/*
* drench, a connection exhaustion test tool
*
* Copyright (c) 2005-2007 Michael Santos/michael.santos@gmail.com
*
* Stateless TCP connection flood
*
*/
#include "drench.h"
#include <openssl/md5.h>
/* Check the ISN returned in the ACK. If *isn is
 * 0, create the ISN instead and write it back through isn
 * (as produced by htonl(), i.e. in network byte order).
 *
 * dp:   flood state; dp->secret and dp->daddr feed the ISN derivation
 * port: our source port for this connection
 * isn:  in/out -- 0 requests a fresh ISN, anything else is validated
 *
 * Return: 0 = passed (or freshly generated), -1 = failed
 *
 * Note: because 0 is both the "generate" request and a possible wire
 * value, a sniffed ACK number of exactly 0 is accepted by this check;
 * callers validating untrusted input should reject it beforehand.
 */
int check_isn(pkt_t *dp, in_port_t port, u_int32_t *isn);
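/*
 * Build and transmit one TCP segment of the flood.
 *
 * Two phases share this function; the TCP_PHASE() macro (defined in
 * drench.h, not visible here) picks the SYN alternative or the reply
 * alternative of each argument pair based on dp->flags:
 *   - SYN phase:   pkt == NULL. A random source port is drawn and a fresh
 *                  ISN is minted by check_isn().
 *   - reply phase: pkt points at a sniffed Ethernet/IPv4/TCP frame; its
 *                  ACK number is validated by check_isn() and the next
 *                  segment is built from its fields.
 *
 * NOTE(review): ih/th stay NULL in the SYN phase, so the reply-side
 * expressions below (th->th_ack, ih->ip_dst, ...) must never be evaluated
 * then. This relies on TCP_PHASE() being a short-circuit selector that
 * does not touch the unselected alternative -- confirm against drench.h.
 *
 * NOTE(review): the frame is parsed with fixed-size headers (no IPv4
 * options, no length argument), so a truncated or option-carrying frame is
 * read out of bounds / mis-parsed; the caller is trusted to hand over a
 * complete Ethernet+IPv4+TCP frame. The casts also assume the platform
 * tolerates the resulting alignment.
 *
 * dp:     per-flood state (libnet context, addresses, ports, flags, ptags)
 * offset: added to the numeric source address for both the IP header and
 *         the log line -- presumably to walk a range of source addresses,
 *         verify against the caller
 * pkt:    NULL for the SYN phase, otherwise the sniffed reply frame
 *
 * Returns nothing. A reply that fails the ISN check is logged and, when
 * O_CHKISN is set, dropped; otherwise it is still answered.
 */
void
drench_send_tcp(pkt_t *dp, u_int8_t offset, u_char *pkt)
{
    struct ip *ih = NULL;
    struct tcphdr *th = NULL;
    char *state = NULL;
    in_port_t sport = 0;
    size_t paylen = 0;
    u_int32_t isn = 0;
    int bad_isn = 0;

    if (dp->payload != NULL)
        paylen = strlen(dp->payload);

    /* Log tag: "S" while sending SYNs, "A" while answering replies. */
    state = TCP_PHASE(dp->flags, "S", "A");

    if (pkt != NULL) {
        /* The Ethernet header is only skipped, never inspected. */
        ih = (struct ip *)(pkt + sizeof(struct ether_header));
        th = (struct tcphdr *)(pkt + sizeof(struct ether_header) + sizeof(struct ip));
        /* Raw header fields are left in network byte order: check_isn()
         * compares against htonl() values, so no conversion is done here. */
        isn = th->th_ack;
        sport = th->th_dport;
    }
    else {
        sport = libnet_get_prand(LIBNET_PRu16);
    }

    /* Sanity check: check the ack number of the packet to
     * make sure we sent it. We can do this by performing
     * a calculation on the sequence number we
     * send, based on a "secret" random number.
     *
     * check_isn() treats *isn == 0 as "mint a new ISN", so a sniffed reply
     * whose ACK number is 0 would slip past the check. Reject that value
     * explicitly when it comes from the wire; the SYN phase (pkt == NULL)
     * still uses 0 to request a fresh ISN. */
    bad_isn = (pkt != NULL && isn == 0) || check_isn(dp, sport, &isn) < 0;
    if (bad_isn) {
        (void)fprintf(stdout,
            "(C->S)[%s] SRC = %15s:%-6u DST = %15s:%-6u INVALID ISN in ACK%s [isn = %u]\n",
            state,
            TCP_PHASE(
                dp->flags,
                dp->saddr,
                libnet_addr2name4(ih->ip_dst.s_addr, LIBNET_DONT_RESOLVE)
            ),
            sport,
            TCP_PHASE(
                dp->flags,
                dp->daddr,
                libnet_addr2name4(ih->ip_src.s_addr, LIBNET_DONT_RESOLVE)
            ),
            dp->dport,
            (dp->opts & O_CHKISN ? ", DROPPING PACKET" : ""),
            isn);
        if (dp->opts & O_CHKISN)
            return;
    }

    /* NOTE(review): th->th_ack / th->th_seq are passed as-is in the reply
     * alternatives although they were read in network byte order; whether
     * libnet_build_tcp() expects host order for seq/ack should be confirmed
     * against the libnet version in use. */
    LIBNET_ERR(dp->p_tcp = libnet_build_tcp(
        TCP_PHASE(dp->flags, sport, th->th_dport), /* Source port */
        dp->dport, /* Destination port */
        TCP_PHASE(dp->flags, isn, (th->th_ack + paylen)), /* ISN */
        /* Sniffed packet's seq num */
        TCP_PHASE(dp->flags, 0, (th->th_seq + 1)), /* ACK */
        TCP_PHASE(dp->flags, dp->flags, dp->flags /*| TH_PUSH*/), /* Control flags */
        dp->winsize, /* window size */
        0, /* auto checksum */
        0, /* Urgent data pointer */
        TCP_PHASE(dp->flags, LIBNET_TCP_H, LIBNET_TCP_H + paylen), /* total packet length */
        TCP_PHASE(dp->flags, NULL, (u_char *)dp->payload), /* payload */
        TCP_PHASE(dp->flags, 0, paylen), /* payload size */
        dp->l, /* libnet context */
        dp->p_tcp /* ptag */
    ));

    /* Source address: numeric saddr plus offset (converted to host order
     * for the addition). libnet_name2addr4() returns -1 on failure and is
     * not checked here (see the XXX markers). */
    LIBNET_ERR(dp->p_ip = libnet_build_ipv4(
        TCP_PHASE(dp->flags, LIBNET_IPV4_H + LIBNET_TCP_H, LIBNET_IPV4_H + LIBNET_TCP_H + paylen),
        TCP_PHASE(dp->flags, 0, IPTOS_LOWDELAY), /* TOS */
        libnet_get_prand(LIBNET_PRu16),
        0, /* Frag */
        MAX_TTL, /* TTL */
        IPPROTO_TCP, /* Protocol */
        0, /* auto checksum */
        TCP_PHASE(dp->flags, htonl(ntohl(libnet_name2addr4(dp->l, dp->saddr, LIBNET_DONT_RESOLVE)) + offset),
            ih->ip_dst.s_addr), /* XXX error check, source */
        TCP_PHASE(dp->flags, libnet_name2addr4(dp->l, dp->daddr, LIBNET_DONT_RESOLVE),
            ih->ip_src.s_addr), /* XXX error check, destination */
        NULL, /* payload */
        0, /* payload size */
        dp->l, /* libnet context */
        dp->p_ip /* libnet ptag */
    ));

    /* A failed write is only reflected as an "x" tag in the log line; the
     * libnet error text is not reported. */
    if (libnet_write(dp->l) == -1)
        state = "x";

    (void)fprintf(stdout, "(C->S)[%s] SRC = %15s:%-6u DST = %15s:%-6u\n", state,
        TCP_PHASE(
            dp->flags,
            libnet_addr2name4(
                htonl(ntohl(libnet_name2addr4(dp->l, dp->saddr, LIBNET_DONT_RESOLVE)) + offset),
                LIBNET_DONT_RESOLVE
            ),
            libnet_addr2name4(ih->ip_dst.s_addr, LIBNET_DONT_RESOLVE)
        ),
        sport,
        TCP_PHASE(
            dp->flags,
            dp->daddr,
            libnet_addr2name4(ih->ip_src.s_addr, LIBNET_DONT_RESOLVE)
        ),
        dp->dport);
    (void)fflush(stdout);
}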
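/*
 * Validate, or mint, the ISN that proves an incoming ACK answers a SYN
 * this tool sent.
 *
 * The expected value is the first 32 bits of MD5(secret || daddr || port)
 * over a zero-padded struct -- a keyed mixing step in the style of a SYN
 * cookie; MD5 is used as a mixing function only, not for collision
 * resistance. (OpenSSL 3 marks the one-shot MD5() API deprecated.)
 *
 * dp:   flood state; dp->secret and dp->daddr feed the derivation
 * port: our source port for this connection
 * isn:  in/out. 0 requests a fresh ISN, which is written back as htonl(s);
 *       any other value is accepted only if it equals htonl(s + 1).
 *
 * Returns 0 when the ISN was minted or matched, -1 after logging a
 * mismatch. Note that the diagnostic line echoes the secret itself.
 *
 * Because 0 doubles as the "mint" request, an ACK number of 0 taken from
 * the wire is accepted by this function; callers validating sniffed input
 * must reject it before calling.
 */
int
check_isn(pkt_t *dp, in_port_t port, u_int32_t *isn)
{
    u_char md5[MD5_DIGEST_LENGTH];
    u_int32_t s = 0;
    struct {
        u_int32_t secret;
        u_int32_t addr;
        in_port_t port;
    } seed;

    /* memset also clears the struct's trailing padding, so the digest
     * input is fully determined by the three fields. */
    (void)memset(&seed, 0, sizeof(seed));
    seed.secret = dp->secret;
    /* XXX unchecked: libnet_name2addr4() returns -1 on failure. */
    seed.addr = libnet_name2addr4(dp->l, dp->daddr, LIBNET_DONT_RESOLVE);
    seed.port = port;

    (void)MD5((u_char *)&seed, sizeof(seed), md5);
    (void)memcpy(&s, md5, sizeof(s));

    /* Mint: the caller asked for a new ISN. */
    if (*isn == 0) {
        *isn = htonl(s);
        return (0);
    }

    /* Verify: the peer must have acknowledged our ISN + 1. */
    if (*isn == htonl(s+1))
        return (0);

    (void)fprintf(stdout, "\t[ISN RECEIVED = %u, EXPECTING = %u, SECRET = %u, ADDR = %s, PORT = %u]\n",
        *isn, htonl(s+1), dp->secret, dp->daddr, port);
    return (-1);
}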