, 0, 0, 0, 0, 0)) == NULL)
return -1;
// caso tenha sido setado uma rota e adicionado um header de rota
if (router6 != NULL)
if (thc_add_hdr_route(pkt1, &pkt1_len, routers, 1) < 0)
return -1;
// eh criado o pacote echo request
if (thc_add_icmp6(pkt1, &pkt1_len, ICMP6_PINGREQUEST, 0, PKT_FLAGS, (unsigned char *) &buf, BUF_SIZE, 0) < 0)
return -1;
// aqui o pacote eh encapsulado
if (thc_generate_pkt(interface, macsrc, mac, pkt1, &pkt1_len) < 0) {
fprintf(stderr, "Error: Can not send packet, exiting ...\n");
exit(-1);
}
// se for para uma rota send como fragmento ??
if (router6 != NULL) {
hdr = (thc_ipv6_hdr *) pkt1;
thc_send_as_fragment6(interface,
src6,
multicast6,
NXT_ROUTE,
hdr->pkt + IP6_HDR_LEN + ETH_HDR_LEN,
hdr->pkt_len - IP6_HDR_LEN - ETH_HDR_LEN, hdr->pkt_len > 1448 ? 1448 : (((hdr->pkt_len - IP6_HDR_LEN - ETH_HDR_LEN) / 16) + 1) * 8);
} else // senao send o pacote normalmente
thc_send_pkt(interface, pkt1, &pkt1_len);
}
int main(int argc, char *argv[]) {
unsigned char *pkt = NULL, *pkt_bak, *mcast6, *someaddr6 = NULL;
unsigned char *dst6, *src6 = NULL, *mac = NULL, *routers[2], string[64] = "ip6 and dst ";
int test_start = 0, fragment = 0, alert = 0, sroute = 0;
int do_type = DO_PING, do_alive = 1, hopbyhop = 0, destination = 0, jumbo = 0;
int pkt_len = 0, offset = 0, test_current = 0, i, j, k, do_fuzz = 1, test_ptr = 0;
int test_end = TEST_MAX, ping = NEVER, frag_offset = 0, header = 0, no_send = 1;
int test_pos = 0, test_cnt = 0, do_it, extend = 0, mtu = 1500, size = 64, wait = 0, off2 = 14;
char *interface, fuzzbuf[256], *srcmac, *dns, *route6, *real_dst6 = NULL;
unsigned char buf[256], buf2[100], buf3[16];
unsigned short int *sip;
pcap_t *p;
thc_ipv6_hdr *hdr;
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
while ((i = getopt(argc, argv, "s:0123456789Xxt:T:p:FSDHRIJan:")) >= 0) {
switch (i) {
case 's':
do_type = DO_TCP;
port = atoi(optarg);
break;
case '0':
do_type = DO_NODEQUERY;
break;
case '1':
do_type = DO_PING;
break;
case '2':
do_type = DO_NEIGHSOL;
break;
case '3':
do_type = DO_NEIGHADV;
break;
case '4':
do_type = DO_RA;
break;
case '5':
do_type = DO_MLD_REP;
break;
case '6':
do_type = DO_MLD_DONE;
break;
case '7':
do_type = DO_MLD_QUERY;
wait = 0xff0000;
break;
case '8':
do_type = DO_MLD2_REPORT;
break;
case '9':
do_type = DO_MLD2_QUERY;
wait = 0xff0000;
break;
case 'X':
do_type = DO_NONE;
break;
case 't':
test_start = atoi(optarg);
break;
case 'T':
test_end = test_start = atoi(optarg);
break;
case 'p':
ping = atoi(optarg);
break;
case 'a':
do_alive = 0;
break;
case 'S':
sroute = 1;
break;
case 'n':
no_send = atoi(optarg);
break;
case 'F':
fragment = 1;
break;
case 'R':
alert = 1;
break;
case 'D':
destination = 1;
break;
case 'H':
hopbyhop = 1;
break;
case 'J':
jumbo = 1;
break;
case 'I':
header = 1;
break;
case 'x':
extend = 1;
break;
}
}
if (argc - optind < 2) {
fprintf(stderr, "ERROR: not enough options, interface and target address are required!\n");
exit(-1);
}
interface = argv[optind];
if ((srcmac = thc_get_own_mac(interface)) == NULL) {
fprintf(stderr, "ERROR: %s is not a valid interface which has a MAC, use raw mode?\n", interface);
