/* By: e.wiZz! *Info: tuga je golema :D *tnx 2 QKrunix,F34R,aluigi,and pplz from 50centshost.com,pozdrav deckima s elitesecurity.org * tested on winpcap 4.0.2, Dev-CPP 4.9.9.2, windows xp professional sp2....found by http://spion.ws/projects.php *Okai,send TCP packetz to remote serv0r,eh? */ #include #include #include #include #include #include #include #define IP_PORT 0x0800 char LocalIP[20] = { 0 }; char InterfaceName[256] = { 0 }; char GatewayIP[20] = { 0 }; BYTE GatewayMac[6]; typedef struct et_header { unsigned char eh_dst[6]; unsigned char eh_src[6]; unsigned short eh_type; }ET_HEADER; typedef struct ip_hdr { unsigned char h_verlen; unsigned char tos; unsigned short total_len; unsigned short ident; unsigned short frag_and_flags; unsigned char ttl; unsigned char proto; unsigned short checksum; unsigned int sourceIP; unsigned int destIP; } IP_HEADER; typedef struct tcp_hdr { unsigned short th_sport; unsigned short th_dport; unsigned int th_seq; unsigned int th_ack; unsigned char th_lenres; unsigned char th_flag; unsigned short th_win; unsigned short th_sum; unsigned short th_urp; }TCP_HEADER; typedef struct tsd_hdr { unsigned long saddr; unsigned long daddr; char mbz; char ptcl; unsigned short tcpl; }PSD_HEADER; unsigned short CheckSum(unsigned short * buffer, int size) { unsigned long cksum = 0; while (size > 1) { cksum += *buffer++; size -= sizeof(unsigned short); } if (size) { cksum += *(unsigned char *) buffer; } cksum = (cksum >> 16) + (cksum & 0xffff); cksum += (cksum >> 16); return (unsigned short) (~cksum); } /* void GetLocalIP( ) { WORD wVersionRequested; WSADATA wsaData; char name[255]; PHOSTENT hostinfo; wVersionRequested = MAKEWORD( 2, 0 ); if( WSAStartup( wVersionRequested, &wsaData ) == 0 ) { if( gethostname( name, sizeof(name) ) == 0 ) { if( (hostinfo = gethostbyname(name) ) != NULL ) { strcpy( LocalIP, inet_ntoa( *(struct in_addr*)*hostinfo->h_addr_list ) ); } WSACleanup( ); } */ int GetDevices( ) { pcap_if_t *alldevs; pcap_if_t *d; int i = 0; char errbuf[PCAP_ERRBUF_SIZE]; /* divajs,eh?*/ if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL /* auth is not needed */, &alldevs, errbuf) == -1) { fprintf(stderr,¡±Error in pcap_findalldevs_ex: %s\n¡°, errbuf); exit(1); } for( d = alldevs; d != NULL; d = d->next ) { printf(¡±%d. %s¡°, ++i, d->name); if (d->description) { printf( ¡° (%s)¡°, d->description ); } if( d->addresses != NULL ) { if( d->addresses->addr->sa_family == AF_INET ) { printf( ¡°: %s\n¡°, inet_ntoa( ((struct sockaddr_in*)d->addresses->addr)->sin_addr ) ); } else { printf( ¡°\n¡± ); } } else { printf(¡± (No description available)\n¡°); } } if (i == 0) { printf(¡±\nNejma interfejsa ba! Imash winpcap?.