exit(-1);
}
if (no_send < 1) {
fprintf(stderr, "ERROR: -n number must be between one and 2 billion\n");
exit(-1);
}
if (do_hdr_size) {
test_pos -= do_hdr_size;
offset -= do_hdr_size;
off2 = do_hdr_size;
}
if (do_type != DO_PING && do_type != DO_TCP && do_type != DO_NONE) {
if ((mcast6 = thc_resolve6(argv[optind + 1])) == NULL) {
fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[optind + 1]);
exit(-1);
}
if (do_type == DO_NEIGHSOL) {
dst6 = thc_resolve6("ff02::0001:ff00:0000");
memcpy(dst6 + 13, mcast6 + 13, 3);
} else
dst6 = thc_resolve6("ff02::1");
} else {
dst6 = thc_resolve6(argv[optind + 1]);
}
if (argv[optind + 1] != NULL)
if ((real_dst6 = thc_resolve6(argv[optind + 1])) == NULL) {
fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[optind + 1]);
exit(-1);
}
if (interface == NULL || argv[optind + 1] == NULL) {
printf("Error: interface and target-ipv6-address are mandatory command line options\n");
exit(-1);
}
if (ping < 1 || test_end < test_start) {
printf("don't f**k up the command line options!\n");
exit(-1);
}
if (argv[optind + 2] != NULL)
someaddr6 = thc_resolve6(argv[optind + 2]);
if (argc - optind > 3) {
printf("Error: too many command line options\n");
exit(-1);
}
if ((mac = thc_get_mac(interface, src6, dst6)) == NULL) {
fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
exit(-1);
}
if (do_type == DO_PING || do_type == DO_TCP || do_type == DO_NONE)
src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
else
src6 = thc_get_own_ipv6(interface, dst6, PREFER_LINK);
if (src6 == NULL) {
fprintf(stderr, "Error: no IPv6 address configured on interface %s\n", interface);
exit(-1);
}
strcat(string, thc_ipv62notation(src6));
if (sroute) {
if (someaddr6 != NULL)
routers[0] = someaddr6;
else
routers[0] = dst6;
routers[1] = NULL;
}
setvbuf(stdout, NULL, _IONBF, 0);
memset(buf, 0, sizeof(buf));
memset(buf2, 0, sizeof(buf2));
dns = thc_resolve6("ff02::fb");
route6 = thc_resolve6("2a01::");
if ((p = thc_pcap_init(interface, string)) == NULL) {
fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
exit(-1);
}
if (real_dst6 != NULL && real_dst6[0] == 0xff)
do_alive = 0;
// ping before to check if it works
if (do_alive)
if (check_alive(p, interface, srcmac, mac, src6, real_dst6) == 0) {
// fprintf(stderr, "Error: target %s is not alive via direct ping6!\n", argv[optind + 1]);
// exit(-1);
}
// generate basic packet
strcpy(fuzzbuf, fuzztype_ether);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
return -1;
if (header)
strcat(fuzzbuf, fuzztype_ip6);
else
strcat(fuzzbuf, fuzztype_ip6no);
if (alert || hopbyhop || jumbo) {
memset(buf2, 0, sizeof(buf2));
i = 0;
if (alert) {
buf2[i++] = 5;
buf2[i++] = 2;
i += 2;
strcat(fuzzbuf, ".F.F");
}
if (jumbo) {
buf2[i++] = 0xc2;
buf2[i++] = 4;
buf2[i++] = 'J'; // lookup code
buf2[i++] = 'J';
buf2[i++] = 'J';
buf2[i++] = 'J';
strcat(fuzzbuf, ".FBBBB");
}
if (hopbyhop) {
memset(buf3, 0, sizeof(buf3));
buf3[0] = 'X';
buf3[1] = '.';
for (j = 0; j < 10; j++) {
buf2[i++] = 1; // PadN, length
buf2[i++] = j;
if (j > 0) {
memset(buf2 + i, 0xaa, j);
buf3[2 + j] = '.';
i += j;
}
strcat(fuzzbuf, buf3); // always: X... for every new option
}
}
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, i) < 0)
return -1;
i += 2;
if (i % 8 > 0)
i = ((i / 8) + 1) * 8;
offset += i;
}
if (sroute) {
if (thc_add_hdr_route(pkt, &pkt_len, routers, 1) < 0)
return -1;
else {
strcat(fuzzbuf, "FFFFBBBB................");
offset += 24;
}
}
if (fragment) {
frag_offset = offset;
if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, 0) < 0)
return -1;
else {
strcat(fuzzbuf, "FFWW..");
offset += 8;
}
}
if (destination) {
memset(buf2, 0, sizeof(buf2));
memset(buf3, 0, sizeof(buf3));
buf3[0] = 'X';
buf3[1] = '.';
i = 0;
for (j = 0; j < 10; j++) {
buf2[i++] = 1; // PadN, length
buf2[i++] = j;
if (j > 0) {
memset(buf2 + i, 0xaa, j);
buf3[2 + j] = '.';
i += j;
}
strcat(fuzzbuf, buf3); // always: X... for every new option
}
if (thc_add_hdr_dst(pkt, &pkt_len, buf2, i) < 0)
return -1;
i += 2;
if (i % 8 > 0)
i = ((i / 8) + 1) * 8;
offset += i;
}
memset(buf, 0, sizeof(buf));
// if (header)
strcat(fuzzbuf, fuzztype_icmp6);
// else
// strcat(fuzzbuf, fuzztype_icmp6no);
switch (do_type) {
case DO_TCP:
// tcp options
buf[0] = 2; // max segment size
buf[1] = 4;
buf[2] = 255;
buf[3] = 255;
buf[4] = 3; // windows size
buf[5] = 3;
buf[6] = 62;
buf[7] = 1; // padding
buf[8] = 8; // timestamp
buf[9] = 10;
buf[10] = time(NULL) / 16777216;
buf[11] = ((time(NULL) / 65536) % 256);
buf[12] = ((time(NULL) / 256) % 256);
buf[13] = time(NULL) % 256;
// 4 bytes ack tstamp 00000000
// rest is padding (2 bytes)
if (thc_add_tcp(pkt, &pkt_len, 65532, port, test_current, 0, TCP_SYN, 5760, 0, (unsigned char *) buf, 20, (unsigned char *) buf, 20) < 0)
return -1;
strcat(fuzzbuf, fuzztype_tcp);
break;
case DO_PING:
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, test_current, (unsigned char *) &buf, 16, 0) < 0)
return -1;
strcat(fuzzbuf, fuzztype_icmp6ping);
break;
case DO_NONE:
// empty
break;
case DO_NEIGHSOL:
if (someaddr6 != NULL)
memcpy(buf, someaddr6, 16);
else
memcpy(buf, mcast6, 16);
buf[16] = 1;
buf[17] = 1;
memcpy(buf + 18, srcmac, 6);
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORSOL, 0, 0, (unsigned char *) &buf, 24, 0) < 0)
return -1;
strcat(fuzzbuf, fuzztype_icmp6ns);
break;
case DO_NEIGHADV:
if (someaddr6 != NULL)
memcpy(buf, someaddr6, 16);
else
memcpy(buf, src6, 16);
buf[16] = 2;
buf[17] = 1;
memcpy(buf + 18, srcmac, 6);
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, 0xe0000000, (unsigned char *) &buf, 24, 0) < 0)
return -1;
strcat(fuzzbuf, fuzztype_icmp6na);
break;
case DO_NODEQUERY:
memcpy(buf + 8, real_dst6, 16);
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NODEQUERY, 0, 0x0003003e, (unsigned char *) &buf, 24, 0) < 0)
return -1;
strcat(fuzzbuf, fuzztype_icmp6nq);
break;
case DO_RA:
// buf[3] = 250; // 0-3: reachable timer
buf[6] = 4; // 4-7: retrans timer
// option mtu
buf[8] = 5;
buf[9] = 1;
buf[12] = mtu / 16777216;
buf[14] = (mtu % 65536) / 256;
buf[15] = mtu % 256;
// option prefix
buf[16] = 3;
buf[17] = 4;
buf[18] = size; // prefix length
buf[19] = 128 + 64;
memset(&buf[20], 17, 4);