\n¡°); return -1; } printf( ¡°\nIzaberi index adaptera£º¡± ); int AdapterIndex = 1; scanf( ¡°%d¡°, &AdapterIndex ); if( AdapterIndex > i ) { printf( ¡°Íø¿¨Ñ¡´íÀ²\n¡± ); return -1; } d = alldevs; for( int index = 1; index < AdapterIndex; index ++ ) { d = d->next; } if( d->name == NULL || d->addresses == NULL ) { printf( ¡°Íø¿¨Ñ¡´íÀ²\n¡± ); return -1; } strcpy( InterfaceName, d->name ); strcpy( LocalIP, inet_ntoa( ((struct sockaddr_in *)d->addresses->addr)->sin_addr ) ); /*spektakl,eh?*/ pcap_freealldevs(alldevs); return 1; } int GetGateWayMac( ) { PIP_ADAPTER_INFO AdapterInfo; ULONG OutBufLen = sizeof(IP_ADAPTER_INFO); > > > > AdapterInfo = (IP_ADAPTER_INFO *)malloc(sizeof (IP_ADAPTER_INFO)); if( AdapterInfo == NULL ) { printf(¡±Error allocating memory needed to call GetAdaptersinfo\n¡°); return -1; } if( GetAdaptersInfo( AdapterInfo, &OutBufLen ) == ERROR_BUFFER_OVERFLOW ) { free( AdapterInfo ); AdapterInfo = (IP_ADAPTER_INFO *)malloc( OutBufLen ); if( AdapterInfo == NULL ) { printf(¡±Error allocating memory needed to call GetAdaptersinfo\n¡°); return -1; } } if( GetAdaptersInfo( AdapterInfo, &OutBufLen ) == NO_ERROR ) { PIP_ADAPTER_INFO a = AdapterInfo; BOOL Found = FALSE; while( a ) { if( strcmp(a->IpAddressList.IpAddress.String, LocalIP) == 0 ) { strcpy( GatewayIP, a->GatewayList.IpAddress.String ); Found = TRUE; break; } a = a->Next; } if( !Found ) { printf( ¡°Get gateway¡¯s ip error.\n¡± ); free( AdapterInfo ); return -1; } else { free( AdapterInfo ); } } else { printf( ¡°Get gateway¡¯s ip error.\n¡± ); free( AdapterInfo ); return -1; } BYTE Mac[6]; ULONG MacLen = 6; SendARP( inet_addr(GatewayIP), 0, (PULONG)&Mac, &MacLen ); memcpy( GatewayMac, Mac, MacLen ); /* for( int index = 0; index < MacLen; index ++ ) { printf( ¡°%d: %02x\n¡±, index, Mac[index] ); } printf( ¡°\n%d\n¡±, MacLen ); */ } void Usage( char *me ) { printf( ¡°Make tcp package 0.1,\n¡± ); printf( ¡°%s: targetip targetport [flag]\n¡°, me ); printf( ¡°flag: \n¡± ); printf( ¡° u|U set urg flag.\n¡± ); printf( ¡° a|A set ack flag.\n¡± ); printf( ¡° p|P set push flag.\n¡± ); printf( ¡° r|R set rst flag.\n¡± ); printf( ¡° s|S set syn flag.\n¡± ); printf( ¡° f|F set fin flag.\n¡± ); printf( ¡° default is syn flag, and you can use sa to set syn+ack, and more¡­\n¡± ); } int main( int argc, char *argv[] ) { ET_HEADER EtHeader; IP_HEADER IpHeader; TCP_HEADER TcpHeader; PSD_HEADER PsdHeader; u_char Buffer[sizeof(ET_HEADER) + sizeof(IP_HEADER) + sizeof(TCP_HEADER)] = { 0 }; if( (argc != 3) && (argc != 4) ) { Usage( argv[0] ); exit( -1 ); } int Flag = 2; if( argc == 4 ) { Flag = 0; if( strchr(argv[3], ¡®U¡¯) || strchr(argv[3], ¡®u¡¯) ) { Flag = Flag | 32; } if( strchr(argv[3], ¡®A¡¯) || strchr(argv[3], ¡®a¡¯) ) { Flag = Flag | 