memset(&buf[24], 4, 4);
if (someaddr6 != NULL)
memcpy(&buf[32], someaddr6, 16);
else
memcpy(&buf[32], route6, 16);
i = 48;
// mac address option
buf[i++] = 1;
buf[i++] = 1;
memcpy(buf + i, srcmac, 6);
i += 6; // = 8 == 56
// default route routing option
buf[i++] = 0x18; // routing entry option type
buf[i++] = 0x03; // length 3 == 24 bytes
buf[i++] = 64; // prefix length /64
buf[i++] = 0x08; // priority, highest of course
i += 2; // 52-53 unknown
buf[i++] = 0x11; // lifetime, word
buf[i++] = 0x11; // lifetime, word
buf[i++] = 0x20;
buf[i++] = 4; // 56-71 address, 2004:: for default
i += 14; // = 24 == 70
// dns option
buf[i++] = 0x19; // dns option type
buf[i++] = 0x03; // length
i += 2; // 74-75 reserved
memset(buf + i, 1, 4); // validity time
i += 4;
if (someaddr6 != NULL)
memcpy(buf + i, someaddr6, 16); // dns server
else
memcpy(buf + i, dns, 16); // dns server
i += 16; // = 24 == 94
// seachlist option
buf[i++] = 31;
buf[i++] = 4;
i += 2;
memset(buf + i, 1, 4); // validity time
i += 4;
buf[i++] = 3;
memcpy(buf + i, "foo", 3);
i += 3;
buf[i++] = 4;
memcpy(buf + i, "corp", 4);
i += 5; // + null byte
buf[i++] = 5;
memcpy(buf + i, "local", 5);
i += 5;
buf[i++] = 6;
memcpy(buf + i, "domain", 6);
i += 7; // + null byte
// = 32 == 126
// flag extension option
buf[i++] = 26;
buf[i++] = 1;
buf[i++] = 0x08;
i += 5;
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0xff080800, buf, i, 0) < 0)
return -1;
strcat(fuzzbuf, fuzztype_icmp6ra);
break;
case DO_MLD_QUERY:
case DO_MLD_DONE:
case DO_MLD_REP:
buf[0] = 0xff;
buf[1] = 0x02;
buf[15] = 0x05;
if (someaddr6 != NULL)
memcpy(buf, someaddr6, 16);
if (thc_add_icmp6(pkt, &pkt_len, do_type, 0, wait, buf, 16, 0) < 0)
return -1;
strcat(fuzzbuf, fuzztype_icmp6mld);
break;
case DO_MLD2_QUERY:
buf[0] = 0xff;
buf[1] = 0x02;
buf[15] = 0x05;
if (someaddr6 != NULL)
memcpy(buf, someaddr6, 16);
buf[16] = 7;
buf[17] = 120;
buf[19] = 3;
memcpy(buf + 20, dst6, 16);
memcpy(buf + 36, buf, 16);
if (thc_add_icmp6(pkt, &pkt_len, DO_MLD_QUERY, 0, wait, buf, 68, 0) < 0)
return -1;
strcat(fuzzbuf, fuzztype_icmp6mld2que);
break;
case DO_MLD2_REPORT:
for (i = 0; i < 3; i++) {
buf[0 + 68 * i] = 1 + i * 2 - i / 2; //include new++, generates 1, 3 and 4
buf[3 + 68 * i] = 3; //3 sources
buf[4 + 68 * i] = 0xff;
buf[5 + 68 * i] = 0x02;
buf[18 + 68 * i] = 0x82 + i % 256;
buf[19 + 68 * i] = 0xff;
memcpy(buf + 20 + 68 * i, src6, 16);
buf[36 + 68 * i] = 0xfe;
buf[37 + 68 * i] = 0x80;
buf[46 + 68 * i] = 0xf0;
if (someaddr6 != NULL)
memcpy(buf + 52 + 68 * i, someaddr6, 16);
}
if (thc_add_icmp6(pkt, &pkt_len, do_type, 0, 3, buf, 208, 0) < 0)
return -1;
strcat(fuzzbuf, fuzztype_icmp6mld2rep);
break;
default:
fprintf(stderr, "ERROR: Mode not implemented yet!\n");
exit(-1);
}
if (thc_generate_pkt(interface, srcmac, mac, pkt, &pkt_len) < 0)
return -1;
hdr = (thc_ipv6_hdr *) pkt;
if (jumbo) {
i = 0;
j = 1;
while (i < hdr->pkt_len + 4 && j) {
if (hdr->pkt[i] == 'J')
if (memcmp(&hdr->pkt[i], "JJJJ", 4) == 0)
j = 0;
i++;
}
if (j) {
fprintf(stderr, "ERROR: fuckup, cant find my own marker?!\n");
exit(-1);
} else
i--;
hdr->pkt[i] = 0;
hdr->pkt[i + 1] = 0;
hdr->pkt[i + 2] = hdr->pkt[4 + off2];
hdr->pkt[i + 3] = hdr->pkt[5 + off2];
hdr->pkt[4 + off2] = 0;
hdr->pkt[5 + off2] = 0;
}
if (extend)
for (i = 0; i < strlen(fuzzbuf); i++)
if (fuzzbuf[i] == 'B' || fuzzbuf[i] == 'F')
fuzzbuf[i] = 'X';
// backup of generated packet
pkt_bak = malloc(hdr->pkt_len);
memcpy(pkt_bak, hdr->pkt, hdr->pkt_len);
printf("Fuzzing packet, starting at fuzz case %d, ending at fuzz case %d, every packet sent denoted by a dot:\n", test_start, test_end);
//printf("buf(%d): %s\n", strlen(fuzzbuf), fuzzbuf);
while (do_fuzz) {
if (test_cnt == 0)
while (fuzzbuf[test_ptr] == '.') {
test_ptr++;
test_pos++;
}
if (fuzzbuf[test_ptr] == 0)
do_fuzz = 0;
test_cnt++;
do_it = 1;
//printf("[%s] pos[%d]=%c -> %d | pkt[%d] | %d (%d=>%d)| ", /*fuzzbuf*/"", test_ptr, fuzzbuf[test_ptr], test_cnt, test_pos, test_current, test_start, test_end);
switch (fuzzbuf[test_ptr]) {
case 0:
break;
case 'X':
if (test_cnt <= COUNT_EXTEND) {
if (pkt_bak[test_pos] != extends[test_cnt - 1])
hdr->pkt[test_pos] = extends[test_cnt - 1];
else
do_it = 0;
} else {
test_cnt = 0;
test_ptr++;
test_pos++;
}
break;
case 'B':
if (test_cnt <= COUNT_BYTE) {
if (pkt_bak[test_pos] != bytes[test_cnt - 1])
hdr->pkt[test_pos] = bytes[test_cnt - 1];
else
do_it = 0;
} else {
i = 0;
while (i < COUNT_BYTE && do_it) {
if (bytes[i] == pkt_bak[test_pos])
do_it = 0;
i++;
}
if (do_it)
hdr->pkt[test_pos] = hdr->pkt[test_pos] ^ xors[test_cnt - COUNT_BYTE - 1];
}
if (test_cnt == COUNT_BYTE + COUNT_XOR) {
test_cnt = 0;
test_ptr++;
test_pos++;
}
break;
case 'F':
if (test_cnt <= COUNT_FLAG) {
if (pkt_bak[test_pos] != flags[test_cnt - 1])
hdr->pkt[test_pos] = flags[test_cnt - 1];
else
do_it = 0;
} else {
i = 0;
while (i < COUNT_FLAG && do_it) {
if (bytes[i] == pkt_bak[test_pos]) // yes, bytes[] is the right one even for flags
do_it = 0;
i++;
}
if (do_it)
hdr->pkt[test_pos] = hdr->pkt[test_pos] ^ xors[test_cnt - COUNT_BYTE - 1];
}
if (test_cnt == COUNT_FLAG + COUNT_XOR) {
test_cnt = 0;
test_ptr++;
test_pos++;
}
break;
case 'W':
sip = (unsigned short int *) &pkt_bak[test_pos];
if (test_cnt <= COUNT_WORD) {
if (*sip != words[test_cnt - 1])
memcpy((char *) &hdr->pkt[test_pos], (char *) &words[test_cnt - 1] + _TAKE2, 2);
else
do_it = 0;
} else {
i = 0;
while (i < COUNT_WORD && do_it) {
if (words[i] == *sip)
do_it = 0;
i++;
}
if (do_it) {
i = *sip ^ xors[test_cnt - COUNT_WORD - 1];
sip = (unsigned short int *) &hdr->pkt[test_pos];
*sip = i % 65536;
}
}
if (test_cnt == COUNT_WORD + COUNT_XOR) {
test_cnt = 0;
test_ptr++;
test_pos += 2;
}
break;
default:
fprintf(stderr, "This character should not be in the fuzz string, shoot the programmer: %c(%d) position %d string %s\n", fuzzbuf[test_ptr], fuzzbuf[test_ptr], test_ptr,
fuzzbuf);
exit(-1);
break;
}
if (do_it && do_fuzz) {
if (test_current >= test_start && test_current <= test_end && do_fuzz) {
// fill icmp id+seq and unique buffer with test case number
if (fragment)
memcpy(hdr->pkt + frag_offset + 58, (char *) &test_current + _TAKE4, 4);
switch (do_type) {
case DO_NONE:
// empty
break;
case DO_PING:
for (i = 0; i < 4 + 1; i++)
memcpy(hdr->pkt + offset + 58 + i * 4, (char *) &test_current + _TAKE4, 4);
break;
case DO_TCP:
memcpy(hdr->pkt + offset + 58, (char *) &test_current + _TAKE4, 4);
break;
case DO_NEIGHSOL:
case DO_NEIGHADV:
break; // do nothing for these
case DO_NODEQUERY:
memcpy(hdr->pkt + offset + 66, (char *) &test_current + _TAKE4, 4);
break;
case DO_RA:
memcpy(hdr->pkt + offset + 0x62, (char *) &test_current + _TAKE4, 4); // prefix update
memcpy(hdr->pkt + offset + 0x7e, hdr->pkt + offset + 0x5e, 16); // routing update
memcpy(hdr->pkt + 8, (char *) &test_current + _TAKE4, 4); // srcmac update
memcpy(hdr->pkt + offset + 0x72, (char *) &test_current + _TAKE4, 4); // srcmac update
memcpy(hdr->pkt + 0x10 + off2, (char *) &test_current + _TAKE4, 4); // srcip update
memcpy(hdr->original_src, hdr->pkt + 8 + off2, 16); // srcip update for checksum
break;
case DO_MLD_QUERY:
case DO_MLD_DONE:
case DO_MLD_REP:
case DO_MLD2_QUERY:
memcpy(hdr->pkt + offset + 0x4a, (char *) &test_current + _TAKE4, 4);
break;
case DO_MLD2_REPORT: //??? XXX TODO CHECK
memcpy(hdr->pkt + offset + 0x4d, (char *) &test_current + _TAKE4, 4);
memcpy(hdr->pkt + offset + 0x4d + 68, (char *) &test_current + _TAKE4, 4);
memcpy(hdr->pkt + offset + 0x4d + 136, (char *) &test_current + _TAKE4, 4);
break;
default:
fprintf(stderr, "ERROR!!!\n");
exit(-1);
}
// regenerate checksum
if (do_type != DO_TCP && do_type != DO_NONE) { // maybe for later non-icmp stuff
hdr->pkt[offset + 56] = 0;
hdr->pkt[offset + 57] = 0;
i = checksum_pseudo_header(hdr->original_src, hdr->final_dst, NXT_ICMP6, &hdr->pkt[offset + 54], hdr->pkt_len - offset - 54);
hdr->pkt[offset + 56] = i / 256;
hdr->pkt[offset + 57] = i % 256;
} else { // TCP
hdr->pkt[offset + 70] = 0;
hdr->pkt[offset + 71] = 0;
i = checksum_pseudo_header(hdr->original_src, hdr->final_dst, NXT_TCP, &hdr->pkt[offset + 54], hdr->pkt_len - offset - 54);
hdr->pkt[offset + 70] = i / 256;
hdr->pkt[offset + 71] = i % 256;
}
// send packet
for (k = 0; k < no_send; k++) {
while(thc_send_pkt(interface, pkt, &pkt_len) < 0)
usleep(1);
}
printf(".");
usleep(250);
// if ping, check ping again
if ((test_current - test_start) % ping == 0 && test_current != 0 && test_start != test_current)
if (check_alive(p, interface, srcmac, mac, src6, real_dst6) == 0) {
i = ((((test_current - test_start) / ping) - 1) * ping) + test_start + 1;
printf("\nResult: target %s crashed during fuzzing, offending test case no. could be %d to %d\n", argv[optind + 1], i < 0 ? 0 : i, test_current);
exit(1);
}
}
//else printf("NOT SENT - NOT IN TEST LIST\n");
// reset to basic packet
memcpy(hdr->pkt, pkt_bak, hdr->pkt_len);
test_current++;
}
//else printf("NOT SENT!\n");
}
printf("\n");
// ping afterwards to check if it worked
if (do_alive) {
if (check_alive(p, interface, srcmac, mac, src6, real_dst6) == 0) {
printf("Result: target %s is NOT alive via direct ping6 - good work! (position: %d)\n", argv[optind + 1], test_pos);
exit(1);
} else
printf("Result: target %s is still alive via direct ping6, better luck next time.\n", argv[optind + 1]);
}
thc_pcap_close(p);
return 0;
}