16; } if( strchr(argv[3], ¡®P¡¯) || strchr(argv[3], ¡®p¡¯) ) { Flag = Flag | 8; } if( strchr(argv[3], ¡®R¡¯) || strchr(argv[3], ¡®r¡¯) ) { Flag = Flag | 4; } if( strchr(argv[3], ¡®S¡¯) || strchr(argv[3], ¡¯s¡¯) ) { Flag = Flag | 2; } if( strchr(argv[3], ¡®F¡¯) || strchr(argv[3], ¡®f¡¯) ) { Flag = Flag | 1; } } //GetLocalIP( ); if( -1 == GetDevices( ) ) { exit( -1 ); } //printf( ¡°Adapter is %s, ip is %s\n¡±, InterfaceName, LocalIP ); if( -1 == GetGateWayMac( ) ) { exit( -1 ); } //printf( ¡°Gateway IP is %s\n¡±, GatewayIP ); //printf( ¡°Gateway Mac is %x\n¡±, *GatewayMac ); memcpy( EtHeader.eh_dst, GatewayMac, 6 ); memset( EtHeader.eh_src, 0xa, 6 ); EtHeader.eh_type = htons( IP_PROTO ); IpHeader.h_verlen = (4<<4 | sizeof(IpHeader)/sizeof(unsigned int)); IpHeader.tos = 0; IpHeader.total_len = htons(sizeof(IpHeader)+sizeof(TcpHeader)); IpHeader.ident = 1; IpHeader.frag_and_flags = 0¡Á40; IpHeader.ttl = 128; IpHeader.proto = IPPROTO_TCP; IpHeader.checksum = 0; IpHeader.sourceIP = inet_addr( LocalIP ); IpHeader.destIP = inet_addr( argv[1] ); TcpHeader.th_sport = htons( rand()%60000 + 1024 ); TcpHeader.th_dport = htons( atoi(argv[2]) ); TcpHeader.th_seq = htonl( rand()%900000000 + 100000 ); TcpHeader.th_ack = 0; TcpHeader.th_lenres = (sizeof(TcpHeader)/4<<4|0); TcpHeader.th_flag = Flag; TcpHeader.th_win = htons(512); TcpHeader.th_sum = 0; TcpHeader.th_urp = 0; PsdHeader.saddr = inet_addr( LocalIP ); PsdHeader.daddr = IpHeader.destIP; PsdHeader.mbz = 0; PsdHeader.ptcl = IPPROTO_TCP; PsdHeader.tcpl = htons(sizeof(TcpHeader)); memcpy( Buffer, &PsdHeader, sizeof(PsdHeader) ); memcpy( Buffer + sizeof(PsdHeader), &TcpHeader, sizeof(TcpHeader) ); TcpHeader.th_sum = CheckSum( (unsigned short *)Buffer, sizeof(PsdHeader) + sizeof(TcpHeader) ); memset( Buffer, 0, sizeof(Buffer) ); memcpy( Buffer, &IpHeader, sizeof(IpHeader) ); IpHeader.checksum = CheckSum( (unsigned short *)Buffer, sizeof(IpHeader) ); memset( Buffer, 0, sizeof(Buffer) ); memcpy( Buffer, (void *)&EtHeader, sizeof(ET_HEADER) ); memcpy( Buffer + sizeof(ET_HEADER), (void *)&IpHeader, sizeof(IP_HEADER) ); memcpy( Buffer + sizeof(ET_HEADER) + sizeof(IP_HEADER), (void*)&TcpHeader, sizeof(TCP_HEADER) ); char errbuf[PCAP_ERRBUF_SIZE] = { 0 }; pcap_t *fp; if ( (fp= pcap_open( InterfaceName, 100, PCAP_OPENFLAG_PROMISCUOUS, 100, NULL, errbuf ) ) == NULL ) { fprintf(stderr,¡±\nUnable to open the adapter. %s is not supported by WinPcap\n¡°, InterfaceName ); return -1; } if ( pcap_sendpacket( fp, Buffer, sizeof(Buffer) ) != 0 ) { fprintf(stderr,¡±\nError sending the packet: \n¡°, pcap_geterr(fp)); return -1; } printf( ¡°poslano ok!\nData is:\n¡± ); for( int i = 0; i < sizeof(Buffer); i ++ ) { printf( ¡°%02x ¡°, Buffer ); } return 0; }